Just search ‘VPN download’ on Google and have you handed over company credentials to hackers?

Overview

As organizations increasingly rely on VPNs for remote access to internal systems, these tools have become attractive targets for cyberattack groups. Instead of directly exploiting complex software vulnerabilities, many attackers now focus on user behavior and trust in familiar platforms like search engines or official software download websites. A prime example is a campaign by the Storm-2561 group, discovered by Microsoft in early 2026. In this campaign, Storm-2561 used SEO poisoning techniques to manipulate search results, causing fake websites to appear when users searched for terms like “VPN download” or “Pulse Secure VPN client.” These sites were designed to closely resemble the official pages of enterprise VPN providers like Ivanti, Cisco, and Fortinet, making it difficult for users to distinguish between real and fake. When accessing these sites, victims were provided with links to download trojanized VPN installers containing malware capable of stealing login credentials.

Overview of Storm-2561

Introduction

Storm-2561 (also known as Pawn Storm, APT28, Fancy Bear, or Strontium) is one of the most sophisticated and long-standing cyberattack groups (APT – Advanced Persistent Threat) in the world. Security experts and Western intelligence agencies (such as the FBI and NSA) believe Storm-2561 is closely linked to the Russian military intelligence agency (GRU), specifically Unit 26165. The group’s activities have been recorded as starting around 2004 or 2007. Their main objective is noted as gathering strategic intelligence to serve the interests of the Russian government.

Attack targets

Storm-2561 does not attack randomly; instead, they carefully select their targets:

• Government & Diplomacy: Foreign ministries and embassies of NATO and EU countries.
• Military: Defense organizations and military contractors.
• Politics: Political parties (most notably the attack on the U.S. Democratic National Committee – DNC in 2016).
• Media & Energy: Major news outlets and critical energy infrastructure.

High-profile campaigns

U.S. Election 2016: Hacked Democratic Party officials’ emails and leaked information via WikiLeaks to interfere with the election process. German Bundestag Attack: In 2015, the group stole a large amount of data from the German parliament’s network. WADA (World Anti-Doping Agency): Leaked medical records of athletes after Russia was banned from the Olympics. Ukraine Infrastructure Attack: Continuously targeted Ukraine’s power systems and government agencies over several years.

Characteristic techniques

Execution flow

The initial phase is called SEO poisoning, where the attacker optimizes SEO so that malicious pages appear at the top of search results for VPN-related queries. After accessing, it redirects to fake websites like ivanti-vpn[.]org or vpn-fortinet[.]com.

The fake website provides a link to download the malicious VPN file VPN-CLIENT.zip. After successful extraction, it contains two actual malicious files: the VPN installer (MSI) and a malicious DLL.

After running the installer, it will install the fake VPN file, sideload the malicious DLL, and execute the shellcode loader.

Then the malware will download the Hyrax infostealer variant to collect credentials, read VPN configurations, and gather URIs and login information. All collected data will then be sent to the attacker’s C2 system: vpn-connection[.]pro, myconnection[.]pro

Finally, after obtaining the credentials, the malware will display a fake error and redirect the victim to the official VPN website. At this point, the user will install the real VPN without suspecting that the system has been compromised.

Conclusion

Storm-2561’s campaign clearly demonstrates a shift in modern attack strategies: from exploiting technical vulnerabilities to exploiting user trust. By combining SEO poisoning, spoofing legitimate software, and abusing trusted infrastructure, this group has turned a familiar action – searching for and downloading a VPN – into the starting point for infiltrating enterprise networks.

The noteworthy aspect is not the complexity of the malware, but the effectiveness of the attack chain. Without needing zero-day exploits or sophisticated techniques, Storm-2561 can still gather VPN credentials – the direct key to accessing internal systems. This demonstrates that, in many cases, humans and operational processes remain the weakest links in the security chain.

Therefore, building an effective defense strategy is no longer just about technology; it involves a combination of people, processes, and the ability to identify risks in seemingly safe everyday actions.

Recommendations

Only download software from official sources.

• Always visit the provider’s website directly, such as Microsoft, Cisco, Fortinet, Ivanti.
• Do not download from search results (Google, Bing) without verifying the domain.
• Bookmark the official link for long-term use.

Carefully check the domain and website.

• Carefully examine the URL:
  • Avoid unfamiliar domains (e.g., vpn-cisco-download[.]com).
• Check:
  • HTTPS (not enough to ensure safety but a basic step).
  • Spelling errors, poor copy interface..
• Check:
  • Digital signature (is the publisher the correct vendor?).
  • Hash (if available from the official source).
• Do not run the file:
  • Download from shortened links.
  • Download from unfamiliar GitHub/repos (unless verified).

Be alert to unusual behavior during installation.

• The installer reports an error immediately after running.
• Requests credentials unusually early.
• Redirects to a different website after installation.

Do not reuse VPN passwords.

• Each important account → use a unique password.
• Avoid sharing with:
  • Personal email.
  • Other internal accounts.

Update awareness about “search-based phishing”

Users are often trained about email phishing, but it’s important to note:

• Phishing isn’t limited to email
• Google Search can also be an entry point for attacks

MITRE ATT&CK Mapping

IOCs

Malicious IP

• 194.76.226.93

SHA-256

• 26DB3FD959F12A61D19D102C1A0FB5EE7AE3661FA2B301135CDB686298989179
• 44906752F500B61D436411A121CAB8D88EDF614E1140A2D01474BD587A8D7BA8
• 57A50A1C04254DF3DB638E75A64D5DD3B0D6A460829192277E252DC0C157A62F
• 6129D717E4E3A6FB4681463E421A5603B640BC6173FB7BA45A41A881C79415CA
• 6C9AB17A4AFF2CDF408815EC120718F19F1A31C13FC5889167065D448A40DFE6
• 85C4837E3337165D24C6690CA63A3274DFAAA03B2DDACA7F1D18B3B169C6AAC1
• 862F004679D3B142D9D2C729E78DF716AEEDA0C7A87A11324742A5A8EDA9B557
• 8EBE082A4B52AD737F7ED33CCC61024C9F020FD085C7985E9C90DC2008A15ADC
• 98F21B8FA426FC79AA82E28669FAAC9A9C7FCE9B49D75BBEC7B60167E21963C9
• CFA4781EBFA5A8D68B233EFB723DBDE434CA70B2F76FF28127ECF13753BFE011
• EB8B81277C80EEB3C094D0A168533B07366E759A8671AF8BFBE12D8BC87650C9

Malicious Domain

• checkpoint-vpn.com
• cisco-secure-client.es
• forticlient-for-mac.com
• forticlient-vpn.de
• forticlient-vpn.fr
• forticlient-vpn.it
• forticlient.ca
• forticlient.co.uk
• forticlient.no
• fortinet-vpn.com
• ivanti-pulsesecure.com
• ivanti-secure-access.de
• ivanti-vpn.org myconnection.pro
• sonicwall-netextender.nl
• sophos-connect.org vpn-connection.pro
• vpn-fortinet.com watchguard-vpn.com

URL

• https://github.com/latestver/vpn/releases/download/vpn-client2/VPN-CLIENT.zip

Reference

Fake enterprise VPN sites used to steal company credentials

Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | Microsoft Security Blog