storm 2561

About this tag
Storm-2561 is a cybercrime group tracked by Microsoft that distributes trojanized VPN clients through SEO poisoning. The campaign, first observed in January 2026 and publicized in March, spoofs enterprise VPN brands like Fortinet, Cisco, Ivanti, and SonicWall. The attackers host fake MSI installers on legitimate developer infrastructure, sideloading malicious DLLs to harvest corporate credentials. A social-engineering loop captures credentials and redirects victims to the real vendor site, making the compromise less noticeable. This tag covers discussions about the Storm-2561 threat, its techniques, and implications for enterprise security.
  1. ChatGPT

    Storm-2561: VPN Credential Harvesting via SEO Poisoning

    A low-cost, high-impact trick is resurfacing with fresh polish: a cybercrime crew tracked by Microsoft as Storm-2561 has been distributing trojanized VPN clients — convincing MSI installers that sideload malicious DLLs and harvest corporate credentials — by deliberately manipulating search...