Cyber-crime

Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others

And then they send victims to the legit VPN download to hide their tracks

Jessica Lyons
Fri 13 Mar 2026 // 17:17 UTC

A group of cybercriminals tracked as Storm-2561 is using fake enterprise VPN clients from Check Point, Cisco, Fortinet, Ivanti, and other vendors to steal users' credentials, according to Microsoft.

Storm-2561 is a newish criminal gang ("Storm" followed by a number is how Microsoft tracks groups still in development) that has been around since May 2025, and typically uses SEO positioning and vendor impersonation to distribute malware. This campaign, which started in mid-January, is no different.

The crew gains initial access to victims by manipulating search results, pushing malicious websites masquerading as enterprise VPN updates to the top of the list. So when a user searches for a VPN client such as "Pulse VPN download" or "Pulse Secure client," the top results point to a spoofed website mimicking the real vendor's page. These include products from SonicWall, Sophos, and WatchGuard, in addition to the VPN vendors listed above.

Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files.

"Microsoft has observed spoofing of various VPN software brands and has observed the GitHub link at the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org," Redmond's threat intelligence team said in a Thursday blog. The GitHub repos have since been taken down. (Read the blog to the end for a long list of indicators of compromise.)

The installer sideloads malicious dynamic link library (DLL) files, dwmapi.dll and inspector.dll, during installation, and the phony VPN software prompts the user to enter their credentials.
This captures the usernames and passwords, and then sends them to an attacker-controlled command-and-control server, all the while appearing to be a legitimate client application. The MSI file and malicious DLLs are signed with a valid - and now revoked - digital certificate from Taiyuan Lihua Near Information Technology Co., Ltd.

Then comes the trickiest part: immediately after a user enters their credentials into the fake sign-in page, the application displays an error message saying the installation failed, and then instructs the victim to download the legitimate VPN client from the vendor's official website. In some cases, the app even opens the user's browser to the legitimate site.

"If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user," according to the blog. "Users are likely to attribute the initial installation failure to technical issues, not malware."

Unsurprisingly, since it's a Microsoft threat-intel report, the software giant recommends its products and services to prevent credential theft. But there are a couple of key (and vendor-neutral) security suggestions that we want to highlight.

First - and we cannot stress this enough - enforce multi-factor authentication (MFA) on all accounts. Make sure to remove users excluded from MFA, and require MFA from all devices, everywhere, at all times.

Second: remind employees NOT to store workplace credentials in browsers or password vaults secured with personal credentials.
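As an added example (not from the article or from Microsoft's blog), here is a small Python triage routine that applies the two hunting signals the report gives defenders: a DLL named dwmapi.dll or inspector.dll loading from somewhere other than the Windows system directories (dwmapi.dll is a genuine Windows library, so a copy loaded from an installer temp folder or application directory is the sideloading tell), and DNS lookups for the two reported domains. The telemetry records, their Sysmon-style field names, and every file path and process name in them are constructed for illustration.

```python
# DLL names Microsoft reported being sideloaded by the fake VPN installers.
SIDELOADED_DLLS = {"dwmapi.dll", "inspector.dll"}
# Domains Microsoft reported hosting the link to the malicious GitHub repo (defanged on the page).
REPORTED_DOMAINS = {"vpn-fortinet.com", "ivanti-vpn.org"}
# Where a genuine dwmapi.dll lives; a load from anywhere else is suspect.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_sideload(image_loaded: str) -> bool:
    """True when a DLL with one of the reported names loads from outside the system directories."""
    path = image_loaded.lower()
    name = path.rsplit("\\", 1)[-1]
    if name not in SIDELOADED_DLLS:
        return False
    return not any(path.startswith(d) for d in TRUSTED_DIRS)


def is_reported_domain(query: str) -> bool:
    """True for the reported domains and any subdomain of them."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in REPORTED_DOMAINS)


def triage(events):
    """Return (event_index, reason) for every event matching one of the two signals."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "image_load" and is_sideload(ev["image_loaded"]):
            hits.append((i, f"sideload: {ev['image']} loaded {ev['image_loaded']}"))
        elif ev["type"] == "dns" and is_reported_domain(ev["query"]):
            hits.append((i, f"dns: {ev['image']} resolved {ev['query']}"))
    return hits


# Constructed sample telemetry; paths and process names are made up for this example.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Windows\explorer.exe",
     "image_loaded": r"C:\Windows\System32\dwmapi.dll"},                            # benign
    {"type": "image_load", "image": r"C:\Windows\System32\msiexec.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\MSI1A2B.tmp\dwmapi.dll"},  # sideload
    {"type": "image_load", "image": r"C:\Program Files\ExampleVPN\client.exe",
     "image_loaded": r"C:\Program Files\ExampleVPN\inspector.dll"},                 # sideload
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.vpn-fortinet.com"},                                              # reported domain
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "fortinet.com"},                                                      # benign
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_EVENTS):
        print(idx, reason)
```

A DNS hit alone only shows that someone reached the lure site; a sideload hit on a host means the installer ran and the credentials entered into it should be treated as exposed.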
A threat actor tracked as Storm-2561 is using SEO poisoning to push malicious websites spoofing enterprise VPN clients from vendors like Cisco, Fortinet, and Ivanti to the top of search results; victims download a malicious MSI installer that sideloads credential-stealing DLLs, which capture and exfiltrate user credentials before redirecting the user to the legitimate vendor download site. The article does not describe a specific software vulnerability but rather a social engineering and malware campaign, therefore no CVSS score, affected versions, fixed version, or technical workaround are provided.