Overview
- Researchers attribute the campaign to Storm-2561, which lured users from search results to spoofed vendor pages for Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, and WatchGuard.
- The spoofed sites linked to GitHub-hosted ZIP archives containing MSI installers that masqueraded as VPN clients while harvesting corporate logins.
- Running the installer dropped Pulse.exe and sideloaded dwmapi.dll and inspector.dll (a DLL given a system library's name is resolved from the executable's own directory before the copy in System32, which is what sideloading exploits), then deployed a Hyrax infostealer variant that captured and exfiltrated VPN credentials and configuration data.
- The fake client displayed a convincing login dialog, then threw an error and redirected the victim to the legitimate vendor site; persistence was set through the Windows RunOnce registry key. Because Windows deletes a RunOnce value when it executes it, the entry may already be gone by the time a host is triaged, so check registry-write telemetry rather than relying on a live snapshot alone.
- The GitHub repositories used in the operation have been taken down and the code-signing certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd. has been revoked; Microsoft recommends MFA, Microsoft Defender cloud-delivered protection, EDR in block mode, and browsers with SmartScreen enabled. Revocation only blocks future installs on hosts that check the signature, so machines that already ran the installer still need to be triaged.