thehackernews.com 3/13/2026, 3:09:38 PM · via preferred

Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials

Microsoft has disclosed details of a credential theft campaign that distributes fake VPN clients via SEO poisoning. Users searching for legitimate enterprise software are redirected to malicious ZIP files on attacker‑controlled sites, which deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials, according to the Microsoft Threat Intelligence and Microsoft Defender Experts teams.

The activity, observed in mid‑January 2026, has been attributed to Storm‑2561, a threat activity cluster known for propagating malware through SEO poisoning and impersonating software vendors since May 2025. A GitHub repository hosts a ZIP containing an MSI installer that masquerades as legitimate VPN software but sideloads malicious DLLs, with the end goal of exfiltrating VPN credentials via a variant of the Hyrax information stealer.

Users are shown a fake VPN sign‑in dialog and may be redirected to the legitimate VPN site after entering their credentials; the malware uses the Windows RunOnce registry key to persist across reboots. Microsoft said the campaign exploits trust in search rankings and branding, and noted that the attacker‑controlled GitHub repositories were taken down and the legitimate code‑signing certificate revoked to neutralise the operation. It recommends MFA for organisations and caution when downloading software from websites.


Article by CyberSIXT