
Microsoft Reveals Credential Theft Campaign by Storm-2561 Using Trojanized VPN Clients
Tags: Cybersecurity, Credential Theft, Storm-2561, Trojanized VPN, SEO Poisoning, Enterprise Software, Malicious ZIP Files, Digitally Signed Trojans
Microsoft disclosed a credential theft campaign attributed to the threat actor Storm-2561, which distributes trojanized VPN clients via SEO poisoning. The attack redirects users searching for legitimate enterprise software to malicious ZIP files hosted on attacker-controlled websites. The trojanized clients are digitally signed to appear as trusted VPN applications, facilitating credential theft. No specific dates, CVE IDs, or technical indicators such as file hashes or infrastructure details were provided in the disclosure. The campaign uses manipulated search engine results to target users seeking enterprise solutions.