Microsoft security researchers have identified an active cybercrime campaign conducted by a threat actor known as Storm-2561 targeting individuals searching online for common workplace VPN software such as Pulse Secure or Fortinet. The operation relies on manipulation of search engine rankings so malicious links appear at the top of results pages. When users click these links, they are redirected to repositories hosted on GitHub containing what appear to be legitimate software installers.
The downloaded file behaves like a standard VPN installation package but includes hidden malware components. During installation, a fraudulent login prompt appears, designed to capture VPN credentials. At the same time, malware operating in the background deploys variants of the Hyrax infostealer or BoryptGrab, which quietly collect stored passwords, authentication tokens, and system information from the infected device.
What the Malware Does and Why Criminals Deploy It
Once installed, the malware begins quietly harvesting sensitive information from the infected device. Variants such as Hyrax and BoryptGrab operate as credential-stealing tools designed to extract stored passwords from web browsers, VPN login credentials, authentication tokens, and system configuration data. Some versions also collect details about installed software, security tools, and network connections, allowing attackers to build a profile of the compromised system.
The primary objective involves gaining access to corporate networks. Many employees use VPN software to connect remotely to workplace systems. When criminals steal those credentials, they can log in through legitimate VPN portals and appear as an authorized user. This form of intrusion often bypasses traditional security monitoring because the connection looks legitimate.
Stolen credentials also carry significant value in criminal marketplaces. Access to corporate VPN accounts, email platforms, and internal systems can be sold to other cybercriminal groups. These buyers frequently use the access for additional crimes including business email compromise, financial fraud, ransomware deployment, or data theft.
In many cases the initial malware infection represents only the first stage of a broader attack. Once a device and its credentials are compromised, attackers may return later with additional tools designed to expand access inside the network, monitor communications, or deploy more destructive forms of malware.
The Risk of Shared VPN Infrastructure
Many individuals use VPN services primarily to reduce exposure while using public WiFi networks. However, shared VPN infrastructure can recreate similar security risks. When users connect to a shared VPN server, they effectively join a network environment populated by thousands of unknown users.
Cybercriminals frequently take advantage of these environments for two primary reasons.
- Hiding Identity: VPN services allow attackers to mask their real location and identity behind shared infrastructure, making attribution significantly more difficult.
- Targeting Victims: Operating within the same virtual network environment can provide opportunities to identify vulnerable systems connected to the same server.
A shared VPN can therefore create a false sense of protection. Without proper device security settings, exposure may resemble the risks present on public networks such as libraries or coffee shops. In addition, untrustworthy VPN providers may monitor traffic or even conduct Man-in-the-Middle interception attacks to capture sensitive information passing through their infrastructure.
Typo Squatting and Fake Services
Cybercriminals often intercept victims before they even reach manipulated search results by relying on typo squatting. This technique involves registering internet addresses almost identical to legitimate websites in order to exploit typing mistakes made by users.
A single altered letter or a different domain ending such as .co instead of .com can lead users to a fraudulent website. These sites frequently replicate the appearance of legitimate VPN providers with convincing accuracy. Once a victim downloads software from these pages, they may unknowingly install the same malware packages used within the Storm-2561 campaign.
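The lookalike check described above (one altered letter, or a swapped ending such as .co for .com), as an added example that is not code from the article. The KNOWN_GOOD allowlist is a constructed placeholder; an organisation would fill it with the exact domains of the VPN vendors it actually uses.

```python
"""Flag typo-squat lookalikes of known-good VPN vendor domains (added illustration)."""

# Constructed placeholder allowlist: hypothetical names, not real vendor domains.
KNOWN_GOOD = ["examplevpn.com", "vendor-secure.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host: str):
    """Return (second-level label, top-level domain) for a host like 'www.examplevpn.co'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_domain(host: str, known_good=KNOWN_GOOD) -> str:
    """Return 'legitimate', 'lookalike:<good domain>' or 'unknown'.

    A host is a lookalike when its second-level label is identical to a known-good
    label but the top-level domain differs (.co instead of .com), or when the label
    is within one edit of a known-good label (one altered, missing or extra letter).
    Subdomains of a known-good registrable domain count as legitimate.
    """
    name, tld = split_domain(host)
    for good in known_good:
        gname, gtld = split_domain(good)
        if name == gname and tld == gtld:
            return "legitimate"
    for good in known_good:
        gname, gtld = split_domain(good)
        if name == gname and tld != gtld:
            return f"lookalike:{good}"  # swapped domain ending
        if levenshtein(name, gname) == 1:
            return f"lookalike:{good}"  # one-character typo
    return "unknown"
```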
Verified Protection Steps
Individuals can reduce exposure to search result poisoning and fraudulent VPN installers by following several security practices.
- Use Official Sources Only: Always access a software provider by manually typing the official website address into the browser rather than clicking search advertisements or unfamiliar links.
- Check Digital Signature Warnings: Legitimate software normally includes a verified publisher signature. If the operating system displays a warning indicating an Unknown Publisher, installation should be cancelled immediately.
- Avoid Free VPN Services: Services offered without cost frequently rely on data collection, traffic monitoring, or weak infrastructure security to generate revenue.
Indicators of Possible Infection
Anyone who recently downloaded VPN software from search engine results should check their system for files associated with the Storm-2561 malware campaign. Suspicious indicators include files appearing in temporary or installation directories with the following names:
- ivanti-vpn.zip or PulseSecure.zip
- SalmonSamurai.exe
- LakerBaker.exe
- DisplayPhotoViewer.exe
- Squarel.exe
Additional warning signs include command files appearing in system directories named:
- Beauty.cmd
- Possess.cmd
- Villa.cmd
The presence of these files may indicate malware installation and potential compromise of stored credentials. Immediate credential changes and a full system security scan are strongly recommended.
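A sweep for the file names listed in this section, as an added example that is not code from Microsoft or the article. The default directory roots are assumed typical Windows locations, and the demo tree it builds is constructed (empty decoy files) so the sweep can be dry-run anywhere.

```python
"""Sweep temp, app-data and system directories for the Storm-2561 indicator file names."""
import os
import tempfile
from pathlib import Path

# File names quoted in the article's indicator list; matched case-insensitively.
INDICATOR_NAMES = {
    "ivanti-vpn.zip", "pulsesecure.zip", "salmonsamurai.exe", "lakerbaker.exe",
    "displayphotoviewer.exe", "squarel.exe", "beauty.cmd", "possess.cmd", "villa.cmd",
}


def default_roots():
    """Assumed Windows locations worth sweeping: temp, per-user app data, ProgramData, Windows."""
    env = os.environ
    roots = [env.get("TEMP"), env.get("LOCALAPPDATA"), env.get("PROGRAMDATA"), env.get("WINDIR")]
    return [Path(r) for r in roots if r]


def scan_for_indicators(roots, names=INDICATOR_NAMES):
    """Walk each root; return (path, size, mtime) for every file whose name is an indicator."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
            for fname in files:
                if fname.lower() in names:
                    path = Path(dirpath) / fname
                    try:
                        st = path.stat()
                    except OSError:  # file vanished or is unreadable; keep sweeping
                        continue
                    hits.append((str(path), st.st_size, st.st_mtime))
    return hits


def indicator_names_found(roots):
    """Sorted, de-duplicated lower-case indicator names present under the roots."""
    return sorted({Path(p).name.lower() for p, _size, _mtime in scan_for_indicators(roots)})


def build_demo_tree():
    """Constructed sample tree for a dry run: decoy indicator names plus benign neighbours."""
    root = Path(tempfile.mkdtemp(prefix="storm2561_demo_"))
    (root / "Windows" / "System32").mkdir(parents=True)
    (root / "Temp").mkdir()
    for rel in ("Temp/PulseSecure.zip", "Temp/SalmonSamurai.exe", "Windows/System32/Villa.cmd",
                "Temp/setup.log", "Windows/notepad.exe"):
        (root / rel).write_bytes(b"")
    return root


if __name__ == "__main__":
    for path, size, _mtime in scan_for_indicators([build_demo_tree()]):
        print(f"INDICATOR {path} ({size} bytes)")
```

Replace `[build_demo_tree()]` with `default_roots()` to sweep a real machine; any hit is a reason to rotate credentials and run a full scan as the text advises.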