Security researchers have uncovered a new cyber campaign in which threat actors distribute trojanized VPN clients using search engine manipulation techniques to steal login credentials from unsuspecting users.
According to findings published by Microsoft, the operation uses search engine optimization (SEO) poisoning to redirect users searching for legitimate enterprise software to malicious websites that deliver infected installers disguised as trusted VPN applications.
How the Attack Works
The campaign, first detected in January 2026, has been attributed to a threat group known as Storm-2561, which has previously been linked to malware distribution campaigns that impersonate well-known software vendors.
Attackers manipulate search engine rankings so that victims looking for VPN tools are redirected to attacker-controlled websites. These sites host ZIP archives containing malicious installers that appear to be legitimate VPN software.
Once downloaded and executed, the installers deploy digitally signed trojans that impersonate trusted VPN clients while secretly collecting authentication credentials.
Fake Software Targeting Enterprise VPN Users
Earlier investigations by Cyjax revealed that the attackers targeted users searching for software associated with companies such as:
- SonicWall
- Hanwha Vision
- Ivanti Secure Access (formerly Pulse Secure)
Victims searching for these products were redirected from search results, particularly on Microsoft Bing, to fraudulent websites hosting malicious installers.
In many cases, these installers delivered the Bumblebee malware loader, which is frequently used to deploy additional malicious payloads.
Abuse of GitHub to Host Malware
Researchers also observed the attackers abusing GitHub, a legitimate platform, to host malicious files in an attacker-controlled repository.
The repository contained a ZIP package that included an MSI installer posing as a VPN client. During installation, the application performed DLL side-loading, allowing malicious components to run alongside legitimate software files.
The malware ultimately installs a variant of the Hyrax information stealer, designed specifically to capture and exfiltrate VPN credentials from compromised systems.

Credential Theft Through Fake Login Windows
To collect credentials, the malware displays a convincing fake VPN login window. Victims are prompted to enter their username and password as if they were signing into a legitimate VPN client.
Once the credentials are entered, the application displays an error message claiming the installation failed and instructs the user to download the official VPN software.
In some cases, users are redirected to the genuine vendor website, making the attack appear legitimate while attackers already possess the stolen credentials.
Persistence Mechanism
The malicious software ensures it remains active on infected machines by modifying the Windows RunOnce registry key, which allows it to execute automatically whenever the system restarts.
Microsoft researchers also noted that the malicious files were digitally signed using a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”, giving the malware an appearance of legitimacy.
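The two indicators in this section, a RunOnce entry and a binary signed with the certificate issued to "Taiyuan Lihua Near Information Technology Co., Ltd.", can both be checked from an endpoint. The following PowerShell script is an added example written for this article; it is not code from Microsoft, Cyjax or the campaign itself. It enumerates the machine and user RunOnce keys, extracts the executable each entry launches, and flags entries that run from a user-writable location, reference a missing file, or carry an Authenticode signature whose signer matches the name quoted above. The key paths and path heuristics are standard Windows locations; the function names and the signer string match are assumptions made for illustration.

```powershell
# Added example (not from the article or the vendors it cites): audit RunOnce
# entries and inspect the Authenticode signer of each referenced executable.
# The signer name is the one the article quotes; function names and the
# user-writable path heuristic are assumptions for illustration.

$SuspectSigner = 'Taiyuan Lihua Near Information Technology Co., Ltd.'

# RunOnce locations for the machine (64-bit and 32-bit views) and the current user
$RunOnceKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    # Extract the executable path from a registry command line such as
    #   "C:\Users\x\AppData\Local\Temp\vpn.exe" /silent
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-RunOnceEntries {
    foreach ($key in $RunOnceKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... metadata the provider adds
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
        foreach ($name in $names) {
            $cmd   = [string]$props.$name
            $exe   = Get-ExecutablePath $cmd
            $flags = @()

            # Heuristic 1: launched from a location a standard user can write to
            if ($exe -match '\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\ProgramData\\') {
                $flags += 'user-writable path'
            }

            # Heuristic 2: inspect the Authenticode signature of the target binary
            if (Test-Path -LiteralPath $exe) {
                $sig     = Get-AuthenticodeSignature -FilePath $exe
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                if ($subject -like "*$SuspectSigner*") { $flags += 'signer matches abused certificate' }
                if ($sig.Status -ne 'Valid')           { $flags += "signature status: $($sig.Status)" }
            } else {
                $flags += 'referenced file missing'
            }

            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Run the audit and print one row per RunOnce entry; an empty Flags column
# means none of the heuristics fired.
Test-RunOnceEntries | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so the HKLM keys are readable. Because RunOnce values are deleted by Windows after they execute, the check is most useful shortly after a suspicious installer has been run and before the next sign-in; for later investigation, the same entries are preserved in registry transaction logs and in EDR telemetry for writes to these keys. The signer-name match is the durable indicator here: whether Get-AuthenticodeSignature reports the revoked certificate as invalid depends on the host having fetched the updated revocation information.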
Disruption of the Campaign
Microsoft has since taken action to disrupt the operation by:
- Removing attacker-controlled repositories from GitHub
- Revoking the abused digital certificate used to sign the malware
These steps were taken to prevent further distribution of the trojanized VPN installers.