security: Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

Microsoft reports that Storm-2561 has been using SEO poisoning to promote fake VPN client downloads that install signed trojans and steal VPN credentials. The activity has been observed since 2025 and relies on impersonating trusted brands and abusing legitimate services.

• Source: Microsoft Security Blog