Fake enterprise VPN sites used to steal company credentials
ID: 956346c0-9225-5da6-81a0-509bdb79012a
STIX ID: report--956346c0-9225-5da6-81a0-509bdb79012a
Feed Name: Bleeping Computer
Microsoft observed a campaign it tracks as Storm-2561 distributing fake enterprise VPN clients that spoof vendors including Ivanti, Cisco, Fortinet, Sophos and SonicWall. SEO-poisoned sites lead victims to a malicious ZIP containing a trojanized MSI. When run, the installer drops a fake Pulse client (Pulse.exe), a loader (dwmapi.dll) and the Hyrax infostealer (inspector.dll); Hyrax captures VPN credentials and the Pulse connectionstore.dat file, and the malware persists through a RunOnce registry entry. The installer then covers its tracks by displaying an installation error and redirecting the victim to the legitimate vendor site, so on the endpoint the compromise looks like nothing more than a failed install. Microsoft published IoCs and mitigation guidance, including Defender/EDR protections and MFA.
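The following host triage script is an added example, not code from Microsoft or Bleeping Computer. It checks a Windows endpoint for the artifacts the report names: RunOnce persistence, and the dropped Pulse.exe, dwmapi.dll and inspector.dll. The file names and the RunOnce technique come from the report; the search roots, the "trusted launch path" list, and the heuristic that a dwmapi.dll sitting beside Pulse.exe in a user-writable folder is a side-load (a legitimate dwmapi.dll lives only in the Windows system directories) are this script's own assumptions. Run it in an elevated PowerShell session and compare the SHA256 values it prints against the hashes in Microsoft's published IoC list.

```powershell
# Added triage script for the Storm-2561 indicators summarized above (not Microsoft's code).
# Assumptions: search roots, trusted prefixes and the co-location heuristic are ours.

$IocNames    = @('Pulse.exe', 'dwmapi.dll', 'inspector.dll')          # file names from the report
$SearchRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData,
                 "$env:USERPROFILE\Downloads") |
               Where-Object { $_ -and (Test-Path -LiteralPath $_) }    # user-writable roots (assumption)
# Paths a RunOnce entry would normally launch from (assumption; tune for your environment).
$TrustedPrefixes = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$MetaProps       = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$Findings = New-Object System.Collections.Generic.List[object]

# 1. RunOnce persistence: both hives, plus the 32-bit view on 64-bit hosts.
$RunOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunOnceKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in ($Props.PSObject.Properties | Where-Object { $MetaProps -notcontains $_.Name })) {
        $Cmd     = [string]$P.Value
        $Target  = $Cmd.Trim().TrimStart('"')
        $Trusted = $false
        foreach ($Prefix in $TrustedPrefixes) { if ($Target -like "$Prefix*") { $Trusted = $true } }
        if ($Cmd -match 'Pulse\.exe' -or -not $Trusted) {
            if ($Cmd -match 'Pulse\.exe') { $Note = 'RunOnce value references Pulse.exe' }
            else                          { $Note = 'RunOnce value launches from a non-standard path' }
            $Findings.Add([pscustomobject]@{
                Type = 'RunOnce'; Location = "$Key\$($P.Name)"; Detail = $Cmd; SHA256 = ''; Note = $Note
            })
        }
    }
}

# 2. Dropped components in user-writable locations. dwmapi.dll is legitimate only under
#    %SystemRoot%; a copy here, especially next to Pulse.exe, is the side-loading pattern.
foreach ($Root in $SearchRoots) {
    Get-ChildItem -Path $Root -Recurse -File -Include $IocNames -ErrorAction SilentlyContinue |
      ForEach-Object {
        $File = $_
        $Sig  = Get-AuthenticodeSignature -FilePath $File.FullName -ErrorAction SilentlyContinue
        $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $Siblings = Get-ChildItem -LiteralPath $File.DirectoryName -File -ErrorAction SilentlyContinue |
                    Where-Object { $IocNames -contains $_.Name } |
                    Select-Object -ExpandProperty Name
        if (@($Siblings).Count -gt 1) { $Note = "co-located IoC files: $($Siblings -join ', ')" }
        else                          { $Note = 'single IoC file name; verify hash against published IoCs' }
        $Findings.Add([pscustomobject]@{
            Type     = 'File'
            Location = $File.FullName
            Detail   = "size=$($File.Length) signature=$($Sig.Status)"
            SHA256   = $Hash
            Note     = $Note
        })
      }
}

# 3. Report.
if ($Findings.Count -eq 0) { Write-Output 'No Storm-2561 indicators found on this host.' }
else                       { $Findings | Format-List }
```

A hit on the RunOnce check alone is low confidence (legitimate installers use RunOnce too); a dwmapi.dll and Pulse.exe pair in the same user-writable directory, or a hash that matches Microsoft's IoC list, is what should trigger isolation and credential rotation for the affected VPN account.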
