
The Fake VPN Trap: Microsoft Warns of Storm-2561 SEO Poisoning Campaigns Stealing Corporate Credentials

ID: 92f0428f-8038-5b64-9388-19e16f34bbb6

STIX ID: report--92f0428f-8038-5b64-9388-19e16f34bbb6

Feed Name: securityonline.info

Threat Score: 75/100

Date Published: 2026-03-17

Date Updated: 2026-04-23

Author: Ddos


Microsoft Defender Experts report that Storm-2561 is running an active SEO-poisoning campaign. The campaign lures remote workers who search for enterprise VPN software to attacker-controlled GitHub repositories hosting signed, fake Pulse Secure installers. When executed, the installer harvests VPN credentials, exfiltrates VPN configuration data via an "inspector.dll" component, persists using the Windows RunOnce registry key, and then displays a deceptive failure message to conceal the theft. Recommended defenses include obtaining software only from official enterprise sources, monitoring endpoint activity (notably RunOnce modifications and access to VPN config stores), and verifying certificate revocation in real time.
