Storm-2561 Uses SEO Poisoning to Distribute Fake VPN Clients for Credential Theft
Executive Summary
In a sophisticated campaign targeting enterprise environments, the threat actor Storm-2561 has resumed operations by leveraging Search Engine Optimization (SEO) poisoning to distribute malicious VPN clients. Active since May 2025, this cybercriminal group has refined its tactics to bypass user skepticism and detection mechanisms. By manipulating search engine rankings to redirect users searching for legitimate enterprise software to malicious ZIP files, Storm-2561 deploys digitally signed trojans that masquerade as trusted VPN clients. These malicious payloads are designed to harvest VPN credentials, posing a significant risk to organizations relying on remote access solutions. Security professionals need to understand the attack chain, the specific infrastructure used, and how SecLookup is actively mitigating this threat.
Threat Analysis
The Storm-2561 attack chain represents a blend of social engineering and supply chain compromise. Unlike generic phishing attempts, this campaign targets users with high intent—individuals actively searching for specific enterprise VPN solutions. This intent reduces the user's hesitation to download and execute software, creating a high-success-rate vector for credential theft.
TTPs and Attack Chain
The campaign begins with SEO Poisoning (T1566.001 - Spearphishing Link). Attackers register domains that closely resemble legitimate software vendors, utilizing slight misspellings or geographic suffixes (e.g., forticlient-vpn.de instead of forticlient.de). When users search for standard enterprise software, these malicious domains often rank higher in search results than the legitimate vendor sites.
Once a user clicks the malicious link, they are directed to a landing page hosting a malicious ZIP file. According to the Microsoft Threat Intelligence report, these files are hosted on GitHub repositories (which have since been taken down) and attacker-controlled websites.
The critical phase of this attack involves Code Signing Abuse (T1546.004). The extracted installer is a trojan that is digitally signed. While the attacker used a legitimate certificate, it has since been revoked. This digital signature is intended to bypass standard operating system warnings and heuristic antivirus engines, which often flag unsigned executables as suspicious. By leveraging a trusted signature, the malware gains a "halo effect," making it appear legitimate to the user and the system's security stack.
Technical Implementation
The malware payload, once executed, behaves exactly like a standard VPN client. However, instead of establishing a secure tunnel, it captures the user's credentials—typically usernames and passwords—and exfiltrates them to a C2 (Command and Control) server. This technique is particularly dangerous because it targets users who are actively trying to access their corporate networks, making them vulnerable to credential harvesting during a time of high urgency.
MITRE ATT&CK Mapping
T1566.001: Spearphishing Link: Attackers manipulate search results to deliver malicious payloads.
T1195: Supply Chain Compromise: The distribution mechanism involves exploiting the trust associated with software vendors.
T1546.004: Event Triggered Execution via Code Signing: The malware is signed with a certificate that was valid at signing time and has since been revoked, using the signature to evade detection and gain execution.
Indicators of Compromise (IOCs)
SecLookup's threat intelligence platform has analyzed the infrastructure associated with this Storm-2561 campaign. We have identified numerous malicious domains, files, and infrastructure elements designed to facilitate this credential theft campaign. All of the following IOCs have been confirmed malicious.
Malicious Domains
cisco-secure-client.es
forticlient-vpn.de
sophos-connect.org
myconnection.pro
sonicwall-netextender.nl
pn-connection.pro
forticlient-vpn.it
ivanti-vpn.org
forticlient.co.uk
forticlient-vpn.fr
forticlient.ca
ivanti-secure-access.de
IP Addresses
194.76.226.93
File Hashes (SHA-256)
Malicious URL
https://github.com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip
SecLookup Detection
SecLookup is actively monitoring the threat landscape and has integrated these IOCs into our threat intelligence platform. We have successfully detected and blocked the following malicious domains (cisco-secure-client.es, forticlient-vpn.de, sophos-connect.org, myconnection.pro, sonicwall-netextender.nl, pn-connection.pro, forticlient-vpn.it, ivanti-vpn.org, forticlient.co.uk, forticlient-vpn.fr, forticlient.ca, ivanti-secure-access.de) and their associated file hashes to protect our users from this credential theft campaign. Our systems are configured to prevent connections to these IPs and block the execution of the identified malicious binaries.
Recommendations
To defend against the Storm-2561 campaign and similar SEO poisoning attacks, we recommend the following security measures:
Verify Official Sources: Always verify software downloads through official vendor websites. If you cannot find the software on the official vendor's site, do not download it from search results.
Check Certificate Revocation: Even if an executable is digitally signed, verify that the certificate is not revoked. You can do this using tools like certutil -verify or by checking the certificate chain in your endpoint protection software.
Monitor Network Traffic: Use network monitoring tools to detect connections to domains that closely resemble legitimate software vendors but are not on your allowlist.
Enable Phishing-Resistant MFA: Ensure that Multi-Factor Authentication (MFA) is enforced for VPN access. If credentials are stolen, MFA adds a critical layer of defense, preventing unauthorized access even if the user's password is compromised.
Endpoint Detection and Response (EDR): Ensure your EDR solution is configured to detect and block the execution of unsigned or suspicious binaries (including binaries whose signing certificate has since been revoked, as in this campaign), and monitor for credential dumping activities.
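As an added example that is not code from SecLookup or the Microsoft report, the following Python script applies the "Monitor Network Traffic" recommendation: it checks DNS query logs against the IOC domains and IP address listed above and flags lookalike domains that carry a vendor brand token outside an allowlist. The vendor allowlist, brand tokens, public-suffix list, log format and sample log lines are assumptions constructed for this demo.

```python
import re
# Confirmed-malicious domains and IP address from the IOC list on this page.
STORM_2561_DOMAINS = {
    "cisco-secure-client.es", "forticlient-vpn.de", "sophos-connect.org",
    "myconnection.pro", "sonicwall-netextender.nl", "pn-connection.pro",
    "forticlient-vpn.it", "ivanti-vpn.org", "forticlient.co.uk",
    "forticlient-vpn.fr", "forticlient.ca", "ivanti-secure-access.de",
}
STORM_2561_IPS = {"194.76.226.93"}
# Assumed vendor allowlist and brand tokens (example values chosen for this demo, not from the page).
VENDOR_ALLOWLIST = {"fortinet.com", "cisco.com", "sophos.com", "sonicwall.com", "ivanti.com"}
BRAND_TOKENS = ("forticlient", "fortinet", "cisco", "sophos", "sonicwall", "netextender", "ivanti")
# Minimal two-label public suffixes so that forticlient.co.uk is reduced correctly (assumption: short list).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

def registrable_domain(fqdn):
    """Crude eTLD+1 extraction: 'cdn.forticlient-vpn.de' -> 'forticlient-vpn.de'."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(fqdn, dst_ip=None):
    """Return 'ioc' (known-bad domain or IP), 'lookalike' (brand token outside the allowlist) or None."""
    reg = registrable_domain(fqdn)
    if reg in STORM_2561_DOMAINS or dst_ip in STORM_2561_IPS:
        return "ioc"
    if reg in VENDOR_ALLOWLIST:
        return None
    host = reg.split(".")[0]  # label left of the public suffix, e.g. 'forticlient-vpn'
    return "lookalike" if any(token in host for token in BRAND_TOKENS) else None

LOG_RE = re.compile(r"query=(?P<q>\S+)\s+answer=(?P<a>\S+)")

def scan_dns_log(lines):
    """Run classify() over 'query=<name> answer=<ip>' log lines; return (name, verdict) alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (verdict := classify(m["q"], m["a"])):
            alerts.append((m["q"], verdict))
    return alerts

# Constructed sample DNS log lines (not real telemetry; the IP pairing is illustrative only).
SAMPLE_LOG = [
    "2025-06-01T09:12:03Z host=ws-17 query=download.cisco.com answer=203.0.113.10",
    "2025-06-01T09:14:41Z host=ws-17 query=forticlient-vpn.de answer=194.76.226.93",
    "2025-06-01T09:15:02Z host=ws-22 query=forticlient-download.net answer=198.51.100.7",
    "2025-06-01T09:16:30Z host=ws-22 query=example.com answer=203.0.113.50",
]
```

The brand-token match is a substring heuristic, so unrelated domains containing a token (for example "cisco" inside another word) will also be flagged as lookalikes; tune the token list and allowlist to your environment before alerting on it.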
References
- Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft by Microsoft Threat Intelligence and Microsoft Defender Experts, Microsoft Security Blog