Storm-2561 is a financially motivated threat actor that has been stealing credentials since May 2025. The group does this by manipulating search engine rankings to push fake VPN software to business users.
The campaign targets employees searching for tools such as Pulse Secure, Fortinet, and Ivanti and redirects them to fake websites hosting malicious download packages. Once the victim installs the fake software, it silently harvests VPN credentials and sends them to attacker-controlled servers without displaying any warning. Storm-2561 uses SEO poisoning to push the fake sites to the top of results for searches such as "Pulse VPN download" or "Pulse Secure client." Users who click these links land on pages designed to look like genuine VPN vendor portals, complete with matching logos and download buttons.
GitHub repositories that hosted the malicious ZIP files have since been deleted. Enforcing multi-factor authentication on all accounts is essential: with MFA in place, a stolen VPN password alone does not grant access. To block untrusted executables, organizations should apply attack surface reduction rules, enable network and web protection, and run endpoint detection and response tools in block mode.
Security teams should investigate any files signed by unidentified or recently revoked certificate authorities, and employees should avoid storing enterprise credentials in browsers.