According to Microsoft Threat Intelligence, Storm-2561 is behind a credential‑theft campaign in which fake VPN clients are distributed via SEO poisoning. Identified in mid‑January 2026 by Microsoft Defender Experts, the campaign redirects users searching for legitimate enterprise VPN software to attacker‑controlled sites hosting a malicious ZIP file that deploys digitally signed trojans masquerading as trusted VPN clients.
The ZIP delivers an MSI that installs Pulse[.]exe and drops malicious DLLs (dwmapi[.]dll and inspector[.]dll) into a Pulse Secure‑named directory, with inspector[.]dll, a Hyrax variant, exfiltrating VPN credentials to attacker‑controlled infrastructure. The installers and DLLs are signed with a valid certificate from Taiyuan Lihua Near Information Technology Co., Ltd., an abuse of code signing intended to bypass warnings and evade detection.
Initial access occurs via spoofed VPN brand domains such as vpn‑fortinet[.]com and ivanti‑vpn[.]org, with the ZIP hosted on a GitHub repository that has since been taken down. Microsoft notes the campaign’s persistence through RunOnce and highlights several indicators of compromise, including credential and data exfiltration to 194.76.226[.]93:8080.
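The indicators quoted above (the spoofed domains, the dropped DLL names, the RunOnce persistence and the exfiltration endpoint) map directly onto hunting rules. The script below is an added example, not code from Microsoft's report, that runs those rules over constructed endpoint telemetry in JSON-lines form. The event field names, the `C:\ProgramData\Pulse Secure` path in the sample data and the assumption that the system root is `C:\Windows` are all mine; the report only says "a Pulse Secure-named directory", so the DLL rule keys on the directory name fragment and on the fact that dwmapi.dll is a genuine Windows library that should only ever load from System32 or SysWOW64.

```python
"""Added example (not from the Microsoft report): match constructed endpoint
telemetry against the Storm-2561 indicators named in the summary above."""
import json
import ntpath
from dataclasses import dataclass
from typing import Optional

# Indicators quoted from the summary, with the defanging brackets removed.
SPOOFED_VPN_DOMAINS = {"vpn-fortinet.com", "ivanti-vpn.org"}
EXFIL_ENDPOINT = ("194.76.226.93", 8080)
DROPPED_DLLS = {"dwmapi.dll", "inspector.dll"}
# Assumption: the report says only "a Pulse Secure-named directory", so we
# match on that name fragment rather than on a full path.
PULSE_DIR_FRAGMENT = "pulse secure"
# Assumption: standard system root. dwmapi.dll is a real Windows library that
# normally loads from System32/SysWOW64; a copy beside Pulse.exe is the
# sideloading signal. inspector.dll has no legitimate Windows copy at all.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _in_domain(name: str, suspect: str) -> bool:
    """True for the domain itself or any subdomain of it."""
    name = name.lower().rstrip(".")
    return name == suspect or name.endswith("." + suspect)


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding if a single event matches an indicator, else None."""
    kind = ev.get("event")
    host = ev.get("host", "?")
    if kind == "dns_query":
        q = ev.get("query", "")
        if any(_in_domain(q, d) for d in SPOOFED_VPN_DOMAINS):
            return Finding("spoofed_vpn_domain", host, f"DNS lookup for {q}")
    elif kind == "image_load":
        dll = ev.get("dll", "")
        low = dll.lower()
        # Dropped DLL name loaded from anywhere other than the system directories.
        if ntpath.basename(low) in DROPPED_DLLS and not low.startswith(SYSTEM_DIRS):
            return Finding("dll_sideload", host, f"{ev.get('image')} loaded {dll}")
    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        # RunOnce entry pointing at the Pulse Secure-named directory or Pulse.exe.
        if "\\currentversion\\runonce" in key and (
            PULSE_DIR_FRAGMENT in data or ntpath.basename(data) == "pulse.exe"
        ):
            return Finding("runonce_persistence", host, f"{ev.get('key')} -> {ev.get('data')}")
    elif kind == "network_connect":
        dest = (ev.get("dest_ip"), int(ev.get("dest_port", 0)))
        if dest == EXFIL_ENDPOINT:
            return Finding("exfil_endpoint", host, f"{ev.get('image')} -> {dest[0]}:{dest[1]}")
    return None


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole scan
    return events


def scan(events: list) -> list:
    """Run every rule over every event and collect the matches."""
    return [f for f in (check_event(e) for e in events) if f is not None]


# Constructed sample telemetry (not real log data). A benign System32 load of
# dwmapi.dll and a benign HTTPS connection are included to show what is NOT flagged.
SAMPLE_TELEMETRY = r'''
{"event":"dns_query","host":"WS01","query":"vpn-fortinet.com"}
{"event":"image_load","host":"WS01","image":"C:\\ProgramData\\Pulse Secure\\Pulse.exe","dll":"C:\\ProgramData\\Pulse Secure\\dwmapi.dll"}
{"event":"image_load","host":"WS01","image":"C:\\Windows\\explorer.exe","dll":"C:\\Windows\\System32\\dwmapi.dll"}
{"event":"registry_set","host":"WS01","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce","value":"Pulse","data":"C:\\ProgramData\\Pulse Secure\\Pulse.exe"}
{"event":"network_connect","host":"WS01","dest_ip":"194.76.226.93","dest_port":8080,"image":"C:\\ProgramData\\Pulse Secure\\Pulse.exe"}
{"event":"network_connect","host":"WS01","dest_ip":"10.0.0.5","dest_port":443,"image":"C:\\Windows\\System32\\svchost.exe"}
'''

if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_TELEMETRY)):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

On the sample data the scan raises four findings, one per rule, and leaves the two benign events alone. The `dll_sideload` rule is the one worth keeping after the campaign's domains and IP rotate: the atomic indicators age quickly, but a Windows system DLL name loading from an application directory is a behaviour, and it survives infrastructure changes.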