Threat Actor Targeting VPN Users in New Credential Theft Campaign
Briefly

"Active since at least May 2025, Storm-2561 is known for using search engine optimization (SEO) poisoning for malware distribution and for impersonating popular software vendors to attract victims to malicious websites. The newly observed campaign started in mid-January, aimed at luring individuals looking for VPN software into downloading trojans that have been signed with a legitimate digital certificate to evade detection."
"Using SEO poisoning, the threat actor ensured that victims searching for 'Pulse VPN download' or 'Pulse Secure client' would receive malicious results at the top of the search page. Users clicking on a poisoned result were taken to a malicious download website, but the payload was served as the ZIP archive fetched from GitHub."
"During installation, the MSI inside the ZIP file sideloaded a DLL to drop and launch a variant of the Hyrax information stealer that would collect URI and VPN credentials and exfiltrate them to an attacker-controlled command-and-control (C&C) server. Both the MSI and the DLL were signed with a valid certificate from Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked."
Storm-2561, a threat actor active since May 2025, launched a credential theft campaign in mid-January targeting VPN users. The group employs SEO poisoning to rank malicious websites high in search results for popular VPN software like Pulse Secure. Victims are directed to download trojans disguised as legitimate VPN applications, with payloads hosted on GitHub repositories. The malware, signed with a valid digital certificate from Taiyuan Lihua Near Information Technology Co., Ltd., installs the Hyrax information stealer to collect VPN credentials and URIs. The stolen data is exfiltrated to attacker-controlled servers. The certificate has since been revoked, but similar files signed with it were discovered.
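The campaign summarized above turned on an installer and DLL that carried a valid Authenticode signature at the time victims ran them, with the signing certificate revoked only afterwards. The script below is an added example written for this page, not code from the SecurityWeek article or from any vendor, showing how a defender can triage a downloaded MSI or DLL: read its Authenticode signature, then rebuild the signer's certificate chain with online revocation checking so the verdict reflects the certificate's current status rather than a cached CRL. The function name `Test-SignedInstaller`, the verdict labels and the sample paths are assumptions for illustration.

```powershell
# Added example (not from the article): inspect the Authenticode signature on a
# downloaded installer or DLL and force an online revocation check of the signer.
function Test-SignedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path            = $Path
        SignatureStatus = $sig.Status       # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
        Signer          = $null
        Thumbprint      = $null
        Timestamped     = $false
        Revoked         = $false
        ChainErrors     = @()
        Verdict         = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $result.Signer      = $cert.Subject
        $result.Thumbprint  = $cert.Thumbprint
        # A timestamp countersignature is what lets a signature outlive its certificate;
        # its absence on a vendor installer is itself unusual.
        $result.Timestamped = [bool]$sig.TimeStamperCertificate

        # Build the signer's chain ourselves with online revocation checking so the
        # answer does not depend on a stale local CRL/OCSP cache.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)

        foreach ($status in $chain.ChainStatus) {
            $result.ChainErrors += $status.Status.ToString()
            if ($status.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) {
                $result.Revoked = $true
            }
        }
    }

    # Decision: a signature that is not Valid, or whose signer is now revoked, is
    # grounds to quarantine the file; a valid but untimestamped signature deserves
    # a closer look; otherwise the remaining question is whether the signer is the
    # vendor you actually expected.
    $result.Verdict = if ($sig.Status -ne 'Valid' -or $result.Revoked) { 'Block' }
                      elseif (-not $result.Timestamped) { 'Review' }
                      else { 'AllowIfExpectedSigner' }

    [pscustomobject]$result
}

# Usage (paths are placeholders, not indicators from the campaign):
# Test-SignedInstaller -Path 'C:\Users\Public\Downloads\vpn_client_setup.msi'
# Get-ChildItem 'C:\Users\Public\Downloads' -Include *.msi,*.dll -Recurse |
#     ForEach-Object { Test-SignedInstaller -Path $_.FullName }
```

The point of building the chain separately is that `Get-AuthenticodeSignature` answers "was this signature valid?" using the trust store and whatever revocation data the machine has cached, whereas the `X509Chain` pass with `RevocationMode = Online` answers "is this signer certificate revoked right now?". In a case like the one described, where the certificate was revoked after the files had already circulated, the first check can still report `Valid` while the second flags the signer. The `Subject` and `Thumbprint` fields are what you compare against the publisher you expected to see on a VPN client; a valid signature from an unfamiliar company is the tell, not a defect in the signature itself.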
Read at SecurityWeek