Full Report
A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users. [...]
Analysis Summary
# Threat Actor: Storm-2561
## Attribution & Identity
Storm-2561 is a threat actor tracked by Microsoft. It is currently categorized as a "Storm" group, a designation typically used for emerging, developing, or uniquely identified clusters of threat activity where a permanent naming convention (e.g., a "Forest" or "Blizzard" name) has not yet been assigned.
## Activity Summary
In early 2026, Storm-2561 was observed conducting a large-scale credential theft campaign. The actor leverages Search Engine Optimization (SEO) poisoning to lure users searching for enterprise VPN software to malicious, spoofed websites. These sites host fake installers that deploy infostealing malware while mimicking legitimate VPN brands to harvest corporate login credentials.
## Tactics, Techniques & Procedures
* **SEO Poisoning:** Manipulating search engine results for terms like "Pulse VPN download" to direct traffic to malicious infrastructure.
* **Brand Impersonation:** Creating high-fidelity spoofed websites mimicking legitimate security vendors.
* **DLL Side-Loading:** Use of a malicious loader (`dwmapi.dll`) to execute the primary payload.
* **Credential Harvesting:** Utilizing fake login interfaces to capture user inputs in real-time.
* **Persistence:** Establishing persistence via the Windows `RunOnce` registry key to ensure the malware survives reboots.
* **Social Engineering:** Displaying fake installation errors and redirecting victims to legitimate download sites to mask the infection.
* **Code Signing:** Using a legitimate (now revoked) digital certificate from *Taiyuan Lihua Near Information Technology Co., Ltd.*
* **MITRE ATT&CK IDs:**
  * T1583 (Acquire Infrastructure)
  * T1566.002 (Phishing: Spearphishing Link/Web)
  * T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  * T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  * T1555 (Credentials from Password Stores)
## Targeting
* **Sectors:** Broadly targets multiple enterprise sectors, specifically focusing on organizations utilizing remote access solutions.
* **Geography:** Global (implied by the use of international VPN brands).
* **Victims:** Users and employees of organizations utilizing the following VPN solutions:
  * Ivanti / Pulse Secure
  * Cisco
  * Fortinet
  * Sophos
  * SonicWall
  * Check Point
  * WatchGuard
## Tools & Infrastructure
* **Malware Families:**
  * **Hyrax Infostealer:** A variant (identified as `inspector.dll`) used to capture credentials and configuration files.
  * **Payloads:** `Pulse.exe` (malicious installer), `dwmapi.dll` (loader).
* **Infrastructure:**
  * GitHub (previously used to host malicious ZIP archives).
  * Spoofed domains mimicking legitimate vendors (e.g., `ivanti[.]com` or `fortinet[.]com` clones).
  * File-based indicator: `connectionsstore.dat` (the VPN connection store the malware targets for exfiltration).
## Implications
Storm-2561 represents a significant risk to the integrity of the corporate perimeter. By stealing VPN credentials and configuration data (`connectionsstore.dat`), the actor gains the ability to bypass external defenses and obtain unauthorized access to internal corporate networks. The use of a legitimately issued (since revoked) code-signing certificate together with SEO poisoning reflects a deliberate approach to defeating both reputation-based web filtering and user skepticism.
## Mitigations
* **Endpoint Defense:** Enable cloud-delivered protection and ensure EDR (Endpoint Detection and Response) is set to "block mode."
* **Identity Management:** Enforce Multi-Factor Authentication (MFA) to prevent stolen credentials from being used to access the network.
* **Web Security:** Use browsers with SmartScreen or a similar reputation-based URL filter enabled, and block the relevant web categories, so that access to spoofed vendor domains is denied.
* **Software Provisioning:** Educate users to download software only from internal company portals or verified, official vendor URLs.
* **Monitoring:** Use the provided Microsoft IoCs (Indicators of Compromise) to hunt for unauthorized registry modifications in `RunOnce` or suspicious DLLs in `%CommonFiles%` directories.
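The following PowerShell hunting script is an added example and is not code from the Microsoft report; it ties together the DLL side-loading and `RunOnce` persistence techniques listed under Tactics, Techniques & Procedures with the Monitoring mitigation above. It enumerates `RunOnce` values, searches the Common Files directories for the file names named on this page (`dwmapi.dll`, `inspector.dll`, `Pulse.exe`), flags any `dwmapi.dll` found outside `System32`/`SysWOW64`, and reports each hit's Authenticode status so a file signed with the revoked certificate stands out. Mapping `%CommonFiles%` onto `%CommonProgramFiles%` and `%CommonProgramFiles(x86)%`, and the output layout, are this example's own assumptions.

```powershell
# Added hunting script; not taken from the Microsoft report. Assumes it is run in an
# elevated PowerShell session on the endpoint being checked. File names and locations
# (dwmapi.dll, inspector.dll, Pulse.exe, RunOnce, Common Files) come from the page;
# treating %CommonFiles% as %CommonProgramFiles% / %CommonProgramFiles(x86)% is an assumption.

$SuspectNames = @('dwmapi.dll', 'inspector.dll', 'Pulse.exe')

# The only directories where dwmapi.dll legitimately lives; a copy elsewhere is a side-loading signal.
$LegitDwmapiDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

function Get-RunOnceEntries {
    # Enumerate RunOnce values for the machine hive and the current user's hive.
    # Other users' hives are only visible here if they are loaded under HKEY_USERS.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $key = Get-Item -Path $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $p
                Name    = $name
                Command = $key.GetValue($name)
            }
        }
    }
}

function Find-SuspectFiles {
    # Walk both Common Files trees and return files whose name matches one of the report's file names.
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $SuspectNames -contains $_.Name }
    }
}

function Get-SignatureReport {
    param([System.IO.FileInfo]$File)
    # Anything other than 'Valid' (including a chain ending in a revoked certificate)
    # deserves a manual look; the signer subject helps spot the certificate named in the report.
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    $note = ''
    if ($File.Name -ieq 'dwmapi.dll' -and $LegitDwmapiDirs -notcontains $File.DirectoryName) {
        $note = 'dwmapi.dll outside System32/SysWOW64: possible DLL side-loading'
    }
    [pscustomobject]@{
        Path   = $File.FullName
        Status = $sig.Status
        Signer = $signer
        Note   = $note
    }
}

Write-Output '== RunOnce entries (review any command pointing into a user-writable path or Common Files) =='
Get-RunOnceEntries | Format-Table -AutoSize

Write-Output '== Suspect file names under Common Files, with Authenticode status =='
Find-SuspectFiles | ForEach-Object { Get-SignatureReport -File $_ } | Format-Table -AutoSize
```

The script reports rather than removes: a `RunOnce` value or a `dwmapi.dll` next to an application binary is only a lead, and the Authenticode status and signer subject give the analyst the context needed to compare the hit against the IoCs published with the report before taking action.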