Microsoft has warned of a sophisticated cybercrime campaign targeting enterprise VPN users by distributing malicious software through search engine optimization (SEO) poisoning. The operation, attributed to the threat actor cluster Storm-2561, tricks users into downloading fake VPN clients that steal login credentials.
The attack redirects users searching for legitimate enterprise VPN software, such as Ivanti Pulse Secure, SonicWall and Hanwha Vision clients, to attacker-controlled websites hosting ZIP archives. Each archive contains an MSI installer that looks legitimate but quietly installs the Bumblebee malware loader. Once executed, the installer sideloads a malicious DLL and displays a convincing fake VPN login prompt to capture the victim's credentials. The victim is then shown an error message and, in some cases, redirected to the real VPN vendor's website, so the failed login reads as an ordinary glitch rather than a theft.
Observed since May 2025, the Storm-2561 campaign relies on abusing user trust in search engine rankings and software branding. The attackers have also hosted the malicious installers on trusted platforms such as GitHub. For persistence, the malware writes an entry to the Windows RunOnce registry key, which launches it automatically at the next logon; Windows deletes a RunOnce value before running it, so this is a one-shot autostart rather than a permanent one.
Microsoft assesses the campaign as financially motivated and notes that the malicious components were digitally signed with a certificate in the name of Taiyuan Lihua Near Information Technology Co., Ltd. Microsoft says it has taken down the attacker-controlled GitHub repositories and revoked the certificate to disrupt the campaign.
To protect against such threats, Microsoft recommends that organizations and users enable multi-factor authentication (MFA), so that a stolen password alone is not enough to reach the VPN, verify software sources, and be cautious when downloading applications, even when they appear to come from trusted vendors. A practical check: fetch VPN clients only from the vendor's own download portal rather than from a search result, and confirm that the installer's Authenticode signer is the vendor before running it.
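As an added example of how a defender might hunt for the chain described above (MSI launches a VPN-branded binary from a user-writable path, that binary sideloads a DLL from its own directory, a RunOnce value is written, and the files carry the named certificate subject), here is a small Python rule set run over Sysmon-style events. This is not Microsoft's detection logic or any vendor's rule; the Sysmon field names (Image, ParentImage, ImageLoaded, Signature, TargetObject, Details) are real, but the sample events, paths, file names, brand-token list and the benign "Example VPN Vendor" signer are constructed for the demo.

```python
"""Hunt Sysmon-style events for the fake-VPN-installer chain (added example, not Microsoft's logic)."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Certificate subject named in Microsoft's report as signing the malicious components.
SUSPECT_SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."
# Assumption: the lure binary mimics the real client's name, so these tokens mark it.
VPN_BRANDS = ("pulse", "sonicwall", "netextender", "hanwha", "vpn")
# Sysmon logs registry paths as HKU\<SID>\Software\...\RunOnce\<value name>.
RUNONCE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
# Locations an unprivileged user can write to; a properly installed client lives under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule name
    image: str   # process the finding is attributed to
    detail: str  # human-readable explanation


def _user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def _vpn_branded(path: str) -> bool:
    return any(b in ntpath.basename(path).lower() for b in VPN_BRANDS)


def hunt(events):
    """Apply one rule per event type and return the Findings."""
    findings = []
    for e in events:
        eid, image = e["EventID"], e.get("Image", "")
        if eid == 1:  # process create: msiexec spawning a VPN-branded exe from a user-writable dir
            parent = ntpath.basename(e.get("ParentImage", "")).lower()
            if parent == "msiexec.exe" and _vpn_branded(image) and _user_writable(image):
                findings.append(Finding("msi_drops_vpn_exe", image,
                                        f"msiexec launched VPN-branded binary {image}"))
        elif eid == 7:  # image loaded: sideload heuristic plus signer check
            dll = e["ImageLoaded"]
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if _vpn_branded(image) and same_dir and _user_writable(dll):
                findings.append(Finding("dll_sideload", image,
                                        f"{ntpath.basename(image)} loaded {ntpath.basename(dll)} from its own user-writable directory"))
            if SUSPECT_SIGNER.lower() in e.get("Signature", "").lower():
                findings.append(Finding("revoked_signer", image, f"{dll} signed by {SUSPECT_SIGNER}"))
        elif eid == 13:  # registry value set: RunOnce pointing into a user-writable path
            if RUNONCE_RE.search(e.get("TargetObject", "")) and _user_writable(e.get("Details", "")):
                findings.append(Finding("runonce_persistence", image,
                                        f"RunOnce value {e['TargetObject']} -> {e['Details']}"))
    return findings


def correlate(findings):
    """Group rule hits by process image so a multi-stage chain stands out from one-off hits."""
    by_image = defaultdict(set)
    for f in findings:
        by_image[f.image].add(f.rule)
    return dict(by_image)


def high_confidence(findings, min_rules=2):
    """Images that tripped at least `min_rules` distinct rules."""
    return sorted(img for img, rules in correlate(findings).items() if len(rules) >= min_rules)


# Constructed sample events (paths, SID and names are invented for the demo).
LURE = r"C:\Users\alice\AppData\Local\Temp\PulseSecureSetup\PulseSecure.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LURE, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "Image": LURE,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PulseSecureSetup\version.dll",
     "Signature": "Taiyuan Lihua Near Information Technology Co., Ltd."},
    {"EventID": 13, "Image": LURE,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\PulseSecure",
     "Details": LURE},
    # Benign control: a normally installed client loading its own DLL from Program Files.
    {"EventID": 7, "Image": r"C:\Program Files\ExampleVPN\vpnclient.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVPN\vpnui.dll",
     "Signature": "Example VPN Vendor"},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for f in hits:
        print(f"[{f.rule}] {f.detail}")
    print("high confidence:", high_confidence(hits))
```

The benign Program Files event trips nothing even though its DLL is loaded from the executable's own directory, because the directory is not user-writable; the temp-directory lure trips all four rules, and `high_confidence` surfaces it as a single correlated chain rather than four separate alerts.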
This campaign underscores the growing sophistication of cybercriminals in exploiting both search engines and software trust to harvest sensitive credentials, highlighting the need for vigilant cybersecurity practices in enterprise environments.