A new credential theft campaign is targeting workers who search online for enterprise VPN tools. Attackers redirect them to fake sites and trick them into installing malware instead of the legitimate client.
Microsoft Threat Intelligence attributes this activity to a group tracked as Storm-2561, active since May 2025. The group specializes in search engine manipulation and software impersonation.
Hackers manipulate search results to distribute malware
Storm-2561 operates by gaming search engine algorithms. Users searching for terms like “Pulse VPN download” or “Pulse Secure client” find malicious websites ranking at the top of their results. Microsoft observed the group spoofing multiple VPN brands, including Fortinet, Ivanti, and Sophos.
The fake sites look remarkably authentic. They copy the branding and layout of legitimate VPN providers. When visitors click the download button, the sites redirect them to a GitHub repository hosting malicious ZIP files. Microsoft identified two primary domains in this campaign: ivanti-vpn[.]org and vpn-fortinet[.]com.
The ZIP file contains an MSI installer that appears to be genuine VPN client software. The installer’s digital signature reads “Taiyuan Lihua Near Information Technology Co., Ltd.” This signature helps the malware bypass Windows security warnings and makes users trust the setup even more.
Upon installation, it creates a directory structure that closely mirrors an authentic Pulse Secure setup at %CommonFiles%\Pulse Secure. Alongside the main application, the installer drops two suspicious DLL files: inspector.dll and dwmapi.dll.
dwmapi.dll acts as a loader: it runs shellcode that launches inspector.dll, a variant of the Hyrax infostealer. This variant specifically targets VPN credentials and configuration data.
How the fake VPN client steals data
The malicious application presents a sign-in page that closely resembles the legitimate VPN client's. To users it looks like a normal login prompt, and they enter their credentials expecting to connect to their company network.
Instead, the application captures everything they type. The Hyrax infostealer also reads stored VPN configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat. It then sends the stolen credentials and configuration files to an attacker-controlled server at 194.76.226[.]93:8080.
After harvesting the credentials, the fake client shows a convincing error message claiming the installation failed. It then instructs the user to download the legitimate VPN client from official sources, and in some cases even opens the browser to the real VPN website.
The ruse works because users assume the problem was technical, not malicious. Even after they install the legitimate software, they may remain at risk if the VPN itself has unpatched flaws that attackers exploit as a primary entry point for ransomware.
This redirect strategy is remarkably clever. Users who successfully install and use the legitimate software afterward see no signs of compromise. Microsoft Defender Experts noted that users “are likely to attribute the initial installation failure to technical issues, not malware.”
The malware also establishes persistence through the Windows RunOnce registry key. This ensures Pulse.exe runs again when the device reboots.
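As an added example (not from the Microsoft report or its authors), the following Python triage script scans constructed endpoint telemetry records for the indicators described above: the signer name, the two DLLs in the Pulse Secure directory, the connectionstore.dat read, the RunOnce entry for Pulse.exe, and the reported C2 address. The record format and field names are assumptions standing in for an EDR or Sysmon export.

```python
import re

# Indicators quoted in the report. The C2 address appears defanged on the
# page; it is refanged here only so it can be matched against telemetry.
C2_HOST, C2_PORT = "194.76.226.93", 8080
SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."
DROPPED_DLL = re.compile(r"\\Pulse Secure\\(inspector|dwmapi)\.dll$", re.I)
CONN_STORE = re.compile(r"\\Pulse Secure\\ConnectionStore\\connectionstore\.dat$", re.I)

def classify(event):
    """Return a finding label for one telemetry record, or None if nothing matches."""
    kind = event.get("type")
    if kind == "process" and event.get("signer") == SIGNER:
        return "binary signed with reported certificate"
    if kind == "image_load" and DROPPED_DLL.search(event.get("path", "")):
        # dwmapi.dll is also a legitimate Windows DLL under System32, so match on
        # the Pulse Secure install path rather than on the file name alone.
        return "suspicious DLL loaded from Pulse Secure directory"
    if kind == "file_read" and CONN_STORE.search(event.get("path", "")):
        # Legitimate clients read this file too; treat it as a lead to correlate, not proof.
        return "connectionstore.dat read (correlate with other findings)"
    if kind == "registry" and "\\runonce" in event.get("key", "").lower() \
            and "pulse.exe" in event.get("value", "").lower():
        return "RunOnce persistence for Pulse.exe"
    if kind == "network" and (event.get("dst_ip"), event.get("dst_port")) == (C2_HOST, C2_PORT):
        return "connection to reported C2 endpoint"
    return None

def scan(events):
    """Return (index, label) pairs for every record that matches an indicator."""
    return [(i, label) for i, e in enumerate(events) if (label := classify(e)) is not None]

# Constructed sample telemetry (not real logs): five hits and two benign records.
PULSE_DIR = r"C:\Program Files\Common Files\Pulse Secure"   # %CommonFiles%\Pulse Secure
SAMPLE_EVENTS = [
    {"type": "process", "image": PULSE_DIR + r"\Pulse.exe", "signer": SIGNER},
    {"type": "image_load", "path": r"C:\Windows\System32\dwmapi.dll"},   # benign system DLL
    {"type": "image_load", "path": PULSE_DIR + r"\dwmapi.dll"},
    {"type": "file_read", "path": r"C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "value": PULSE_DIR + r"\Pulse.exe"},
    {"type": "network", "dst_ip": "10.0.0.5", "dst_port": 443},           # benign
    {"type": "network", "dst_ip": C2_HOST, "dst_port": C2_PORT},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```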
What users can do to stay protected
Microsoft recommends several defensive measures. Organizations should enable cloud-delivered protection in Microsoft Defender Antivirus. This feature blocks rapidly evolving attacker tools through machine learning.
Endpoint detection and response (EDR) provides a further layer of protection: it allows Microsoft Defender for Endpoint to block unwanted files or programs even when the antivirus engine did not catch them.
Microsoft Defender for Endpoint's network protection and web protection add further layers of defense that work together to protect employees browsing the internet. Encouraging employees to use browsers that support SmartScreen also helps prevent them from reaching potentially harmful web content.
Multifactor authentication remains critical. Organizations should enforce MFA on all accounts and require it from all devices and locations. Companies should also remind employees never to store workplace credentials in password vaults or browsers protected only with personal details.
Microsoft customers can block this threat using attack surface reduction rules. The rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” specifically targets this type of attack.
The Storm-2561 campaign highlights that cybercriminals keep finding new ways to abuse the tools we trust, such as search engines, digital signatures, and brand names. Verifying where we download software from matters more than ever.