
Ethical Hacking News

Cybercriminals Exploit Vulnerabilities in Enterprise VPN Clients to Steal User Credentials


Microsoft warns of a new threat vector used by the Storm-2561 group, which uses fake enterprise VPN clients to steal user credentials. Learn more about how you can protect your organization from this type of attack and stay ahead of emerging cybersecurity threats with the latest updates and best practices.

  • The Storm-2561 group has been using fake enterprise VPN clients from various vendors to steal users' credentials.
  • The cybercriminals gain initial access by manipulating search results and pushing malicious websites to the top of the list.
  • Clicking on the link redirects users to a malicious GitHub repository that hosts fake VPN clients disguised as Microsoft Windows Installer files.
  • The fake VPN software prompts users to enter their credentials, which are then sent to an attacker-controlled command-and-control server.
  • The attackers signed the malicious DLLs with a digital certificate that has since been revoked, and the installer checks for a legitimate operating system before running, both of which help it evade detection.
  • Users may unknowingly install malware if they download the fake VPN client despite seeing an error message instructing them to download a legitimate one from the vendor's official website.
  • The attack relies on exploiting user trust in legitimate brands and websites, highlighting the sophistication of modern cybercrime groups.
  • Compromised accounts and weak security practices within the ecosystems of well-known vendors like CheckPoint, Cisco, Fortinet, Ivanti, and others pose a significant threat to organizations.
  • Maintaining strict control over access controls, keeping up with security updates, and enforcing multi-factor authentication can help prevent credential theft.



    A recent threat intelligence report from Microsoft highlights a new campaign by a group of cybercriminals, tracked as Storm-2561, which has been using fake enterprise VPN clients from various vendors, including CheckPoint, Cisco, Fortinet, Ivanti, and others, to steal users' credentials. The campaign, which started in mid-January, uses a combination of SEO poisoning and vendor impersonation to distribute malware.

    The cybercriminals gain initial access to victims by manipulating search results and pushing malicious websites masquerading as enterprise VPN updates to the top of the list. When a user searches for a VPN client such as "Pulse VPN download" or "Pulse Secure client," the top results point to a spoofed website mimicking the real vendor's page. These include products from SonicWall, Sophos, and WatchGuard, in addition to the VPN vendors listed above.

    Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files. The installer sideloads malicious dynamic link library (DLL) files, dwmapi.dll and inspector.dll, during installation, and the phony VPN software prompts the user to enter their credentials. This captures the usernames and passwords, and then sends them to an attacker-controlled command-and-control server, all while appearing to be a legitimate client application.

    The malicious DLLs are signed with a valid - and now revoked - digital certificate from Taiyuan Lihua Near Information Technology Co., Ltd. The MSI file and malicious DLLs are also embedded with code that checks for the presence of legitimate operating systems (Windows 10, Windows 11) to ensure they have the required resources to run before proceeding.
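    As an added illustration (not code from the article or from Microsoft's report), the following PowerShell audits an application folder for the two indicators described above: DLLs that shadow Windows system libraries such as dwmapi.dll, and Authenticode signers whose certificate has since been revoked. It assumes PowerShell 5.1 or later on Windows and network access for online revocation checks; the folder path and the watch list of file names are inputs you supply.

```powershell
# Added example, not from the article: audit an application folder for
# DLL sideloading candidates and signers whose certificate has been revoked.
# Assumes Windows PowerShell 5.1+ and network access for online CRL/OCSP checks.
param(
    [Parameter(Mandatory)] [string] $AppDir,   # folder the suspect installer wrote to
    [string[]] $WatchNames = @('dwmapi.dll', 'inspector.dll')  # names reported in the campaign
)
$sys32 = Join-Path $env:SystemRoot 'System32'

function Test-RevokedSigner {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'Online'       # actually ask the CA, do not trust cache
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void] $chain.Build($Cert)
    $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
    # Any chain element carrying the Revoked flag means the signer is no longer trustworthy
    return [bool] ($chain.ChainStatus | Where-Object { $_.Status.HasFlag($revoked) })
}

Get-ChildItem -Path $AppDir -Filter '*.dll' -Recurse | ForEach-Object {
    $dll = $_
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    $findings = @()
    # A DLL that carries the name of a Windows system library but lives in the
    # application folder is the classic sideloading pattern: the app loads it first.
    if (Test-Path (Join-Path $sys32 $dll.Name)) { $findings += 'shadows-System32-DLL' }
    if ($WatchNames -contains $dll.Name)        { $findings += 'name-seen-in-campaign' }
    if ($sig.Status -ne 'Valid')                { $findings += "signature-$($sig.Status)" }
    elseif (Test-RevokedSigner $sig.SignerCertificate) { $findings += 'signer-revoked' }
    [pscustomobject]@{
        Path     = $dll.FullName
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Findings = ($findings -join ', ')
    }
} | Where-Object Findings | Format-Table -AutoSize
```

    Rows with no findings are filtered out, so an empty table means no DLL in the folder shadows a system library, matches the watch list, or carries an invalid or revoked signature.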

    The trickiest part of this campaign is that, immediately after a user enters their credentials into the fake sign-in page, the application displays an error message saying the installation failed and then instructs the victim to download the legitimate VPN client from the vendor's official website. In some cases, the app even opens the user's browser to the legitimate site.

    If users successfully install and use the legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. They are likely to attribute the initial installation failure to technical issues, not malware. At the same time, this approach provides a safety net for attackers to continue their campaigns without being detected.

    The attack vector used by Storm-2561 is particularly effective because it exploits user trust in legitimate brands and websites. This tactic demonstrates how cunning and sophisticated cybercrime groups have become in recent years.

    Furthermore, the use of fake enterprise VPN clients from well-known vendors like CheckPoint, Cisco, Fortinet, Ivanti, and others underscores the potential threat posed by compromised accounts and weak security practices within these companies' ecosystems. It is crucial for organizations to maintain strict access controls and keep up with any security updates.

    In light of this campaign, Microsoft has highlighted a couple of key security suggestions that can help prevent credential theft.

    First, Microsoft recommends enforcing multi-factor authentication (MFA) on all accounts. This should include removing any users currently excluded from MFA policies and requiring MFA for all devices, everywhere, at all times. By doing so, organizations can significantly limit the damage caused by such cyberattacks.
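    As an added example (not from the article or Microsoft's report), the following PowerShell lists the Entra ID Conditional Access policies that require MFA and reports the users and groups excluded from each, which is the gap the first recommendation asks administrators to close. It assumes the Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and Microsoft.Graph.Groups modules are installed and that the caller can consent to the Policy.Read.All and Directory.Read.All scopes.

```powershell
# Added example, not from the article: find MFA exclusions in Conditional Access.
# Assumes Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users and
# Microsoft.Graph.Groups are installed, and Policy.Read.All + Directory.Read.All consent.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' | Out-Null

$policies = Get-MgIdentityConditionalAccessPolicy
$report = foreach ($p in $policies) {
    # Only policies whose grant control includes MFA are relevant here
    if (-not ($p.GrantControls.BuiltInControls -contains 'mfa')) { continue }
    # Resolve excluded object IDs to names; fall back to the raw ID for
    # special values (for example 'GuestsOrExternalUsers') or deleted objects
    $excludedUsers = foreach ($id in $p.Conditions.Users.ExcludeUsers) {
        try { (Get-MgUser -UserId $id -Property UserPrincipalName).UserPrincipalName } catch { $id }
    }
    $excludedGroups = foreach ($id in $p.Conditions.Users.ExcludeGroups) {
        try { (Get-MgGroup -GroupId $id -Property DisplayName).DisplayName } catch { $id }
    }
    [pscustomobject]@{
        Policy         = $p.DisplayName
        State          = $p.State            # 'enabled', 'disabled', or report-only
        ExcludedUsers  = ($excludedUsers  -join '; ')
        ExcludedGroups = ($excludedGroups -join '; ')
    }
}
# A non-empty exclusion list, or a policy that is not enforced, is a place where
# a phished password alone is still enough to sign in.
$report | Where-Object { $_.ExcludedUsers -or $_.ExcludedGroups -or $_.State -ne 'enabled' } |
    Format-Table -AutoSize
```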

    Secondly, employees must be reminded not to store workplace credentials in browsers or password vaults secured with personal credentials. Such practices can make it easier for attackers to get their hands on sensitive information.

    The use of fake enterprise VPN clients to steal user credentials is just another example of how sophisticated and resourceful modern-day cybercrime groups have become. Organizations must remain vigilant and proactive in maintaining robust security measures to safeguard themselves against such threats.


    Published: Fri Mar 13 15:22:01 2026 by llama3.2 3B Q4_K_M
