Storm-2561 Spreads Trojan VPN

Fake VPNs: because regular phishing apparently wasn’t enough

Microsoft detailed a campaign by Storm-2561 that used SEO poisoning and fake software sites to push trojanised VPN clients. Victims searching for legitimate enterprise VPN tools were redirected to malicious ZIP files and MSI installers, in some cases hosted via GitHub, that masqueraded as trusted products. The malware used DLL sideloading and a fake sign-in prompt to steal VPN credentials with a Hyrax information-stealer variant, while also using the Windows RunOnce key for persistence. The campaign demonstrates how attackers exploit trust in search rankings and familiar software brands to capture valuable enterprise credentials.

If you go looking online for enterprise VPN software, you might reasonably expect to find enterprise VPN software. Sadly, the internet continues to be a place where optimism goes to die.
Microsoft says threat group Storm-2561 has been using SEO poisoning to push fake VPN installers at people searching for legitimate products. Victims are nudged towards malicious ZIP archives and MSI files that appear to be trusted software but are actually credential-stealing trojans. In some cases, GitHub was used to host the installer files, which adds a helpful layer of false reassurance for anyone who still believes a well-known platform automatically equals safety.

How the scam works

The malicious installer poses as a VPN client, then sideloads rogue DLLs during installation. After that, the victim is shown a convincing sign-in prompt designed to capture their VPN credentials. Once those details are entered, the user may receive an error and even be redirected to the real VPN website, making the whole process look like a simple technical hiccup rather than a full-on credential theft operation. The malware also uses the Windows RunOnce registry key to ensure it returns after a reboot.
Microsoft linked the campaign to Hyrax, an information-stealer variant used to exfiltrate VPN credentials. The wider lesson is that search-engine placement and respectable branding are now part of the attacker toolkit. If criminals can rank well enough or spoof a familiar vendor effectively, users will often do the rest.

What to do about it

Organisations should enforce MFA on VPN access, limit software downloads to approved sources and warn staff against downloading “helpful” installers from search results. For defenders, monitoring for fake sign-in prompts and unauthorised DLL sideloading would also be sensible. It turns out “download the VPN” is no longer a routine sentence.