Microsoft Warns of SEO Poisoning Campaign Spreading Fake VPN Apps to Steal Credentials

Kinyua Njeri (Sam Kin)  - Tech Expert
Last updated: March 18, 2026
  • Hackers manipulate search engine results to trick users into downloading fake VPN apps that steal corporate credentials.
  • The campaign targets users searching for legitimate VPN clients from trusted brands like Cisco, Fortinet, and Check Point.
  • Microsoft attributes the attacks to Storm-2561, a threat actor that has been impersonating popular software vendors since May 2025.

A sophisticated cybercrime operation is hijacking search results to distribute malicious software disguised as trusted VPN applications. Users searching for legitimate virtual private network tools are landing on fake websites that look identical to the real thing.

Microsoft just exposed this campaign. The tech giant warns that hackers use SEO poisoning techniques to manipulate search rankings. This pushes their malicious sites to the top of search results, right where unsuspecting users click first.

Hackers weaponize search results

Microsoft discovered that cybercriminals actively game search engine algorithms to promote fraudulent websites. The attackers specifically target people looking for enterprise VPN software from well-known security vendors.

The campaign mimics legitimate VPN clients from Ivanti, Cisco, Check Point, SonicWall, Fortinet, WatchGuard, and Sophos. Hackers create convincing replica websites that mirror the authentic vendor pages almost perfectly.

This same technique of creating convincing replica websites is used in Facebook password phishing schemes, where attackers build fake login pages that look exactly like the real Facebook site, hoping users won’t notice the difference before entering their credentials.

Users who click these poisoned search results get redirected to the spoofed sites. The fake pages host download links that appear legitimate. However, the download actually points to a malicious GitHub repository controlled by the attackers.

The repository contains a ZIP file with a Microsoft Windows Installer (MSI) file inside. This installer runs a malicious payload during the setup process: it sideloads harmful dynamic link library (DLL) files onto the victim’s system, a technique that avoids raising immediate suspicion because the loading is done by the installer itself.

How the fake VPN operates

The fraudulent VPN software doesn’t provide any actual VPN services. Instead, it functions as a credential harvester. The malware captures login credentials as soon as victims enter their passwords and VPN configuration details.

The program displays a login window that closely resembles the authentic VPN client interface. This visual deception convinces users they’re interacting with legitimate software. Meanwhile, the malware silently exfiltrates their credentials to the attackers’ command-and-control servers.

To ensure persistent access, the malware establishes a backdoor during installation. It adds an entry under the Windows RunOnce registry key so that the malicious program is launched automatically when the infected device restarts.
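The RunOnce persistence described above is one of the few artifacts of this infection a defender can look for directly. The following PowerShell audit is an added example, not code from the article or from Microsoft’s report: it lists every Run and RunOnce autostart value for the machine and the current user, resolves the executable each one points at, and flags targets that live outside the Windows or Program Files trees or that do not carry a valid Authenticode signature. The trusted-root list and the flagging rule are assumptions chosen for illustration, not indicators published for this campaign.

```powershell
# Added example (not from the Microsoft report): audit Run/RunOnce autostart entries
# and flag values whose target sits outside the usual install locations or is unsigned.
# The trusted roots below are an assumption for illustration, not campaign indicators.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where a legitimate autostart target is expected to live.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-TargetPath {
    param([string]$Command)
    # Take the quoted path if present, otherwise the first token; drop any arguments.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-Autostart {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }

            $target   = Get-TargetPath -Command ([string]$prop.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($target)

            $inTrusted = $trustedRoots | Where-Object {
                $expanded.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            }
            $sigStatus = if (Test-Path $expanded) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else { 'FileMissing' }

            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Target     = $expanded
                Signature  = $sigStatus
                Suspicious = (-not $inTrusted) -or ($sigStatus -ne 'Valid')
            }
        }
    }
}

# Show only the entries worth a second look.
Test-Autostart | Where-Object Suspicious | Format-Table -AutoSize
```

A flagged entry is a lead, not a verdict: plenty of legitimate software writes a RunOnce value from a temporary or user-profile path during setup. What should stand out is an entry that appeared at the same time as a failed VPN install and points at a binary the vendor never shipped.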

After successfully stealing the credentials, the fake installer displays a realistic error message. The message informs users that the installation failed due to technical issues. It then helpfully instructs them to download the genuine VPN client from the official vendor website.

“Users are likely to attribute the initial installation failure to technical issues, not malware,” Microsoft explained in a recent security blog post. “If users succeed in installing and using legit VPN software later on, and the connection doesn’t flop as anticipated, there are no signs of compromise to the end user.”

This clever social engineering tactic masks the attack completely. Victims install the real VPN client next, which works perfectly. They never suspect that malware has already compromised their system and stolen their credentials.

The threat actor behind the campaign

Microsoft Threat Intelligence and Microsoft Defender Experts traced these attacks to Storm-2561. This threat actor started operations in May 2025 and has built a reputation for impersonating popular software vendors.

Storm-2561 specifically targets enterprise users who need VPN access for remote work. Corporate credentials provide attackers with valuable entry points into business networks. Once criminals obtain these credentials, they can access sensitive company resources, steal proprietary data, or deploy ransomware.

The use of SEO poisoning makes this campaign particularly dangerous. Most users trust search engines to deliver legitimate results. They rarely scrutinize the top-ranking links, especially when searching for well-known software.

Organizations need to educate employees about these risks. Always verify download sources carefully. Navigate directly to vendor websites rather than clicking search results. Enable multi-factor authentication on all VPN connections to add an extra security layer.
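The advice to verify download sources can be turned into a concrete pre-install check. The function below is an added example, not code from the article or from any VPN vendor: before an installer is run, it confirms that the download came from a host on the vendor’s own allow-list (so a GitHub repository or look-alike domain fails), that the file carries a valid Authenticode signature, and that the signing certificate’s subject names the publisher you expected. The installer path, publisher name, source URL and allowed hosts in the call at the bottom are placeholders to be replaced with the real values for the product in question.

```powershell
# Added example (not the page's or a vendor's code): gate installer execution on
# download origin and code-signing identity. All values in the sample call are
# placeholders; substitute the vendor's real download host and certificate subject.

function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)] [string]   $InstallerPath,
        [Parameter(Mandatory)] [string]   $ExpectedPublisher,  # CN value from the vendor's real certificate
        [Parameter(Mandatory)] [string]   $SourceUrl,
        [Parameter(Mandatory)] [string[]] $AllowedHosts        # the vendor's own download hosts
    )

    $result = [ordered]@{
        Path         = $InstallerPath
        SourceHostOk = $false
        SignatureOk  = $false
        PublisherOk  = $false
    }

    # 1. The download must originate from the vendor's domain, not from a
    #    code-hosting site or a look-alike domain surfaced by a search result.
    $uri = [uri]$SourceUrl
    $result.SourceHostOk = ($AllowedHosts -contains $uri.Host)

    # 2. The file must carry a signature that chains to a trusted root and
    #    whose hash still matches the file (Status is 'Valid' only then).
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # 3. The signer must be the vendor you intended to download from; a valid
    #    signature from some other publisher is still the wrong installer.
    if ($sig.SignerCertificate) {
        $result.PublisherOk = ($sig.SignerCertificate.Subject -like "*CN=$ExpectedPublisher*")
    }

    $result.Verdict = if ($result.SourceHostOk -and $result.SignatureOk -and $result.PublisherOk) {
        'OK to install'
    } else {
        'Do not run'
    }
    [pscustomobject]$result
}

# Placeholder values; replace with the real download location and publisher name.
Test-InstallerProvenance -InstallerPath 'C:\Downloads\vpn-client.msi' `
    -ExpectedPublisher 'Example Vendor, Inc.' `
    -SourceUrl 'https://downloads.example-vendor.invalid/vpn-client.msi' `
    -AllowedHosts @('downloads.example-vendor.invalid')
```

All three checks have to pass. A valid signature alone is not enough, because attackers can sign their own binaries; the publisher comparison is what ties the file to the vendor, and the host check catches the case this campaign relies on, where the page looks right but the download link points somewhere else.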

Storm-2561’s tactics show how cybercriminals continue evolving their methods. They exploit the trust users place in search engines and familiar brand names. Staying alert and questioning unexpected installation errors could be the difference between a close call and a major security breach.

About the Author

Kinyua Njeri is a journalist, blogger, and freelance writer. He’s a technology geek but mainly an internet privacy and freedom advocate. He has an unquenchable nose for news and loves sharing useful information with his readers. When not writing, Kinyua plays and coaches handball. He loves his pets!
