Credential-stealing crew spoofs Ivanti, Fortinet, Cisco VPNs
Briefly

"Storm-2561 is a newish criminal gang that has been around since May 2025, and typically uses SEO positioning and vendor impersonation to distribute malware. The crew gains initial access to victims by manipulating search results and pushes malicious websites masquerading as enterprise VPN updates to the top of the list."
"Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files. The installer sideloads malicious dynamic link library (DLL) files, dwmapi.dll and inspector.dll, during installation, and the phony VPN software prompts the user to enter their credentials."
"This captures the usernames and passwords, and then sends them to an attacker-controlled command-and-control server, all the while appearing to be a legitimate client application. The MSI file and malicious DLLs are signed with a valid - and now revoked - digital certificate."
Storm-2561, a criminal group active since May 2025, runs credential-theft campaigns built on fake enterprise VPN clients that impersonate major vendors, including Check Point, Cisco, Fortinet, and Ivanti. The group manipulates search engine results so that malicious websites posing as the legitimate VPN vendors appear at the top of the rankings. When users search for a VPN client (for example "Pulse VPN download"), they land on spoofed vendor pages that redirect to malicious GitHub repositories hosting the fake clients as MSI installer files. During installation, these files sideload malicious DLLs; the phony VPN client then prompts users for their credentials, which are captured and sent to attacker-controlled servers while the application continues to look legitimate.
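The sideloading step above is the part a defender can hunt for in endpoint telemetry: a DLL that normally lives in the Windows system directories (the article names dwmapi.dll) being loaded from an installer's working directory instead. The script below is an added illustration, not code from the article or from any of the vendors mentioned. It runs a simple location-based check over a handful of constructed image-load records that are loosely modelled on a Sysmon "Image loaded" event; the key=value layout, the field names (Image, ImageLoaded, Signed) and the paths are all assumptions made for this example, and the baseline of "DLLs that should only load from System32/SysWOW64" is deliberately tiny so you can substitute your own.

```python
"""Flag loads of well-known Windows DLLs from outside the system directories,
the pattern behind the dwmapi.dll sideload described in the article."""
import re
from pathlib import PureWindowsPath

# Constructed sample records (not real telemetry), loosely modelled on a
# Sysmon "Image loaded" record: the loading process, the DLL path and whether
# the DLL carried a signature. Layout and field names are an assumption.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\dwm.exe ImageLoaded=C:\Windows\System32\dwmapi.dll Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\VPNClientSetup\setup.exe "
    r"ImageLoaded=C:\Users\alice\AppData\Local\Temp\VPNClientSetup\dwmapi.dll Signed=true",
    r"Image=C:\Program Files\VPNClient\vpnclient.exe "
    r"ImageLoaded=C:\Program Files\VPNClient\inspector.dll Signed=true",
    r"Image=C:\Windows\explorer.exe ImageLoaded=C:\Windows\SysWOW64\dwmapi.dll Signed=true",
]

# Directories from which the baseline DLLs are expected to load (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that should only ever be resolved from SYSTEM_DIRS. Only the DLL
# named in the article is listed here; a real baseline would be much larger.
BASELINE_SYSTEM_DLLS = {"dwmapi.dll"}


def parse_event(line: str) -> dict:
    """Split a 'Key=value Key=value' line into a dict with lower-cased keys.

    Values may contain spaces (e.g. 'Program Files'); a value ends where the
    next 'Key=' token begins or at end of line.
    """
    return {k.lower(): v for k, v in re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def is_sideload_candidate(event: dict) -> bool:
    """True when a baseline system DLL name is loaded from a non-system path."""
    loaded = PureWindowsPath(event["imageloaded"])
    if loaded.name.lower() not in BASELINE_SYSTEM_DLLS:
        return False
    return str(loaded.parent).lower() not in SYSTEM_DIRS


def find_sideload_candidates(lines) -> list:
    """Return (loading image, loaded DLL, signed flag) for each suspicious load.

    The signed flag is reported but never used to suppress a finding: the
    article notes the malicious DLLs carried a certificate that was valid at
    the time, so a signature alone does not clear a load from an odd location.
    """
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_sideload_candidate(event):
            hits.append((event["image"], event["imageloaded"], event.get("signed")))
    return hits


if __name__ == "__main__":
    for image, dll, signed in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible sideload: {dll} loaded by {image} (signed={signed})")
```

Two limits are worth keeping in mind. A name-only baseline catches dwmapi.dll loaded from a Temp folder but says nothing about a DLL such as inspector.dll that has no system namesake, so the third record above is not flagged; for that you need a separate view of what the installer dropped and from where. And because the DLLs in this campaign were signed, the check reports the signature state instead of treating "signed" as benign; checking the certificate against revocation data is a separate step.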
Read at The Register