Microsoft disclosed a credential theft campaign that uses SEO poisoning to trick users into downloading fake VPN clients that harvest VPN credentials. The activity, attributed to Storm-2561, delivers digitally signed trojans via attacker-controlled sites and abused GitHub repositories to sideload malicious DLLs and deploy information stealers. #Storm-2561 #Hyrax #Bumblebee #Ivanti #SonicWall #GitHub
Key points
- Attackers used SEO poisoning to redirect searches for legitimate VPN software to malicious ZIP files on attacker-controlled sites and GitHub.
- Trojanized MSI installers are digitally signed and sideload malicious DLLs to deploy loaders like Bumblebee and the Hyrax stealer.
- A fake VPN sign-in dialog captures credentials, then displays an error and may redirect victims to the legitimate vendor site.
- The malware establishes persistence via the Windows RunOnce registry key and exfiltrates collected VPN credentials.
- Microsoft removed malicious GitHub repositories and revoked the signing certificate; organizations should enforce MFA and verify download sources.
Read More: https://thehackernews.com/2026/03/storm-2561-spreads-trojan-vpn-clients.html