Storm-2561 Is Disguising Trojans as VPN Clients - And Your Search Engine Is Helping Them Do It


By Alex Chen · 5 min read

I almost fell for this one. I genuinely, honestly, almost fell for it.

Last month, my friend Greg, who manages IT for a mid-size logistics company in Ohio, pinged me at like 11 PM on a Tuesday. (Why is it always Tuesday?) He said three employees had downloaded what they thought was their corporate VPN client from what looked like a perfectly legitimate website. Except it wasn't. The site was a pixel-perfect clone, the installer was digitally signed, and it even displayed a convincing login screen. The only problem? Every credential those employees typed got shipped straight to a command-and-control server halfway across the world.

Welcome to Storm-2561. And honestly, this one scares me more than most.

What Microsoft Just Disclosed - And Why It Matters

On March 12, 2026, Microsoft Threat Intelligence published a detailed breakdown of a credential theft campaign they've been tracking since mid-January. The threat actor, designated Storm-2561, has been distributing trojanized VPN clients through a technique called SEO poisoning: essentially gaming search engine rankings so their malicious download pages appear at the top of results when people search for legitimate enterprise software.

Read that again. They're not phishing you via email. They're not sending you shady links on Telegram. They're poisoning your search results on Bing. The thing you trust. The thing your IT department probably trusts too.

[Image: laptop showing a VPN connection screen that could be a trojanized fake client]

How the Attack Actually Works (Step by Step)

Here's where it gets technical, and also where it gets terrifying:

Stage 1: The Search Result Trap

Storm-2561 creates websites that closely mimic legitimate VPN vendors: SonicWall, Pulse Secure (now Ivanti), Hanwha Vision. They then use SEO poisoning to push these fake sites to the top of Bing search results. When an employee at your company searches for, say, "Ivanti Pulse Secure VPN download," the first result might be a site like ivanti-vpn[.]org. Looks real. Feels real. It's not.
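The search-result trap leaves a trace in your web proxy logs: a visit to a host that carries a vendor's name but is not under the vendor's own domain, followed by an installer download referred from that host. The PowerShell below is an added example (not code from the page or from Microsoft's write-up) that triages a log for exactly that sequence. The log lines and the GitHub account name in them are constructed, and the vendor apex domains in the table are assumptions to confirm against your own allow-list.

```powershell
# Added example: triage a proxy log for lookalike VPN-vendor hosts and for installer
# downloads referred from them. Not from the page or from Microsoft's advisory.

# keyword that would appear in a lookalike host name  ->  legitimate apex domain (assumed)
$Vendors = @{
    'ivanti'    = 'ivanti.com'
    'sonicwall' = 'sonicwall.com'
    'hanwha'    = 'hanwhavision.com'
}

# Constructed sample log: <time> <client> <method> <url> <status> <referrer or '-'>
$SampleLog = @'
2026-03-13T10:01:02Z 10.0.4.21 GET https://www.bing.com/search?q=ivanti+pulse+secure+vpn+download 200 -
2026-03-13T10:01:09Z 10.0.4.21 GET https://ivanti-vpn.org/download 200 https://www.bing.com/search?q=ivanti+pulse+secure+vpn+download
2026-03-13T10:01:15Z 10.0.4.21 GET https://github.com/example-acct/pulse-client/releases/download/v1/PulseSecureSetup.zip 200 https://ivanti-vpn.org/download
2026-03-13T10:05:40Z 10.0.4.33 GET https://www.ivanti.com/support/download 200 -
2026-03-13T10:07:11Z 10.0.4.33 GET https://www.sonicwall.com/products/remote-access 200 -
'@

function Test-LookalikeHost {
    param([string]$HostName)
    # Returns the vendor keyword when the host carries it but is not the vendor's own domain.
    foreach ($kw in $Vendors.Keys) {
        $legit = $Vendors[$kw]
        if ($HostName -like "*$kw*" -and $HostName -ne $legit -and -not $HostName.EndsWith(".$legit")) {
            return $kw
        }
    }
    return $null
}

function Find-SuspiciousDownloads {
    param([string]$LogText)
    $lookalikes = @{}
    $hits = foreach ($line in ($LogText -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $time, $client, $method, $url, $status, $referrer = $line -split '\s+', 6
        $hostName = ([uri]$url).Host
        $kw = Test-LookalikeHost $hostName
        if ($kw) {
            $lookalikes[$hostName] = $true
            [pscustomobject]@{ Time = $time; Client = $client; Finding = "lookalike host for '$kw'"; Url = $url }
        }
        # an installer archive fetched with a lookalike site as the referrer
        if ($url -match '\.(zip|msi|exe)(\?|$)' -and $referrer -ne '-') {
            $refHost = ([uri]$referrer).Host
            if ($lookalikes.ContainsKey($refHost) -or (Test-LookalikeHost $refHost)) {
                [pscustomobject]@{ Time = $time; Client = $client; Finding = "installer referred from $refHost"; Url = $url }
            }
        }
    }
    return $hits
}

Find-SuspiciousDownloads -LogText $SampleLog | Format-Table -AutoSize
```

On the sample above, only the second and third lines are reported: the lookalike host itself, and the ZIP pulled from GitHub with that host as referrer. The legitimate www.ivanti.com and www.sonicwall.com visits pass because they sit under the vendor's own apex domain. Point the function at your real proxy export and the `$Vendors` table at whichever products you actually license.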

Stage 2: The Signed Installer

The download is a ZIP file hosted on GitHub (yes, actual GitHub) containing an MSI installer. Here's the kicker: the malware is digitally signed by a company called "Taiyuan Lihua Near Information Technology Co., Ltd." That digital signature means most endpoint protection tools will wave it right through. Your antivirus sees a signed binary and thinks, "legitimate software, nothing to see here."

Stage 3: DLL Sideloading

During installation, the MSI sideloads malicious DLL files. This is a classic technique: the installer loads what appears to be a dependency, but that DLL is actually an information stealer called Hyrax. It registers itself in the Windows RunOnce registry key for persistence, meaning it survives reboots.

Stage 4: The Fake Login Screen

And here's the social engineering masterstroke: the malware displays a convincing VPN login dialog. Not a browser pop-up. An actual Windows dialog box that looks exactly like your company's VPN authentication screen. The user enters their credentials, gets an error message ("Connection failed, please download the official client"), and gets redirected to the real VPN site. Meanwhile, their username and password are already on a server in, well, we don't know exactly where, but somewhere you definitely wouldn't want them to be.

Why This Attack Is Different (And Worse)

I've covered a lot of phishing campaigns on this site. Most of them rely on some combination of urgency, fear, and user ignorance. Storm-2561 is different because it exploits trust in infrastructure. Specifically:

  • Search engines: We teach employees to "go to the official website" instead of clicking links in emails. But what happens when the search engine itself serves the malicious link?
  • Code signing: Digital signatures are supposed to be our trust anchor. Storm-2561 abuses a legitimate certificate to bypass that entirely.
  • GitHub: The installers were hosted on actual GitHub repositories. GitHub. The platform your developers use every day.

"I asked our CISO what our policy was for verifying VPN downloads," Greg told me. "She said, and I quote, 'We tell people to Google it.' That's the policy." (He was not amused. Neither was the CISO, after they found the Hyrax stealer on three machines.)

The Cyjax and Zscaler Paper Trail

Storm-2561 isn't new. Cyjax first documented this group's SEO poisoning campaigns, which initially deployed the Bumblebee loader. Then in October 2025, Zscaler caught an iteration specifically targeting Ivanti Pulse Secure users. The current wave, disclosed by Microsoft on March 12, represents the most polished version yet: digitally signed, GitHub-hosted, with a convincing credential harvesting UI.

The fact that this group has been active since at least May 2025 and is still evolving their toolkit should concern everyone. They're not script kiddies. They're patient, methodical, and clearly well-funded.

What You Should Actually Do Right Now

Look, I'm not going to give you a generic "update your antivirus" list. Here's what actually matters:

1. Lock Down Software Distribution

Stop letting employees download VPN clients from the internet. Full stop. Distribute installers through your MDM, SCCM, or an internal software portal. If your company doesn't have one of those, a shared network drive is still better than "Google it."

2. Monitor for Hyrax IoCs

Check your endpoints for the RunOnce registry key persistence mechanism. Look for DLL sideloading from recently installed MSI packages. Microsoft has published specific indicators of compromise; check their blog post for hashes and C2 domains.
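Here is what that hunt looks like in practice, as an added PowerShell script (not code from the page or from Microsoft's advisory). It walks the RunOnce keys the post calls out, resolves the file each entry launches, reports the Authenticode signer, flags entries that load a DLL or run from a user-writable directory, and lists MSI products installed in the last 30 days so the two can be correlated. The user-writable directory list, the 30-day window and the DLL-loading regex are assumptions to tune for your environment; run it in an elevated session, and note that HKCU only covers the user running the script.

```powershell
# Added hunting script: RunOnce persistence plus recent MSI installs, for correlation.
# Not from the page or from Microsoft's advisory. Run as an administrator.
param([int]$Days = 30)

$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'   # current user only; load HKU hives for others
)
$RegistryMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Directories a standard user can write to (assumed list); persistence launching from here is suspect.
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) | Where-Object { $_ }

function Get-LaunchedFile {
    param([string]$CommandLine)
    # First path in a registry command line, quoted or bare, with %VARS% expanded.
    $path = if ($CommandLine -match '^\s*"([^"]+)"') { $Matches[1] } else { ($CommandLine.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-RunOncePersistence {
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($RegistryMeta -contains $prop.Name) { continue }
            $cmd  = [string]$prop.Value
            $file = Get-LaunchedFile $cmd
            $sig  = if ($file -and (Test-Path -LiteralPath $file)) { Get-AuthenticodeSignature -LiteralPath $file } else { $null }
            $flags = @()
            if ($cmd -match '(?i)rundll32|regsvr32|\.dll\b') { $flags += 'loads a DLL' }
            foreach ($dir in $UserWritable) {
                if ($file.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $flags += "runs from $dir"; break }
            }
            if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            if (-not $sig) { $flags += 'file not found' }
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                Flags   = $flags -join '; '
            }
        }
    }
}

function Get-RecentMsiInstalls {
    param([int]$WithinDays)
    # Uninstall keys record InstallDate as yyyyMMdd; WindowsInstaller=1 (or an msiexec uninstall string) marks MSI products.
    $cutoff = (Get-Date).AddDays(-$WithinDays).ToString('yyyyMMdd')
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { ($_.WindowsInstaller -eq 1 -or $_.UninstallString -match 'msiexec') -and $_.InstallDate -and $_.InstallDate -ge $cutoff } |
        Select-Object DisplayName, Publisher, InstallDate, InstallSource, InstallLocation
}

"== RunOnce entries =="
Get-RunOncePersistence | Format-Table -AutoSize -Wrap
"== MSI products installed in the last $Days days =="
Get-RecentMsiInstalls -WithinDays $Days | Sort-Object InstallDate -Descending | Format-Table -AutoSize
```

Read the two tables together: a RunOnce entry whose launched file sits under a recent MSI's InstallLocation, loads a DLL, or carries an unexpected signer is the thing to pull into your EDR for a closer look. Compare any signer you see against the indicators in Microsoft's post rather than against this script's heuristics alone.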

3. Block the Certificate

Add the "Taiyuan Lihua Near Information Technology Co., Ltd." code-signing certificate to your blocklist. Microsoft has revoked it, but your local certificate store might still trust it until the CRL propagates.
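One way to do that without waiting on CRL propagation, as an added example (not code from the page or from Microsoft): find files on the box signed with the blocklisted subject and put that signing certificate into the machine's Disallowed store, which is the Untrusted Certificates store Windows consults before trusting any chain. The subject string is the company name the post gives, shortened to avoid the comma-quoting .NET applies when formatting a distinguished name; the scan roots are an assumption. Run it from an elevated PowerShell session.

```powershell
# Added example: locate files signed by the blocklisted subject and distrust that certificate
# machine-wide via the Disallowed store. Not from the page or from Microsoft's advisory.
# The subject below is the name the post gives (trimmed of "Co., Ltd." for matching).
$BlockedSubject = 'Taiyuan Lihua Near Information Technology'
# Assumed scan roots; extend to wherever installers land in your environment.
$ScanRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }

function Find-FilesSignedBy {
    param([string]$Subject, [string[]]$Roots)
    # Authenticode-signed PE/MSI files whose leaf certificate subject contains $Subject.
    Get-ChildItem -Path $Roots -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $cert = $sig.SignerCertificate
            if ($cert -and $cert.Subject -like "*$Subject*") {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Thumbprint = $cert.Thumbprint; Cert = $cert }
            }
        }
}

function Add-DisallowedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Certificates in LocalMachine\Disallowed are treated as explicitly untrusted during chain building,
    # independent of whether the CA's revocation data has reached this host yet.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
    $store.Open('ReadWrite')
    if (-not $store.Certificates.Contains($Cert)) { $store.Add($Cert) }
    $store.Close()
}

$hits = @(Find-FilesSignedBy -Subject $BlockedSubject -Roots $ScanRoots)
$hits | Select-Object Path, Status, Thumbprint | Format-Table -AutoSize

# One store entry per distinct certificate, then re-check how the file's signature is now evaluated.
foreach ($group in ($hits | Group-Object Thumbprint)) {
    Add-DisallowedCertificate -Cert $group.Group[0].Cert
    $recheck = (Get-AuthenticodeSignature -LiteralPath $group.Group[0].Path).Status
    "Distrusted $($group.Name); $($group.Group[0].Path) now reports: $recheck"
}
```

This distrusts the specific leaf certificate the files were signed with; it does not delete or quarantine the files themselves, and an actor who obtains a fresh certificate will not be caught by it, so treat it as a stopgap alongside the hash and domain indicators from Microsoft's post and your EDR's own blocking.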

4. Enforce MFA on VPN

Even if credentials get stolen, MFA stops the attacker from actually using them. If your VPN doesn't support MFA, that's a different conversation you should probably be having with your vendor.

5. Educate - But Be Specific

Generic "don't click suspicious links" training doesn't help here. Your users need to understand that search engine results can be malicious. That's a paradigm shift for most people. I'd suggest running a tabletop exercise specifically around this scenario.

The Bigger Picture

What really bothers me about Storm-2561 is that it represents a category of attack that's going to get worse. SEO poisoning + signed malware + GitHub hosting is a triple threat that undermines three different layers of trust simultaneously. And as AI tools make it even easier to generate convincing fake websites and documentation, the barrier to entry for this kind of attack is only going down.

Sandra, who runs security for a healthcare org I consult for, put it bluntly: "We spent $200K on email security last year. Zero on search result integrity. Guess which vector just got three of my users compromised?" (It wasn't email.)

The search engine is the new inbox. And right now, we're protecting it about as well as we protected email in 2005. Which is to say, barely at all.

Stay safe out there. And maybe bookmark your VPN download page instead of searching for it next time.
