Signal

Storm-2561 uses SEO poisoning to distribute trojanized VPN clients targeting enterprises


Published 2026-03-13 08:51 UTC
Updated 2026-03-13 17:17 UTC
Tags: cve, exploits, malware, threat_actors, incident_response
Overview

The cybercriminal group Storm-2561 has been poisoning search engine results to promote trojanized VPN clients that impersonate software from major vendors such as Cisco, Fortinet, Check Point, and others.

Score total 1.2 · Momentum 24h 3 · Posts 3 · Origins 3 · Source types 1 · Duplicate ratio 0%
Why now
  • Activity detected since mid-January 2026 with ongoing campaigns targeting enterprise VPN users.
  • Attackers use SEO poisoning to hijack search results for popular VPN client downloads.
  • The malware is digitally signed and hosted on trusted platforms, increasing its chances of success.
Why it matters
  • Storm-2561 exploits trusted software brands and SEO to trick enterprise users into installing malware.
  • Stolen VPN credentials can grant attackers persistent access to corporate networks.
  • The campaign highlights the increasing sophistication of infostealer malware combined with remote access trojans.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
  • Storm-2561 hijacks search engine results to distribute trojanized VPN clients that steal corporate credentials.
  • The malware is digitally signed and hosted on trusted platforms like GitHub to evade suspicion.
  • After stealing credentials, victims are redirected to legitimate VPN client downloads to hide the attack.
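The delivery chain described in the claims above (search result points at an installer named like a vendor VPN client, hosted somewhere other than the vendor, then the victim is bounced to the real download) leaves a trace in web proxy logs. The following is an added detection example, not code from the page or from any of the cited reports. It flags installer downloads whose filename looks like a Cisco, Fortinet or Check Point VPN client but whose host is outside that vendor's own domain, and raises the severity when the referrer is a search engine. The log format, the vendor domain allowlist, the client-name patterns and the sample log lines are all assumptions constructed for the example. Because the campaign's binaries are validly signed, a signature check alone would not catch them; pairing this origin check with verification that the signer subject is the expected vendor is the practical control.

```python
"""Flag VPN-client installer downloads served from outside the vendor's own
domains. Added example; log format, allowlist and sample lines are assumed."""
import re
from urllib.parse import urlparse

# Assumed: client-name patterns (matched against the URL path only) and the
# vendor domains a legitimate installer should be served from. Extend per estate.
VPN_CLIENTS = {
    "cisco": (re.compile(r"anyconnect|cisco.?secure.?client", re.I), ("cisco.com",)),
    "fortinet": (re.compile(r"forticlient", re.I), ("fortinet.com",)),
    "checkpoint": (re.compile(r"check.?point|endpoint.?security.?vpn", re.I), ("checkpoint.com",)),
}
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg", ".zip")
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")

# Constructed proxy log lines (not real traffic): "timestamp client method url status referrer".
SAMPLE_LOGS = [
    "2026-03-12T09:14:02Z 10.1.4.23 GET https://software.cisco.com/download/anyconnect-win-4.10.08029.msi 200 https://www.google.com/",
    "2026-03-12T09:20:11Z 10.1.4.57 GET https://github.com/vpn-mirror-tools/releases/download/v7.4/FortiClientSetup_7.4.exe 200 https://www.bing.com/search?q=forticlient+download",
    "2026-03-12T09:31:45Z 10.1.4.57 GET https://www.fortinet.com/support/product-downloads 200 -",
    "2026-03-12T10:02:30Z 10.1.5.12 GET https://cdn.fileshare-example.net/CheckPoint_Endpoint_Security_VPN.exe 200 https://www.google.com/",
    "2026-03-12T10:15:09Z 10.1.5.12 GET https://github.com/octocat/Hello-World/archive/refs/heads/master.zip 200 -",
]


def _host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    """Split one assumed-format log line into its fields."""
    ts, client, method, url, status, referrer = line.split(" ", 5)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "referrer": referrer}


def classify(entry):
    """Return a finding for an installer named like a VPN client but fetched
    from outside that vendor's domains; None for everything else."""
    u = urlparse(entry["url"])
    host = (u.hostname or "").lower()
    if not u.path.lower().endswith(INSTALLER_EXT):
        return None
    for vendor, (pattern, domains) in VPN_CLIENTS.items():
        if not pattern.search(u.path):
            continue
        if _host_in(host, domains):
            return None  # served by the vendor itself: expected
        ref_host = (urlparse(entry["referrer"]).hostname or "").lower()
        from_search = any(s in ref_host for s in SEARCH_ENGINES)
        return {
            "ts": entry["ts"], "client": entry["client"], "vendor": vendor,
            "host": host, "file": u.path.rsplit("/", 1)[-1],
            "from_search": from_search,
            # A search-engine referrer is the SEO-poisoning tell, so rank it higher.
            "severity": "high" if from_search else "medium",
        }
    return None


def find_suspicious_vpn_downloads(lines=SAMPLE_LOGS):
    """Run classify() over every line and return the findings in log order."""
    findings = []
    for line in lines:
        finding = classify(parse_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in find_suspicious_vpn_downloads():
        print(f"{f['severity'].upper():6} {f['ts']} {f['client']} {f['vendor']}: "
              f"{f['file']} from {f['host']}"
              + (" (arrived via web search)" if f["from_search"] else ""))
```

Against the constructed sample, the Cisco installer from software.cisco.com and the unrelated GitHub archive are ignored, while the FortiClient installer from a GitHub release (search referrer, high) and the Check Point installer from a file-sharing host (search referrer, high) are flagged. The same client that fetched the GitHub binary then visiting fortinet.com moments later matches the redirect-to-legitimate-download step in the claims above, which is worth correlating by client address in a real hunt.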
How sources frame it
  • Microsoft Threat Intelligence: neutral
Consolidated multiple reports to highlight the ongoing threat from Storm-2561's SEO poisoning campaign targeting enterprise VPN users.
All evidence
Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others
theregister_security · go.theregister.com · 2026-03-13 17:17 UTC
Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials
The Hacker News · thehackernews.com · 2026-03-13 13:38 UTC
Storm-2561 targets enterprise VPN users with SEO poisoning, fake clients
CSO Online · csoonline.com · 2026-03-13 08:51 UTC