Microsoft Threat Intelligence has issued a warning about Storm-2561, a financially motivated cybercriminal group active since May 2025. The group uses SEO poisoning to push spoofed VPN download pages to the top of search results, impersonating vendors such as Fortinet, Ivanti, Cisco, SonicWall and others. Victims download trojanized ZIP installers hosted on GitHub that deploy the Hyrax infostealer via DLL side-loading. The malware is signed with a digital certificate that was valid at the time (it has since been revoked), which lets it bypass Windows security warnings. Once credentials have been stolen, the fake client displays a bogus error message and redirects the user to the legitimate vendor site, leaving no obvious sign of compromise. Persistence is established via the Windows RunOnce registry key. Recommended mitigations include enforcing MFA, disabling browser password syncing on managed devices, and enabling Microsoft Defender for Endpoint protections.
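The two host-side behaviours in the summary, a RunOnce value pointing into a user-writable directory and a DLL loaded from the same user-writable directory as the executable that loads it, are what an endpoint hunt would key on. The script below is an added example, not Microsoft's detection logic or anything from the Storm-2561 report: it runs two such rules over Sysmon-style events (field names follow Sysmon Event ID 13, registry value set, and Event ID 7, image loaded). All events, paths and file names in it are constructed for illustration; the signature field is reported but deliberately not used as an allow condition, because the loader described above carried a valid certificate.

```python
"""Hunt Sysmon-style telemetry for RunOnce persistence from a user-writable path
and for DLL side-loading. Added example with constructed sample events."""
import ntpath
import re
from typing import List, Optional

RUNONCE_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
# Directories a standard user can write to. A real VPN client installs under
# Program Files and is started by its service, not from here.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Temp)\\",
    re.IGNORECASE,
)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.match(path))


def command_image(command: str) -> str:
    """Return the executable path from a RunOnce value: the quoted path, else the
    unquoted path up to its extension, else the first token as a fallback."""
    command = command.strip()
    quoted = re.match(r'^"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    unquoted = re.match(r"^(.+?\.(?:exe|dll|cmd|bat|vbs|js|ps1))(?=\s|$)", command, re.IGNORECASE)
    return unquoted.group(1) if unquoted else command.split(" ", 1)[0]


def flag_runonce(event: dict) -> Optional[str]:
    """Sysmon 13: a RunOnce value whose command lives in a user-writable path."""
    if event.get("EventID") != 13:
        return None
    key = str(event.get("TargetObject", ""))
    if not RUNONCE_KEY_RE.search(key):
        return None
    image = command_image(str(event.get("Details", "")))
    if not is_user_writable(image):
        return None
    return f"RunOnce persistence from user-writable path: {key} -> {image}"


def flag_sideload(event: dict) -> Optional[str]:
    """Sysmon 7: a DLL loaded from the same user-writable directory as its loader.
    Signature status is included in the finding but does not suppress it."""
    if event.get("EventID") != 7:
        return None
    image, dll = str(event.get("Image", "")), str(event.get("ImageLoaded", ""))
    if not is_user_writable(dll):
        return None
    if ntpath.dirname(image).lower() != ntpath.dirname(dll).lower():
        return None
    return f"possible DLL side-load: {image} loaded {dll} (Signed={event.get('Signed', 'unknown')})"


def hunt(events: List[dict]) -> List[str]:
    findings = []
    for event in events:
        for rule in (flag_runonce, flag_sideload):
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events (not real telemetry). Names are placeholders.
SAMPLE_EVENTS = [
    # Fake "VPN client" unpacked from a ZIP into %TEMP% registers itself under RunOnce.
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VpnUpdate",
     "Details": r'"C:\Users\alice\AppData\Local\Temp\VPNSetup\vpnclient.exe" /silent'},
    # A legitimate installer finishing from Program Files: not flagged.
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\OneDriveSetup",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe /update"},
    # Signed loader in %TEMP% loads a DLL dropped beside it: flagged despite the signature.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\VPNSetup\vpnclient.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\VPNSetup\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Normal system DLL load: not flagged.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the hunt returns two findings, the RunOnce entry and the side-load, and ignores the two benign events. The same path test is worth applying to the installer itself: a ZIP that extracts a "VPN client" into a user profile directory rather than running a vendor MSI is the first thing to question.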