Threat actor Storm-2561 is distributing spoofed enterprise VPN clients that impersonate vendors such as Ivanti, Cisco, and Fortinet, using search-result poisoning to redirect users to malicious sites. The fake MSI installs Pulse.exe together with a loader (dwmapi.dll) and the Hyrax infostealer (inspector.dll), which captures credentials and VPN configuration data. The payload is signed with a since-revoked Taiyuan Lihua certificate, persists via a RunOnce key, and redirects victims to the real vendor site once the data has been stolen. #Storm-2561 #Hyrax
Key points
- Storm-2561 uses SEO poisoning to redirect users searching for legitimate VPN clients to convincing spoofed vendor sites.
- The campaign targeted multiple vendors including Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, and WatchGuard.
- A GitHub-hosted ZIP delivered a fake MSI that installs Pulse.exe, drops dwmapi.dll, and deploys a Hyrax infostealer (inspector.dll).
- The malware steals entered credentials and the VPN connectionsstore.dat file, is signed with a now-revoked Taiyuan Lihua certificate, and creates RunOnce persistence.
- Microsoft advises enabling cloud-delivered Defender protection, running EDR in block mode, enforcing MFA, using SmartScreen-enabled browsers, and applying provided IoCs and hunting guidance.