Storm-2561 Distributes Fake Enterprise VPN Clients From Cisco, Fortinet, and Ivanti via SEO Poisoning to Steal Corporate Credentials
Microsoft has disclosed a credential theft campaign by Storm-2561, a criminal group active since May 2025, that distributes fake enterprise VPN clients from major vendors through SEO poisoning. The fake client captures corporate credentials and then points the victim at the real vendor download, so that little indication of compromise remains on the endpoint.
The campaign, running since mid-January 2026, spoofs VPN products from Cisco, Fortinet, Ivanti, CheckPoint, SonicWall, Sophos, Pulse Secure, and WatchGuard — covering the majority of enterprise VPN solutions in use globally.
How the Attack Works
1. SEO poisoning — Storm-2561 manipulates search engine results to push malicious websites to the top when users search for VPN client downloads (e.g., "Pulse VPN download" or "Pulse Secure client"). The spoofed sites mimic the real vendor's download pages; Microsoft observed spoofed domains including vpn-fortinet[.]com and ivanti-vpn[.]org.
2. GitHub-hosted installers — clicking the download link on the spoofed site redirects to a malicious GitHub repository hosting fake VPN clients packaged as Microsoft Windows Installer (MSI) files.
3. Signed malicious DLLs — during installation the MSI sideloads two malicious DLLs, dwmapi.dll and inspector.dll. The first borrows the name of a legitimate Windows library (the genuine dwmapi.dll lives in System32), which is what makes a sideloaded copy easy to overlook. Both the MSI and the DLLs were signed with a valid code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked.
4. Credential capture — the fake VPN client presents a legitimate-looking sign-in page that prompts the user to enter their corporate credentials. Usernames and passwords are exfiltrated to an attacker-controlled C2 server.
5. The cover-up — after capturing credentials, the application displays an error message claiming the installation failed and instructs the victim to download the legitimate VPN client from the vendor's official website. In some cases, it automatically opens the real vendor's download page in the user's browser.
Why Victims Never Suspect Compromise
This is what makes Storm-2561's approach particularly effective. If the user follows the error message's instructions and successfully installs the real VPN client, everything works as expected from that point forward. There are no persistent indicators of compromise on the endpoint.
"Users are likely to attribute the initial installation failure to technical issues, not malware," Microsoft noted.
The attacker walks away with valid corporate VPN credentials while the victim believes they simply had a glitchy first download attempt, a scenario most users have experienced and would dismiss without a second thought.
IOCs
- Spoofed domains: vpn-fortinet[.]com, ivanti-vpn[.]org
- Delivery: malicious GitHub repositories (now taken down)
- Sideloaded DLLs: dwmapi.dll, inspector.dll
- Certificate: Taiyuan Lihua Near Information Technology Co., Ltd. (revoked)
- Installer format: signed MSI files masquerading as VPN clients
Spoofed Vendors
- Cisco
- Fortinet
- Ivanti
- CheckPoint
- SonicWall
- Sophos
- Pulse Secure
- WatchGuard
Defender Recommendations
- Enforce MFA on all accounts without exception — the fake client collects only a username and password, so any MFA requirement on the VPN blocks their direct reuse; audit and remove any MFA exclusions, and prefer phishing-resistant methods where the VPN supports them
- Control VPN client distribution — deploy VPN clients through internal software distribution channels only; block employees from downloading VPN installers from the internet
- Monitor for SEO poisoning indicators — flag access to recently registered domains mimicking VPN vendor names, and MSI downloads from code-hosting sites such as GitHub that are not part of your approved software sources
- Audit certificate trust — block the revoked Taiyuan Lihua certificate by thumbprint or serial number rather than by subject name alone, and treat MSI files signed by publishers your organization does not recognize as suspect regardless of which CA issued the certificate; note that a revocation only helps on endpoints that actually check revocation status
- Detect DLL sideloading — alert on dwmapi.dll or inspector.dll loaded by VPN installer processes from outside the Windows system directories (the genuine dwmapi.dll is loaded from System32 by nearly every GUI process, so alerting on the file name alone would be unusably noisy)
- Remind employees about credential hygiene — do not store workplace credentials in browsers or password managers secured with personal credentials
- Hunt for failed VPN installations — investigate endpoints where VPN installation failures were followed by successful installations from a different source, as this matches Storm-2561's attack pattern