Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The Storm-2561 group is running a credential-theft campaign that uses SEO poisoning and fake VPN clients to steal VPN credentials from people searching for enterprise software. The operation is active across malicious ZIPs, attacker-controlled websites, and trusted hosting paths, making the lure harder to spot. It matters because the chain turns ordinary software searches into a credential-harvesting flow that can expose enterprise access.

Related Happenings

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

O1oo1 packages SilabRAT and AsmCrypt as a dark-web MaaS ecosystem

Threat Actor Meta
H score31 First: 10.06.2026 18:30 Last: 10.06.2026 18:30 Sources 1

About this happening: **o1oo1** is selling **SilabRAT** as a **$5000/month MaaS** and bundling it with **AsmCrypt**, turning the malware into a packaged criminal service that lowers adoption barriers....

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
H score24 First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
H score16 First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

Timeline

  1. 13.03.2026 15:38 2 articles · 3mo ago

    Microsoft discloses Storm-2561 VPN credential-theft campaign

    Initial Disclosure

    Microsoft disclosed a credential theft campaign targeting users searching for enterprise VPN software, saying it observed the activity in mid-January 2026 and attributing it to Storm-2561. The operation used SEO poisoning, attacker-controlled websites, malicious ZIP files on GitHub, MSI installers that sideloaded DLLs, a fake VPN sign-in dialog, a Hyrax variant for credential theft, and Windows RunOnce persistence; Microsoft also removed the attacker-controlled GitHub repositories and revoked the certificate used to sign the malicious components.

    Show sources