Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others

Summary

Microsoft has attributed a campaign to a criminal group it tracks as Storm-2561 that uses SEO poisoning and vendor impersonation to distribute fake enterprise VPN clients. The attackers create spoofed search results that lead users to malicious GitHub repositories hosting MSI installers that sideload malicious DLLs (dwmapi.dll and inspector.dll). The fake installers prompt for VPN credentials, exfiltrate them to a command-and-control server, then display a fake installation failure and direct victims to download the legitimate VPN client from the vendor site to hide the compromise. The MSI and DLLs were signed with a valid (now revoked) certificate from Taiyuan Lihua Near Information Technology Co., Ltd.

Key Points

  • Threat actor: Storm-2561 (Microsoft designation) uses SEO poisoning and vendor impersonation.
  • Targets: Fake VPN clients impersonate CheckPoint, Cisco, Fortinet, Ivanti and others (also SonicWall, Sophos, WatchGuard).
  • Delivery: Spoofed search results redirect to GitHub repos serving malicious MSI installers that sideload DLLs.
  • Payload behaviour: Installer captures entered credentials and sends them to an attacker-controlled C2 server.
  • Cover-up tactic: After stealing credentials the fake app shows an install error and encourages downloading the real client so users think the problem was a glitch.
  • Code signing: MSI and DLLs were signed with a valid digital certificate that has since been revoked.
  • Mitigations advised: Enforce multi-factor authentication (MFA) broadly and prevent storage of workplace credentials in browsers or personal vaults.
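The sideloading pattern above (a DLL named like a system library loaded from an installer's own directory, signed by a since-revoked certificate) is something a SOC can hunt for in image-load telemetry. The following is an added example, not code from the article or from Microsoft; it assumes Sysmon Event ID 7-style fields and uses constructed sample events, and the signer string is the certificate subject the article names.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names the campaign sideloads; a genuine dwmapi.dll lives only in the
# Windows system directories, so a load from anywhere else is worth a look.
SUSPECT_DLLS = {"dwmapi.dll", "inspector.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Subject of the code-signing certificate named in the article (since revoked).
REVOKED_SIGNER = "taiyuan lihua near information technology co., ltd."


@dataclass
class ImageLoadEvent:
    """One image-load record (Sysmon Event ID 7 style); field names assumed."""
    process: str            # full path of the loading process
    image_loaded: str       # full path of the DLL that was mapped
    signer: str             # Authenticode subject, "" when unsigned
    signature_status: str   # e.g. "Valid", "Revoked", "Unsigned"


def suspicious_reasons(ev: ImageLoadEvent) -> list[str]:
    """Return why this load matches the sideloading pattern (empty if it doesn't)."""
    path = PureWindowsPath(ev.image_loaded)
    name = path.name.lower()
    parent = str(path.parent).lower()
    reasons = []
    if name in SUSPECT_DLLS and parent not in SYSTEM_DIRS:
        reasons.append(f"{name} loaded from non-system path {parent}")
    if ev.signature_status.lower() == "revoked" or ev.signer.lower() == REVOKED_SIGNER:
        reasons.append("image signed with a revoked / known-bad certificate")
    return reasons


def triage(events: list[ImageLoadEvent]) -> list[tuple[ImageLoadEvent, list[str]]]:
    """Keep only the events that matched, paired with the reasons."""
    return [(ev, r) for ev in events if (r := suspicious_reasons(ev))]


# Constructed sample telemetry: a fake-installer sideload, a legitimate system
# load, and an unsigned inspector.dll sitting in a user's Downloads folder.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\msiexec.exe",
                   r"C:\Users\alice\AppData\Local\Temp\VpnClientSetup\dwmapi.dll",
                   "Taiyuan Lihua Near Information Technology Co., Ltd.", "Revoked"),
    ImageLoadEvent(r"C:\Windows\explorer.exe",
                   r"C:\Windows\System32\dwmapi.dll", "Microsoft Windows", "Valid"),
    ImageLoadEvent(r"C:\Users\alice\Downloads\setup.exe",
                   r"C:\Users\alice\Downloads\inspector.dll", "", "Unsigned"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev.image_loaded, "->", "; ".join(reasons))
```

The system-directory allowlist is deliberately narrow; in production you would extend it (WinSxS, known application paths) and feed real endpoint telemetry instead of the constructed list.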

Context and relevance

This campaign is a clear example of the ongoing rise in SEO poisoning and supply-chain-style deception used to harvest credentials. By impersonating trusted VPN vendors and then steering victims to the legitimate download, the operators reduce the chance of detection and increase the chance that the stolen credentials can be reused or leveraged for follow-on access. Organisations that rely on VPNs or remote access should treat this as a persistent threat vector: credential theft remains a primary entry point for lateral movement and data breaches.

Why should I read this?

Quick and dirty: these crooks are tricksy. They fake VPN downloads, nick your logins, then shove you to the real site so you don’t suspect a thing. If you manage remote access, user accounts, or security controls — this affects you. Read the details, tighten MFA, and remind staff not to use personal password vaults for work creds.

Author style

Punchy: high-impact campaign that directly targets remote-access trust. If you care about stopping account theft and preventing break-ins, this isn’t background noise — act on the mitigation advice now.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/13/vpn_clients_spoofed/