Microsoft Tracks Storm-2561 In Fake VPN Client Credential Theft Scheme
Microsoft says a cybercriminal group it tracks as Storm-2561 is running a credential theft campaign that uses fake VPN clients pushed through search engine optimization poisoning, luring users who search for trusted enterprise software into downloading trojanized installers instead of real tools.
Microsoft Defender Experts identified the activity in mid-January 2026, and the company says the operation shows how attackers continue to abuse well-known software brands, search rankings, and trusted platforms to steal corporate access.
According to Microsoft, Storm-2561 has been active since at least May 2025. It is known for using SEO poisoning and software impersonation to deliver malware to users looking for legitimate products.
When a user on one of the impersonating download pages clicked the download button, the site redirected them to a malicious GitHub repository that hosted a ZIP archive named VPN-CLIENT.zip. Microsoft says the repository has since been removed.
Inside the archive was an MSI installer that masqueraded as a legitimate Pulse Secure VPN package but actually deployed malware signed with a now-revoked certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd.
Microsoft said the installer placed Pulse.exe in a folder that closely resembled a genuine Pulse Secure path under %CommonFiles%\Pulse Secure, helping the files blend into the system and avoid user suspicion.
It also dropped two malicious DLLs, dwmapi.dll and inspector.dll, with dwmapi.dll acting as an in-memory loader that launched shellcode and then loaded inspector.dll, a variant of the Hyrax infostealer.
The campaign also used a clever deception step after the theft.
Microsoft said the fake installer displayed an error message and, in some cases, redirected users to the legitimate VPN website, which could make the earlier compromise appear to be nothing more than a failed installation or a temporary software issue.
For persistence, the malware added Pulse.exe to the Windows RunOnce registry key so it could relaunch after a reboot.
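The installer behaviour described above (a dwmapi.dll planted beside Pulse.exe outside the Windows system directories, then a RunOnce value pointing at that executable) can be correlated from file and registry telemetry. The following detection sketch is an added example, not code from Microsoft's report; the event dictionary format and the RunOnce value name are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# dwmapi.dll belongs in these directories; a copy beside an executable elsewhere is the side-loading pattern above.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed events modelled on the installer behaviour above, not real telemetry.
# The RunOnce value name "Pulse" is an assumption; the report only names the key.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\Windows\System32\dwmapi.dll"},  # legitimate copy
    {"type": "file_create", "path": r"C:\Program Files (x86)\Common Files\Pulse Secure\Pulse.exe"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\Common Files\Pulse Secure\dwmapi.dll"},
    {"type": "file_create", "path": r"C:\Program Files (x86)\Common Files\Pulse Secure\inspector.dll"},
    {"type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Pulse",
     "value": r'"C:\Program Files (x86)\Common Files\Pulse Secure\Pulse.exe"'},
]

def parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()

def analyze(events):
    """Correlate file-create and registry events; return a list of findings."""
    sideloaded = {}                  # dir -> path of a dwmapi.dll dropped outside System32
    dropped_exes = defaultdict(set)  # dir -> executables written there
    runonce = []
    for ev in events:
        if ev["type"] == "file_create":
            d = parent_dir(ev["path"])
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name == "dwmapi.dll" and not d.startswith(SYSTEM_DIRS):
                sideloaded[d] = ev["path"]
            elif name.endswith(".exe"):
                dropped_exes[d].add(ev["path"])
        elif ev["type"] == "reg_set" and "\\currentversion\\runonce\\" in ev["key"].lower():
            runonce.append(ev)
    findings = []
    # Rule 1: a dwmapi.dll planted beside a freshly written executable.
    for d, dll in sideloaded.items():
        for exe in sorted(dropped_exes.get(d, ())):
            findings.append({"rule": "dwmapi_sideload", "dll": dll, "exe": exe})
    # Rule 2: a RunOnce value whose target executable lives in a directory from rule 1.
    for ev in runonce:
        m = re.match(r'\s*"?([^"]+?\.exe)', ev["value"], re.IGNORECASE)
        if m and parent_dir(m.group(1)) in sideloaded:
            findings.append({"rule": "runonce_persistence", "key": ev["key"], "exe": m.group(1)})
    return findings
```

Running `analyze(SAMPLE_EVENTS)` yields one side-loading finding for Pulse.exe and one persistence finding for the RunOnce value; the legitimate System32 copy of dwmapi.dll produces nothing.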
This campaign stands out because it combines several trust signals into a single attack chain: search engine placement, brand impersonation, GitHub hosting, and valid code signing.
Each layer reduces suspicion, and together they create a convincing path from search results to a fake installer to stolen credentials, especially for employees who are urgently trying to access business systems.
For defenders, Microsoft recommends enabling cloud-delivered protection, EDR in block mode, network protection, web protection, and browser protections such as SmartScreen to stop malicious sites and artifacts earlier in the chain.
The company also urged organizations to enforce multifactor authentication, prevent the storage of workplace passwords in personal browser vaults, and use attack surface reduction rules to block the execution of low-prevalence or untrusted executables.