Storm-2561 pushes fake VPN installers via SEO poisoning to steal enterprise credentials

A credential theft operation uses lookalike VPN download sites and GitHub-hosted ZIPs to drop signed malware that harvests VPN logins and configuration data.

Credential theft | SEO poisoning | Initial access | Infostealer | VPN

Affected vendor / product: Multiple VPN client brands used as lures (Pulse Secure, Fortinet FortiClient, Ivanti, SonicWall NetExtender, Sophos Connect, Palo Alto GlobalProtect, WatchGuard, Check Point, Cisco Secure Client) (microsoft.com)
Primary issue: SEO poisoning leading to trojanised VPN installers and credential exfiltration (microsoft.com)
Exploitation status: Observed in the wild (Microsoft Defender Experts telemetry, mid-January 2026) (microsoft.com)
Confidence level: High (activity, tooling, and IOCs reported by Microsoft); attribution per Microsoft tracking as Storm-2561 (microsoft.com)
Severity: High (enterprise credential theft enabling downstream intrusion) (microsoft.com)
Patch / mitigation status: No software patch; mitigation is policy and control hardening (download hygiene, ASR/EDR, MFA, web filtering) (microsoft.com)

Executive Summary

Microsoft reports a mid-January 2026 credential theft campaign in which users searching for legitimate VPN clients are redirected to attacker-controlled websites positioned via SEO poisoning. (microsoft.com) The lures deliver ZIP archives hosted from GitHub repositories (since removed) that contain MSI installers masquerading as trusted VPN software but side-load malicious DLLs and run signed payloads. (microsoft.com)

The implanted components display a convincing VPN sign-in dialog, capture credentials, and exfiltrate them (alongside stored VPN configuration artefacts) to attacker-controlled infrastructure. (microsoft.com) A key operational detail is post-theft misdirection: victims are told the install failed and are redirected to install the legitimate VPN client, reducing the chance they suspect compromise. (microsoft.com)

Microsoft attributes this activity to Storm-2561, a financially motivated actor it has tracked since May 2025 for SEO-poisoning-driven malware distribution. (microsoft.com)

Context

Storm-2561’s campaign fits an increasingly common “search, click, install” initial access pattern: instead of pushing phishing emails, operators wait for enterprise users to self-select by searching for security and networking tools, then weaponise that trust in search rankings. (microsoft.com)

Independent reporting shows broadly similar SEO poisoning tradecraft being used to distribute trojanised VPN installers and other loaders, including Bing-referrer-dependent content and cloned download sites. (cyjax.com) That matters because credential theft from VPN tooling can become an initial access broker pathway, where stolen remote access credentials are later monetised or used to enable follow-on intrusions. (This is a general risk; Microsoft does not claim a specific follow-on outcome for this activity.) (microsoft.com)

Technical Analysis

1) Initial access: SEO poisoning to spoofed VPN download sites

Microsoft observed the actor abusing SEO to elevate malicious sites for queries such as “Pulse VPN download” and “Pulse Secure client”, with multiple VPN brands spoofed. (microsoft.com)

The reported initial access domains include brand-impersonation infrastructure across several TLDs, including UK and European variants (for example, forticlient.co[.]uk, forticlient-vpn[.]de, sonicwall-netextender[.]nl). (microsoft.com) This aligns with Stage Capabilities: SEO Poisoning (T1608.006). (MITRE ATT&CK)

2) Payload staging and delivery via GitHub-hosted ZIP

Victims clicking “download” were redirected to a GitHub release hosting a ZIP (VPN-CLIENT.zip) containing a malicious MSI. Microsoft states the relevant GitHub repositories were taken down. (microsoft.com)

This behaviour maps cleanly to Stage Capabilities: Upload Malware (T1608.001) and Acquire Infrastructure: Domains (T1583.001). (MITRE ATT&CK)

3) Execution and defence evasion: signed MSI + DLL side-loading

The MSI masquerades as a Pulse Secure installer and drops:

  • Pulse.exe plus malicious DLLs (dwmapi.dll, inspector.dll) into a directory structure resembling legitimate Pulse Secure paths (for example %CommonFiles%\Pulse Secure). (microsoft.com)
  • A loader chain where dwmapi.dll loads shellcode that in turn loads inspector.dll, described by Microsoft as a Hyrax infostealer variant. (microsoft.com)

The malware and DLLs were digitally signed using a certificate associated with “Taiyuan Lihua Near Information Technology Co., Ltd.”, which Microsoft says has since been revoked. (microsoft.com) This strongly supports Subvert Trust Controls: Code Signing (T1553.002). (MITRE ATT&CK)

The side-loading activity aligns with Hijack Execution Flow: DLL (T1574.001), and the installation path mimicry aligns with Masquerading: Match Legitimate Resource Name or Location (T1036.005). (MITRE ATT&CK)

4) Credential theft workflow and exfiltration

Microsoft reports the fake client presents a credential prompt, captures credentials, and exfiltrates them to attacker-controlled infrastructure, including 194.76.226[.]93:8080. (microsoft.com) The Hyrax component also accesses stored VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat. (microsoft.com)

This is consistent with User Execution: Malicious File (T1204.002) and Exfiltration Over C2 Channel (T1041). (MITRE ATT&CK)

5) Persistence and “clean exit” victim deception

Microsoft reports persistence via the Windows RunOnce registry key, configured to execute Pulse.exe on reboot. (microsoft.com) This aligns with Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001). (MITRE ATT&CK)

After stealing credentials, the malware displays an error and instructs the user to install the legitimate VPN client (sometimes opening the real vendor site). If the real client works, users may attribute the earlier failure to a benign issue, reducing reporting and IR trigger likelihood. (microsoft.com)

Impact Assessment

Primary impact: Theft of VPN usernames/passwords and VPN configuration data, enabling unauthorised remote access attempts and follow-on compromise. (microsoft.com)

Operational risk drivers:

  • Users may self-remediate by installing the genuine client after compromise, masking the initial infection. (microsoft.com)
  • The lure set targets widely deployed enterprise remote access software, so exposure is broad across sectors that rely on VPNs and have staff installing clients. (microsoft.com)

Indicators of Compromise

Type | Value | Context / Notes | Source | Confidence
SHA-256 | 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f | GitHub-hosted ZIP (VPN-Client.zip) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 862f004679d3b142d9d2c729e78df716aeeda0c7a87a11324742a5a8eda9b557 | Malicious MSI (VPN-Client.msi) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 6c9ab17a4aff2cdf408815ec120718f19f1a31c13fc5889167065d448a40dfe6 | dwmapi.dll loader | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca | inspector.dll (Hyrax variant) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 44906752f500b61d436411a121cab8d88edf614e1140a2d01474bd587a8d7ba8 | Pulse.exe (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 85c4837e3337165d24c6690ca63a3274dfaaa03b2ddaca7f1d18b3b169c6aac1 | Sophos-Connect-Client.exe (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 98f21b8fa426fc79aa82e28669faac9a9c7fce9b49d75bbec7b60167e21963c9 | GlobalProtect-VPN.exe (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | cfa4781ebfa5a8d68b233efb723dbde434ca70b2f76ff28127ecf13753bfe011 | VPN-Client.exe (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 26db3fd959f12a61d19d102c1a0fb5ee7ae3661fa2b301135cdb686298989179 | vpn.exe (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | eb8b81277c80eeb3c094d0a168533b07366e759a8671af8bfbe12d8bc87650c9 | WiredAccessMethod.dll (signed) | Microsoft Security Blog | High (microsoft.com)
SHA-256 | 8ebe082a4b52ad737f7ed33ccc61024c9f020fd085c7985e9c90dc2008a15adc | PulseSecureService.exe (signed) | Microsoft Security Blog | High (microsoft.com)
IP:Port | 194.76.226[.]93:8080 | Credential and VPN data exfil endpoint | Microsoft Security Blog | High (microsoft.com)
Domain | vpn-connection[.]pro | C2 where stolen credentials are sent | Microsoft Security Blog | Medium (microsoft.com)
Domain | myconnection[.]pro | C2 where stolen credentials are sent | Microsoft Security Blog | Medium (microsoft.com)
Domains | checkpoint-vpn[.]com, cisco-secure-client[.]es, forticlient.co[.]uk, ivanti-pulsesecure[.]com, sonicwall-netextender[.]nl, sophos-connect[.]org, watchguard-vpn[.]com (plus others listed by Microsoft) | Suspected initial access infrastructure | Microsoft Security Blog | Medium (microsoft.com)
URL | github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip | GitHub release URL hosting ZIP (repo removed) | Microsoft Security Blog | Medium (microsoft.com)
Code signing subject | Taiyuan Lihua Near Information Technology Co., Ltd. | Certificate used to sign MSI/DLLs (revoked) | Microsoft Security Blog | High (microsoft.com)

Detection and hunting guidance

Microsoft lists the following Defender detections associated with the activity:

Microsoft also published hunting queries focused on:

  • files signed by the implicated certificate subject, and
  • suspicious DLL loads from folders masquerading as Pulse Secure paths. (microsoft.com)

Example (Microsoft Defender XDR Advanced Hunting, as published by Microsoft): (microsoft.com)

// Query 1: processes whose image file is signed by the implicated certificate subject
let a = DeviceFileCertificateInfo
| where Signer == "Taiyuan Lihua Near Information Technology Co., Ltd."
| distinct SHA1;
DeviceProcessEvents
| where SHA1 in (a)

// Query 2: the side-loaded DLL names loading from folders that imitate Pulse Secure paths
DeviceImageLoadEvents
| where FolderPath contains "Pulse Secure" and FolderPath contains "Program Files"
  and (FolderPath contains "\\JUNS\\" or FolderPath contains "\\JAMUI\\")
| where FileName has_any("inspector.dll", "dwmapi.dll")

MITRE ATT&CK mapping (observed)

Tactic | Technique ID | Technique name | Observed behaviour
Resource Development | T1608.006 (MITRE ATT&CK) | SEO Poisoning | Manipulated search rankings to drive victims to spoofed VPN download sites. (microsoft.com)
Resource Development | T1583.001 (MITRE ATT&CK) | Domains | Registered/used lookalike VPN domains across multiple TLDs. (microsoft.com)
Resource Development | T1608.001 (MITRE ATT&CK) | Upload Malware | Hosted malware ZIP via GitHub releases for direct download. (microsoft.com)
Execution | T1204.002 (MITRE ATT&CK) | User Execution: Malicious File | User runs downloaded MSI masquerading as VPN installer. (microsoft.com)
Defence Evasion | T1553.002 (MITRE ATT&CK) | Code Signing | Signed MSI/DLLs to reduce warnings and bypass weak allow rules. (microsoft.com)
Defence Evasion | T1036.005 (MITRE ATT&CK) | Match Legitimate Name or Location | Mimicked Pulse Secure directory structure and UI. (microsoft.com)
Defence Evasion / Execution Flow | T1574.001 (MITRE ATT&CK) | DLL (incl. sideloading) | Dropped dwmapi.dll and inspector.dll to execute payload chain. (microsoft.com)
Persistence | T1547.001 (MITRE ATT&CK) | Registry Run Keys / Startup Folder | RunOnce persistence for Pulse.exe. (microsoft.com)
Exfiltration | T1041 (MITRE ATT&CK) | Exfiltration Over C2 Channel | Exfiltrated credentials and VPN data to attacker infrastructure. (microsoft.com)

Incident Response Guidance

If you suspect exposure (especially endpoints where users recently installed or “reinstalled” VPN clients after an apparent failure), prioritise:

  1. Credential containment
    • Treat VPN credentials entered into the fake client as compromised and rotate immediately.
    • Review VPN authentication logs for anomalous access attempts, including from unfamiliar geographies and IPs.
  2. Endpoint scoping
    • Hunt for signed artefacts associated with the reported certificate subject and the specific DLL names (dwmapi.dll, inspector.dll) in Pulse Secure-like paths. (microsoft.com)
    • Check for RunOnce persistence entries launching Pulse.exe. (microsoft.com)
  3. Network scoping
    • Block and retrospectively search for outbound connections to 194.76.226[.]93:8080, vpn-connection[.]pro, and myconnection[.]pro. (microsoft.com)
    • Add the spoofed domains to web filtering and DNS controls, and monitor for user navigation to brand-impersonation VPN download sites. (microsoft.com)
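The endpoint-scoping checks above (and the two artefact classes Microsoft's hunting queries target) can be triaged locally on a single Windows host with the following script. It is an added example, not Microsoft's published query or tooling; the signer subject, DLL names and "Pulse Secure" path pattern come from the advisory, while the search roots and the choice of registry hives are assumptions.

```powershell
# Added triage script (not from the Microsoft advisory). Looks for the three host artefacts
# described in the report: RunOnce entries launching Pulse.exe, the side-loaded DLL names in
# Pulse Secure-like folders, and PE files signed by the revoked certificate subject.
# Search roots below are an assumption; extend them to wherever VPN clients are installed.
$SignerSubject = 'Taiyuan Lihua Near Information Technology Co., Ltd.'
$SuspectDlls   = @('dwmapi.dll', 'inspector.dll')
$SearchRoots   = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles, $env:ProgramData) |
                 Where-Object { $_ }   # drop empty entries (e.g. no x86 folder on 32-bit hosts)
$Findings = @()

# 1. RunOnce persistence pointing at Pulse.exe (per-machine and current-user hives)
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
        foreach ($name in $names) {
            if ("$($props.$name)" -match 'Pulse\.exe') {
                $Findings += [pscustomobject]@{ Check = 'RunOnce'; Item = "$key\$name"; Detail = $props.$name }
            }
        }
    }
}

# 2. dwmapi.dll / inspector.dll sitting in a folder that imitates Pulse Secure.
#    dwmapi.dll legitimately lives in System32; a copy beside a VPN binary is the side-load pattern.
$dllHits = Get-ChildItem -Path $SearchRoots -Recurse -File -Include $SuspectDlls -ErrorAction SilentlyContinue |
           Where-Object { $_.FullName -match 'Pulse Secure' }
foreach ($f in $dllHits) {
    $Findings += [pscustomobject]@{ Check = 'SideloadDLL'; Item = $f.FullName; Detail = $f.LastWriteTime }
}

# 3. Any PE in those folders signed by the implicated subject (status may now read as revoked)
$peHits = Get-ChildItem -Path $SearchRoots -Recurse -File -Include '*.exe', '*.dll', '*.msi' -ErrorAction SilentlyContinue |
          Where-Object { $_.FullName -match 'Pulse Secure' }
foreach ($f in $peHits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$SignerSubject*") {
        $Findings += [pscustomobject]@{ Check = 'Signer'; Item = $f.FullName; Detail = $sig.Status }
    }
}

# Any row here warrants credential rotation and the network-scoping steps above
$Findings | Format-Table -AutoSize
```

A legitimate Pulse Secure install will not match check 2 or 3, so an empty table is the expected result on a clean host; run it elevated so HKLM and Program Files are fully readable.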

Mitigation Recommendations

Microsoft’s recommended control set is a good baseline, particularly:

  • Enable cloud-delivered protection, EDR in block mode, network protection, and web protection.
  • Encourage browsers and controls that enforce site reputation checking (for example SmartScreen).
  • Enforce MFA everywhere and remove exceptions; prevent enterprise passwords from being stored or synced in browsers.
  • Enable ASR rules that block low-prevalence or untrusted executables. (microsoft.com)

In addition, organisations should:

  • Standardise software acquisition: mandate VPN installers come from internal software catalogues, device management, or vendor portals, not search results.
  • Restrict installer execution: limit MSI execution to managed workflows, and audit user-driven installs on corporate endpoints.
  • Brand impersonation monitoring: track newly registered, lookalike domains for key remote access vendors used in your environment.

Historical Context

This campaign overlaps with broader industry reporting on SEO poisoning used to deliver trojanised installers and loaders. CYJAX documented Bing-referrer-based SEO poisoning chains delivering trojanised MSI packages for multiple software brands, including PulseSecure and SonicWall-themed lures. (cyjax.com) Zscaler separately reported SEO poisoning that delivered a signed, trojanised Ivanti/Pulse Secure-themed VPN installer and targeted connectionstore.dat, similar to the artefact accessed in Microsoft’s reporting. (zscaler.com)

Future Outlook

Expect continued expansion in:

  • Brand coverage: more security and IT tooling brands used as lures, especially those frequently searched during incident response or remote onboarding.
  • Trust abuse: signed malware, reputable hosting platforms, and post-compromise “legitimisation” steps designed to minimise user suspicion.

Further Reading

  • Microsoft analysis of Storm-2561’s fake VPN client credential theft campaign (microsoft.com)
  • Zscaler research on spoofed Ivanti VPN client sites and credential theft (zscaler.com)
  • CYJAX analysis of Bing SEO poisoning delivering trojanised MSI packages (cyjax.com)
  • MITRE ATT&CK: SEO Poisoning (T1608.006) (MITRE ATT&CK)