Microsoft has disclosed details of a credential theft campaign that employs fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques.
"The campaign redirects users searching for legitimate enterprise software to malicious ZIP files on attacker-controlled websites to deploy digitally signed trojans that masquerade as trusted VPN clients
The Windows maker, which observed the activity in mid-January 2026, has attributed it to Storm-2561 , a threat activity cluster known for propagating malware through SEO poisoning and impersonating popular software vendors since May 2025.
The threat actor's campaigns were first documented by Cyjax, highlighting the use of SEO poisoning to redirect users searching for software programs from companies like SonicWall, Hanwha Vision, and Pulse Secure (now Ivanti Secure Access) on Bing to fake sites and trick them into downloading MSI installers that deploy the Bumblebee loader .
A subsequent iteration of the attack was disclosed by Zscaler in October 2025.
The campaign was observed taking advantage of users searching for legitimate software on Bing to propagate a trojanized Ivanti Pulse Secure VPN client via bogus websites ("ivanti-vpn[.]org") that ultimately stole VPN credentials from the victim's machine.