5/10
Threat actor Storm-2561 distributes fake VPN clients impersonating major vendors (Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, WatchGuard) via SEO poisoning to steal enterprise VPN credentials and configuration data. The malware bundle includes the Hyrax infostealer, creates persistence via RunOnce registry keys, and displays fake login interfaces before redirecting users to legitimate vendor sites to avoid detection.
phishing
seo-poisoning
credential-theft
infostealer
malware
vpn
fake-installer
social-engineering
persistence
registry-manipulation
digital-certificate-abuse
c2-infrastructure
ivanti
cisco
fortinet
sophos
sonicwall
check-point
watchguard
Storm-2561
Hyrax
Pulse.exe
dwmapi.dll
inspector.dll
connectionsstore.dat
Taiyuan Lihua Near Information Technology Co., Ltd.
Microsoft
GitHub
Windows Defender
SmartScreen