Storm-2561 lures victims to spoofed VPN sites to harvest corporate logins
ID: 77ce9086-0471-569b-868c-b5c565972016
STIX ID: report--77ce9086-0471-569b-868c-b5c565972016
Feed Name: Security Affairs
Microsoft reported that Storm-2561 has run a credential-theft campaign since May 2025 that uses SEO poisoning to steer users searching for legitimate VPN clients (Ivanti, Cisco, Fortinet/Pulse Secure) to spoofed vendor pages hosting trojanized ZIP/MSI installers. The installers, signed with a certificate that has since been revoked, side-load malicious DLLs and deploy the Hyrax infostealer, which harvests VPN credentials and related connection data and exfiltrates them to attacker-controlled infrastructure. To hide the compromise, the installer then shows a fake error and redirects the victim to the real vendor site. Because the certificate was revoked only after the fact, a passing signature check alone would not have distinguished these installers from legitimate ones; the download origin is the signal to act on. Microsoft has published IoCs and mitigation guidance.
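The technique this report describes (a search-engine referrer leading to an installer download from a vendor-lookalike host) is something a SOC can hunt for in web-proxy logs. The following is an added example written for this page, not code from the report or from Microsoft: the log lines, the log format and the vendor domain allowlist are constructed assumptions, and the allowlist must be checked against each vendor's own documentation before use. It flags ZIP/MSI/EXE downloads from hosts that carry a vendor brand name but are not on the allowlist, and records whether the request came from a search-engine result, which is the SEO-poisoning signature.

```python
from urllib.parse import urlparse

# Constructed proxy log (NOT from the report). Fields: timestamp user method url referrer status
SAMPLE_LOG = """\
2025-06-02T09:14:07Z jdoe GET https://www.ivanti.com/support/download-center - 200
2025-06-02T09:15:31Z jdoe GET https://ivanti-secure-client.example/download/IvantiSecureAccess.zip https://www.bing.com/search?q=ivanti+secure+access+client+download 200
2025-06-02T10:02:10Z asmith GET https://cisco-anyconnect-vpn.example/files/anyconnect-win.msi https://www.google.com/search?q=cisco+anyconnect+download 200
2025-06-02T10:05:44Z asmith GET https://software.cisco.com/download/anyconnect-win.msi - 200
2025-06-02T11:20:03Z bwong GET https://fortinet-vpn-client.example/FortiClientSetup.msi https://intranet.corp.example/tools 200
2025-06-02T12:00:00Z cpark GET https://example.org/docs/report.zip https://www.google.com/search?q=quarterly+report 200
"""

# Assumed legitimate download domains for the vendors named in the report (illustrative;
# verify against vendor documentation before deploying).
VENDOR_DOMAINS = {
    "ivanti": ("ivanti.com",),
    "cisco": ("cisco.com",),
    "fortinet": ("fortinet.com", "fortiguard.com"),
    "pulse": ("pulsesecure.net",),
}
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")
INSTALLER_EXT = (".zip", ".msi", ".exe")


def host_matches(host, domains):
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_search_referrer(referrer):
    """True if the referrer URL points at a known search engine."""
    host = urlparse(referrer).hostname if referrer != "-" else None
    return bool(host) and any(se in host for se in SEARCH_ENGINES)


def find_spoofed_installer_downloads(log_text):
    """Return installer downloads from vendor-lookalike hosts, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url, referrer, _status = line.split()
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host or not parsed.path.lower().endswith(INSTALLER_EXT):
            continue
        # A vendor name in the hostname is the lure; an allowlisted host is the real vendor.
        brand = next((b for b in VENDOR_DOMAINS if b in host), None)
        if brand is None or host_matches(host, VENDOR_DOMAINS[brand]):
            continue
        hits.append({
            "timestamp": ts,
            "user": user,
            "host": host,
            "brand": brand,
            "search_referrer": is_search_referrer(referrer),
        })
    return hits


if __name__ == "__main__":
    for h in find_spoofed_installer_downloads(SAMPLE_LOG):
        tag = "SEO-lure" if h["search_referrer"] else "lookalike"
        print(f"{h['timestamp']} {h['user']} {h['brand']} {h['host']} [{tag}]")
```

Hosts that match the allowlist (software.cisco.com above) are never flagged, so the rule keys on the download origin rather than on a signature or file hash, which is the right check here given that the campaign's certificate was only revoked later. Any hit with a search-engine referrer should trigger endpoint follow-up on that user's host for the side-loaded DLLs and credential-store access the report describes.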
