
VPN Credential Theft

Storm-2561 runs an SEO‑poisoning campaign that lures users to spoofed vendor sites and attacker‑hosted repos serving digitally signed, trojanized VPN installers that sideload malicious DLLs (Hyrax), harvest and exfiltrate VPN credentials and config data, maintain persistence (e.g., RunOnce), and hide the compromise with decoy errors while researchers publish IOCs and mitigations.

List of posts related to this topic

Post Title | Date Published | Describes Incident | Feed
Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials | 2026-03-17 | True | cybersecurityNews.com
The Fake VPN Trap: Microsoft Warns of Storm-2561 SEO Poisoning Campaigns Stealing Corporate Credentials | 2026-03-17 | True | securityonline.info
Storm-2561 lures victims to spoofed VPN sites to harvest corporate logins | 2026-03-14 | True | Security Affairs
Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others | 2026-03-13 | True | The Register (Security)
Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials | 2026-03-13 | True | The Hacker News
Fake enterprise VPN sites used to steal company credentials | 2026-03-13 | True | Bleeping Computer
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | 2026-03-12 | True | Microsoft Security
Ongoing Widespread Credential Harvesting Campaign Targets VPN Providers | 2026-01-13 | True | WatchGuard Secplicity Blog