The article discusses a credential-theft campaign linked to the threat actor dubbed Storm-2561, which has been targeting users through SEO-poisoning techniques. The attackers create fake VPN client websites mimicking trusted vendors like Ivanti, Cisco, and Fortinet. By manipulating search engine results, they redirect users searching for legitimate VPN downloads to malicious sites hosting trojanized installers.
The malware, once executed, steals corporate login credentials and establishes persistence to maintain access. Additionally, this campaign features a tactic where users are deceived into believing they have encountered a legitimate software error, encouraging them to download the actual VPN client without noticing the compromise.