Microsoft reports Storm-2561 campaign using fake VPN clients for credential theft

According to The Hacker News, Microsoft has disclosed a credential theft campaign run by a threat group it tracks as Storm-2561. The campaign uses search engine optimization (SEO) poisoning to trick users into downloading malware disguised as legitimate virtual private network (VPN) clients.

The attack begins with the threat actors manipulating search results so that users looking for enterprise VPN software are directed to fake websites. These sites host digitally signed trojans that impersonate trusted VPN clients; because the installers carry valid signatures, they look legitimate to the user. Once installed, the malware harvests the VPN credentials the victim enters. Microsoft observed this activity beginning in mid-January 2026.

Earlier iterations of this campaign, documented by Cyjax and Zscaler, targeted users searching for software from SonicWall, Hanwha Vision, and Ivanti (Ivanti Secure Access), typically using fake installers that either deploy malware such as the Bumblebee loader or steal credentials directly. The attackers have also abused platforms such as GitHub to host malicious installer files, which then use a variant of the Hyrax information stealer to exfiltrate data.

To mitigate these threats, organizations and users should enforce multi-factor authentication on VPN access so that stolen passwords alone are not enough, download VPN clients only from the vendor's own site rather than from search results, and verify the authenticity of what they download. Because the trojans in this campaign are themselves digitally signed, a valid signature is not proof of legitimacy: check that the signer is the vendor you expect, and compare the file hash against one the vendor publishes where one is available.
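The following is an added example, not code from the article or from Microsoft, showing how an endpoint or helpdesk team could check a downloaded installer before running it. It treats "validly signed" as necessary but not sufficient and additionally requires the signer subject to match an allowlist for the vendor the user intended to download from; the file path and the signer pattern in the usage call are hypothetical placeholders.

```powershell
# Added example (not from the article): reject an installer unless it is validly
# signed AND the signer's certificate subject matches the vendor we expected.
# All paths, subject patterns and hashes below are hypothetical placeholders.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedSignerSubjects,  # wildcard patterns, e.g. 'CN=Vendor Inc.*'
        [string]$ExpectedSha256                                   # optional vendor-published hash
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    # Step 1: the Authenticode signature must verify (NotSigned, HashMismatch,
    # UnknownError etc. all fail here).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # Step 2: a valid signature only proves *someone* with a trusted certificate
    # signed the file. Campaigns like this one ship signed trojans, so the signer
    # subject must match the vendor whose client the user meant to install.
    $subject = $sig.SignerCertificate.Subject
    $matched = $AllowedSignerSubjects | Where-Object { $subject -like $_ }
    if (-not $matched) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "unexpected signer: $subject" }
    }

    # Step 3 (optional): if the vendor publishes a hash for this release, require it.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "SHA-256 mismatch: $actual" }
        }
    }

    [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = "signed by $subject" }
}

# Usage with hypothetical values. The signer pattern and any expected hash must come
# from the vendor's official site or documentation, never from the page that served
# the download. A Trusted=$false result means: do not run the installer.
Test-TrustedInstaller -Path 'C:\Users\alice\Downloads\vpn-client-setup.exe' `
    -AllowedSignerSubjects @('CN=Example VPN Vendor Inc.*')
```

The allowlist is matched with `-like` so an administrator can pin the full subject (organization, locality, country) rather than just the common name; an attacker who obtains a certificate with a look-alike CN but a different organization will still fail the check. Run this on the machine that will install the software, since `Get-AuthenticodeSignature` evaluates the certificate chain against that machine's trust store.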

Source: The Hacker News
