Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials
ID: b2711365-d3c2-5d4e-becd-9ec43303b416
STIX ID: report--b2711365-d3c2-5d4e-becd-9ec43303b416
Feed Name: The Hacker News
Microsoft disclosed a credential-theft campaign by the Storm-2561 cluster that uses SEO poisoning to redirect users searching for legitimate enterprise VPN clients to attacker-controlled sites and GitHub-hosted ZIPs containing digitally signed MSI installers. The trojanized installers sideload malicious DLLs, present fake VPN sign-in dialogs to capture credentials, use RunOnce for persistence, and deploy a Hyrax variant to exfiltrate VPN credentials; Microsoft removed the repositories and revoked the signing certificate.
