Microsoft reveals SEO poisoning campaign that baits users into downloading fake VPN software


Hackers are manipulating search results to lure users looking for legitimate VPN software into malicious downloads that install trojanized VPN clients and steal enterprise credentials.

Key takeaways:

The malware is designed to steal the victim’s VPN login credentials. According to Microsoft, the attack uses search engine optimization (SEO) poisoning to push websites hosting the malicious VPN software higher up in search results.


Users who click on one of these search results are redirected to spoofed websites that closely mimic those of trusted VPN vendors, including Ivanti, Check Point, Cisco, Fortinet, SonicWall, Sophos, and WatchGuard.

However, instead of downloading legitimate, trustworthy VPN software, users are being deceived into downloading a fake VPN client hosted on a malicious GitHub repository.


The repository hosts a ZIP file containing a Microsoft Windows Installer (MSI) file, which sideloads malicious dynamic link library (DLL) files during installation.

The bogus VPN software doesn’t offer any VPN service. Instead, it collects the victim’s login credentials and VPN configuration and sends them to the attackers as soon as they are entered. To hide the attackers’ intentions, the installed program displays a login window that resembles that of the genuine VPN software.

To maintain access, the malware creates a backdoor during installation through the Windows RunOnce registry key, registering the malicious software so that it runs again when the infected device reboots.

As soon as the victim’s credentials are stolen, the malware displays a convincing error message that says that the installation failed. It then provides instructions to download the legitimate VPN client from the official website.
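The RunOnce persistence described above is something defenders can check for on a host. The following is an added example, not code from Microsoft or from the article, that parses the output of `reg query` for the RunOnce key (a constructed sample is embedded; the file names in it are placeholders, not real indicators) and flags entries that launch from user-writable directories while using a VPN vendor's name.

```python
import re

# Constructed sample of `reg query HKCU\...\RunOnce` output. The entries are
# invented placeholders for illustration, not indicators from the report.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    OneDriveSetup    REG_SZ    C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe /silent
    CiscoSecureClient    REG_SZ    "C:\Users\jdoe\AppData\Local\Temp\vpn_setup\updater.exe" --quiet
    FortiClientHelper    REG_SZ    rundll32.exe C:\Users\jdoe\Downloads\FortiClient\helper.dll,Start
"""

# Directories a standard user can write to: a "VPN client" persisting from here
# did not arrive through a normal, admin-installed vendor package.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Vendors named in the article as being impersonated.
VPN_VENDORS = ("ivanti", "check point", "checkpoint", "cisco", "fortinet", "forticlient",
               "sonicwall", "sophos", "watchguard")

# One value line of `reg query` output: <name> REG_SZ|REG_EXPAND_SZ <data>
ENTRY_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")
# A quoted Windows path, or a bare one ending at whitespace or a comma
# (bare paths containing spaces are cut at the first space, which still
# leaves the directory prefix the check below needs).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,]+)')

def parse_runonce(text: str) -> list[tuple[str, str]]:
    """Return (value_name, command) pairs from `reg query` output."""
    return [(m.group(1), m.group(2)) for m in map(ENTRY_RE.match, text.splitlines()) if m]

def extract_paths(command: str) -> list[str]:
    """Pull every Windows path out of a command line, quoted or bare."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]

def suspicious_runonce(text: str) -> list[tuple[str, list[str]]]:
    """Flag RunOnce values whose command runs from a user-writable location,
    and note when the value name or command also borrows a VPN vendor's name."""
    findings = []
    for name, command in parse_runonce(text):
        reasons = [f"runs from user-writable path {p}" for p in extract_paths(command)
                   if any(d in p.lower() for d in USER_WRITABLE)]
        if reasons and any(v in f"{name} {command}".lower() for v in VPN_VENDORS):
            reasons.append("value name or command impersonates a VPN vendor")
        if reasons:
            findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in suspicious_runonce(SAMPLE_REG_QUERY):
        print(name, "->", "; ".join(reasons))
```

On a live host, replace the sample with the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` (and the HKLM equivalent); a hit is a lead to confirm, not a verdict on its own.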

“If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user. Users are likely to attribute the initial installation failure to technical issues, not malware,” the Redmond-based tech company said in a recently published blog post.


According to Microsoft Threat Intelligence and Microsoft Defender Experts, the SEO poisoning campaign is attributed to Storm-2561, a threat actor active since May 2025 and notorious for impersonating popular software vendors.
