
Mar 14, 2026 · 5 min read

That VPN You Just Downloaded From Google? It's Stealing Your Passwords

A threat group Microsoft tracks as Storm-2561 is poisoning search engine results to distribute fake VPN installers that steal corporate credentials, targeting employees searching for legitimate software from Ivanti, SonicWall, and Hanwha Vision.

A laptop screen showing a VPN download page with a subtle digital fishing hook overlay symbolizing the trojan threat hidden in fake software

The Search Results You Trust Are Lying to You

When employees need to install VPN software to connect to their company's network, most start with a search engine. That instinct is exactly what Storm-2561 exploits. Microsoft disclosed that the group has been using search engine optimization (SEO) poisoning to push attacker-controlled sites to the top of results for legitimate enterprise VPN software, particularly on Bing, so that users searching for the real client land on pages hosting trojanized installers.

The fake sites look convincing. They impersonate real VPN vendors including Pulse Secure (now the Ivanti Secure Access Client), SonicWall, and Hanwha Vision. The malicious installers are hosted in GitHub repositories as ZIP files containing MSI installer packages, which lends them an additional layer of perceived legitimacy, since GitHub is widely trusted by technical users.

How the Trojan Steals Your Credentials

The attack chain is simple. When a victim downloads and runs the fake installer, it uses DLL sideloading to execute malicious code during the installation process: a DLL dropped alongside the installer's own executable is loaded in place of the library that executable expects. The trojan then presents a fake VPN sign-in dialog that looks identical to the legitimate software's login screen. When the victim enters their corporate username and password, the credentials are exfiltrated to the attacker's infrastructure.

After capturing the credentials, the malware displays an error message and directs the user to download the legitimate VPN client from the real vendor's website. The victim ends up with working VPN software and assumes the initial error was a minor glitch, never realizing their credentials have already been stolen. The genuine client installed afterwards is the cover: it leaves no obvious trace that anything went wrong.

The trojan uses a variant of the Hyrax information stealer and registers itself under the Windows RunOnce registry key so that it executes again at the next logon (RunOnce values are deleted once they run, so this buys a single re-execution after a reboot rather than permanent persistence). Microsoft identified the malicious components as digitally signed by "Taiyuan Lihua Near Information Technology Co., Ltd." A valid signature only proves that the holder of that certificate signed the file, so any control that stops at "is it signed?" passes the malware; the signer's identity is what has to be compared against the vendor you expected.
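The two host-side artifacts described above (a DLL sideloaded from the installer's own directory, and a RunOnce value pointing at a user-writable path) are enough to hunt for this chain in endpoint telemetry. The following detector is an added example, not code from the article or from Microsoft; it runs over constructed Sysmon-style JSON events, and the user name, file names and registry paths in the sample are hypothetical, not indicators from the report.

```python
"""Hunt for the fake-installer chain in Sysmon-style telemetry.

Added example, not code from the original article or from Microsoft.
The events below are constructed (one JSON object per line, Sysmon field
names); the file names, user name and registry paths are hypothetical.
"""
import json
import re

# Locations a standard user can write to, and the trees where a legitimately
# installed product's binaries normally live.
USER_WRITABLE = re.compile(r'^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\', re.I)
SYSTEM_DIRS = re.compile(r'^C:\\(Windows|Program Files( \(x86\))?)\\', re.I)
RUNONCE_KEY = re.compile(r'\\CurrentVersion\\RunOnce\\', re.I)


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def detect_sideload(ev):
    """Sysmon EID 7 (ImageLoad). Flags a DLL loaded from the loading process's
    own directory when that directory is user-writable and outside the
    Windows/Program Files trees. The signature fields are deliberately not
    consulted: the malicious components in this campaign carry a valid
    signature, so "Signed: true" must not suppress the alert."""
    image, dll = ev["Image"], ev["ImageLoaded"]
    if (_dirname(image) == _dirname(dll)
            and USER_WRITABLE.match(image)
            and not SYSTEM_DIRS.match(dll)):
        return f"possible DLL sideload: {image} loaded {dll}"
    return None


def detect_runonce(ev):
    """Sysmon EID 13 (registry value set). Flags a RunOnce value whose
    command line points into a user-writable directory."""
    command = ev["Details"].strip('"')
    if RUNONCE_KEY.search(ev["TargetObject"]) and USER_WRITABLE.match(command):
        return f"RunOnce entry written by {ev['Image']}: {command}"
    return None


DETECTORS = {7: detect_sideload, 13: detect_runonce}


def hunt(lines):
    """Run the matching detector over each JSON event line; return the alerts."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        detector = DETECTORS.get(ev["EventID"])
        hit = detector(ev) if detector else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign events and two from the chain.
_TMP = r"C:\Users\alice\AppData\Local\Temp\PulseSetup"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Windows\System32\msi.dll", "Signed": "true"},
    {"EventID": 7, "Image": _TMP + r"\PulseSetup.exe",
     "ImageLoaded": _TMP + r"\version.dll", "Signed": "true"},
    {"EventID": 13, "Image": _TMP + r"\PulseSetup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Only the second and third sample events fire. The OneDrive entry is under Run, not RunOnce, and msiexec loads its DLL from System32, so neither trips a rule; the point of keying on location rather than signature status is that a signed binary from a Temp directory is exactly what this campaign delivers.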

Why SEO Poisoning Is So Effective

Search engine optimization poisoning works by manipulating search rankings so that malicious sites appear near the top of results for specific queries. Unlike phishing emails, which users are increasingly trained to recognize, poisoned search results exploit an implicit trust: if a search engine shows it, it must be legitimate.

The technique has been growing in popularity among cybercriminals throughout 2025 and 2026. By targeting niche enterprise software queries rather than broad consumer searches, attackers can avoid the scrutiny that Google and Bing apply to high volume terms. A search for "Ivanti Pulse Secure VPN download" attracts far less automated review than a search for "free antivirus," even though the former leads directly to a high value corporate target.

The use of GitHub as a hosting platform adds another layer of difficulty for defenders. Many corporate web filters and proxies allow github.com by default, so the malicious download may pass network-level controls entirely.

The Corporate Risk

Stolen VPN credentials give attackers direct access to corporate networks. Unlike phishing for email passwords, which may be blunted by multi-factor authentication on cloud services, VPN credentials often provide a tunnel directly into the internal network, particularly where the VPN gateway does not enforce MFA. Once inside, attackers can move laterally, access sensitive systems, and deploy ransomware or exfiltrate data.

The target selection is deliberate. Ivanti, SonicWall, and Hanwha Vision are enterprise products used by large organizations with valuable data. Employees searching for these specific installers are likely IT staff or remote workers at companies that represent high value targets for financial extortion or espionage.

How to Protect Yourself

  • Always download VPN software directly from the vendor's official website, never from search engine results or third-party repositories
  • Verify the URL before downloading: check that the host is the vendor's known domain or a subdomain of it, not merely a name that contains it
  • Compare the installer's SHA-256 with the hash the vendor publishes, and check the code-signing certificate's signer name against the vendor rather than accepting any valid signature; the installers in this campaign are validly signed
  • Be suspicious if a VPN installer asks for credentials during installation rather than after the software is fully set up
  • Report any unexpected VPN login errors to your IT security team immediately
  • Use bookmarks for frequently accessed software download pages instead of searching each time
  • Enable multi-factor authentication on your VPN connections so that stolen passwords alone are not enough for access
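The URL and hash checks from the list above, as an added example that is not part of the original article. The domain allow-list and the expected hash are placeholders chosen for the example (the hash is that of the constructed payload b"abc"); in practice, take both from the vendor's own documentation, not from the page the file was downloaded from.

```python
"""Pre-flight checks for a downloaded VPN installer.

Added example, not from the original article. OFFICIAL_DOMAINS and
EXPECTED_SHA256 are placeholders for values you would take from the vendor.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical allow-list: the registrable domain of each vendor's official site.
OFFICIAL_DOMAINS = {"ivanti.com", "sonicwall.com", "hanwhavision.com"}

# Placeholder: SHA-256 of the constructed payload b"abc", standing in for the
# hash a vendor publishes next to its download.
EXPECTED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def host_belongs_to(hostname, domain):
    """True only for the domain itself or one of its subdomains.
    A substring test ('ivanti.com' in host) would accept lookalikes such as
    ivanti.com.mirror.example or ivanti-secure-access.example."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def is_official_download(url):
    """Require https and a host under one of the official domains.
    urlsplit().hostname discards any user@ prefix, so a URL written as
    https://ivanti.com@evil.example/ is judged by evil.example."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_belongs_to(parts.hostname, d) for d in OFFICIAL_DOMAINS)


def sha256_matches(data, expected_hex):
    """Compare the file's SHA-256 against the vendor-published value."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


# Constructed URLs: one genuine-looking official link and typical decoys.
SAMPLE_URLS = [
    "https://www.ivanti.com/downloads/secure-access-client",
    "https://ivanti.com.downloads-mirror.example/setup.msi",
    "https://ivanti-secure-access.example/setup.msi",
    "https://github.com/someuser/ivanti-vpn/raw/main/setup.zip",
    "https://ivanti.com@evil.example/setup.msi",
    "http://www.ivanti.com/setup.msi",
]


def check_sample_urls():
    """Return {url: accepted} for the constructed sample list."""
    return {u: is_official_download(u) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, ok in check_sample_urls().items():
        print("OK  " if ok else "DENY", url)
    print("hash matches:", sha256_matches(b"abc", EXPECTED_SHA256))
    print("tampered file:", sha256_matches(b"abd", EXPECTED_SHA256))
```

Only the first URL is accepted; the plain-http link to the real vendor is refused as well, since a downgraded connection can serve a substituted file. On Windows, add a signer check in PowerShell before running the MSI: `Get-AuthenticodeSignature` reports both the status and the `SignerCertificate.Subject`, and it is the subject, not the status, that has to name the vendor you expected.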