Microsoft has identified a new cybercrime campaign in which attackers distribute malicious VPN installers through search engine manipulation. The activity, attributed to a threat group tracked as Storm-2561, uses search engine optimization (SEO) poisoning to trick users searching for legitimate enterprise software into downloading malware disguised as trusted tools.

Microsoft Defender Experts discovered the activity in mid-January 2026, noting that the campaign demonstrates how attackers continue to exploit well-known software brands, trusted platforms, and high search rankings to gain unauthorized access to corporate environments.

According to Microsoft, Storm-2561 has been active since at least May 2025 and commonly relies on software impersonation combined with SEO manipulation to distribute malicious files. In the recent campaign, attackers created web pages designed to appear in search results when users looked for enterprise VPN software.

When victims attempted to download the supposed VPN client, they were redirected to a GitHub repository hosting a ZIP archive labeled VPN-CLIENT.zip. Although the repository has since been removed, it previously contained a malicious installer disguised as a legitimate Pulse Secure VPN package. Inside the archive was an MSI installer that deployed malware rather than a genuine VPN application. The installer was signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which has since been revoked.

After installation, the malware placed a file named Pulse.exe in a directory resembling the legitimate Pulse Secure file path under the Windows Common Files directory. This tactic helped the malicious files blend into the system and avoid raising suspicion. The installer also deployed two malicious dynamic-link libraries: dwmapi.dll and inspector.dll. The first file acted as an in-memory loader that executed shellcode and then launched inspector.dll, which Microsoft identified as a variant of the Hyrax information-stealing malware.

To further mislead victims, the fake installer displayed an error message after the malicious components were deployed. In some cases, users were redirected to the real VPN vendor’s website, making the compromise appear to be a simple installation failure. The malware also established persistence by adding Pulse.exe to the Windows RunOnce registry key, ensuring the program could relaunch after the system rebooted.
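As an added illustration, not code from Microsoft or from the report, the following Python heuristic reviews RunOnce entries for the pattern described above: an autorun target under the Common Files directory with a system DLL name such as dwmapi.dll sitting beside it. The registry values and directory listing are constructed sample data, not artifacts from the campaign.

```python
import ntpath
import re

# Constructed sample of RunOnce values (name -> command line), shaped like a
# defender's export of the key. Not real data from the campaign.
SAMPLE_RUNONCE = {
    "OneDriveSetup": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe /silent",
    "Pulse": r"C:\Program Files\Common Files\Pulse Secure\Pulse.exe",
}

# Constructed directory listing for the paths referenced above.
SAMPLE_LISTING = {
    r"C:\Program Files\Common Files\Pulse Secure": ["Pulse.exe", "dwmapi.dll", "inspector.dll"],
    r"C:\Program Files\Microsoft OneDrive": ["OneDriveSetup.exe"],
}

# DLL names Windows normally loads from System32; a copy beside an executable
# elsewhere is a sideloading indicator. dwmapi.dll is the one named on the page.
SIDELOAD_DLLS = {"dwmapi.dll"}

# Executable path: either a quoted path or an unquoted one up to the first ".exe".
_EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe))', re.IGNORECASE)


def command_path(command: str) -> str:
    """Return the executable path from a RunOnce command line (quoted or not)."""
    m = _EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.strip()


def find_suspicious(runonce: dict, listing: dict, sideload_dlls=SIDELOAD_DLLS) -> list:
    """Flag RunOnce values whose target lives under Common Files or sits next to
    a DLL that shares its name with a system library. Returns one finding per hit."""
    listing_ci = {k.lower(): v for k, v in listing.items()}
    findings = []
    for name, command in runonce.items():
        exe = command_path(command)
        directory = ntpath.dirname(exe)
        reasons = []
        if "common files" in directory.lower():
            reasons.append("autorun target under Common Files")
        present = {f.lower() for f in listing_ci.get(directory.lower(), [])}
        dlls = sorted(present & sideload_dlls)
        if dlls:
            reasons.append("system DLL name beside executable: " + ", ".join(dlls))
        if reasons:
            findings.append({"value": name, "exe": exe, "dlls": dlls, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_RUNONCE, SAMPLE_LISTING):
        print(hit["value"], hit["exe"], "; ".join(hit["reasons"]))
```

On a live host the two sample dictionaries would be replaced by the output of a registry query and a listing of each target's directory; a hit is a review prompt, not proof of compromise.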

Microsoft noted that the campaign is particularly effective because it combines several trust indicators, including search engine rankings, brand impersonation, GitHub hosting, and valid code signing, to create a convincing attack chain that leads users from search results to a compromised download.

To reduce exposure to similar threats, Microsoft recommends enabling cloud-delivered protection, endpoint detection and response (EDR) in block mode, network protection, and browser security tools such as SmartScreen.

Organizations are also encouraged to enforce multifactor authentication, restrict the storage of corporate credentials in personal browser password vaults, and apply attack surface reduction rules to block suspicious or low-reputation executables before they can run.