
A group of cybercriminals tracked as Storm-2561 is using fake enterprise VPN clients impersonating Check Point, Cisco, Fortinet, Ivanti, and other vendors to steal users’ credentials, according to Microsoft.
Storm-2561 is a newish criminal gang (“Storm” followed by a number is Microsoft’s label for activity clusters it has not yet attributed to a named actor) that has been active since May 2025, and typically uses SEO poisoning and vendor impersonation to distribute malware. This campaign, which started in mid-January, is no different.
The crew gains initial access by manipulating search results, pushing malicious websites masquerading as enterprise VPN update pages to the top of the list. So when a user searches for a VPN client, say “Pulse VPN download” or “Pulse Secure client,” the top results point to a spoofed website mimicking the real vendor’s page. The impersonated brands also include SonicWall, Sophos, and WatchGuard, in addition to the vendors listed above.
Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files.
“Microsoft has observed spoofing of various VPN software brands and has observed the GitHub link at the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org,” Redmond’s threat intelligence team said in a Thursday blog. The GitHub repos have since been taken down. (Read the blog to the end for a long list of indicators of compromise.)
The installer sideloads two malicious dynamic link library (DLL) files, dwmapi.dll and inspector.dll, during installation, and the phony VPN software then prompts the user for their credentials. The entered usernames and passwords are captured and sent to an attacker-controlled command-and-control server, while the app continues to look like a legitimate client application.
The MSI file and malicious DLLs are signed with a valid – and now revoked – digital certificate from Taiyuan Lihua Near Information Technology Co., Ltd.
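For defenders who want to check endpoints rather than just read the IOC list, here is a quick hunt script. It is an added example written for this article, not code from Microsoft’s report, and it rests on two observations above: a sideloaded dwmapi.dll or inspector.dll lives next to the dropped program rather than in the Windows system directories, and the files carried a signature from the named (now revoked) publisher. The search roots and the signer-name match are assumptions you should adjust to your estate.

```powershell
# Added hunt script (not from Microsoft or The Register). Lists copies of the two
# DLL names reported in the campaign that sit outside the Windows system directories,
# and reports each file's Authenticode signer so a known-bad publisher stands out.
# ASSUMPTIONS: $SearchRoots and $SuspectSigner are placeholders to tune for your fleet.

$SuspectNames = @('dwmapi.dll', 'inspector.dll')

# Where an MSI-dropped "VPN client" typically lands; adjust for your environment.
$SearchRoots = @(
    "$env:USERPROFILE\Downloads",
    "$env:LOCALAPPDATA",
    "$env:APPDATA",
    "$env:TEMP",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
)

# Legitimate dwmapi.dll lives here; anything else with that name is a sideload candidate.
$SystemDirs = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

# Publisher named in the report. Matched as a substring because the full subject
# string (O=, CN=, L=) varies with how the CA issued it.
$SuspectSigner = 'Taiyuan Lihua'

function Test-InSystemDir {
    param([string]$Path)
    foreach ($dir in $SystemDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $SuspectNames -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InSystemDir $_.FullName) } |
        ForEach-Object {
            $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

            # Order matters: a revoked certificate can still report 'Valid' on a host that
            # cannot reach the CRL/OCSP endpoint, so the signer-name check comes first.
            $flag = if ($subject -like "*$SuspectSigner*") { 'KNOWN-BAD SIGNER' }
                    elseif ($sig.Status -ne 'Valid')        { "UNTRUSTED ($($sig.Status))" }
                    else                                     { 'review: signed DLL outside system dirs' }

            [pscustomobject]@{
                Flag       = $flag
                Path       = $_.FullName
                Modified   = $_.LastWriteTime
                SizeKB     = [math]::Round($_.Length / 1KB)
                SigStatus  = $sig.Status
                Signer     = $subject
                Thumbprint = $thumb
            }
        }
}

if ($findings) {
    $findings | Sort-Object Flag | Format-Table -AutoSize
} else {
    Write-Host "No $($SuspectNames -join '/') found outside system directories under the searched roots."
}
```

Run it in an elevated PowerShell session so Program Files is readable. Treat any hit as a lead, not a verdict: a third-party app can legitimately ship its own inspector.dll, but dwmapi.dll outside System32/SysWOW64 next to an executable is the classic sideload layout and deserves a look at what loaded it. Because the certificate was valid when the files were signed, do not rely on the signature status alone; the signer name (or the thumbprints from the full IOC list in Microsoft’s blog) is the more durable indicator, and a host with a confirmed hit should have any VPN credentials entered around the installation time reset.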
Then comes the trickiest part: Immediately after a user enters their credentials into the fake sign-in page, the application displays an error message saying the installation failed, and then instructs the victim to download the legitimate VPN client from the vendor’s official website. In some cases, the app even opens the user’s browser to the legitimate site.
“If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user,” according to the blog. “Users are likely to attribute the initial installation failure to technical issues, not malware.”
Unsurprisingly, since it’s a Microsoft threat-intel report, the software giant recommends its own products and services to prevent credential theft. But there are a couple of key (and vendor-neutral) security suggestions that we want to highlight.
First – and we cannot stress this enough – enforce multi-factor authentication (MFA) on all accounts. Remove any users or groups excluded from MFA, and require MFA from all devices, everywhere, at all times.
Second: remind employees NOT to store workplace credentials in browsers or password vaults secured with personal credentials. ®