Just searched 'VPN download' on Google? You may have handed company credentials to attackers

Overview
As organizations increasingly rely on VPNs for remote access to internal systems, these tools have become attractive targets for cyberattack groups. Instead of directly exploiting complex software vulnerabilities, many attackers now focus on user behavior and trust in familiar platforms like search engines or official software download websites. A prime example is a campaign by the Storm-2561 group, discovered by Microsoft in early 2026. In this campaign, Storm-2561 used SEO poisoning techniques to manipulate search results, causing fake websites to appear when users searched for terms like “VPN download” or “Pulse Secure VPN client.” These sites were designed to closely resemble the official pages of enterprise VPN providers like Ivanti, Cisco, and Fortinet, making it difficult for users to distinguish between real and fake. When accessing these sites, victims were provided with links to download trojanized VPN installers containing malware capable of stealing login credentials.
Overview of Storm-2561
Introduction
Storm-2561 (also known as Pawn Storm, APT28, Fancy Bear, or Strontium) is one of the most sophisticated and long-standing cyberattack groups (APT - Advanced Persistent Threat) in the world. Security experts and Western intelligence agencies (such as the FBI and NSA) assess that Storm-2561 is closely linked to the Russian military intelligence agency (GRU), specifically Unit 26165. The group's activity has been traced back to around 2004 or 2007. Its main objective is assessed to be gathering strategic intelligence for the Russian government.
Attack targets
Storm-2561 does not attack randomly; instead, they carefully select their targets:
Government & Diplomacy: Foreign ministries and embassies of NATO and EU countries.
Military: Defense organizations and military contractors.
Politics: Political parties (most notably the attack on the U.S. Democratic National Committee - DNC in 2016).
Media & Energy: Major news outlets and critical energy infrastructure.
High-profile campaigns
U.S. Election 2016: Hacked Democratic Party officials' emails and leaked them via WikiLeaks to interfere with the election process.
German Bundestag Attack: In 2015, the group stole a large amount of data from the German parliament's network.
WADA (World Anti-Doping Agency): Leaked athletes' medical records after Russia was banned from the Olympics.
Ukraine Infrastructure Attack: Targeted Ukraine's power systems and government agencies continuously over several years.
Characteristic techniques
| Technique | Description |
|---|---|
| Spear Phishing | Sends highly convincing phishing emails to specific individuals to steal passwords or install malware. |
| Credential Harvesting | Creates fake login pages (Microsoft 365, webmail) to collect account credentials. |
| Zero-day Exploits | Uses undisclosed software vulnerabilities to infiltrate systems. |
| Custom malware | Uses custom toolkits such as Sofacy, X-Agent and Sednit, and more recently malware variants for Linux and IoT devices. |
Execution flow
The initial phase is SEO poisoning: the attacker optimizes the malicious pages so that they rank at the top of search results for VPN-related queries. Clicking such a result redirects the user to fake websites such as ivanti-vpn[.]org or vpn-fortinet[.]com.
The fake website offers a link to download the malicious archive VPN-CLIENT.zip. Once extracted, the archive contains the two files that make up the payload: the VPN installer (MSI) and a malicious DLL.
Running the installer installs the fake VPN client, sideloads the malicious DLL, and executes the shellcode loader.
The loader then downloads a variant of the Hyrax infostealer, which collects credentials, reads VPN configuration files, and gathers connection URIs and login information. Everything collected is sent to the attacker's C2 infrastructure at vpn-connection[.]pro and myconnection[.]pro.
Finally, once the credentials have been obtained, the malware displays a fake error and redirects the victim to the official VPN website. The user then installs the real VPN client without suspecting that the system has already been compromised.
Conclusion
Storm-2561's campaign clearly demonstrates a shift in modern attack strategies: from exploiting technical vulnerabilities to exploiting user trust. By combining SEO poisoning, spoofing legitimate software, and abusing trusted infrastructure, this group has turned a familiar action—searching for and downloading a VPN—into the starting point for infiltrating enterprise networks.
The noteworthy aspect is not the complexity of the malware, but the effectiveness of the attack chain. Without needing zero-day exploits or sophisticated techniques, Storm-2561 can still gather VPN credentials—the direct key to accessing internal systems. This demonstrates that, in many cases, humans and operational processes remain the weakest links in the security chain.
Therefore, building an effective defense strategy is no longer just about technology; it involves a combination of people, processes, and the ability to identify risks in seemingly safe everyday actions.
Recommendations
Only download software from official sources.
- Always go to the vendor's website directly (Microsoft, Cisco, Fortinet, Ivanti).
- Do not download from search results (Google, Bing) without verifying the domain.
- Bookmark the official link for long-term use.
Carefully check the domain and website.
- Examine the URL and avoid unfamiliar domains (e.g., vpn-cisco-download[.]com).
- Check for HTTPS (not sufficient on its own, but a basic step).
- Look for spelling errors and a sloppily copied interface.
Verify the file before running it.
- Check the digital signature: is the publisher the correct vendor?
- Compare the hash against the value published by the official source, if available.
- Do not run files downloaded from shortened links.
- Do not run files from unfamiliar GitHub repositories (unless verified).
Be alert to unusual behavior during installation.
- The installer reports an error immediately after running.
- It requests credentials unusually early.
- It redirects to a different website after installation.
Do not reuse VPN passwords.
- Use a unique password for each important account.
- Do not share the VPN password with your personal email or other internal accounts.
Update awareness about "search-based phishing".
- Users are usually trained about email phishing, but phishing is not limited to email.
- Google Search can also be an entry point for attacks.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Behavior in the campaign |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | Users access fake websites from search results (SEO poisoning). |
| Initial Access | T1566 | Phishing (Search-based) | Tricking users into downloading a fake VPN client through search results |
| Execution | T1204.002 | User Execution: Malicious File | User runs the malicious VPN installer file themselves. |
| Execution | T1059 | Command and Scripting Interpreter | Loader executes shellcode/script |
| Persistence | T1574.002 | DLL Side-Loading | The legitimate installer loads a malicious DLL. |
| Defense Evasion | T1036 | Masquerading | Masquerading as legitimate VPN software |
| Defense Evasion | T1553.002 | Code Signing | The malicious file is signed with a valid certificate. |
| Defense Evasion | T1027 | Obfuscated/Compressed Files | Payload is compressed in zip/MSI |
| Defense Evasion | T1140 | Deobfuscate/Decode Files | Decode shellcode at runtime |
| Credential Access | T1552.001 | Credentials in Files | Read the VPN configuration file containing credentials. |
| Credential Access | T1555 | Credentials from Password Stores | Collect VPN login credentials |
| Discovery | T1082 | System Information Discovery | System information collection |
| Discovery | T1016 | Network Configuration Discovery | Collect network/VPN configuration |
| Collection | T1005 | Data from Local System | Collect local data (config, credential) |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Send data to the attacker's server. |
| Command & Control | T1071.001 | Web Protocols | C2 communication over HTTP/HTTPS |
IOCs
Malicious IP
- 194.76.226.93
SHA-256
Domain
- checkpoint-vpn[.]com
- cisco-secure-client[.]es
- forticlient-for-mac[.]com
- forticlient-vpn[.]de
- forticlient-vpn[.]fr
- forticlient-vpn[.]it
- forticlient[.]ca
- forticlient[.]co[.]uk
- forticlient[.]no
- fortinet-vpn[.]com
- ivanti-pulsesecure[.]com
- ivanti-secure-access[.]de
- ivanti-vpn[.]org
- myconnection[.]pro
- sonicwall-netextender[.]nl
- sophos-connect[.]org
- vpn-connection[.]pro
- vpn-fortinet[.]com
- watchguard-vpn[.]com
URL
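The domain check in the recommendations (verify that the registrable domain really belongs to the vendor) and the domain IOCs above are two sides of the same detection. The script below is an added example written for this write-up; it is not code from the original article or from Microsoft's report. It classifies each host seen in a proxy log as a known IOC, a brand lookalike, the official vendor domain, or unrelated, so that lookalikes that are not yet on the IOC list are still surfaced. The IOC domains are the ones listed above; the vendor allowlist, the two-label suffix table, the log format and the log lines are constructed for illustration.

```python
"""Classify hosts in proxy/DNS logs as IOC, vendor lookalike, official vendor, or unrelated.

Added example for this write-up; not code from the original article or from
Microsoft's report. IOC domains come from the article's IOC section; the vendor
allowlist, suffix table, log format and log lines are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Domain IOCs from the article's IOC section.
IOC_DOMAINS = {
    "checkpoint-vpn.com", "cisco-secure-client.es", "forticlient-for-mac.com",
    "forticlient-vpn.de", "forticlient-vpn.fr", "forticlient-vpn.it",
    "forticlient.ca", "forticlient.co.uk", "forticlient.no", "fortinet-vpn.com",
    "ivanti-pulsesecure.com", "ivanti-secure-access.de", "ivanti-vpn.org",
    "myconnection.pro", "sonicwall-netextender.nl", "sophos-connect.org",
    "vpn-connection.pro", "vpn-fortinet.com", "watchguard-vpn.com",
}

# Brand tokens mapped to the registrable domains where they may legitimately
# appear. ASSUMPTION: illustrative allowlist; build yours from vendor records.
BRAND_ALLOWLIST = {
    "fortinet": {"fortinet.com"},
    "forticlient": {"fortinet.com"},
    "ivanti": {"ivanti.com"},
    "pulsesecure": {"ivanti.com"},
    "cisco": {"cisco.com"},
    "sonicwall": {"sonicwall.com"},
    "netextender": {"sonicwall.com"},
    "sophos": {"sophos.com"},
    "checkpoint": {"checkpoint.com"},
    "watchguard": {"watchguard.com"},
}

# Two-label public suffixes that occur in the IOC list. ASSUMPTION: a stand-in
# for the full Public Suffix List, which production code should use instead.
MULTI_LABEL_SUFFIXES = {"co.uk"}


def registrable_domain(host):
    """Reduce a hostname to its registrable domain (www.fortinet.com -> fortinet.com)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_host(host):
    """Return (verdict, detail); verdict is "ioc", "lookalike", "vendor" or "unrelated"."""
    dom = registrable_domain(host)
    if dom in IOC_DOMAINS:
        return "ioc", dom
    # Match brand tokens on label/hyphen boundaries so "francisco.org" does not
    # trip the "cisco" rule. Trade-off: "forticlientvpn.com" (no separator)
    # would be missed, which is why the IOC list stays as the second net.
    tokens = set(re.split(r"[.-]", dom))
    for brand, official in BRAND_ALLOWLIST.items():
        if brand in tokens:
            if dom in official:
                return "vendor", dom
            return "lookalike", f"{dom} impersonates {brand}"
    return "unrelated", dom


# Constructed proxy-log format: <timestamp> <client-ip> <method> <url> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return (timestamp, client, verdict, detail, url) for every IOC or lookalike hit."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        host = urlsplit(m["url"]).hostname or ""
        verdict, detail = classify_host(host)
        if verdict in ("ioc", "lookalike"):
            findings.append((m["ts"], m["src"], verdict, detail, m["url"]))
    return findings


# Constructed sample log, not real telemetry. The paths are invented;
# VPN-CLIENT.zip is the archive name given in the article, and the
# .example host is a made-up lookalike that is not on the IOC list.
SAMPLE_LOG = [
    "2026-03-02T09:14:05Z 10.20.1.17 GET https://forticlient-vpn.de/download/VPN-CLIENT.zip 200",
    "2026-03-02T09:14:09Z 10.20.1.17 POST https://vpn-connection.pro/api/upload 200",
    "2026-03-02T09:15:30Z 10.20.1.17 GET https://www.fortinet.com/support/product-downloads 200",
    "2026-03-02T09:16:02Z 10.20.1.42 GET https://fortinet-vpn-download.example/client.msi 200",
    "2026-03-02T09:16:40Z 10.20.1.42 GET https://mail.example.com/inbox 200",
]

if __name__ == "__main__":
    for ts, src, verdict, detail, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {src} {verdict.upper():9} {detail}  {url}")
```

Running the script flags the two IOC hits and the made-up lookalike, while the genuine fortinet.com download and the unrelated mail host pass. The brand-token rule is what catches domains that have not yet been published as IOCs; tune the allowlist to the vendors your organization actually uses and expect to review lookalike hits by hand.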