SECURITYWEEK reports that a threat actor tracked as Storm-2561 has been targeting VPN users in a new credential theft campaign, using SEO poisoning to distribute malicious VPN clients. Active since at least May 2025, the group began a campaign in mid-January that lures victims seeking VPN software into downloading trojans signed with a legitimate digital certificate, with payloads hosted on GitHub.
The MSI installer, masquerading as Pulse Secure, sideloads a DLL that launches a variant of the Hyrax information stealer to harvest URI and VPN credentials and exfiltrate them to a control server. Both the MSI and the DLL were signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked.
The fake VPN client mimics the legitimate app and uses a RunOnce persistence mechanism to start at boot. After collecting credentials, the software sometimes redirects users back to the legitimate Pulse VPN site. According to Microsoft, even if users subsequently install legitimate VPN software, there may be no obvious signs of compromise to the end user.
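As an added triage check written for this summary (not code from SecurityWeek, Microsoft, or the report), the PowerShell below lists RunOnce entries, reads the Authenticode signer of each launched binary, and flags entries whose signer matches the company named above, whose signature is not valid, or whose certificate chain reports revocation. The signer string, the registry key list, and the function names are assumptions for illustration.

```powershell
# Added triage check for RunOnce persistence with signed binaries (not from the report).
# $SuspectSigner is an assumption taken from the certificate holder named in the article.
$SuspectSigner = 'Taiyuan Lihua Near Information Technology'

$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-LaunchedPath {
    param([string]$Command)
    # Extract the executable path from a RunOnce command line (quoted or bare).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-RunOnceEntry {
    param([string]$Key, [string]$Name, [string]$Command)
    $path = Get-LaunchedPath $Command
    $result = [ordered]@{ Key = $Key; Name = $Name; Path = $path
                          Signer = $null; Status = 'FileMissing'; Revoked = $false }
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $result.Status = $sig.Status.ToString()
        if ($sig.SignerCertificate) {
            $result.Signer = $sig.SignerCertificate.Subject
            # Rebuild the chain with online revocation checking so a since-revoked
            # code-signing certificate (as in this campaign) is surfaced explicitly.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            [void]$chain.Build($sig.SignerCertificate)
            $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
            $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag })
        }
    }
    # Flag for analyst review: revoked chain, known-bad signer, or anything not cleanly valid.
    $result.Suspicious = $result.Revoked -or
        ($result.Signer -like "*$SuspectSigner*") -or ($result.Status -ne 'Valid')
    [pscustomobject]$result
}

foreach ($key in $RunOnceKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        Test-RunOnceEntry -Key $key -Name $p.Name -Command $p.Value
    }
}
```

Run it in an elevated session on a suspect host; entries with `Suspicious` set to `True` warrant pulling the binary and its signer details for further analysis rather than being treated as confirmed compromise on their own.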