NEWS Criminals no longer need to hack your network. You give them access when you search for a VPN.

pinkman

Why fake software works as well as the real thing.
Searching for a corporate VPN client online can result in credential theft. A campaign by the cybercriminal group Storm-2561 demonstrates how easily attackers can turn a simple search query into a trap filled with malware.

Microsoft's Threat Intelligence team has discovered an attack in which attackers distribute fake VPN clients through search results poisoning. A user searches for corporate software, such as the Pulse Secure client, and is then directed to a fake website masquerading as a well-known vendor's page. Instead of a legitimate installer, the site prompts the user to download an archive containing malware.

The attacks were attributed to the Storm-2561 group. The group has been active since at least May 2025 and regularly distributes malware through fake websites impersonating popular software providers. In the new campaign, the attackers capitalized on the credibility of search results. The fake websites ranked higher for queries like "Pulse VPN download" or "Pulse Secure client."

Clicking the link took the user to a page that appeared to be the official website. The download button led to a GitHub repository containing the VPN-CLIENT.zip archive. The repository was later deleted, but the archive was freely distributed during the attack.

The archive contained an installer for Microsoft Windows that impersonated the legitimate Pulse Secure client. Once launched, the installer created a directory similar to the program's real installation path and placed the Pulse.exe file there, along with the malicious dwmapi.dll and inspector.dll libraries. This trick allowed the malware to appear like legitimate software.

The dwmapi.dll file acted as a loader and launched hidden malicious code that activated the inspector.dll library. This library was a variant of the Hyrax infostealer. The program collected VPN server addresses and user credentials, then sent the information to the attackers' command-and-control server.

The installer's digital signature added credibility. The malicious files were signed with a valid certificate from the Chinese company Taiyuan Lihua Near Information Technology Co., Ltd. This certificate was later revoked. Using a legitimate signature helped bypass security warnings and reduced the likelihood of detecting the malicious file.

Once installed, the fake VPN client displayed a login interface almost identical to the legitimate Pulse Secure client. The user entered their username and password, hoping to connect to the company's network. Instead, the program intercepted the credentials and sent the information to the attackers' server.

The malware then displayed an installation error message and prompted users to download a legitimate VPN client from the official website. In some cases, the browser automatically opened the legitimate download page. The user installed the legitimate client, connected to the company's network, and noticed nothing suspicious. Most users dismissed the initial client installation as a routine technical issue.

To maintain access to the system, the malware added an entry to the Windows RunOnce registry key. After the computer was rebooted, the Pulse.exe file would launch again and continue to run on the system.

According to Microsoft, the attackers used several fake domains, including vpn-fortinet[.]com and ivanti-vpn[.]org. These sites distributed malicious versions of VPN clients disguised as software from various vendors.

The campaign demonstrates an old but still effective scheme. The user trusts the search results, downloads the "official" program, and voluntarily enters their credentials. After installing the legitimate VPN client, there are almost no traces of compromise, and the stolen credentials end up in the hands of the attackers.
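The indicators the post describes (the dropped dwmapi.dll and inspector.dll sitting next to Pulse.exe, a RunOnce entry pointing at Pulse.exe, the revoked signer name, and the vpn-fortinet[.]com / ivanti-vpn[.]org lookalike domains) can be turned into a simple offline triage check. The script below is an added example, not code from the post or from Microsoft; the proxy log lines, file listing, install path and RunOnce values it runs against are constructed sample data, and the only fact it relies on beyond the post is that dwmapi.dll is a Windows system DLL that normally lives only under System32 or SysWOW64, so a copy anywhere else is worth a look.

```python
"""Offline triage for the Storm-2561 fake-VPN-client indicators described above.
Added example with constructed sample data; not the article's or Microsoft's code."""
import ntpath
import re
from urllib.parse import urlparse

# Lookalike domains named in the post, refanged for matching.
FAKE_DOMAINS = {d.replace("[.]", ".") for d in ("vpn-fortinet[.]com", "ivanti-vpn[.]org")}
# DLLs the fake installer dropped beside Pulse.exe (dwmapi.dll = loader, inspector.dll = stealer).
SIDELOADED_DLLS = {"dwmapi.dll", "inspector.dll"}
# dwmapi.dll is a legitimate Windows DLL only in these directories (lower-cased for comparison).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Signer of the malicious files per the post; the certificate has since been revoked.
REVOKED_SIGNER = "Taiyuan Lihua Near Information Technology Co., Ltd."


def matches_fake_domain(host):
    """True if host is one of the fake domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FAKE_DOMAINS)


def proxy_hits(log_lines):
    """Return the URLs in proxy log lines whose host is a known fake VPN domain."""
    hits = []
    for line in log_lines:
        m = re.search(r"\b(https?://\S+)", line)
        if m and matches_fake_domain(urlparse(m.group(1)).hostname or ""):
            hits.append(m.group(1))
    return hits


def sideload_candidates(file_paths):
    """Flag directories that hold Pulse.exe together with one of the dropped DLLs,
    and any dwmapi.dll that lives outside the Windows system directories."""
    by_dir = {}
    for p in file_paths:
        d, name = ntpath.split(p.lower())
        by_dir.setdefault(d, set()).add(name)
    flagged = []
    for d, names in by_dir.items():
        if "pulse.exe" in names and names & SIDELOADED_DLLS:
            flagged.append(d)
        elif "dwmapi.dll" in names and not d.startswith(SYSTEM_DLL_DIRS):
            flagged.append(d)
    return sorted(flagged)


def runonce_hits(entries):
    """entries: {value_name: command} as exported from a RunOnce key; flag Pulse.exe launches."""
    return {k: v for k, v in entries.items() if "pulse.exe" in v.lower()}


def signer_is_revoked(signer):
    """Compare an Authenticode signer name against the revoked certificate named in the post."""
    return signer.strip().lower() == REVOKED_SIGNER.lower()


# ---- constructed sample telemetry (not real logs) ----
PROXY_LOG = [
    "2025-09-02T10:14:03Z user17 GET https://ivanti-vpn.org/download/VPN-CLIENT.zip 200",
    "2025-09-02T10:15:11Z user17 GET https://www.example.com/index.html 200",
    "2025-09-02T10:16:40Z user22 GET https://cdn.vpn-fortinet.com/client.zip 200",
]
# Hypothetical install path modelled on a vendor-like location; the post gives no exact path.
FILES = [
    r"C:\Program Files (x86)\Common Files\Pulse Secure\Pulse.exe",
    r"C:\Program Files (x86)\Common Files\Pulse Secure\dwmapi.dll",
    r"C:\Program Files (x86)\Common Files\Pulse Secure\inspector.dll",
    r"C:\Windows\System32\dwmapi.dll",  # the legitimate copy, must not be flagged
]
RUNONCE = {
    "PulseClient": r'"C:\Program Files (x86)\Common Files\Pulse Secure\Pulse.exe"',
    "Updater": r"C:\Tools\update.exe",
}


def triage():
    """Run every check over the sample data and return the findings as a dict."""
    return {
        "proxy": proxy_hits(PROXY_LOG),
        "sideload_dirs": sideload_candidates(FILES),
        "runonce": runonce_hits(RUNONCE),
        "revoked_signer": signer_is_revoked(REVOKED_SIGNER),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

On a real host the file list would come from a directory walk of the VPN install path and the RunOnce dictionary from an export of HKCU and HKLM `...\CurrentVersion\RunOnce`; the domain check is best run over DNS or proxy logs covering the period before the legitimate client was installed, since that reinstall removes most on-disk traces.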