
Cybercriminal Group Storm-2561 Uses Fake VPN Sites to Distribute Hyrax Infostealer Malware
In mid-January 2026, Microsoft Defender Experts identified a cybercriminal campaign attributed to the threat group Storm-2561, which used fake Fortinet and Ivanti VPN websites to distribute the Hyrax infostealer malware. The attackers employed SEO poisoning techniques to lure victims into downloading malicious installers disguised as legitimate VPN software. The campaign specifically targeted users searching for VPN solutions, redirecting them to fraudulent sites mimicking official vendor pages. Hyrax infostealer is designed to exfiltrate sensitive data, including credentials and system information. No specific CVEs or additional technical indicators were mentioned in the reported findings.