In a Malwarebytes piece dated 17 March 2026, Pieter Arntz explains how searching for a VPN can end up delivering credential-stealing malware, with victims trusting search results, logos and signatures that look legitimate. The fake VPN page often redirects to a GitHub release download, delivering a ZIP file named something like VPN-CLIENT[.]zip, signed with a certificate that has since been revoked, and containing an MSI that side-loads malicious DLLs.
One loader, dwmapi[.]dll, launches embedded shellcode that runs inspector[.]dll, a Hyrax infostealer variant, so the VPN client becomes a credential thief from the moment installation finishes. The malware captures usernames, passwords and target URIs, scoops up stored VPN credentials, and exfiltrates them to attacker-controlled infrastructure, allowing the attacker to log in to the corporate VPN under cover of normal remote-access traffic.
The article advocates vigilance, advising users to avoid trusting search results for security software, verify domains, report failed installs to IT and never store corporate VPN credentials in personal password managers. According to Microsoft, SEO poisoning can be used to distribute fake VPN clients for credential theft.
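For defenders, the side-loading step described above leaves a recognisable trace: a DLL carrying a Windows system name (dwmapi.dll here) loaded from an application folder instead of the system directories. The following is an added example, not code from the Malwarebytes article; the event records are constructed, their field names are modelled on Sysmon image-load events (an assumption), and the ExampleVPN paths are hypothetical.

```python
from pathlib import PureWindowsPath

# DLL names that legitimately live in the Windows system directories.
# dwmapi.dll is the loader name given in the article; extend as needed.
SYSTEM_DLL_NAMES = {"dwmapi.dll"}
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed sample events (not from the article). Field names are modelled
# on Sysmon image-load records, which is an assumption of this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\dwmapi.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\ExampleVPN\client.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\ExampleVPN\DWMAPI.dll",
     "SignatureStatus": "Revoked"},
    {"Image": r"C:\Users\alice\AppData\Local\ExampleVPN\client.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\ExampleVPN\ui.dll",
     "SignatureStatus": "Valid"},
]

def in_system_dir(path: PureWindowsPath) -> bool:
    # PureWindowsPath compares case-insensitively, as Windows does.
    return any(path.parent == d for d in SYSTEM_DIRS)

def find_sideload_candidates(events):
    """Return events where a system DLL name is loaded from a non-system path."""
    hits = []
    for ev in events:
        loaded = PureWindowsPath(ev["ImageLoaded"])
        if loaded.name.lower() in SYSTEM_DLL_NAMES and not in_system_dir(loaded):
            same_dir = loaded.parent == PureWindowsPath(ev["Image"]).parent
            hits.append({
                "process": ev["Image"],
                "dll": ev["ImageLoaded"],
                "beside_executable": same_dir,
                "signature_ok": ev.get("SignatureStatus") == "Valid",
            })
    return hits

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

A hit with `beside_executable` true and `signature_ok` false matches the pattern the article describes and is worth escalating alongside any user report of a failed VPN install.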