
"The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients while harvesting VPN credentials."
"Microsoft said the activity highlights how threat actors exploit trust in search engine rankings and software branding as a social engineering tactic to steal data from users looking for enterprise VPN software. Compounding matters is the abuse of trusted platforms like GitHub to host the installer files."
"The GitHub repository hosts a ZIP file containing an MSI installer file that masquerades as legitimate VPN software, but sideloads malicious DLL files during installation. The end goal, as before, is to collect and exfiltrate VPN credentials."
Storm-2561, a threat activity cluster active since May 2025, conducts credential theft campaigns using SEO poisoning techniques. The group redirects users searching for legitimate enterprise VPN software to attacker-controlled websites hosting malicious ZIP files containing trojans disguised as trusted VPN clients. These digitally signed malware installers harvest VPN credentials from infected machines. Microsoft observed this activity in mid-January 2026. The campaign exploits user trust in search engine rankings and software branding as social engineering tactics. Attackers abuse legitimate platforms like GitHub to host installer files, with MSI installers sideloading malicious DLL files during installation to collect and exfiltrate VPN credentials.
Read at The Hacker News