Storm-2561 uses SEO poisoning to deliver trojan VPN clients that steal credentials

In a security blog post, Microsoft reported a credential theft campaign observed in mid-January 2026 that uses SEO poisoning to push digitally signed trojan installers posing as enterprise VPN clients to harvest VPN credentials.

KEY FACTS

  • Incident: Credential theft via fake VPN clients
  • Technique: SEO poisoning redirects to malicious ZIP files
  • Attribution: Activity linked to Storm-2561
  • Delivery: MSI installers hosted on GitHub that sideload DLLs

The campaign redirects users searching for legitimate enterprise VPN software to attacker-controlled sites that host ZIP archives containing MSI installers. The packages are digitally signed and install trojanized components that run during setup.

Victims are shown a convincing fake VPN sign-in dialog that captures credentials. After credentials are entered, victims see an error message and may be directed to download the legitimate client, which helps hide the theft.

The malware establishes persistence by creating entries under the Windows RunOnce registry key and uses a variant of an information stealer known as Hyrax to collect and exfiltrate credentials. Some components carried a valid certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”

GitHub repositories used to host the installer archives were removed and the certificate was revoked to disrupt the operation. Recommended mitigations include enforcing multi-factor authentication (MFA) and verifying software sources before download.

WHY IT MATTERS

Search engine rankings and software branding can be abused to trick enterprise users into installing credential-harvesting software. Organizations should require MFA and verify installer authenticity to reduce the risk of VPN credential compromise.