
Storm-2561 SEO-poisoning VPN credential-theft campaign

Campaign
First reported
Last updated
Happening score
H score 36
1 unique source, 1 article

Summary


The Storm-2561 group is running a credential-theft campaign that uses SEO poisoning and fake VPN clients to steal VPN credentials from people searching for enterprise software. The operation is active across malicious ZIPs, attacker-controlled websites, and trusted hosting paths, making the lure harder to spot. It matters because the chain turns ordinary software searches into a credential-harvesting flow that can expose enterprise access.

Related Happenings

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Microsoft civil action against Fox Tempest infrastructure takedown

Regulatory/Legal Action
First: 19.05.2026 18:00 Last: 19.05.2026 18:00 Sources 1

About this happening: Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...

TeamPCP uses Shai-Hulud release to build access-broker monetization pipeline

Threat Actor Meta
First: 18.05.2026 22:53 Last: 18.05.2026 22:53 Sources 1

About this happening: **TeamPCP** is being framed as using the **Shai-Hulud** source-code release to drive an **access broker** business, turning worm distribution into a credential-monetization pipeli...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

Timeline

  1. 13.03.2026 15:38 · 2 articles

    Microsoft discloses Storm-2561 VPN credential-theft campaign

    Initial Disclosure

    Microsoft disclosed a credential-theft campaign targeting users searching for enterprise VPN software; it said it first observed the activity in mid-January 2026 and attributed it to Storm-2561. The operation used SEO poisoning, attacker-controlled websites, malicious ZIP files hosted on GitHub, MSI installers that sideloaded DLLs, a fake VPN sign-in dialog, a Hyrax variant for credential theft, and Windows RunOnce persistence. Microsoft also removed the attacker-controlled GitHub repositories and revoked the certificate used to sign the malicious components.
