Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others
ID: 34ff2242-a49c-5759-8ce4-57994f0473bc
STIX ID: report--34ff2242-a49c-5759-8ce4-57994f0473bc
Feed Name: The Register (Security)
Microsoft warns that the Storm-2561 criminal group is running an active campaign that pushes spoofed enterprise VPN installers (MSI packages) to the top of search results. Once run, an installer sideloads a malicious DLL, presents a fake sign-in prompt to capture the victim's credentials, exfiltrates them to attacker-controlled C2 servers, and then displays an installation failure while directing the victim to the legitimate vendor site. The report includes IOCs (malicious domains and details of the signed-but-revoked certificates) and vendor-neutral mitigations such as enforcing MFA and not storing workplace credentials in personal browser or password-manager vaults.
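A hunting heuristic for the lure described above, as an added example that is not from the article, Microsoft's report, or The Register: it scans constructed proxy log lines for installer downloads whose file name imitates an enterprise VPN client from one of the named vendors but which were served from a host outside that vendor's own domain, and notes when the download was reached from a search result. The log format, the vendor-to-domain allowlist, the search-engine list and the file-name keyword rule are all assumptions for illustration; the report's actual domain and certificate IOCs are not reproduced here and should be matched separately.

```python
"""Hunt for SEO-poisoned VPN-installer downloads in proxy logs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: the legitimate download domains of the vendors named in the report.
# In production this is your curated allowlist, not this illustrative table.
VENDOR_DOMAINS = {
    "cisco": ("cisco.com",),
    "fortinet": ("fortinet.com",),
}
# Assumption: referers that indicate the victim arrived via a search result.
SEARCH_ENGINES = ("google.com", "bing.com", "duckduckgo.com")
INSTALLER_EXT = (".msi", ".exe")

# Assumed log format: "<ts> <client-ip> <method> <url> <referer|-> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<referer>\S+) (?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    vendor: str
    reasons: tuple


def _host_in_domains(host, domains):
    """True if host equals one of domains or is a subdomain of it.
    A suffix check with the leading dot defeats look-alikes such as
    cisco.com.evil.example, which would pass a naive 'contains' test."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _lured_vendor(filename):
    """Return the vendor an installer file name impersonates, or None.
    Heuristic (assumption): an installer whose name carries both a vendor
    name and 'vpn' is treated as a VPN-client download for that vendor."""
    name = filename.lower()
    if not name.endswith(INSTALLER_EXT) or "vpn" not in name:
        return None
    for vendor in VENDOR_DOMAINS:
        if vendor in name:
            return vendor
    return None


def analyse_line(line):
    """Return a Finding for a suspicious installer download, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    filename = url.path.rsplit("/", 1)[-1]
    vendor = _lured_vendor(filename)
    if vendor is None:
        return None
    host = url.hostname or ""
    if _host_in_domains(host, VENDOR_DOMAINS[vendor]):
        return None  # served from the vendor's own domain: not a lure
    reasons = [f"{filename} served from {host}, which is not a {vendor} domain"]
    if m["referer"] != "-":
        ref_host = urlparse(m["referer"]).hostname or ""
        if _host_in_domains(ref_host, SEARCH_ENGINES):
            reasons.append(f"reached via search result on {ref_host}")
    return Finding(m["ts"], m["client"], m["url"], vendor, tuple(reasons))


def hunt(lines):
    """Run analyse_line over an iterable of log lines, keeping the hits."""
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed sample log lines (not real traffic); .example hosts are reserved names.
SAMPLE_LOG = [
    "2024-05-02T09:12:03Z 10.20.0.15 GET https://software.cisco.com/download/cisco-vpn-client.msi https://www.bing.com/search?q=cisco+vpn+client 200",
    "2024-05-02T09:14:41Z 10.20.0.22 GET https://fortinet-vpn-download.example/FortinetVPNClient.msi https://www.google.com/search?q=fortinet+vpn+client+download 200",
    "2024-05-02T09:15:02Z 10.20.0.22 GET https://cdn.example/quarterly-report.pdf - 200",
    "2024-05-02T09:20:55Z 10.20.0.31 GET https://cisco.com.evil.example/CiscoVPN-setup.exe - 200",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding.ts} {finding.client} {finding.vendor}: {finding.url}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The first sample line is a legitimate vendor download reached from a search engine and produces no finding; the fourth shows why the domain check must be a dot-anchored suffix match rather than a substring test. The heuristic is deliberately broad and is a triage filter, not a verdict: confirm a hit against the report's published domain IOCs and the installer's signature before treating it as the campaign.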
