Storm-2561 Is Poisoning Search Results to Push Fake VPN Clients

A financially motivated threat actor tracked as Storm-2561 has been manipulating search engine rankings since at least May 2025 to serve trojanized VPN software to enterprise users. Earlier waves had been reported by Cyjax and Zscaler, but by the time Microsoft Defender Experts caught the current wave in mid-January 2026, the group had already refined its tradecraft across multiple VPN brands and a pair of attacker-controlled domains.

Enterprise VPN software is, by design, something employees trust. It carries the branding of established vendors. It sits at the authentication boundary between a remote worker and the corporate network. That trust is precisely what Storm-2561 is exploiting. By pushing spoofed download pages to the top of search results, the group turns a routine software download into a credential handover. The employee never knows it happened. The VPN they end up installing even works.

Who Is Storm-2561

Microsoft uses the "Storm" designation, followed by a number, for threat clusters whose attribution remains under investigation and whose tooling and objectives are still being characterized. Storm-2561 fits that pattern: it has been active since at least May 2025, and its methods are consistent with financially motivated cybercrime rather than state sponsorship. The group's toolkit centers on two things, SEO manipulation and vendor impersonation, both of which it has been applying since its earliest documented activity.

The campaign was first publicly documented by threat intelligence firm Cyjax, which observed Storm-2561 redirecting Bing users searching for software from SonicWall, Hanwha Vision, and Pulse Secure toward spoofed download pages. Zscaler subsequently disclosed an iteration of the attack in October 2025, this time targeting users searching for Ivanti Pulse Secure VPN through a fraudulent domain, ivanti-vpn[.]org, that presented a convincing replica of the legitimate vendor portal. By the time Microsoft's own Defender Experts team detected the campaign in mid-January 2026, Storm-2561 had expanded the list of spoofed brands to include Fortinet, Cisco, Check Point, Sophos, WatchGuard, and Palo Alto Networks GlobalProtect, in addition to Ivanti and SonicWall.

"The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information." — Microsoft Threat Intelligence, March 2026

The malicious components Microsoft analyzed are digitally signed by a Chinese entity called "Taiyuan Lihua Near Information Technology Co., Ltd." That certificate has since been revoked, but at the time of the campaign it let the malware pass as legitimately signed software: a valid Authenticode signature suppresses the unknown-publisher warnings Windows shows for unsigned binaries and satisfies application control policies that block only unsigned code. A signature proves that the signer held a certificate, not that the signer is trustworthy; a policy that allowlists specific publishers rather than the mere presence of a signature would not have been satisfied by it.

How the Attack Chain Works

The attack begins long before any user downloads a file. Storm-2561 manipulates search engine results so that queries like "Pulse VPN download" or "Pulse Secure client" return attacker-controlled pages near or at the top of the results. Two attacker-controlled domains were confirmed by Microsoft: vpn-fortinet[.]com and ivanti-vpn[.]org. These sites are designed to match the look of real vendor portals, with correct logos, matching color schemes, and download buttons that appear entirely plausible.

Storm-2561 Attack Chain (figure)
  1. SEO poisoning: search hijack
  2. Spoofed portal: fake vendor site
  3. Trojanized MSI: DLL sideloading
  4. Credential capture: fake login UI
  5. Exfiltration and cover: C2 and redirect
Storm-2561 moves from poisoned search result to silent credential theft in five stages, ending with a redirect to the real vendor site to eliminate visible signs of compromise.

When a user clicks the download button on one of these spoofed portals, they are sent to a GitHub repository — now taken down — that hosted a ZIP archive named VPN-CLIENT.zip. The ZIP contains a Windows Installer package (MSI file) that is signed with the now-revoked Taiyuan Lihua certificate. The signed MSI drops Pulse.exe into a folder path mimicking the legitimate Pulse Secure installation directory under %CommonFiles%\Pulse Secure, making it blend into the file system alongside any genuine Pulse Secure components already present.

Two malicious DLL files arrive with the installer: dwmapi.dll and inspector.dll. The name dwmapi.dll is significant: it is the name of a legitimate Windows Desktop Window Manager API library that lives in System32. Storm-2561 abuses DLL sideloading, in which a trusted application loads a malicious DLL because the loader finds it first. For any DLL that is not on the KnownDLLs list, Windows searches the application's own directory before System32, so a dwmapi.dll dropped beside Pulse.exe shadows the genuine copy and is the one loaded when Pulse.exe resolves the import. In this case, dwmapi.dll acts as an in-memory loader, executing shellcode that then loads inspector.dll, a variant of the Hyrax infostealer.
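To make the search-order point concrete, the following is an added example (my own code, not from Microsoft's advisory or from the malware) that simulates Windows' default DLL resolution for a process with SafeDllSearchMode on. The directory layout, the KnownDLLs subset, the process working directory and the assumption that dwmapi.dll is not a KnownDLL are all constructed for the example:

```python
"""Added example, not code from Microsoft's advisory or from the malware:
simulates Windows' default DLL search order to show why a dwmapi.dll dropped
beside Pulse.exe is loaded in place of the genuine copy in System32.
The directory layout below is constructed."""
from pathlib import PureWindowsPath

# Small subset of the KnownDLLs list. Assumption for this example: dwmapi.dll
# is not on it, which is the usual state and is what makes it sideloadable.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}

def search_order(exe_path, cwd, path_dirs=(), windir=r"C:\Windows"):
    """Default (SafeDllSearchMode) order: application directory, System32,
    System (16-bit), Windows directory, current directory, then PATH."""
    app_dir = str(PureWindowsPath(exe_path).parent)
    w = PureWindowsPath(windir)
    return [app_dir, str(w / "System32"), str(w / "System"), windir, cwd, *path_dirs]

def resolve_dll(dll_name, exe_path, filesystem, cwd=r"C:\Users\alice",
                path_dirs=(), windir=r"C:\Windows"):
    """Return the path the loader would pick for dll_name, or None.
    `filesystem` is a set of lower-cased full paths that exist on disk."""
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        # KnownDLLs come from the \KnownDlls object directory; the
        # application directory is never consulted for them.
        return str(PureWindowsPath(windir, "System32", name))
    for directory in search_order(exe_path, cwd, path_dirs, windir):
        candidate = str(PureWindowsPath(directory, name))
        if candidate.lower() in filesystem:
            return candidate
    return None

def is_sideload(dll_name, exe_path, filesystem, **kw):
    """True when a DLL that also exists in System32 resolves somewhere else,
    i.e. the loader picked a shadowing copy over the genuine one."""
    windir = kw.get("windir", r"C:\Windows")
    genuine = str(PureWindowsPath(windir, "System32", dll_name.lower())).lower()
    chosen = resolve_dll(dll_name, exe_path, filesystem, **kw)
    return chosen is not None and chosen.lower() != genuine and genuine in filesystem

# Constructed layout: the trojanized install under %CommonFiles%\Pulse Secure.
PULSE_DIR = r"C:\Program Files\Common Files\Pulse Secure"
TROJANIZED = {p.lower() for p in (
    PULSE_DIR + r"\Pulse.exe",
    PULSE_DIR + r"\dwmapi.dll",     # malicious loader
    PULSE_DIR + r"\inspector.dll",  # Hyrax
    r"C:\Windows\System32\dwmapi.dll",
    r"C:\Windows\System32\kernel32.dll",
)}
# Same machine without the two dropped DLLs.
CLEAN = TROJANIZED - {(PULSE_DIR + r"\dwmapi.dll").lower(),
                      (PULSE_DIR + r"\inspector.dll").lower()}

def demo(filesystem):
    """Resolve the two imports Pulse.exe would ask for and flag a sideload."""
    exe = PULSE_DIR + r"\Pulse.exe"
    return {
        "dwmapi.dll": resolve_dll("dwmapi.dll", exe, filesystem),
        "kernel32.dll": resolve_dll("kernel32.dll", exe, filesystem),
        "sideloaded": is_sideload("dwmapi.dll", exe, filesystem),
    }

if __name__ == "__main__":
    print(demo(TROJANIZED))
    print(demo(CLEAN))
```

The genuine dwmapi.dll in System32 is never consulted on the trojanized host because the application directory is searched first; kernel32.dll, being a KnownDLL, cannot be shadowed this way. The same resolution logic is what an image-load detection has to reason about: a system-named DLL resolving outside the system directories is the signal.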

Indicators of Compromise

  1. Confirmed attacker-controlled domains: vpn-fortinet[.]com and ivanti-vpn[.]org.
  2. Command-and-control server: 194.76.226[.]93:8080.
  3. Files signed by "Taiyuan Lihua Near Information Technology Co., Ltd." (certificate now revoked).
  4. Persistence: Pulse.exe registered under the Windows RunOnce registry key.
  5. Targeted VPN configuration file: C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat.

The Hyrax Infostealer and the Cover-Up

Hyrax is the payload that does the actual credential harvesting. Once loaded by dwmapi.dll, inspector.dll presents the user with a fake VPN sign-in dialog that closely replicates the legitimate Pulse Secure client interface. When the user enters their VPN username and password, Hyrax captures those credentials. It also reads stored VPN configuration data from a local file: C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat. Everything gathered — credentials and configuration data — is transmitted to the attacker's command-and-control server at 194.76.226[.]93:8080.

What makes Hyrax particularly effective in this campaign is what comes next. After the theft, the malware displays a fake error message telling the user the installation failed. In many cases it then directs them — sometimes by automatically opening a browser — to the official vendor website to download the real client. The user installs the legitimate VPN software, it connects without issue, and the compromise becomes invisible. There are no lingering error messages, no broken application, no reason to open a support ticket.

"If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user." — Microsoft Threat Intelligence, March 2026

Persistence is maintained through the Windows RunOnce registry key, with Pulse.exe configured to execute at the next restart. Note that Windows removes a RunOnce value when it runs it, so persistence across more than one restart implies the malware re-registers the value each time it executes, which is itself a detectable pattern. This gives Storm-2561 ongoing access, including the ability to re-harvest credentials if the user changes their password and logs back in through what they believe is a now-legitimate client. Microsoft also identified additional malicious executables carrying the same Taiyuan Lihua certificate, including files named Sophos-Connect-Client.exe, GlobalProtect-VPN.exe, VPN-Client.exe, and vpn.exe, confirming that this is a broader distribution effort spanning multiple vendor impersonations under a single signing identity.

Why This Campaign Is Harder to Catch Than It Looks

Each layer of this attack is individually unremarkable. Users trust search engines. They trust GitHub as a software hosting platform. They trust digitally signed installers — code signing exists specifically to signal that software is verified. And they trust VPN clients, because VPN clients are the gateway to work. Storm-2561 has stacked these individually plausible trust signals into a chain that, taken together, gives the malicious installer every surface appearance of legitimacy.

The Microsoft advisory explicitly notes this design: the installation path under %CommonFiles%\Pulse Secure blends in with legitimate software, and DLL sideloading via a Windows-named file like dwmapi.dll is less likely to trigger endpoint alerts tuned to flag obviously anomalous executables. The CSO Online analysis of the campaign noted a parallel with GPUGate malware identified by Arctic Wolf in August 2025 — that campaign also used GitHub repositories, MSI-packaged payloads, and credential exfiltration in a near-identical delivery chain, suggesting that a template for this style of attack has matured and is being replicated across threat actors.

The post-theft redirection is particularly consequential for security operations. When the user has a working VPN and no complaint, there is no ticket, no escalation, and no user-reported trail to follow. The credential was stolen cleanly, and the victim's experience looks like a routine installation hiccup. Without endpoint detection and response visibility into DLL sideloading events and RunOnce registry modifications, the compromise has no natural discovery path.

The Register's coverage of the campaign highlighted a vendor-neutral observation from Microsoft's own advisory worth underscoring: corporate credentials stored in browser-based password vaults secured only with personal credentials are at elevated risk. If an employee reuses a personal password to protect a browser vault that contains enterprise VPN credentials, a separate unrelated breach can expose those VPN credentials without the VPN vendor or employer ever being involved.

What Organizations Should Do Now

Microsoft's advisory offers several mitigation measures. The vendor-neutral ones are the most important. Multi-factor authentication on all VPN accounts is the single highest-leverage control: even if Storm-2561 harvests a username and password pair, MFA stops that pair from being used to open a session. The advisory is explicit that MFA exclusions, accounts carved out of MFA requirements for convenience, should be removed. Every account, on every device, from every location, should require MFA. Where the VPN supports it, prefer phishing-resistant methods such as FIDO2 security keys or certificate-based authentication over one-time codes: a fake sign-in dialog can prompt for a code just as easily as for a password.

On the endpoint side, organizations should ensure EDR is running in block mode rather than audit-only mode, and that network protection and web protection are enabled. Microsoft's SmartScreen is specifically designed to flag suspicious download sites before the installer reaches the disk. The attack surface reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is effective at catching the kind of novel signed executables Storm-2561 is pushing, since a signature from an unknown publisher does not by itself make a file prevalent or trusted; the rule depends on cloud-delivered protection, which must be enabled for it to work.

For hunting, Microsoft advises searching for files signed by "Taiyuan Lihua Near Information Technology Co., Ltd." and for anomalous DLL activity under Pulse Secure installation paths. Specifically, EDR telemetry showing dwmapi.dll being loaded from a Pulse Secure directory rather than from C:\Windows\System32 (or SysWOW64 for 32-bit processes) is a reliable indicator of this particular technique, and the same check generalizes to any Windows-named DLL loaded from an application directory. The persistence mechanism is equally detectable: a RunOnce value that launches Pulse.exe warrants immediate investigation, and because Windows deletes RunOnce values as it executes them, one that is repeatedly re-created is a stronger signal still.
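The following hunting script is an added example, not part of Microsoft's advisory or its tooling. It applies the indicators listed earlier (the revoked signer, the C2 endpoint, the RunOnce persistence and the dwmapi.dll sideload) to EDR-style events. The JSON-lines schema and the sample records are constructed for the example, so map the field names onto your own EDR export before using it:

```python
"""Added hunting example, not code from Microsoft's advisory. The event
schema and the sample records are constructed; map the field names onto
your own EDR export before using it."""
import json
from pathlib import PureWindowsPath

# Indicators from the advisory as quoted in this article.
BAD_SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."
C2 = ("194.76.226.93", 8080)
# Windows-named DLLs that should only ever load from the system directories.
# dwmapi.dll is the one used here; extend from your own sideloading baseline.
SYSTEM_DLL_NAMES = {"dwmapi.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def rule_sideload(ev):
    """A DLL with a system-library name loaded from anywhere but System32/SysWOW64."""
    if ev.get("event") != "ImageLoad":
        return None
    image = PureWindowsPath(ev["image_path"])
    if image.name.lower() in SYSTEM_DLL_NAMES and str(image.parent).lower() not in SYSTEM_DIRS:
        return f"sideload: {ev['process']} loaded {ev['image_path']}"
    return None

def rule_runonce(ev):
    """A Run/RunOnce value whose command launches Pulse.exe. Windows deletes a
    RunOnce value as it executes it, so one that keeps coming back is being
    re-registered by whatever it launches."""
    if ev.get("event") != "RegistryValueSet":
        return None
    key = ev["key"].lower()
    if (key.endswith((r"\currentversion\runonce", r"\currentversion\run"))
            and "pulse.exe" in ev["data"].lower()):
        return f"persistence: {ev['key']}\\{ev['value']} -> {ev['data']}"
    return None

def rule_signer(ev):
    """Any file or image carrying the revoked signer's name."""
    if ev.get("signer") == BAD_SIGNER:
        return f"revoked-signer: {ev.get('file_path') or ev.get('image_path')}"
    return None

def rule_c2(ev):
    """Outbound connection to the reported C2 endpoint."""
    if ev.get("event") == "NetworkConnect" and (ev["remote_ip"], ev["remote_port"]) == C2:
        return f"c2: {ev['process']} -> {ev['remote_ip']}:{ev['remote_port']}"
    return None

RULES = (rule_sideload, rule_runonce, rule_signer, rule_c2)

def hunt(jsonl):
    """Run every rule over each JSON-lines event; return the list of hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits.extend(h for h in (rule(ev) for rule in RULES) if h)
    return hits

# Constructed telemetry: one benign dwmapi.dll load from System32 and four
# events shaped like the chain described in this article.
SAMPLE = r"""
{"event":"FileCreate","process":"C:\\Windows\\System32\\msiexec.exe","file_path":"C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe","signer":"Taiyuan Lihua Near Information Technology Co., Ltd."}
{"event":"ImageLoad","process":"C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe","image_path":"C:\\Program Files\\Common Files\\Pulse Secure\\dwmapi.dll","signer":null}
{"event":"ImageLoad","process":"C:\\Windows\\explorer.exe","image_path":"C:\\Windows\\System32\\dwmapi.dll","signer":"Microsoft Windows"}
{"event":"RegistryValueSet","process":"C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","value":"Pulse","data":"\"C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe\""}
{"event":"NetworkConnect","process":"C:\\Program Files\\Common Files\\Pulse Secure\\Pulse.exe","remote_ip":"194.76.226.93","remote_port":8080}
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Of the four rules, the sideload rule is the one worth keeping after this campaign's indicators age out: the signer and the IP address will change, the loader trick will not. The benign explorer.exe load of the real dwmapi.dll from System32 is included to show the rule does not fire on ordinary use of that library.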

Browser credential storage deserves direct policy attention. Microsoft's advisory recommends disabling browser password syncing on managed devices through Group Policy, and further advises that employees should not store workplace credentials in personal browser vaults at all. The threat surface created by credential syncing across personal and work devices has grown considerably as remote work has normalized, and this campaign is a concrete example of why that surface matters.

At the user awareness level, the practical control is straightforward: enterprise VPN software should be distributed through internal channels — a company intranet, an IT self-service portal, or a managed deployment system — not downloaded from a search engine. When employees need to install or reinstall VPN clients, they should be directed to a canonical internal source. A search engine result, however convincing, is not that source.

Key Takeaways

  1. Storm-2561 has been operating since May 2025 and expanded the scope of its spoofed VPN brands significantly before Microsoft's mid-January 2026 detection. The campaign likely claimed credentials from employees across many organizations during that window.
  2. The attack is self-erasing by design. The redirect to legitimate software after credential theft means victims have no obvious reason to report a problem, and security teams have no natural signal to investigate.
  3. Code signing is not a trust signal for downloads from search results. Storm-2561 obtained a valid code-signing certificate and used it to get past both user caution and controls that only block unsigned code; a signature proves who held a certificate, not whether that party should be trusted. A signed installer from an unfamiliar domain is not a safe installer.
  4. MFA is the primary mitigation. Stolen credentials are only useful if they can open a session. Organizations with MFA fully enforced — no exclusions — significantly reduce the operational value of credentials stolen through this campaign.
  5. The playbook is being replicated. The similarities between Storm-2561's delivery chain and campaigns identified by other vendors suggest this technique is maturing into a repeatable pattern. VPN credential theft via fake signed installers distributed through SEO manipulation will appear again under different actor names.

The sources for this article are Microsoft's threat advisory published March 12, 2026 (Microsoft Security Blog), SecurityWeek's coverage of the same campaign, The Hacker News report drawing on both Microsoft and Zscaler disclosures, analysis from The Register, CSO Online, and CyberSecurityNews. Indicators of compromise are drawn directly from Microsoft's technical advisory.
