Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
Microsoft Threat Intelligence and Microsoft Defender Experts · 2026-03-12
ATT&CK techniques detected
13 predictions
T1195.002 Compromise Software Supply Chain (83%)
“a zip file containing a Microsoft Windows Installer (MSI) installer file that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation. The fake VPN software enables credential collection and exfiltration while appearing…”
T1195.002 Compromise Software Supply Chain (77%)
“…:]//github[.]com/latestver/vpn/releases/download/vpn-client2/vpn-client.zip. At the time of this report, this repository is no longer active. When the user launches the malicious MSI masquerading as a legitimate Pulse Secure VPN installer embedded within t…”
T1555.003 Credentials from Web Browsers (75%)
“…in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. Enable network protection in Microsoft Defender for Endpoint. Turn on web protection in Microsoft Defender for Endpoint. Encourage users to use Microsoft Edge and other web bro…”
T1588.003 Code Signing Certificates (69%)
“…stealer extracts URI and VPN sign-in credentials before exfiltrating them to attacker-controlled command-and-control (C2) infrastructure. Code signing abuse: the MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked, from Tai…”
T1608.006 SEO Poisoning (63%)
“…yuan Lihua Near Information Technology Co., Ltd." | distinct SHA1; DeviceProcessEvents | where SHA1 in (a) Identify suspicious DLLs in Pulse Secure folder: identify launching of malicious DLL files in folders masquerading as Pulse Secure. DeviceImageLoadEvents | where Folder…”
T1195.002 Compromise Software Supply Chain (59%)
“…since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked. Storm-2561. Learn how Microsoft names threat actors. In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) a…”
T1556.006 Multi-Factor Authentication (56%)
“…This approach relies on visual deception and immediate user interaction, allowing attackers to harvest credentials as soon as the target attempts to sign in. The credential theft operation follows the below structured sequence: UI presentation: a fake VPN sign-in dialog is…”
T1195.001 Compromise Software Dependencies and Development Tools (55%)
“…since been taken down. Additionally, the trojans are digitally signed by a legitimate certificate that has since been revoked. Storm-2561. Learn how Microsoft names threat actors. In this blog, we share our in-depth analysis of the tactics, techniques, and procedures (TTPs) a…”
T1608.006 SEO Poisoning (48%)
“…join discussions on social media, follow us on LinkedIn, X (formerly Twitter), and Bluesky. To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast. The post St…”
T1574 Hijack Execution Flow (42%)
“…:]//github[.]com/latestver/vpn/releases/download/vpn-client2/vpn-client.zip. At the time of this report, this repository is no longer active. When the user launches the malicious MSI masquerading as a legitimate Pulse Secure VPN installer embedded within t…”
T1036.005 Match Legitimate Resource Name or Location (40%)
“…:]//github[.]com/latestver/vpn/releases/download/vpn-client2/vpn-client.zip. At the time of this report, this repository is no longer active. When the user launches the malicious MSI masquerading as a legitimate Pulse Secure VPN installer embedded within t…”
T1608.006 SEO Poisoning (36%)
“Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft. In mid-January 2026, Microsoft Defender Experts identified a credential theft campaign that uses fake virtual private network (VPN) clients distributed through search engine optimization (SEO…”
T1608.006 SEO Poisoning (32%)
“…(requires license for at least one Defender XDR product) to get the most up-to-date information about the threat actor, malicious activity, and techniques discussed in this blog. These reports provide the intelligence, protection information, and recommended actions to prev…”
Summary
Storm-2561 uses SEO poisoning to push fake VPN downloads that install signed trojans and steal VPN credentials. Active since 2025, Storm-2561 mimics trusted brands and abuses legitimate services. This post reviews TTPs, IOCs, and mitigation guidance.