{"id":24041,"date":"2026-04-10T13:00:57","date_gmt":"2026-04-10T06:00:57","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=24041"},"modified":"2026-04-10T18:39:33","modified_gmt":"2026-04-10T11:39:33","slug":"just-search-vpn-download-on-google-and-have-you-handed-over-company-credentials-to-hackers","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/just-search-vpn-download-on-google-and-have-you-handed-over-company-credentials-to-hackers\/","title":{"rendered":"Just search ‘VPN download’ on Google and have you handed over company credentials to hackers?"},"content":{"rendered":"

Overview<\/span><\/h2>\n

As organizations increasingly rely on VPNs for remote access to internal systems, these tools have become attractive targets for cyberattack groups. Instead of directly exploiting complex software vulnerabilities, many attackers now focus on user behavior and trust in familiar platforms like search engines or official software download websites. A prime example is a campaign by the Storm-2561 group, discovered by Microsoft in early 2026. In this campaign, Storm-2561 used SEO poisoning techniques to manipulate search results, causing fake websites to appear when users searched for terms like \u201cVPN download\u201d or \u201cPulse Secure VPN client.\u201d These sites were designed to closely resemble the official pages of enterprise VPN providers like Ivanti, Cisco, and Fortinet, making it difficult for users to distinguish between real and fake. When accessing these sites, victims were provided with links to download trojanized VPN installers containing malware capable of stealing login credentials.<\/span><\/p>\n

Overview of Storm-2561<\/span><\/h2>\n

\"\"<\/span><\/p>\n

Introduction<\/span><\/h3>\n

Storm-2561 (also known as Pawn Storm, APT28, Fancy Bear, or Strontium) is one of the most sophisticated and long-standing cyberattack groups (APT – Advanced Persistent Threat) in the world. Security experts and Western intelligence agencies (such as the FBI and NSA) believe Storm-2561 is closely linked to the Russian military intelligence agency (GRU), specifically Unit 26165. The group’s activities have been recorded as starting around 2004 or 2007. Their main objective is noted as gathering strategic intelligence to serve the interests of the Russian government.<\/span><\/p>\n

Attack targets<\/span><\/h3>\n

Storm-2561 does not attack randomly; instead, they carefully select their targets:<\/span><\/p>\n

    \n
  • Government & Diplomacy: Foreign ministries and embassies of NATO and EU countries.<\/span><\/li>\n
  • Military: Defense organizations and military contractors.<\/span><\/li>\n
  • Politics: Political parties (most notably the attack on the U.S. Democratic National Committee – DNC in 2016).<\/span><\/li>\n
  • Media & Energy: Major news outlets and critical energy infrastructure.<\/span><\/li>\n<\/ul>\n

    High-profile campaigns<\/span><\/h3>\n

    U.S. Election 2016:<\/strong>\u00a0Hacked Democratic Party officials’ emails and leaked information via WikiLeaks to interfere with the election process.\u00a0German Bundestag Attack:<\/strong>\u00a0In 2015, the group stole a large amount of data from the German parliament’s network.\u00a0WADA (World Anti-Doping Agency):<\/strong>\u00a0Leaked medical records of athletes after Russia was banned from the Olympics.\u00a0Ukraine Infrastructure Attack:<\/strong>\u00a0Continuously targeted Ukraine’s power systems and government agencies over several years.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Characteristic techniques<\/span><\/h3>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n
    Techniques<\/span><\/strong><\/td>\nDescribe<\/span><\/strong><\/td>\n<\/tr>\n
    Spear Phishing<\/strong><\/span><\/td>\nSend extremely convincing phishing emails targeting specific individuals to steal passwords or install malware.<\/span><\/td>\n<\/tr>\n
    Credential Harvesting<\/strong><\/span><\/td>\nCreate fake login pages (Microsoft 365, Webmail) to collect account information.<\/span><\/td>\n<\/tr>\n
    Zero-day Exploits<\/strong><\/span><\/td>\nUse undisclosed software vulnerabilities to infiltrate systems.<\/span><\/td>\n<\/tr>\n
    Custom malware<\/strong><\/span><\/td>\nUse custom toolkits like Sofacy, X-Agent, Sednit, and recently, malware variants on Linux and IoT devices.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Execution flow<\/span><\/h2>\n

    The initial phase is called SEO poisoning, where the attacker optimizes SEO so that malicious pages appear at the top of search results for VPN-related queries. After accessing, it redirects to fake websites like ivanti-vpn[.]org or vpn-fortinet[.]com.<\/span><\/p>\n

    \"\"\"\"<\/span><\/p>\n

    The fake website provides a link to download the malicious VPN file VPN-CLIENT.zip. After successful extraction, it contains two actual malicious files: the VPN installer (MSI) and a malicious DLL.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    After running the installer, it will install the fake VPN file, sideload the malicious DLL, and execute the shellcode loader.<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Then the malware will download the Hyrax infostealer variant to collect credentials, read VPN configurations, and gather URIs and login information. All collected data will then be sent to the attacker’s C2 system: vpn-connection[.]pro, myconnection[.]pro<\/span><\/p>\n

    \"\"<\/span><\/p>\n

    Finally, after obtaining the credentials, the malware will display a fake error and redirect the victim to the official VPN website. At this point, the user will install the real VPN without suspecting that the system has been compromised.<\/span><\/p>\n

    Conclusion<\/span><\/h2>\n

    Storm-2561’s campaign clearly demonstrates a shift in modern attack strategies: from exploiting technical vulnerabilities to exploiting user trust. By combining SEO poisoning, spoofing legitimate software, and abusing trusted infrastructure, this group has turned a familiar action – searching for and downloading a VPN – into the starting point for infiltrating enterprise networks.<\/span><\/p>\n

    The noteworthy aspect is not the complexity of the malware, but the effectiveness of the attack chain. Without needing zero-day exploits or sophisticated techniques, Storm-2561 can still gather VPN credentials – the direct key to accessing internal systems. This demonstrates that, in many cases, humans and operational processes remain the weakest links in the security chain.<\/span><\/p>\n

    Therefore, building an effective defense strategy is no longer just about technology; it involves a combination of people, processes, and the ability to identify risks in seemingly safe everyday actions.<\/span><\/p>\n

    Recommendations<\/span><\/h2>\n

    Only download software from official sources.<\/strong><\/span><\/p>\n