{"id":60301,"date":"2026-03-12T17:00:00","date_gmt":"2026-03-12T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=145731"},"modified":"2026-03-12T17:00:00","modified_gmt":"2026-03-12T17:00:00","slug":"storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft\/","title":{"rendered":"Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft"},"content":{"rendered":"<p class=\"wp-block-paragraph\">In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning. The campaign steers users searching for legitimate enterprise VPN software to attacker-controlled websites that serve malicious ZIP files, deploying digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials. 
Microsoft Threat Intelligence attributes this activity to the cybercriminal threat actor Storm-2561.<\/p>\n<p class=\"wp-block-paragraph\">Active since May 2025, Storm-2561 is known for distributing malware through SEO poisoning and impersonating popular software vendors. The techniques they used in this campaign highlight how threat actors continue to exploit trusted platforms and software branding to avoid user suspicion and steal sensitive information. By targeting users who are actively searching for enterprise VPN software, attackers take advantage of both user urgency and implicit trust in search engine rankings. The malicious ZIP files that contain fake installer files are hosted on GitHub repositories, which have since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked.<\/p>\n<p class=\"wp-block-paragraph\">In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise in this Storm-2561 campaign, highlighting the social engineering techniques that the threat actor used to improve perceived legitimacy, avoid suspicion, and evade detection. We also share protection and mitigation recommendations, as well as <a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> detection and hunting guidance.<\/p>\n<h2 class=\"wp-block-heading\" id=\"from-search-to-stolen-credentials-storm-2561-attack-chain\">From search to stolen credentials: Storm-2561 attack chain<\/h2>\n<p class=\"wp-block-paragraph\">In this campaign, users searching for legitimate VPN software are redirected from search results to spoofed websites that closely mimic trusted VPN products but instead deploy malware designed to harvest credentials and VPN data. 
When users click to download the software, they are redirected to a malicious GitHub repository (no longer available) that hosts the fake VPN client for direct download.<\/p>\n<p class=\"wp-block-paragraph\">The GitHub repo hosts a ZIP file containing a Microsoft Windows Installer (MSI) package that mimics a legitimate VPN client installer and side-loads malicious dynamic link library (DLL) files during installation. The fake VPN software collects and exfiltrates credentials while appearing to be a benign VPN client application.<\/p>\n<p class=\"wp-block-paragraph\">This campaign is consistent with the financially motivated cybercrime operations Storm-2561 is known for. The malicious components are digitally signed by \u201cTaiyuan Lihua Near Information Technology Co., Ltd.\u201d<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig1-Storm-2561-attack-chain.webp\" alt=\"Diagram showing the attack chain of the Storm-2561 campaign\" class=\"wp-image-145737 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig1-Storm-2561-attack-chain.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 1. 
Storm-2561 campaign attack chain<\/em><\/figcaption><\/figure>\n<h3 class=\"wp-block-heading\" id=\"initial-access-and-execution\">Initial access and execution<\/h3>\n<p class=\"wp-block-paragraph\">The initial access vector relies on abusing SEO to push malicious websites to the top of search results for queries such as \u201cPulse VPN download\u201d or \u201cPulse Secure client.\u201d Microsoft has observed spoofing of various VPN software brands (see the indicators of compromise below) and has seen the GitHub download link served from two of those domains: <em>vpn-fortinet[.]com<\/em> and <em>ivanti-vpn[.]org<\/em>.<\/p>\n<p class=\"wp-block-paragraph\">Once the user lands on the malicious website and clicks to download the software, the malware is delivered as a ZIP archive hosted at <em>hxxps[:]\/\/github[.]com\/latestver\/vpn\/releases\/download\/vpn-client2\/VPN-CLIENT.zip<\/em>. At the time of this report, this repository is no longer active.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig2-actor-controlled-website.webp\" alt=\"Screenshot of fake website posing as Fortinet\" class=\"wp-image-145738 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig2-actor-controlled-website.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. Screenshot from actor-controlled website vpn-fortinet[.]com masquerading as Fortinet<\/em><\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig3-code-snippet.webp\" alt=\"Code snippet for downloading the fake VPN installer\" class=\"wp-image-145739 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2026\/03\/Fig3-code-snippet.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. 
Code snippet from vpn-fortinet[.]com showing download of VPN-CLIENT.zip hosted on GitHub<\/em><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">When the user launches the malicious MSI embedded within the downloaded ZIP file, which masquerades as a legitimate Pulse Secure VPN installer, it installs <em>Pulse.exe<\/em> along with malicious DLL files into a directory structure that closely resembles a real Pulse Secure installation path: <em>%CommonFiles%\\Pulse Secure<\/em>. This installation path blends in with legitimate VPN software to appear trustworthy and avoid raising user suspicion.<\/p>\n<p class=\"wp-block-paragraph\">Alongside the primary application, the installer drops two malicious DLLs, <em>dwmapi.dll<\/em> and <em>inspector.dll<\/em>, into the <em>Pulse Secure<\/em> directory. <em>dwmapi.dll<\/em> is the name of a genuine Windows DLL that lives in System32; because Windows searches an application\u2019s own directory before System32 when resolving most DLL imports, <em>Pulse.exe<\/em> side-loads the malicious copy when it starts. This <em>dwmapi.dll<\/em> is an in-memory loader: it executes an embedded shellcode payload, which in turn loads <em>inspector.dll<\/em>, a variant of the infostealer Hyrax. 
The Hyrax infostealer extracts VPN connection URIs and sign-in credentials before exfiltrating them to attacker-controlled command-and-control (C2) infrastructure.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Code signing abuse<\/strong><\/p>\n<p class=\"wp-block-paragraph\">The MSI file and the malicious DLLs are signed with a valid digital certificate, since revoked, issued to <em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em> This abuse of code signing serves multiple purposes:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Bypasses the Windows security warnings shown for unsigned code<\/li>\n<li class=\"wp-block-list-item\">Might bypass application allow-listing policies that trust any signed binary<\/li>\n<li class=\"wp-block-list-item\">Reduces alerts from security tools that focus on unsigned malware<\/li>\n<li class=\"wp-block-list-item\">Lends false legitimacy to the installation process<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Microsoft identified several other files signed with the same certificate, also masquerading as VPN software; they are listed in the indicators of compromise section below. Revocation only helps where the verifying system actually checks revocation status, and a timestamped signature applied before the revocation date can continue to validate, so block on the signer name and file hashes rather than relying on the revocation alone.<\/p>\n<h3 class=\"wp-block-heading\" id=\"credential-theft\">Credential theft<\/h3>\n<p class=\"wp-block-paragraph\">The fake VPN client presents a graphical user interface that closely mimics the legitimate VPN client, prompting the user to enter their credentials. Rather than establishing a VPN connection, the application captures the credentials entered and exfiltrates them to attacker-controlled C2 infrastructure (<em>194.76.226[.]93:8080<\/em>). This approach relies on visual deception and immediate user interaction, allowing attackers to harvest credentials as soon as the target attempts to sign in. 
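<\/p>\n<p class=\"wp-block-paragraph\">The chain described so far (a side-loaded <em>dwmapi.dll<\/em>, <em>inspector.dll<\/em> loaded from a Pulse Secure folder, a <em>RunOnce<\/em> value for <em>Pulse.exe<\/em>, and exfiltration to <em>194.76.226[.]93:8080<\/em>) can be written as host-level detection logic. The Python below is an added example, not code from Microsoft or from the original post: it refangs the published indicators and runs four rules over a handful of constructed telemetry events. The event schema, the sample events and the <em>JamUI<\/em> install subfolder are assumptions for the demo; the <em>dwmapi.dll<\/em> rule deliberately generalizes past this campaign, because the genuine <em>dwmapi.dll<\/em> is a Windows system DLL loaded from System32 or SysWOW64, so a copy loaded from any application folder is side-loading whichever application does it.<\/p>

```python
'''Host-level detection logic for the fake-VPN chain (added example, not from the page).

The event schema (flat dicts with an 'event' key), the sample events and the
JamUI install subfolder are constructed for this demo. The indicators (C2
endpoint, C2 domains, file names, signer name, SHA-256 hashes) are the page's.
'''
from dataclasses import dataclass

BACKSLASH = chr(92)  # literal backslash, spelled out so this file needs no escape sequences


def refang(ioc: str) -> str:
    '''Indicators are published defanged (194.76.226[.]93, hxxps[:]//...); undo that first.'''
    return ioc.replace('[.]', '.').replace('[:]', ':').replace('hxxp', 'http')


def norm_path(path: str) -> str:
    '''Lower-case, forward-slash form so Windows paths from any source compare reliably.'''
    return path.replace(BACKSLASH, '/').lower().rstrip('/')


C2_IP, C2_PORT = refang('194.76.226[.]93'), 8080
C2_DOMAINS = {refang(d) for d in ('vpn-connection[.]pro', 'myconnection[.]pro')}
ABUSED_SIGNER = 'Taiyuan Lihua Near Information Technology Co., Ltd.'
MALICIOUS_SHA256 = {
    '862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557',  # VPN-Client.msi
    '6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6',  # dwmapi.dll
    '6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca',  # inspector.dll
    '44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8',  # Pulse.exe
}
# The genuine dwmapi.dll is loaded from one of these two directories only.
SYSTEM_DLL_DIRS = ('c:/windows/system32', 'c:/windows/syswow64')


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def detect(ev: dict):
    '''Return an Alert for one telemetry event, or None when nothing matches.'''
    kind = ev['event']
    if kind == 'image_load':
        folder, name, proc = norm_path(ev['folder']), ev['file'].lower(), ev['process']
        # Pulse.exe resolves dwmapi.dll from its own folder before System32: sideloading.
        # The rule is general: legitimate loads of dwmapi.dll come from the system dirs only.
        if name == 'dwmapi.dll' and folder not in SYSTEM_DLL_DIRS:
            return Alert('dwmapi-sideload', f'{proc} loaded dwmapi.dll from {folder}')
        if name == 'inspector.dll' and 'pulse secure' in folder:  # the page's own hunt
            return Alert('hyrax-loader', f'{proc} loaded inspector.dll from {folder}')
    elif kind == 'file_create':
        path = ev['path']
        if ev.get('sha256', '').lower() in MALICIOUS_SHA256:
            return Alert('known-hash', f'{path} matches a published SHA-256')
        if ev.get('signer') == ABUSED_SIGNER:
            return Alert('abused-signer', f'{path} is signed by the abused certificate')
    elif kind == 'network':
        host, port, proc = ev['remote_host'].lower(), ev['remote_port'], ev['process']
        if (host == C2_IP and port == C2_PORT) or host in C2_DOMAINS:
            return Alert('c2-traffic', f'{proc} connected to {host}:{port}')
    elif kind == 'registry':
        key, data = norm_path(ev['key']), norm_path(ev['data'])
        if key.endswith('/runonce') and data.endswith('/pulse.exe'):
            return Alert('runonce-persistence', f'RunOnce value launches {data}')
    return None


def run_detections(events):
    '''Run every rule over a list of events and keep the hits, in event order.'''
    return [a for a in map(detect, events) if a is not None]


# Constructed sample telemetry: one benign load and one benign connection, plus the chain.
PULSE_DIR = BACKSLASH.join(['C:', 'Program Files (x86)', 'Common Files', 'Pulse Secure', 'JamUI'])
RUNONCE_KEY = BACKSLASH.join(['HKLM', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'RunOnce'])
SAMPLE_EVENTS = [
    {'event': 'file_create', 'path': 'C:/Users/alice/Downloads/VPN-Client.msi',
     'sha256': '862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557',
     'signer': ABUSED_SIGNER},
    {'event': 'image_load', 'process': 'explorer.exe', 'folder': 'C:/Windows/System32', 'file': 'dwmapi.dll'},
    {'event': 'image_load', 'process': 'Pulse.exe', 'folder': PULSE_DIR, 'file': 'dwmapi.dll'},
    {'event': 'image_load', 'process': 'Pulse.exe', 'folder': PULSE_DIR, 'file': 'inspector.dll'},
    {'event': 'registry', 'key': RUNONCE_KEY, 'value': 'Pulse', 'data': PULSE_DIR + BACKSLASH + 'Pulse.exe'},
    {'event': 'network', 'process': 'Pulse.exe', 'remote_host': '194.76.226.93', 'remote_port': 8080},
    {'event': 'network', 'process': 'msedge.exe', 'remote_host': 'www.ivanti.com', 'remote_port': 443},
]

if __name__ == '__main__':
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert.rule, '-', alert.detail)
```

<p class=\"wp-block-paragraph\">Run it directly to print the alerts; to use it on real data, map your EDR\u2019s image-load, file-create, network and registry-write records onto the same dict shape. Because Windows removes a <em>RunOnce<\/em> value after it executes, the persistence rule is best fed from registry-write telemetry captured at installation time rather than from a later registry scan.<\/p>\n<p class=\"wp-block-paragraph\">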
The credential theft operation follows this sequence:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><strong>UI presentation<\/strong>: A fake VPN sign-in dialog is displayed to the user, closely resembling the legitimate Pulse Secure client.<\/li>\n<li class=\"wp-block-list-item\"><strong>Error display<\/strong>: After credentials are submitted, a fake error message is shown to the user.<\/li>\n<li class=\"wp-block-list-item\"><strong>Redirection<\/strong>: The user is instructed to download and install the legitimate Pulse Secure VPN client.<\/li>\n<li class=\"wp-block-list-item\"><strong>Access to stored VPN data<\/strong>: The <em>inspector.dll<\/em> component reads stored VPN connection data from <em>C:\\ProgramData\\Pulse Secure\\ConnectionStore\\connstore.dat<\/em>, the connection store of any genuine Pulse Secure client already installed on the host.<\/li>\n<li class=\"wp-block-list-item\"><strong>Data exfiltration<\/strong>: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure.<\/li>\n<\/ul>\n<h3 class=\"wp-block-heading\" id=\"persistence\">Persistence<\/h3>\n<p class=\"wp-block-paragraph\">To maintain access, the MSI establishes persistence during installation through the Windows <em>RunOnce<\/em> registry key, adding a value that launches <em>Pulse.exe<\/em> at the next sign-in, typically after a reboot. Because Windows deletes a <em>RunOnce<\/em> value once it has executed, its absence during triage does not rule out this infection; registry-write telemetry from the time of installation is the more reliable record.<\/p>\n<h3 class=\"wp-block-heading\" id=\"defense-evasion\">Defense evasion<\/h3>\n<p class=\"wp-block-paragraph\">One of the most sophisticated aspects of this campaign is the post-credential theft redirection strategy. 
After successfully capturing user credentials, the malicious application conducts the following actions:<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Displays a convincing error message indicating installation failure<\/li>\n<li class=\"wp-block-list-item\">Provides instructions to download the legitimate Pulse VPN client from official sources<\/li>\n<li class=\"wp-block-list-item\">In certain instances, opens the user\u2019s browser to the legitimate VPN website<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware.<\/p>\n<h2 class=\"wp-block-heading\" id=\"defending-against-credential-theft-campaigns\">Defending against credential theft campaigns<\/h2>\n<p class=\"wp-block-paragraph\">Microsoft recommends the following mitigations to reduce the impact of this threat.<\/p>\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Turn on&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/configure-block-at-first-sight-microsoft-defender-antivirus\" target=\"_blank\" rel=\"noreferrer noopener\">cloud-delivered protection<\/a>&nbsp;in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. 
Cloud-based machine learning protections block a huge majority of new and unknown variants.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Run&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/edr-in-block-mode\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint detection and response (EDR) in block mode<\/a>&nbsp;so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Enable&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/enable-network-protection\" target=\"_blank\" rel=\"noreferrer noopener\">network protection<\/a>&nbsp;in Microsoft Defender for Endpoint.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Turn on&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/web-protection-overview\" target=\"_blank\" rel=\"noreferrer noopener\">web protection<\/a>&nbsp;in Microsoft Defender for Endpoint.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Encourage users to use Microsoft Edge and other web browsers that support&nbsp;<a href=\"https:\/\/learn.microsoft.com\/windows\/security\/operating-system-security\/virus-and-threat-protection\/microsoft-defender-smartscreen\/\" target=\"_blank\" rel=\"noreferrer noopener\">SmartScreen<\/a>, which&nbsp;identifies&nbsp;and blocks malicious websites, including phishing sites,&nbsp;scam&nbsp;sites, and sites that&nbsp;contain&nbsp;exploits and host malware.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Enforce multifactor authentication (MFA) on all accounts, remove users excluded from MFA, and strictly&nbsp;<a href=\"https:\/\/learn.microsoft.com\/entra\/id-protection\/howto-identity-protection-configure-mfa-policy\" target=\"_blank\" rel=\"noreferrer noopener\">require MFA<\/a>&nbsp;from 
all devices, in all locations,&nbsp;at all times.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults secured with personal credentials. Organizations can turn off password&nbsp;syncing&nbsp;in browser on managed devices using&nbsp;<a href=\"https:\/\/learn.microsoft.com\/deployedge\/microsoft-edge-enterprise-sync#sync-group-policies\" target=\"_blank\" rel=\"noreferrer noopener\">Group Policy<\/a>.&nbsp;<\/li>\n<li class=\"wp-block-list-item\">Turn on the following&nbsp;<a href=\"https:\/\/learn.microsoft.com\/defender-endpoint\/attack-surface-reduction\" target=\"_blank\" rel=\"noreferrer noopener\">attack surface reduction rule<\/a>&nbsp;to block or audit activity associated with this threat: <\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\" id=\"microsoft-defender-detection-and-hunting-guidance\">Microsoft Defender detection and hunting guidance<\/h2>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/security\/business\/microsoft-defender\">Microsoft Defender<\/a> customers can refer to the list of applicable detections below. 
Microsoft Defender coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.<\/p>\n<h3 class=\"wp-block-heading\" id=\"microsoft-security-copilot\">Microsoft Security Copilot<\/h3>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/ai-machine-learning\/microsoft-security-copilot\">Microsoft Security Copilot<\/a> is <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-in-microsoft-365-defender\">embedded in Microsoft Defender<\/a> and provides security teams with AI-powered capabilities to summarize incidents, analyze files and scripts, summarize identities, use guided responses, and generate device summaries, hunting queries, and incident reports.<\/p>\n<p class=\"wp-block-paragraph\">Customers can also <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/security-copilot-agents-defender\">deploy AI agents<\/a>, including the following <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/agents-overview\">Microsoft Security Copilot agents<\/a>, to perform security tasks efficiently:<\/p>\n<p class=\"wp-block-paragraph\">Security Copilot is also available as a <a href=\"https:\/\/learn.microsoft.com\/en-us\/copilot\/security\/experiences-security-copilot\">standalone experience<\/a> where customers can perform specific security-related tasks, such as incident investigation, user analysis, and vulnerability impact assessment. 
In addition, Security Copilot offers <a href=\"https:\/\/learn.microsoft.com\/copilot\/security\/developer\/custom-agent-overview\">developer scenarios<\/a> that allow customers to build, test, publish, and integrate AI agents and plugins to meet unique security needs.<\/p>\n<h3 class=\"wp-block-heading\" id=\"threat-intelligence-reports\">Threat intelligence reports<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can use the following <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/threat-analytics\">threat analytics<\/a> reports in the Defender portal (requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prevent, mitigate, or respond to associated threats found in customer environments.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft Security Copilot customers can also use the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/security-copilot-and-defender-threat-intelligence?bc=%2Fsecurity-copilot%2Fbreadcrumb%2Ftoc.json&amp;toc=%2Fsecurity-copilot%2Ftoc.json#turn-on-the-security-copilot-integration-in-defender-ti\">Microsoft Security Copilot integration<\/a> in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the <a href=\"https:\/\/learn.microsoft.com\/defender\/threat-intelligence\/using-copilot-threat-intelligence-defender-xdr\">embedded experience<\/a> in the Microsoft Defender portal to get more information about this threat actor.<\/p>\n<h3 class=\"wp-block-heading\" id=\"hunting-queries\">Hunting queries<\/h3>\n<p class=\"wp-block-paragraph\">Microsoft Defender XDR customers can run the following <a href=\"https:\/\/learn.microsoft.com\/defender-xdr\/advanced-hunting-overview\">advanced hunting<\/a> queries to find related activity in their 
networks:<\/p>\n<p class=\"wp-block-paragraph\"><strong>Files signed by <\/strong><strong><em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em><\/strong><\/p>\n<p class=\"wp-block-paragraph\">Look for process launches of files whose certificate signer is <em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em><\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"9\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ SHA1 of every file whose Authenticode signer is the abused certificate...\nlet a = DeviceFileCertificateInfo\n| where Signer == \"Taiyuan Lihua Near Information Technology Co., Ltd.\"\n| distinct SHA1;\n\/\/ ...then every process launched from one of those files\nDeviceProcessEvents\n| where SHA1 in(a)\n<\/pre>\n<\/div>\n<p class=\"wp-block-paragraph\"><strong>Identify suspicious DLLs in <\/strong><strong><em>Pulse Secure<\/em> folder<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Identify loads of the malicious DLLs from folders that mimic a Pulse Secure installation.<\/p>\n<div class=\"wp-block-syntaxhighlighter-code \" readability=\"10\">\n<pre class=\"brush: plain; auto-links: false; gutter: false; title: ; quick-code: false; notranslate\" title>\n\/\/ JUNS and JamUI are subfolders of a genuine Pulse Secure installation; the fake installer mirrors that layout.\n\/\/ dwmapi.dll is a Windows system DLL, so a copy loaded from these folders has been side-loaded.\nDeviceImageLoadEvents\n| where FolderPath contains \"Pulse Secure\" and FolderPath contains \"Program Files\" and (FolderPath contains \"\\\\JUNS\\\\\" or FolderPath contains \"\\\\JAMUI\\\\\")\n| where FileName has_any(\"inspector.dll\",\"dwmapi.dll\")\n<\/pre>\n<\/div>\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<tbody readability=\"55\">\n<tr>\n<td><strong>Indicator<\/strong><\/td>\n<td><strong>Type<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f<\/td>\n<td>SHA-256<\/td>\n<td>ZIP file retrieved from GitHub (<em>VPN-Client.zip<\/em>)<\/td>\n<\/tr>\n<tr 
readability=\"4\">\n<td>862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557<\/td>\n<td>SHA-256<\/td>\n<td>Malicious MSI installer downloaded via the domain masquerading as Ivanti Pulse Secure (<em>VPN-Client.msi<\/em>)<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td>6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6<\/td>\n<td>SHA-256<\/td>\n<td>Side-loaded loader DLL dropped by the MSI above; also signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em> (<em>dwmapi.dll<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca<\/td>\n<td>SHA-256<\/td>\n<td>Malicious DLL that steals data from <em>C:\\ProgramData\\Pulse Secure\\ConnectionStore\\connstore.dat<\/em> and exfiltrates it (<em>inspector.dll<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd. <\/em>(<em>Sophos-Connect-Client.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd. <\/em>(<em>GlobalProtect-VPN.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd. 
<\/em>(<em>VPN-Client.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em> (<em>vpn.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd. <\/em>(<em>Pulse.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd. <\/em>(<em>WiredAccessMethod.dll<\/em>)<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc<\/td>\n<td>SHA-256<\/td>\n<td>Malware signed by <em>Taiyuan Lihua Near Information Technology Co., Ltd.<\/em>(<em>PulseSecureService.exe<\/em>)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>194.76.226[.]93<\/td>\n<td>IP address<\/td>\n<td>IP address where stolen data is sent<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>checkpoint-vpn[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>cisco-secure-client[.]es<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>forticlient-for-mac[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>forticlient-vpn[.]de<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>forticlient-vpn[.]fr<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>forticlient-vpn[.]it<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr 
readability=\"2\">\n<td><em>forticlient[.]ca<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>forticlient.co[.]uk<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>forticlient[.]no<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>fortinet-vpn[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ivanti-vpn[.]org<\/em><\/td>\n<td>Domain<\/td>\n<td>Initial access domain (GitHub ZIP)<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>ivanti-secure-access[.]de<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>ivanti-pulsesecure[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>sonicwall-netextender[.]nl<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>sophos-connect[.]org<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>vpn-fortinet[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Initial access domain (GitHub ZIP)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>watchguard-vpn[.]com<\/em><\/td>\n<td>Domain<\/td>\n<td>Suspect initial access domain<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>vpn-connection[.]pro<\/em><\/td>\n<td>Domain<\/td>\n<td>C2 where stolen credentials are sent<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td><em>myconnection[.]pro<\/em><\/td>\n<td>Domain<\/td>\n<td>C2 where stolen credentials are sent<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td><em>hxxps:\/\/github[.]com\/latestver\/vpn\/releases\/download\/vpn-client2\/VPN-CLIENT.zip<\/em><\/td>\n<td>URL<\/td>\n<td>GitHub URL hosting <em>VPN-CLIENT.zip<\/em> file (no longer 
available)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h3>\n<p class=\"wp-block-paragraph\">For the latest security research from the Microsoft Threat Intelligence community, check out the <a href=\"https:\/\/aka.ms\/threatintelblog\">Microsoft Threat Intelligence Blog<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">To get notified about new publications and to join discussions on social media, follow us on <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\">LinkedIn<\/a>, <a href=\"https:\/\/x.com\/MsftSecIntel\">X (formerly Twitter)<\/a>, and <a href=\"https:\/\/bsky.app\/profile\/threatintel.microsoft.com\">Bluesky<\/a>. <\/p>\n<p class=\"wp-block-paragraph\">To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\">Microsoft Threat Intelligence podcast<\/a>.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/03\/12\/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Storm-2561 uses SEO poisoning to push fake VPN downloads that install signed trojans and steal VPN credentials. Active since 2025, Storm-2561 mimics trusted brands and abuses legitimate services. This post reviews TTPs, IOCs, and mitigation guidance.<br \/>\nThe post Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft appeared first on Microsoft Security Blog. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[5449,10798],"class_list":["post-60301","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-credential-theft","tag-storm"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/storm-2561-uses-seo-poisoning-to-distribute-fake-vpn-clients-for-credential-theft\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-12T17:00:00+00:00\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<!-- \/ Yoast SEO plugin. -->"}