
Storm-2561 targets users with a fake VPN campaign

Microsoft has disclosed that it has uncovered a cybercrime campaign involving the distribution of fake virtual private network (VPN) applications through search engine optimization (SEO) poisoning techniques, aimed at harvesting user account credentials.

According to the information provided, users searching for legitimate enterprise software are redirected to malicious ZIP files hosted on attacker-controlled websites. These files are used to deploy digitally signed trojans masquerading as trusted VPN clients. The malicious software is designed to harvest users’ VPN credentials.

Microsoft stated that the activity was observed in mid-January 2026 and has been attributed to Storm-2561, a threat actor known since May 2025 for distributing malware through SEO poisoning and impersonating well-known software vendors. It is noted that the group has previously used similar methods to lure users into downloading fake software and to steal their authentication credentials.

According to Microsoft’s assessment, the activity demonstrates how threat actors exploit trust in search engine rankings and well-known software branding as a social engineering tactic. One of the factors compounding the threat is the abuse of trusted platforms such as GitHub to host installer files.

Technical analysis shows that the ZIP archive hosted in the GitHub repository contains an MSI installer file presented as legitimate VPN software. However, during installation, the file sideloads malicious DLLs into the system. The ultimate objective of the campaign is to collect and exfiltrate VPN credentials using a modified variant of the Hyrax information stealer.

To capture users’ credentials, a fake yet convincing VPN sign-in dialog is displayed. Once the victim enters their credentials, an error message is shown and they are told to download the VPN client again, this time the legitimate one. In some cases, the user is redirected directly to the legitimate VPN website.

Microsoft noted that the malicious components were digitally signed with a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd”. Microsoft further stated that it has taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate used in the operation in order to neutralize the threat.

In addition, it was determined that the malware uses the Windows RunOnce registry key to establish persistence, enabling the malicious component to be executed automatically after a system reboot.
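An added defender-side check, not part of the article, for the RunOnce persistence described above: it enumerates the machine- and user-level RunOnce keys, resolves the executable each entry launches, and reports its Authenticode status and signer so entries that point at unsigned binaries or user-writable paths stand out. The key paths are the standard Windows locations; the user-writable path pattern is an assumption chosen for illustration.

```powershell
# Added example (not from the original article): audit RunOnce autostart entries
# and show the signature state of whatever each entry would launch at next boot.
$runOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runOnceKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PS* metadata properties that Get-ItemProperty attaches
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Executable is either the quoted first token or the first bare token
        if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }

        $sig = $null
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
        }
        # Assumed heuristic: autostarts from user-writable locations merit review
        $userWritable = $exe -match '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'

        [pscustomobject]@{
            Key          = $key
            Name         = $p.Name
            Command      = $cmd
            Executable   = $exe
            Status       = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer       = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            UserWritable = $userWritable
        }
    }
}
```

Run it in an elevated session to see both HKLM hives; a revoked signing certificate does not appear as its own status value, so compare the reported Signer against the subject named in the advisory rather than relying on Status alone.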

To mitigate such threats, users and organizations are advised to implement multi-factor authentication (MFA) on all accounts, download software only from official and trusted sources and carefully verify the authenticity of downloaded files.
