Published: 2026-03-14
Categories: Threat Intelligence, Identity and Access Management, Network Security, Supply Chain Security
Storm-2561: Signed VPN Impersonation via SEO Poisoning
Key Takeaways
Microsoft Threat Intelligence disclosed on March 12, 2026 a multi-phase credential theft campaign attributed to Storm-2561, a financially motivated threat actor tracked since May 2025 [1]. The campaign targets enterprise users who search for VPN client software and are steered by manipulated organic search rankings to actor-controlled spoofed download pages. Victims download trojanized installers for widely deployed enterprise VPN products, including Cisco Secure Client, Palo Alto GlobalProtect, Ivanti Pulse Secure, Fortinet FortiClient, SonicWall NetExtender, Sophos Connect, WatchGuard Mobile VPN, and Check Point Endpoint Security, each signed with an Extended Validation (EV) code-signing certificate issued to a Chinese-registered company. Whether those companies are shell entities or legitimate registrations whose identities were fraudulently appropriated has not been publicly confirmed [1][2].
The core evasion mechanism is the abuse of legitimately issued EV certificates. A valid EV signature helps the installer clear SmartScreen reputation checks, places a named, verified publisher in the User Account Control prompt instead of an "unknown publisher" warning, and induces false trust in endpoint protection tools that treat EV-signed binaries as elevated-trust artifacts. The malicious MSI packages deploy a DLL sideloading chain that ultimately delivers Hyrax, a general-purpose infostealer, which presents a convincing replica of the impersonated product's credential dialog. Captured VPN credentials, along with stored VPN server URIs extracted from local configuration files, are exfiltrated to actor-controlled command-and-control infrastructure [1][3].
Organizations should treat this campaign as a significant credential exposure risk for any enterprise that uses affected VPN products or permits IT staff to download software through commercial search engines. Affected VPN credentials should be rotated immediately, and MFA should be enforced across all remote access paths. At a structural level, the campaign illustrates the limits of code-signing trust as a security signal in environments where EV certificate procurement by criminal actors has been increasingly documented across multiple campaigns.
Background
Storm-2561 is designated under Microsoft's Storm naming convention, a temporary designation for a newly observed or developing activity cluster that has not yet been attributed to a named actor. The group is assessed as financially motivated based on its tradecraft, tooling, and targeting pattern. It has been active since at least May 2025, with three campaign phases documented: an initial mid-2025 wave using the Bumblebee loader against SonicWall and Pulse Secure lures, a second wave in October 2025 that focused exclusively on Ivanti Pulse Secure and was documented by Zscaler, and the current January 2026 campaign that expanded impersonation coverage to nine enterprise VPN products and was publicly disclosed by Microsoft Defender Experts [1][3][4].
The broader TTP class — distributing malware through SEO-optimized spoofed download pages — is not unique to Storm-2561. The technique, often called SEO poisoning or search engine optimization abuse, exploits the organic search ranking mechanism to place attacker-controlled pages above or alongside legitimate vendor pages for high-intent download queries. Unlike malvertising, which depends on paid placement and is subject to ad platform detection and removal, SEO-based delivery depends on persistent domain authority manipulation and is harder to detect and disrupt through automated means [5]. The technique has been observed across multiple financially motivated and nation-state-aligned actors since at least 2022, with documented campaigns distributing infostealers, RATs, and initial access loaders across developer tool, productivity software, and security utility lure themes — though a comprehensive accounting of its adoption remains dependent on which campaigns receive public reporting.
The certificate abuse dimension of this campaign has particular significance for enterprise security architecture. EV code-signing certificates are issued by accredited certificate authorities after identity verification of the subscribing organization. They command elevated trust treatment across Microsoft Windows SmartScreen, many endpoint protection products, and enterprise software policies. Storm-2561 obtained EV certificates issued through Certum Extended Validation Code Signing 2021 CA to at least two Chinese companies: “Hefei Qiangwei Network Technology Co., Ltd.” for the October 2025 phase, and “Taiyuan Lihua Near Information Technology Co., Ltd.” for the January 2026 campaign [1][3]. Whether these entities are shell companies established for certificate procurement or legitimately registered businesses whose credentials were fraudulently used is not publicly confirmed. Both certificates were revoked following Microsoft’s disclosure [1].
Security Analysis
Attack Chain: From Search Query to Credential Exfiltration
The operational workflow Storm-2561 employs is designed to minimize anomalies that a vigilant user might notice while maximizing credential capture fidelity. A user searching for "Cisco Secure Client installer," "GlobalProtect VPN download," or any of seven other high-volume enterprise VPN queries arrives at an actor-controlled domain crafted to visually replicate the legitimate vendor's download page. The spoofed sites are distinct from the legitimate vendor domains, but the use of plausible domain patterns, including country-code TLD variants, hyphen-separated vendor product names, and .org suffixes, reduces obvious suspicion [1][3]. Upon clicking "Download," the user is redirected to a GitHub repository hosted under the latestver organization, which at the time of disclosure contained the malicious ZIP archive VPN-Client.zip under a release tagged vpn-client2. Microsoft confirmed the repositories were removed following disclosure [1].
The ZIP archive contains a single MSI installer, VPN-Client.msi, bearing a valid EV signature from Taiyuan Lihua Near Information Technology Co., Ltd. When executed, the MSI deposits a set of files into %CommonFiles%\Pulse Secure\JUNS\ and %CommonFiles%\Pulse Secure\JAMUI\ — paths that mimic the legitimate Ivanti Pulse Secure installation footprint — and establishes a RunOnce registry key for persistence across a reboot [1]. The apparent “Pulse Secure” installation context is consistent across all lure themes: regardless of which VPN product the download page impersonated, the underlying file set is uniform, suggesting the actor prioritized tooling simplicity — though this consistency is itself a forensic differentiator in environments that do not run Pulse Secure.
The installation chain proceeds through DLL sideloading. The signed dropper, Pulse.exe, loads dwmapi.dll from its own directory rather than from the Windows system directory, because the application directory precedes the system directories in the default DLL search order. The local dwmapi.dll is not the legitimate Windows Desktop Window Manager API library; it is the campaign's loader, which decrypts and executes an embedded shellcode payload that in turn loads inspector.dll, the Hyrax infostealer module [1]. The sideloading technique is notable because SmartScreen and many endpoint protection tools evaluate the trust of the signed Pulse.exe at download or launch but do not enforce signature requirements on the DLLs that process subsequently loads; absent a code-integrity policy such as WDAC that covers DLLs, Windows itself imposes none. The chain deliberately exploits this trust propagation gap.
Hyrax presents a credential capture dialog that is visually matched to the specific VPN product the user initially sought to download. After the user enters their VPN credentials, the infostealer transmits them along with stored VPN server URIs extracted from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat to actor-controlled C2 endpoints via HTTP POST [1]. Following exfiltration, the malware displays a fake installation error — mimicking a common software compatibility warning — and opens the legitimate vendor download page in the user’s default browser. This post-compromise misdirection is operationally significant: in most cases the user attributes the failed “installation” to a technical glitch, installs the real VPN client, and has no apparent reason to report the event to security operations or treat it as a potential compromise indicator.
| Campaign Phase | Lure Themes | Delivery Method | Infostealer Component | Period |
|---|---|---|---|---|
| Phase 1 | SonicWall NetExtender, Pulse Secure, Hanwha Vision | SEO poisoning + MSI (Bumblebee loader) | Bumblebee | Mid-2025 |
| Phase 2 | Ivanti Pulse Secure | SEO poisoning → ivanti-vpn[.]org | Hyrax (early variant, XOR C2) | October 2025 |
| Phase 3 | Cisco Secure Client, GlobalProtect, Pulse Secure, FortiClient, SonicWall, Sophos Connect, WatchGuard, Check Point, Ivanti | SEO poisoning → GitHub-hosted ZIP → signed MSI | Hyrax (DLL sideloading) | January 2026 |
Sources: Microsoft Security Blog [1], Zscaler ThreatLabz [3]
Malware Components and Indicators
The technical artifacts of the January 2026 campaign have been documented by Microsoft Defender Experts. The delivery archive VPN-Client.zip contains VPN-Client.msi, the installation vehicle. The MSI drops Pulse.exe as the signed execution stub, dwmapi.dll as the first-stage loader, and inspector.dll as the Hyrax payload. SHA-256 hashes for these components are as follows [1]:
| File | SHA-256 |
|---|---|
| VPN-Client.zip | 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f |
| VPN-Client.msi | 862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557 |
| Pulse.exe (signed dropper) | 44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8 |
| dwmapi.dll (sideloaded loader) | 6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6 |
| inspector.dll (Hyrax payload) | 6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca |
Source: Microsoft Security Blog [1]
C2 infrastructure reported for the January 2026 campaign includes the endpoint 194.76.226[.]93:8080 and the domains vpn-connection[.]pro and myconnection[.]pro [1]. The October 2025 phase documented by Zscaler used an earlier C2 at 4.239.95[.]1:8080 with a distinctive /income_shit POST path [3]. The move from that idiosyncratic path to generic-looking endpoints in January 2026 suggests deliberate tradecraft improvement between campaign phases.
The GitHub distribution mechanism merits separate attention. Using a public platform as a staging server for malware downloads provides several advantages for the actor: GitHub’s CDN infrastructure delivers files over HTTPS from a domain with extremely high reputation, making network-level blocking impractical without collateral impact. Automated download prevention relies on GitHub’s own abuse detection, which has latency that actors can exploit within campaign windows. The latestver/vpn repository naming is crafted to appear like a version aggregator or community mirror, which is a pattern IT administrators may recognize as legitimate. This is not the first documented campaign to exploit GitHub as a malware staging host; the technique was also documented in the GPUGate campaign attributed to a separate actor in September 2025 [6].
EV Certificate Abuse: Structural Implications
The use of two separately issued EV certificates from the same CA across distinct campaign phases suggests the actor has reliable access to an EV certificate procurement capability, whether through a criminal service provider or repeated registration of new entities. EV certificate procurement requires documentation of organizational existence and identity, yet documented campaigns have consistently obtained such certificates through one of two pathways: the fraudulent use of legitimate business registrations (often in jurisdictions with weak verification practices), or the use of shell companies established specifically for certificate acquisition [7].
The two EV certificates used in the documented Storm-2561 phases — both issued through Certum’s Extended Validation CA, both linked to Chinese companies in different cities — suggest either a relationship with a certificate procurement service that can repeatedly supply EV credentials from the same CA, or a separate operation by the same actor to register multiple entities across campaign phases. Either interpretation implies that certificate revocation, while necessary and appropriate, functions as a lagging control: it addresses known artifacts after exposure rather than preventing the initial abuse. For defenders, this means EV certificate presence cannot be treated as evidence of trustworthiness; it is a property of the artifact that an adversary can manufacture with modest operational investment.
Microsoft Defender detects the campaign's components under the names Trojan:Win32/Malgent and TrojanSpy:Win64/Hyrax [1]. Organizations running Microsoft Defender for Endpoint with cloud-delivered protection and EDR in block mode enabled should receive detection and blocking coverage for the known hashes. Organizations relying on signature-based AV, or on certificate presence as a trust signal, without behavioral detection capability will have lower coverage against variants that use new certificates and modified binaries.
MITRE ATT&CK Technique Mapping
Storm-2561's documented tradecraft maps to a coherent initial access and collection chain within the MITRE ATT&CK framework. Before the user arrives at the delivery surface, the actor acquires lure domains (Acquire Infrastructure: Domains, T1583.001), uploads the malware to GitHub (Stage Capabilities: Upload Malware, T1608.001), and manipulates search rankings (Stage Capabilities: SEO Poisoning, T1608.006), the distribution sub-technique that enables the entire chain. Initial execution requires social engineering: the victim must run the malicious file (User Execution: Malicious File, T1204.002), which the actor facilitates by impersonating trusted software (Masquerading: Match Legitimate Name or Location, T1036.005) and presenting a digitally signed binary (Subvert Trust Controls: Code Signing, T1553.002). Post-execution, DLL sideloading (Hijack Execution Flow: DLL, T1574.001, which in current ATT&CK versions covers both search-order hijacking and side-loading) achieves defense evasion, the fake credential dialog constitutes GUI Input Capture (T1056.002), and the connectionstore.dat read adds Data from Local System (T1005). Exfiltration occurs over the existing C2 HTTP channel (Exfiltration Over C2 Channel, T1041), with persistence via Registry Run Keys / Startup Folder (T1547.001).
Recommendations
Immediate Actions
Organizations that use any of the impersonated VPN products — Cisco Secure Client, Palo Alto GlobalProtect, Ivanti Pulse Secure, Fortinet FortiClient, SonicWall NetExtender, Sophos Connect, WatchGuard Mobile VPN, or Check Point Endpoint Security — should conduct immediate triage regardless of known exposure. The actor's post-compromise misdirection means affected users may not self-report, making proactive detection essential. Security operations teams should hunt endpoints for files signed by "Taiyuan Lihua Near Information Technology Co., Ltd." or "Hefei Qiangwei Network Technology Co., Ltd." and search for VPN-related MSI or EXE files deployed outside IT-managed distribution channels. Any endpoint with %CommonFiles%\Pulse Secure\JUNS\ or %CommonFiles%\Pulse Secure\JAMUI\ directories in an environment that does not run Ivanti Pulse Secure warrants immediate isolation and investigation.
DNS and proxy filtering should be updated to block the known C2 domains and lure domains. Outbound connections to 194.76.226[.]93:8080, vpn-connection[.]pro, and myconnection[.]pro should be denied at the network perimeter. Confirmed or suspected exposures should trigger mandatory VPN credential rotation and re-authentication, with authentication events reviewed for anomalous access patterns in the period following the exposure window.
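The triage steps above can be scripted. The following is an added example, not code from Microsoft's or Zscaler's reporting: it sweeps a directory tree for the published SHA-256 values, flags the JUNS/JAMUI directory footprint on hosts that should not have Pulse Secure, and matches DNS and proxy records against the C2 domains and IP. The hash, domain, IP and path indicators come from the tables and text above; the log line format (`timestamp host dns|proxy destination`), the demo file layout and the sample log lines are constructed, and the demo hash set exists only so the file sweep has something to hit offline. Publisher-name hunting (Get-AuthenticodeSignature on Windows) is left to native tooling.

```python
"""IOC sweep for the Storm-2561 artifacts listed in this page.

Added example, not code from Microsoft, Zscaler or the campaign. Indicators
are copied from the page; the log-line format, the demo file layout and the
sample log lines are constructed for illustration and are not real telemetry.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# SHA-256 values from the indicator table above.
KNOWN_HASHES = {
    "57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f": "VPN-Client.zip",
    "862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557": "VPN-Client.msi",
    "44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8": "Pulse.exe",
    "6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6": "dwmapi.dll",
    "6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca": "inspector.dll",
}
# C2 domains (January 2026), the October 2025 lure domain, and the C2 IP, un-defanged for matching.
KNOWN_DOMAINS = {"vpn-connection.pro", "myconnection.pro", "ivanti-vpn.org"}
KNOWN_IPS = {"194.76.226.93"}
# Directories the MSI creates under Common Files; suspicious where Pulse Secure is not deployed.
SUSPECT_SUBDIRS = ("Pulse Secure/JUNS", "Pulse Secure/JAMUI")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root: Path, known: dict = KNOWN_HASHES) -> list:
    """Return (path, label) for every file under root whose SHA-256 is in `known`."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = sha256_file(p)
            if digest in known:
                hits.append((str(p), known[digest]))
    return hits


def hunt_dirs(common_files: Path, runs_pulse_secure: bool = False) -> list:
    """Flag the JUNS/JAMUI footprint on hosts that are not expected to run Pulse Secure."""
    if runs_pulse_secure:
        return []
    return [str(common_files / d) for d in SUSPECT_SUBDIRS if (common_files / d).is_dir()]


# Constructed log format: "<timestamp> <host> dns|proxy <destination[:port]>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proxy) (?P<dst>\S+)$")


def hunt_logs(lines) -> list:
    """Match DNS/proxy lines against the C2 domains, their subdomains and the C2 IP."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst").lower()
        name = dst.rsplit(":", 1)[0]  # strip an optional :port
        if (name in KNOWN_DOMAINS or name in KNOWN_IPS
                or any(name.endswith("." + d) for d in KNOWN_DOMAINS)):
            hits.append((m.group("host"), dst))
    return hits


# Constructed demo inputs (not real telemetry, not real malware).
DEMO_CONTENT = b"constructed sample, stands in for a downloaded archive\n"
DEMO_KNOWN = {hashlib.sha256(DEMO_CONTENT).hexdigest(): "demo-sample"}
SAMPLE_LOG = [
    "2026-01-21T09:14:02Z ws-0412 dns vpn-connection.pro",
    "2026-01-21T09:14:03Z ws-0412 proxy 194.76.226.93:8080",
    "2026-01-21T09:15:10Z ws-0277 dns vpn.example.com",
    "2026-01-21T09:16:44Z ws-0412 dns cdn.myconnection.pro",
]


def build_demo_layout() -> Path:
    """Create a throwaway tree: the JUNS directory plus one file holding DEMO_CONTENT."""
    root = Path(tempfile.mkdtemp(prefix="storm2561-demo-"))
    (root / "Common Files" / "Pulse Secure" / "JUNS").mkdir(parents=True)
    (root / "Downloads").mkdir()
    (root / "Downloads" / "VPN-Client.zip").write_bytes(DEMO_CONTENT)
    return root


if __name__ == "__main__":
    root = build_demo_layout()
    print("real IOC hash hits:", hunt_files(root))  # empty unless the real samples are present
    print("demo hash hits    :", hunt_files(root, DEMO_KNOWN))
    print("suspect dirs      :", hunt_dirs(root / "Common Files"))
    print("network hits      :", hunt_logs(SAMPLE_LOG))
```

On a real host, point `hunt_files` at user download and temp directories and `hunt_dirs` at the actual Common Files path; the subdomain match in `hunt_logs` matters because the actor can front the C2 domains with arbitrary hostnames without changing the registered domain.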
Short-Term Mitigations
MFA enforcement across all VPN and remote access endpoints is among the most impactful near-term controls available, as it directly limits the operational value of any credentials already exfiltrated via the Hyrax dialog. Even when an attacker successfully captures VPN credentials, MFA prevents those credentials from yielding a successful authentication without the second factor. Organizations without universal MFA on VPN access should treat this campaign as an immediate driver to accelerate MFA deployment, particularly for remote access endpoints that expose internal network resources.
Software acquisition policy is the second critical control surface. Users who download VPN client software through commercial search engines — including IT staff performing routine client deployments — are exposed to this attack vector in a way that endpoint controls alone cannot fully address. A policy requiring all software installation to proceed through an internal software catalog, IT-managed deployment workflow, or directly bookmarked vendor download pages substantially reduces the search-engine-as-discovery-channel risk. This is especially important for IT professionals and security staff: VPN client software is most frequently sought by those performing device provisioning, making these personnel likely primary targets of lure themes focused on enterprise VPN products.
Hyrax is categorized as a general-purpose infostealer with browser credential harvesting capability; while the cited campaign documentation focuses on VPN credential capture, organizations should assume broader collection potential and consider disabling browser-based credential storage for work accounts. Enforcing credential manager policies through Group Policy or MDM limits what a successful infostealer execution can collect beyond the explicitly captured VPN credential.
Strategic Considerations
At a strategic level, the Storm-2561 campaign highlights that search engine result integrity is an uncontrolled variable in enterprise software acquisition workflows, and one that security architectures rarely account for explicitly. Zero Trust frameworks and software-defined perimeter architectures emphasize the principle that network access decisions must be based on verified identity and device state, not assumed based on network position, but they do not in themselves constrain how software reaches managed endpoints before device state is assessed. Closing this gap requires deliberate policy: defining approved installation channels, enforcing those channels through application control, and treating employee-initiated software downloads from web sources as unmanaged by default.
The recurrent pattern of EV certificate abuse across multiple threat actor campaigns suggests that certificate presence as a trust indicator has been structurally undermined. Enterprises relying on certificate-based application control, such as policies that allow execution of all Microsoft-signed or EV-signed binaries, should reconsider whether certificate trust alone is an appropriate gate. A more robust model couples code signing with publisher reputation derived from file prevalence telemetry, deployment channel provenance, and behavioral analysis. Microsoft Defender's Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" operationalizes this principle. It applies to executable files such as .exe and .dll rather than to the MSI package itself, so on endpoints where it runs in block mode it would have been positioned to stop the low-prevalence Pulse.exe and dwmapi.dll dropped by the installer; whether it would have fired in practice depends on the prevalence and age telemetry available at the time.
Finally, the campaign’s use of DLL sideloading through a signed parent process reflects a persistent pattern across infostealer and RAT delivery campaigns that has resisted straightforward technical mitigation. Detection engineering investments that focus on DLL load monitoring — particularly loads of dwmapi.dll, version.dll, and other commonly sideloaded system library names from non-system directories — represent durable detection capability against this technique class, regardless of the specific campaign variants that follow.
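The trust propagation gap described in the attack-chain section (a signed Pulse.exe loading an unsigned dwmapi.dll from its own directory) and the DLL load monitoring recommended above can be turned into a concrete detection. The following is an added example, not code from Microsoft, Sysmon or the campaign: it takes Sysmon Event ID 7 (ImageLoad) records as dictionaries carrying the Image, ImageLoaded, Signed and Signature fields Sysmon emits, and flags known side-load target names loaded from outside the Windows system directories, raising the severity when the DLL sits beside the loading executable or is unsigned or signed by a non-Microsoft publisher. The sample events, paths and publisher names are constructed; the library names beyond dwmapi.dll and version.dll are assumptions drawn from general side-loading experience rather than from the page.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example, not code from Microsoft, Sysmon or the campaign. The events
below are constructed to mirror the Sysmon fields Image, ImageLoaded, Signed
and Signature; real records come from Get-WinEvent or a SIEM export.
"""
from pathlib import PureWindowsPath

# dwmapi.dll and version.dll are named in the text; the others are assumed
# from general side-loading experience and are not from the page.
SIDELOAD_NAMES = {"dwmapi.dll", "version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}
SYSTEM_DIRS = {"system32", "syswow64", "winsxs"}
# Signer strings Sysmon reports for Microsoft-signed system libraries.
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}


def is_system_path(path: PureWindowsPath) -> bool:
    """True for files under <drive>\\Windows\\{System32,SysWOW64,WinSxS}."""
    parts = [p.lower() for p in path.parts]
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] in SYSTEM_DIRS


def analyze(event: dict):
    """Return a finding dict for a suspicious load, or None for a benign one."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_NAMES or is_system_path(loaded):
        return None
    image = PureWindowsPath(event["Image"])
    reasons = ["known side-load target loaded outside a Windows system directory"]
    if loaded.parent == image.parent:  # classic side-load: the DLL sits beside the EXE
        reasons.append("DLL sits in the same directory as the loading image")
    signed = str(event.get("Signed", "false")).lower() == "true"
    signer = event.get("Signature", "").lower()
    if not signed:
        reasons.append("DLL is unsigned")
    elif signer not in TRUSTED_SIGNERS:
        reasons.append(f"DLL signed by non-Microsoft publisher: {event['Signature']}")
    return {"image": str(image), "dll": str(loaded), "reasons": reasons}


def scan(events) -> list:
    """Run analyze() over a batch of ImageLoad events and keep the findings."""
    return [f for f in (analyze(e) for e in events) if f]


# Constructed events: the first mirrors the Pulse.exe -> dwmapi.dll chain in the text,
# the fourth is a generic side-load with a non-Microsoft signer, the rest are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Common Files\Pulse Secure\JUNS\Pulse.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Pulse Secure\JUNS\dwmapi.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files (x86)\Example\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\setup\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\setup\version.dll",
     "Signed": "true", "Signature": "Example Software Ltd"},
    {"Image": r"C:\Program Files\Example\app.exe",
     "ImageLoaded": r"C:\Program Files\Example\plugin.dll",
     "Signed": "true", "Signature": "Example Software Ltd"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["image"], "->", finding["dll"])
        for r in finding["reasons"]:
            print("   ", r)
```

The name list is the tuning knob: a short list keeps the rule quiet, while a broader one (every DLL name that also exists in System32) catches novel sideloads at the cost of more benign hits from applications that legitimately ship private copies of system libraries. Either way the signer check, not the path check, is what separates the Storm-2561 chain from a vendor bundling its own signed copy.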
CSA Resource Alignment
Storm-2561’s campaign connects to multiple CSA frameworks and guidance documents that provide complementary context and action frameworks for enterprise security programs.
The CSA Zero Trust guidance is directly applicable to the credential theft scenario at the center of this campaign. Its core principle, that identity verification must occur continuously and cannot be assumed from a prior authentication, means that exfiltrated VPN credentials should not by themselves yield persistent access to internal resources. Zero Trust architectures that enforce device posture assessment at every access decision, require re-authentication for sensitive resources, and restrict lateral movement based on identity rather than network position meaningfully limit the damage from a credential compromise event [8].
The Cloud Controls Matrix (CCM) domain IAM (Identity and Access Management) addresses the controls that limit credential theft impact. CCM v4 controls IAM-14 (Strong Authentication), IAM-06 (User Access Provisioning), and IAM-08 (User Access Review) map directly to the MFA enforcement, least-privilege provisioning, and periodic access review recommendations above [9]. CCM domain UEM (Universal Endpoint Management) addresses the endpoint configuration controls, including application control, software distribution policy, and endpoint detection, that would prevent or detect the Storm-2561 delivery chain.
The CSA Cloud Threat Modeling 2025 publication provides threat model patterns for credential theft attacks targeting cloud-connected environments that are relevant to organizations using cloud-brokered VPN or ZTNA solutions [10]. The Software-Defined Perimeter (SDP) Architecture Guide and SDP Specification document the authenticate-before-connect access control model that structurally limits the value of stolen VPN credentials by requiring both certificate-based device authentication and identity verification before any network access is permitted — a model that most traditional IPsec and SSL-VPN deployments do not implement [11][12].
Organizations that rely primarily on signature-based detection will have limited coverage against novel campaign variants using new certificates and modified binaries. Behavioral detection capability — covering DLL load anomalies, low-prevalence newly signed executables, and post-execution credential dialog activity — is the necessary complement to signature-based approaches, and represents the most durable investment against the technique class Storm-2561 exemplifies.
References
1. Microsoft Threat Intelligence, "Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft," Microsoft Security Blog, March 12, 2026. https://www.microsoft.com/en-us/security/blog/2026/03/12/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft/
2. GBHackers Security, "Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials," March 13, 2026. https://gbhackers.com/storm-2561-uses-seo-poisoning/
3. Zscaler ThreatLabz, "Search, Click, Steal: The Hidden Threat of Spoofed Ivanti VPN Client Sites," October 2025. https://www.zscaler.com/blogs/security-research/spoofed-ivanti-vpn-client-sites
4. The Hacker News, "Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials," March 2026. https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html
5. CSO Online, "Storm-2561 targets enterprise VPN users with SEO poisoning, fake clients," March 2026. https://www.csoonline.com/article/4144783/storm-2561-targets-enterprise-vpn-users-with-seo-poisoning-fake-clients.html
6. Arctic Wolf, "GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads, Target Western Europe," September 2025. https://arcticwolf.com/resources/blog/gpugate-malware-malicious-github-desktop-implants-use-hardware-specific-decryption-abuse-google-ads-target-western-europe/
7. The Register, "Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others," March 13, 2026. https://www.theregister.com/2026/03/13/vpn_clients_spoofed/
8. Cloud Security Alliance, "An Executive View on How Zero Trust Protects Organizations by Securely Connecting Users to Resources from Anywhere," CSA Research. https://cloudsecurityalliance.org/research/artifacts/an-executive-view-on-how-zero-trust-protects-organizations-by-securely-connecting-users-to-resources-from-anywhere/
9. Cloud Security Alliance, "Cloud Controls Matrix v4.0," CSA Research. https://cloudsecurityalliance.org/research/cloud-controls-matrix/
10. Cloud Security Alliance, "Cloud Threat Modeling 2025," CSA Research, 2025. https://cloudsecurityalliance.org/research/artifacts/cloud-threat-modeling-2025/
11. Cloud Security Alliance, "Software Defined Perimeter Architecture Guide v3," CSA Research. https://cloudsecurityalliance.org/research/artifacts/software-defined-perimeter-architecture-guide-v3/
12. Cloud Security Alliance, "SDP Specification v1.0," CSA Research. https://cloudsecurityalliance.org/research/artifacts/sdp-specification-v1-0/