Microsoft's threat intelligence team has uncovered a cyber-espionage campaign attributed to a threat actor tracked as Storm-2561 that distributes counterfeit enterprise VPN clients to harvest user credentials.
Attackers are using SEO poisoning to manipulate search results for terms such as “Pulse VPN download” or “Pulse Secure client.” Victims who click the malicious links are redirected to spoofed websites that imitate legitimate VPN vendors including Ivanti, Cisco, and Fortinet.
The fake sites previously linked to a repository hosted on GitHub containing a ZIP archive with a malicious MSI installer. When executed, the installer places a fake Pulse.exe file in the system directory and deploys additional malicious components, including a loader and a variant of the Hyrax infostealer.
Victims are presented with a realistic VPN login interface that prompts them to enter their credentials. The information is then exfiltrated to attacker-controlled command-and-control servers. Researchers also discovered domains mimicking several major security vendors, including Sophos, SonicWall, Check Point Software Technologies, and WatchGuard Technologies, suggesting the campaign targets users across multiple enterprise VPN platforms.
The malicious installer was digitally signed using a legitimate certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked. In addition to stealing login credentials, the malware collects VPN configuration data from the connectionsstore.dat file used by legitimate VPN software.
To avoid suspicion, the fake installer displays an error message after capturing credentials and then redirects victims to the official vendor website to download the real VPN client. If the legitimate software installs successfully, users are unlikely to suspect that their credentials were already compromised.
Meanwhile, the malware establishes persistence by creating a Windows RunOnce registry entry for Pulse.exe, allowing the infection to survive system reboots.
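The two host-level indicators the article gives, a Pulse.exe dropped into the system directory and a RunOnce registry entry that launches it, are easy to hunt for in bulk once autorun keys have been exported from endpoints. The following Python script is an added example, not Microsoft's tooling or anything from the report: it parses the text that `reg query` prints for the Run and RunOnce keys (constructed sample below), resolves each entry's image path, and flags any Pulse.exe that is launched from RunOnce or lives under C:\Windows. The Program Files path in the benign entry is constructed for contrast; the article does not state where the legitimate client installs, and the `%windir%` mapping is an assumed constant.

```python
"""Triage exported Run/RunOnce registry data for the Pulse.exe persistence
described in the article. Hypothetical hunt script; not Microsoft's tooling."""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample of what `reg query <key>` prints for two autorun keys.
# The RunOnce entry pointing at Pulse.exe in System32 is the pattern the
# article describes; the other two entries are benign-looking filler.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    PulseClient    REG_SZ    "C:\Program Files (x86)\Common Files\Pulse Secure\JamUI\Pulse.exe" -tray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Pulse    REG_SZ    C:\Windows\System32\Pulse.exe
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.+)$")          # key header: no indent
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")  # indented value row

# Assumed expansion for the variables commonly seen in autorun data.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}
SYSTEM_DIR = r"c:\windows"


@dataclass
class AutorunEntry:
    key: str
    name: str
    reg_type: str
    data: str


@dataclass
class Finding:
    key: str
    name: str
    image: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text: str) -> list:
    """Turn `reg query` output into AutorunEntry objects."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).rstrip()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append(AutorunEntry(key, m.group(1), m.group(2), m.group(3).strip()))
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from a command line and expand %windir%-style
    variables. Unquoted paths containing spaces are a known limitation."""
    s = data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        path = s[1:end] if end > 0 else s[1:]
    else:
        path = s.split(" ", 1)[0]
    low = path.lower()
    for var, val in ENV.items():
        if low.startswith(var):
            path = val + path[len(var):]
            break
    return path


def triage(entries: list) -> list:
    """Flag Pulse.exe autoruns that match the article's persistence pattern."""
    findings = []
    for e in entries:
        path = image_path(e.data)
        if ntpath.basename(path).lower() != "pulse.exe":
            continue
        f = Finding(e.key, e.name, path)
        if e.key.lower().endswith("\\runonce"):
            f.reasons.append("Pulse.exe launched from a RunOnce key")
        if path.lower().startswith(SYSTEM_DIR):
            f.reasons.append("Pulse.exe located under the Windows system directory")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"{f.key}\\{f.name} -> {f.image}")
        for r in f.reasons:
            print(f"  - {r}")
```

Feed it the concatenated `reg query` output collected from hosts (HKCU hives included); a hit with both reasons is the strongest match, while a Pulse.exe under Program Files with no RunOnce entry is left alone.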