Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials
ID: d08bafdc-3176-50a5-864e-feb1318c0720
STIX ID: report--d08bafdc-3176-50a5-864e-feb1318c0720
Feed Name: cybersecurityNews.com
**Executive summary:** Storm-2561 is conducting an active SEO-poisoning campaign that lures enterprise users to spoofed VPN vendor sites serving signed fake MSI installers. The dropped payload (Pulse.exe with dwmapi.dll and inspector.dll) acts as an in-memory loader and Hyrax-based infostealer that captures VPN credentials and configuration data (e.g., C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat) and exfiltrates it to 194.76.226.93:8080, while relying on RunOnce persistence and valid-looking digital signatures to evade detection.
