Fake VPN clients spoofing Cisco, Fortinet

Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others.
And then they send victims to the legit VPN download to hide their tracks.

A group of cybercriminals tracked as Storm-2561 is using fake enterprise VPN clients that impersonate products from Check Point, Cisco, Fortinet, Ivanti, and other vendors to steal users’ credentials, according to Microsoft.

Storm-2561 is a newish criminal gang (“Storm” followed by a number is how Microsoft tracks groups still in development) that has been around since May 2025, and typically uses SEO poisoning and vendor impersonation to distribute malware. This campaign, which started in mid-January, is no different.

The crew gains initial access to victims by manipulating search results to push malicious websites masquerading as enterprise VPN updates to the top of the list. So when a user searches for a VPN client such as “Pulse VPN download” or “Pulse Secure client,” the top results point to a spoofed website mimicking the real vendor’s page. The spoofed products also include those from SonicWall, Sophos, and WatchGuard, in addition to the VPN vendors listed above.

Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files.

Read More here: https://www.theregister.com/2026/03/13/vpn_clients_spoofed/

