Microsoft says that a group of hackers it tracks as Storm-2561 is running a campaign to steal credentials by using fake VPN clients that are pushed through search engine optimization (SEO) poisoning. This tricks people who are looking for trusted business software into downloading trojanized installers instead of the real tools.
Microsoft Defender Experts found the activity in mid-January 2026. The company says the operation shows how attackers keep using well-known software brands, search rankings, and trusted platforms to get into businesses.

How the Attack Works

Microsoft says that Storm-2561 has been around since at least May 2025. It is known for using SEO poisoning and fake software to trick people into downloading malware when they are looking for real products.
When a user clicked the download button, the site sent them to a malicious GitHub repository that hosted a ZIP file called VPN-CLIENT.zip. Microsoft notes that the repository has since been taken down. The archive contained an MSI installer that pretended to be a real Pulse Secure VPN package but actually installed malware signed with a since-revoked certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd.

[Figure: Storm-2561 campaign attack chain (Source: Microsoft)]
Microsoft said that the installer put Pulse.exe in a folder that looked a lot like a real Pulse Secure path under %CommonFiles%\Pulse Secure, which helped the files blend in with the system and avoid raising user suspicion.
It also dropped two malicious DLLs, dwmapi.dll and inspector.dll. Dwmapi.dll acted as an in-memory loader that launched shellcode and then loaded inspector.dll, a variant of the Hyrax infostealer.

[Figure: Screenshot of the actor-controlled website vpn-fortinet[.]com, which pretends to be Fortinet (Source: Microsoft)]

The campaign also used a clever cover-up step after the theft. Microsoft said that the fake installer showed an error message and, in some cases, sent users to the real VPN website. This could make the earlier breach seem like nothing more than a failed installation or a temporary software problem. To stay on the computer, the malware added Pulse.exe to the Windows RunOnce registry key, which let it start again after a reboot.
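As an added illustration that is not part of the Microsoft report, the script below triages Run/RunOnce autorun entries offline and flags any whose target folder also holds a copy of a Windows system DLL such as dwmapi.dll, the sideloading pattern described above. The autorun values and file listing are constructed sample data; only Pulse.exe, dwmapi.dll, inspector.dll and the Common Files\Pulse Secure path come from the article, and the DLL watch-list is an assumption to be extended.

```python
import ntpath

# System DLL names that are prone to sideloading when a copy sits beside an
# application executable instead of in System32. dwmapi.dll is the one named
# in the article; the set is an assumption and should be extended locally.
SIDELOAD_DLLS = {"dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def target_exe(command: str) -> str:
    """Pull the executable path out of a Run/RunOnce command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def find_sideload_autoruns(autoruns, files):
    """autoruns: list of (registry key, value name, command line).
    files: iterable of full paths present on the host (e.g. from an inventory).
    Returns one finding per autorun whose target directory, outside the Windows
    system directories, also contains a sideload-prone system DLL."""
    present = {ntpath.normcase(p) for p in files}
    findings = []
    for key, name, command in autoruns:
        exe = ntpath.normcase(target_exe(command))
        folder = ntpath.dirname(exe) + "\\"
        if folder.startswith(SYSTEM_DIRS):
            continue
        planted = sorted(d for d in SIDELOAD_DLLS if folder + d in present)
        if planted:
            findings.append({"key": key, "value": name, "exe": exe, "dlls": planted})
    return findings


# Constructed sample: one benign Run value and one that mirrors the reported chain.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Pulse",
     r'"C:\Program Files\Common Files\Pulse Secure\Pulse.exe"'),
]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Program Files\Common Files\Pulse Secure\Pulse.exe",
    r"C:\Program Files\Common Files\Pulse Secure\dwmapi.dll",
    r"C:\Program Files\Common Files\Pulse Secure\inspector.dll",
]

if __name__ == "__main__":
    for f in find_sideload_autoruns(SAMPLE_AUTORUNS, SAMPLE_FILES):
        print(f"{f['key']}\\{f['value']} -> {f['exe']} (sideload candidates: {f['dlls']})")
```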
This campaign is different because it uses search engine placement, brand impersonation, GitHub hosting, and valid code signing all in one attack chain. Each layer makes people less suspicious, and when you put them all together, they make a convincing path from search results to a fake installer to stolen credentials. This is especially true for employees who need to get into business systems quickly.
[Figure: Code snippet from vpn-fortinet[.]com that downloads VPN-CLIENT.zip from GitHub (Source: Microsoft)]

Microsoft suggests that defenders turn on cloud-delivered protection, EDR in block mode, network protection, web protection, and browser protections like SmartScreen to stop malicious sites and artifacts earlier in the chain.
The company also advised organizations to use attack surface reduction rules to block low-prevalence or untrusted executables from running, to stop storing work passwords in personal browser vaults, and to require multifactor authentication.