Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
ID: d5e842db-3509-531a-b7e5-07e630cf5800
STIX ID: report--d5e842db-3509-531a-b7e5-07e630cf5800
Feed Name: Microsoft Security
Date Published: 2026-03-12
Date Updated: 2026-04-28
Author: Microsoft Threat Intelligence and Microsoft Defender Experts
### Executive summary

Microsoft Defender discovered an active Storm-2561 campaign that uses SEO poisoning to push malicious ZIP archives (hosted in attacker-controlled GitHub repositories) containing digitally signed MSI installers. The installers side-load malicious DLLs (a Hyrax infostealer variant) that capture and exfiltrate VPN credentials. The report provides attack chain details, IOCs (file hashes, domains, IP address), persistence and defense-evasion methods, and recommended detection and mitigation steps.
