Fake Enterprise VPN Downloads Used to Steal Company Credentials

A threat actor identified as Storm-2561 is distributing counterfeit enterprise VPN clients impersonating Ivanti, Cisco, and Fortinet to harvest VPN credentials from targeted users. The campaign involves fake download sites mimicking legitimate vendors to deceive employees into installing malicious software. No specific dates, technical indicators, or CVE IDs were disclosed in the reported activity. The primary impact is the theft of corporate VPN credentials, potentially enabling unauthorized access to internal networks. The attack vector relies on social engineering to trick victims into downloading and executing the fraudulent clients.