Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

Published 16/03/2026 10:25 · Modified 16/03/2026 10:51

Essential information

Published
16/03/2026 10:25
Modified
16/03/2026 10:51
Tags
2026-03-16 code-signing credential-theft hyrax seo poisoning vpn
Related entities
12 observables, 1 intrusion sets (apt), 13 techniques (mitre), 1 malware, 16 others

Description

A credential theft campaign by Storm-2561 exploits SEO poisoning to distribute fake VPN clients. Users searching for legitimate software are redirected to malicious websites hosting ZIP files that contain trojans masquerading as trusted VPN clients. These digitally signed trojans harvest credentials and exfiltrate data to attacker-controlled infrastructure. The campaign uses GitHub repositories, legitimate code-signing certificates, and sophisticated post-theft redirection strategies to avoid detection. The attack chain involves initial access through SEO manipulation, execution of malicious MSI files, credential theft via fake login interfaces, and data exfiltration. Defensive recommendations include enabling cloud-delivered protection, using EDR in block mode, and enforcing multi-factor authentication.

External references