Microsoft has uncovered a credential-stealing operation that uses search engine manipulation to trick users into downloading counterfeit VPN software. By appearing at the top of search results for legitimate enterprise tools, the attackers lead victims to malicious sites that distribute trojans designed to harvest sensitive login information.
Microsoft recently identified a sophisticated credential theft campaign that leverages search engine optimization poisoning to lure users into downloading malicious software. By manipulating search rankings, the attackers ensure that individuals looking for legitimate enterprise applications are redirected to compromised websites. These sites host malicious archives containing digitally signed trojans that are carefully crafted to look like authentic virtual private network clients while secretly stealing user credentials.
The activity was first detected by Microsoft security teams in early 2026 and has been linked to a threat group tracked as Storm-2561. This cluster has a history of impersonating well-known software vendors and using deceptive search tactics to spread malware since the middle of 2025. Its primary goal remains infiltrating corporate networks with the stolen remote-access credentials.
Earlier versions of this group’s tactics were documented by security researchers who noted the use of fraudulent installers for products from companies such as SonicWall and Ivanti. In those instances, users searching on Bing were led to fake domains where they were prompted to download installers that actually deployed the Bumblebee loader. This demonstrates a consistent pattern of using trusted brand names to bypass user suspicion and gain a foothold on target systems.
By late 2025, the campaign had evolved to specifically target users searching for Ivanti Pulse Secure VPN clients. The attackers set up deceptive domains that closely mimicked official branding to host trojanized versions of the software. Once a user installed the fake client, the malware would begin harvesting VPN credentials directly from the victim’s computer, providing the threat actors with the means to bypass standard security perimeters.
This latest discovery emphasizes the ongoing risk posed by threat actors who exploit search engine algorithms to distribute malware. By focusing on enterprise-grade software and using digitally signed files, the group increases the likelihood of a successful infection. Microsoft continues to monitor these clusters to protect users from the evolving techniques used to compromise corporate environments.
Source: Storm-2561 Uses SEO Poisoning To Spread Trojan VPN Clients And Steal Credentials