Full Report

And then they send victims to the legit VPN download to hide their tracks

A group of cybercriminals tracked as Storm-2561 is using fake enterprise VPN clients from CheckPoint, Cisco, Fortinet, Ivanti, and other vendors to steal users' credentials, according to Microsoft.…
Analysis Summary
# Threat Actor: Storm-2561
## Attribution & Identity
* **Identification:** Storm-2561 is a developing cybercriminal group first tracked by Microsoft.
* **Status:** "Storm" designation indicates a cluster of activity that is currently in development or under evaluation by Microsoft threat intelligence.
* **Aliases/Associations:** No specific aliases or state-sponsored associations are currently identified; however, the group operates as a "criminal gang" focused on credential theft.
## Activity Summary
* **Timeline:** Active since May 2025. The specific campaign described in the article began in mid-January 2026.
* **Recent Campaigns:** Mass impersonation of enterprise VPN vendors to harvest corporate credentials. The actor utilizes SEO poisoning and spoofed websites to lure victims into downloading malicious installers.
## Tactics, Techniques & Procedures
* **Search Engine Optimization (SEO) Poisoning:** Manipulating search results for terms like "Pulse VPN download" to direct users to malicious sites. (T1608.006)
* **Impersonation:** Creating spoofed landing pages that mimic legitimate vendors (Cisco, Fortinet, Ivanti, etc.).
* **Malicious Repositories:** Hosting installer files on GitHub to appear legitimate.
* **DLL Sideloading:** Using malicious MSI files to sideload `dwmapi.dll` and `inspector.dll`. (T1574.002)
* **Digital Certificate Abuse:** Signing malicious files with a valid (now revoked) certificate from "Taiyuan Lihua Near Information Technology Co., Ltd." (T1553.002)
* **Social Engineering/Post-Exploitation Redirection:** Displaying a "failed installation" error after credential theft and redirecting the user to the legitimate vendor site to provide the real software, effectively masking the compromise.
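The DLL sideloading and certificate-abuse techniques above leave a recognisable shape in endpoint telemetry: a Windows system DLL name (`dwmapi.dll`) resolved from an installer's working directory instead of the system directories, or a loaded module whose signer is on a watchlist or whose certificate is reported as revoked. The following is an added detection example written for this page, not code from Microsoft or from the report; it triages Sysmon-style image-load (Event ID 7) records, and the sample events are constructed for illustration.

```python
"""Triage Sysmon-style image-load (Event ID 7) records for the DLL sideloading
and certificate-abuse indicators described in the TTP list.

Constructed example: the event records below are made up for illustration and
are not taken from any real host or from the Microsoft report."""
from __future__ import annotations

import ntpath

# Directories from which a DLL carrying a Windows system DLL name is expected to load.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# dwmapi.dll is a genuine Windows system DLL that the campaign sideloads;
# inspector.dll is the other malicious DLL name given in the report.
SYSTEM_DLL_NAMES = {"dwmapi.dll"}
IOC_DLL_NAMES = {"inspector.dll"}

# Signer subject named in the report (certificate has since been revoked).
WATCHLISTED_SIGNERS = {"taiyuan lihua near information technology co., ltd."}

# Constructed sample events using Sysmon Event ID 7 field names.
SAMPLE_EVENTS = [
    {   # installer dropped into %TEMP% loading a same-named dwmapi.dll from its own folder
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MSI1A2B.tmp\\setup.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\MSI1A2B.tmp\\dwmapi.dll",
        "Signed": "true",
        "Signature": "Taiyuan Lihua Near Information Technology Co., Ltd.",
        "SignatureStatus": "Revoked",
    },
    {   # benign: explorer.exe loading the real system DLL
        "Image": "C:\\Windows\\explorer.exe",
        "ImageLoaded": "C:\\Windows\\System32\\dwmapi.dll",
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # unsigned DLL whose name matches a reported IoC
        "Image": "C:\\Users\\alice\\Downloads\\FortiClientSetup.exe",
        "ImageLoaded": "C:\\Users\\alice\\Downloads\\inspector.dll",
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]


def assess_image_load(event: dict) -> list[str]:
    """Return the names of the indicators that fire for one image-load event."""
    loaded = event.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    directory = ntpath.dirname(loaded).lower() + "\\"
    reasons = []

    # A system DLL name resolved outside the Windows system directories is the
    # classic sideloading shape: the loader picked up a same-named DLL sitting
    # next to the executable (T1574.002).
    if name in SYSTEM_DLL_NAMES and not directory.startswith(SYSTEM_DIRS):
        reasons.append("system-dll-outside-system-dir")
    if name in IOC_DLL_NAMES:
        reasons.append("ioc-dll-name")

    # Certificate abuse (T1553.002): watchlisted signer, or a revoked signature.
    if event.get("Signature", "").strip().lower() in WATCHLISTED_SIGNERS:
        reasons.append("watchlisted-signer")
    if event.get("SignatureStatus", "").lower() == "revoked":
        reasons.append("revoked-signature")
    return reasons


def triage(events: list[dict]) -> list[dict]:
    """Return only the events that fired at least one indicator, with reasons attached."""
    findings = []
    for event in events:
        reasons = assess_image_load(event)
        if reasons:
            findings.append({"Image": event.get("Image"),
                             "ImageLoaded": event.get("ImageLoaded"),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["Image"], "->", finding["ImageLoaded"], finding["reasons"])
```

The path check deliberately keys on the DLL's base name rather than its hash, because the sideloaded file is attacker-built and its hash will change between builds; the signer and revocation checks depend on Sysmon's own signature fields, so they only fire where image-load signature verification is enabled in the Sysmon configuration.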
## Targeting
* **Sectors:** Broadly targets enterprise employees and remote workers across various industries.
* **Geography:** Global (though specific regions were not specified, the use of English-language search terms and global VPN brands suggests a wide reach).
* **Victims:** Users of enterprise VPN solutions including:
  * CheckPoint
  * Cisco
  * Fortinet
  * Ivanti (Pulse Secure)
  * SonicWall
  * Sophos
  * WatchGuard
## Tools & Infrastructure
* **Malware:** Malicious MSI installers and DLLs (`dwmapi.dll`, `inspector.dll`).
* **Infrastructure (Defanged):**
  * `vpn-fortinet[.]com`
  * `ivanti-vpn[.]org`
  * GitHub repositories (used for hosting binaries).
  * Attacker-controlled Command-and-Control (C2) servers for credential exfiltration.
## Implications
Storm-2561 demonstrates strong operational security (OPSEC) by handing victims the legitimate software after stealing their credentials. This "bait-and-switch" technique significantly reduces the likelihood of detection, because users assume the first failure was a technical glitch. Possession of enterprise VPN credentials gives the actor the potential for secondary access, lateral movement within the network, or the sale of that access to ransomware affiliates.
## Mitigations
* **Enforce MFA:** Implement Multi-Factor Authentication (MFA) across all accounts, ensuring no users are excluded.
* **Identity Protection:** Require MFA for all device types and locations to mitigate the impact of stolen credentials.
* **Credential Hygiene:** Educate employees against storing workplace credentials in personal browsers or unprotected password vaults.
* **Software Sourcing:** Mandate that employees only download software from internal enterprise portals or verified official vendor domains.
* **Certificate Monitoring:** Monitor for and block files signed by recently revoked or suspicious certificates, such as those associated with "Taiyuan Lihua Near Information Technology Co., Ltd."
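The software-sourcing control above is easiest to enforce mechanically when download URLs (from proxy logs, a download-manager allowlist, or a user-reported link) are checked against verified vendor domains and brand lookalikes such as the two defanged hosts listed under Infrastructure are flagged. The following is an added example written for this page, not code from the report or from any vendor; the allowlist of vendor domains and the brand tokens are assumptions chosen for illustration, and the URLs in the usage block are constructed.

```python
"""Classify a VPN-client download URL as verified, brand lookalike, or untrusted.

Constructed example. VERIFIED_VENDOR_DOMAINS and BRAND_TOKENS are assumptions
for illustration; an organisation would substitute its own verified list."""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed allowlist of verified vendor domains (illustrative, not from the report).
VERIFIED_VENDOR_DOMAINS = {
    "checkpoint.com", "cisco.com", "fortinet.com", "ivanti.com",
    "sonicwall.com", "sophos.com", "watchguard.com",
}

# Brand tokens whose presence in an untrusted host name suggests impersonation
# (assumed list; compared after stripping dots and hyphens from the host).
BRAND_TOKENS = ("checkpoint", "cisco", "fortinet", "forticlient", "ivanti",
                "pulsesecure", "sonicwall", "sophos", "watchguard")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as vpn-fortinet[.]com or hxxps:// back into a usable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    """Extract the lowercased host from a URL or bare host, dropping scheme, port and path."""
    if "://" not in url:
        url = "https://" + url          # bare host names are accepted too
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_verified_vendor_host(host: str, allowlist=VERIFIED_VENDOR_DOMAINS) -> bool:
    """True only if host equals an allowlisted domain or is a proper subdomain of one.

    The dot boundary matters: fortinet.com.attacker.test must not pass, and a
    plain substring test ("fortinet.com" in host) would wrongly accept it."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def classify_download(url: str) -> str:
    """Return 'verified', 'lookalike' (brand name on a non-vendor host) or 'untrusted'."""
    host = host_of(refang(url))
    if is_verified_vendor_host(host):
        return "verified"
    compact = host.replace("-", "").replace(".", "")
    if any(token in compact for token in BRAND_TOKENS):
        return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed URLs: the two defanged hosts from the report plus illustrative others.
    for sample in (
        "https://www.fortinet.com/support/product-downloads",
        "hxxps://vpn-fortinet[.]com/FortiClientSetup.msi",
        "ivanti-vpn[.]org",
        "https://fortinet.com.attacker.test/setup.msi",
        "https://github.com/example-user/vpn-installer/releases",
    ):
        print(f"{classify_download(sample):10} {sample}")
```

A GitHub-hosted installer lands in the `untrusted` bucket rather than `verified`, which matches the report's point that repository hosting lends only the appearance of legitimacy; a lookalike result is the stronger signal and is worth routing to the SOC as a probable SEO-poisoning lure.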