Storm-2561 spreads Trojan VPN clients and steals credentials via SEO poisoning

By Ravi Lakshmanan, March 13, 2026 (VPN Security / Malware)

Microsoft has revealed details of a credential theft campaign using fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques.

“This campaign deploys a digitally signed Trojan horse that redirects users searching for legitimate enterprise software to a malicious ZIP file on an attacker-controlled website and harvests VPN credentials by posing as a trusted VPN client,” Microsoft Threat Intelligence and Microsoft Defender Experts teams said.

The Windows maker, which observed this activity in mid-January 2026, attributed it to the threat activity cluster Storm-2561, which has been spreading malware through SEO poisoning and impersonating popular software vendors since May 2025.

The threat actor's campaign was first documented by Cyjax, which described the use of SEO poisoning on Bing to redirect users searching for software from companies such as SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure Access) to a fake site that served an MSI installer deploying the Bumblebee loader.

A subsequent iteration of the attack was revealed by Zscaler in October 2025. That campaign also targeted users searching for legitimate software on Bing, luring them to a fake website (spread via "ivanti-vpn[.]org") that delivered a trojanized Ivanti Pulse Secure VPN client in order to steal VPN credentials from the victim's machine.

Microsoft said this activity highlights how threat actors are exploiting trust in search engine rankings and software branding as a social engineering tactic to steal data from users looking for enterprise VPN software. The misuse of trusted platforms such as GitHub to host installer files further complicates the problem.

Specifically, a GitHub repository hosts a ZIP file containing an MSI installer that pretends to be legitimate VPN software but sideloads a malicious DLL during installation. The end goal, as before, is to collect and exfiltrate VPN credentials using a variant of the information stealer known as Hyrax.

Users are presented with a fake but convincing VPN sign-in dialog to capture their credentials. Once the victim enters their information, an error message appears prompting them to download a legitimate VPN client; in some cases the victim is redirected to the legitimate VPN vendor's website.

The malware establishes persistence through the Windows RunOnce registry key so that it runs automatically after a system restart.

“This campaign exhibits characteristics consistent with the financially motivated cybercriminal activity utilized by Storm-2561,” Microsoft said. “The malicious component is digitally signed by ‘Taiyuan Lihuajin Information Technology Co., Ltd.'”
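Because the two indicators the write-up gives are the RunOnce persistence and the signer name on the malicious component, a defender's first triage step is to enumerate RunOnce entries and check who signed each target. The following is an added example, not code from Microsoft or the article; the suspect-signer list is an assumption seeded only with the signer the article names, and the key list is the standard set of RunOnce locations.

```powershell
# Added example (not from the Microsoft/THN write-up): enumerate RunOnce
# persistence entries and report the Authenticode signer of each target.
# $SuspectSigners is an assumption seeded with the signer named in the article.
$SuspectSigners = @('Taiyuan Lihuajin Information Technology Co., Ltd.')

$RunOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-CommandPath {
    param([string]$Command)
    # Strip quotes and trailing arguments to recover the executable path.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^\S+?\.(exe|dll|msi|cmd|bat)', 'IgnoreCase')
    if ($m.Success) { return $m.Value }
    return ($cmd -split '\s+')[0]
}

foreach ($key in $RunOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }   # provider metadata, not registry values
        $path = [Environment]::ExpandEnvironmentVariables((Resolve-CommandPath ([string]$p.Value)))
        $sig = $null
        if (Test-Path -LiteralPath $path) { $sig = Get-AuthenticodeSignature -FilePath $path }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
        $flags = @()
        foreach ($s in $SuspectSigners) { if ($signer -like "*$s*") { $flags += 'SUSPECT-SIGNER' } }
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "SIG-$($sig.Status)" }
        # A valid signature from an unfamiliar signer still deserves a look; the
        # article's sample was validly signed until the certificate was revoked.
        [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $path; Signer = $signer; Flags = ($flags -join ',') }
    }
}
```

Run it in an elevated session so the HKLM keys are readable; Get-AuthenticodeSignature does not perform an online revocation check by itself, so a signer match matters even when the status reads Valid.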

The tech giant subsequently took down the GitHub repositories controlled by the attackers and revoked the legitimately issued certificates used to sign the malware, disrupting the operation.

To combat such threats, organizations and users are encouraged to enforce multi-factor authentication (MFA) on all accounts, exercise caution when downloading software from websites, and verify that an installer is genuine before running it.
