security: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
Microsoft Security Blog
2026-03-12
Microsoft reports that Storm-2561 has been using SEO poisoning to promote fake VPN client downloads that install signed trojans and steal VPN credentials. The activity has been observed since 2025 and relies on impersonating trusted brands and abusing legitimate services.