Storm-2561 used search-engine–poisoned pages to redirect users to spoofed VPN download sites and a malicious GitHub repository that distributed signed MSI installers which side‑loaded malicious DLLs. The dropped components (dwmapi.dll and inspector.dll, a Hyrax infostealer variant) captured VPN credentials and connection data from Pulse Secure directories and exfiltrated them to attacker-controlled infrastructure (194.76.226[.]93:8080). #Storm-2561 #Hyrax
Keypoints
- Actors used SEO poisoning and spoofed websites (e.g., vpn-fortinet[.]com, ivanti-vpn[.]org) to push malicious downloads to targets searching for legitimate VPN clients.
- The malicious distribution used a GitHub-hosted ZIP (VPN-CLIENT.zip) containing an MSI that installed Pulse.exe and side‑loaded dwmapi.dll and inspector.dll into a Pulse Secure–like folder.
- dwmapi.dll acted as an in-memory loader that dropped and executed embedded shellcode to launch inspector.dll, a variant of the Hyrax infostealer that harvests credentials and VPN data.
- Stolen credentials and VPN configuration data (e.g., C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat) were exfiltrated to attacker-controlled C2 infrastructure, including 194.76.226[.]93:8080.
- The MSI and malicious files were digitally signed by “Taiyuan Lihua Near Information Technology Co., Ltd.” (certificate later revoked), enabling evasion of security warnings and whitelisting defenses.
- Persistence was established via a RunOnce registry entry for Pulse.exe, and the campaign used post-theft redirection to legitimate VPN downloads to reduce detection and user suspicion.
MITRE Techniques
- No MITRE ATT&CK techniques are explicitly named in the article.
Indicators of Compromise
- [SHA-256] hashes of malicious binaries and installers – 57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f (VPN-CLIENT.zip), 6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca (inspector.dll), and 10 more hashes.
- [IP address] C2 where stolen data is sent – 194.76.226[.]93 (exfiltration endpoint, port 8080).
- [Domain] actor-controlled or suspect initial access domains – vpn-fortinet[.]com (initial access/spoofed site), ivanti-vpn[.]org (initial access domain/GitHub ZIP redirect), and multiple other spoofed VPN domains.
- [URL] download hosting for malicious ZIP – hxxps://github[.]com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip (GitHub URL hosting VPN-CLIENT.zip, repository no longer available).
- [File name] malicious files dropped or executed – inspector.dll (Hyrax infostealer variant), dwmapi.dll (in-memory loader), VPN-Client.msi (suspicious installer), and Pulse.exe (malicious executable masquerading as VPN client).
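The keypoints and the IOC list above translate directly into hunting rules: a copy of dwmapi.dll loaded from anywhere other than the Windows system directories (the side-load), a RunOnce value launching Pulse.exe (the persistence), connections to the C2 address, DNS lookups of the lure domains, the published SHA-256 hashes, and the later-revoked signer name. The script below is an added example written for this page, not code from the article or its authors; the telemetry event layout (`type`, `image`, `key`, `data`, `dst_ip`, `signer`, and so on) is an assumed generic EDR/Sysmon-style shape, and the sample events are constructed to exercise each rule once. Only the two hashes printed on this page are included; the "10 more hashes" are not reproduced here.

```python
"""Hunting rules for the Storm-2561 VPN-client lure, run over constructed sample telemetry.

Added example for this page; not the article's own code. Event field names are assumed,
not taken from any particular product.
"""
from pathlib import PureWindowsPath

# Indicators copied from the IOC list on this page (defanged brackets removed).
IOC_SHA256 = {
    "57a50a1c04254df3db638e75a64d5dd3b0d6a460829192277e252dc0c157a62f": "VPN-CLIENT.zip",
    "6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca": "inspector.dll",
}
IOC_C2_IPS = {"194.76.226.93"}
IOC_DOMAINS = {"vpn-fortinet.com", "ivanti-vpn.org"}
IOC_SIGNER = "taiyuan lihua near information technology co., ltd."
# Legitimate homes of dwmapi.dll; a copy loaded from anywhere else is a side-load candidate.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def dwmapi_sideload(ev):
    """ImageLoad of dwmapi.dll from outside the Windows system directories."""
    if ev["type"] != "image_load":
        return False
    img = PureWindowsPath(ev["image"].lower())
    return img.name == "dwmapi.dll" and str(img.parent) not in SYSTEM_DLL_DIRS


def c2_connection(ev):
    """Outbound connection to the exfiltration address (any port, so a port change is still caught)."""
    return ev["type"] == "network" and ev["dst_ip"] in IOC_C2_IPS


def runonce_pulse(ev):
    """RunOnce value whose data launches Pulse.exe (the persistence described above)."""
    if ev["type"] != "registry_set":
        return False
    return "\\currentversion\\runonce" in ev["key"].lower() and "pulse.exe" in ev["data"].lower()


def known_hash(ev):
    """Any event carrying one of the published SHA-256 values."""
    return ev.get("sha256", "").lower() in IOC_SHA256


def lure_domain(ev):
    """DNS query for one of the spoofed VPN vendor domains."""
    return ev["type"] == "dns" and ev["query"].lower().rstrip(".") in IOC_DOMAINS


def revoked_signer(ev):
    """Authenticode signer matching the (since revoked) certificate subject."""
    return ev.get("signer", "").lower() == IOC_SIGNER


RULES = {
    "dwmapi_sideload": dwmapi_sideload,
    "c2_connection": c2_connection,
    "runonce_pulse": runonce_pulse,
    "known_hash": known_hash,
    "lure_domain": lure_domain,
    "revoked_signer": revoked_signer,
}


def hunt(events):
    """Return (event_id, rule_name) for every rule that fires on every event, in input order."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry: one true positive per rule plus benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "image_load", "process": r"C:\Program Files\Pulse Secure\Pulse.exe",
     "image": r"C:\Program Files\Pulse Secure\dwmapi.dll"},            # side-load
    {"id": 2, "type": "image_load", "process": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\dwmapi.dll"},                       # legitimate load
    {"id": 3, "type": "network", "process": "Pulse.exe", "dst_ip": "194.76.226.93", "dst_port": 8080},
    {"id": 4, "type": "network", "process": "chrome.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"id": 5, "type": "registry_set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Pulse",
     "data": r"C:\Program Files\Pulse Secure\Pulse.exe"},
    {"id": 6, "type": "registry_set",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 7, "type": "file_create", "path": r"C:\Program Files\Pulse Secure\inspector.dll",
     "sha256": "6129d717e4e3a6fb4681463e421a5603b640bc6173fb7ba45a41a881c79415ca"},
    {"id": 8, "type": "dns", "query": "vpn-fortinet.com"},
    {"id": 9, "type": "signature", "path": r"C:\Users\a\Downloads\VPN-Client.msi",
     "signer": "Taiyuan Lihua Near Information Technology Co., Ltd."},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Two caveats when applying this to real data. A RunOnce value deletes itself once it has executed, so hunt for the registry-set event in historical telemetry rather than relying on a later scan of the live key. And the side-load rule keys on the loaded path, not on the loading process, so it also catches the same dwmapi.dll planted next to a different host binary.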