Threat actor Storm-2561 distributes fake VPN clients impersonating major vendors (Ivanti, Cisco, Fortinet, Sophos, SonicWall, Check Point, WatchGuard) via SEO poisoning to steal enterprise VPN credentials and configuration data. The malware bundle includes the Hyrax infostealer, establishes persistence via RunOnce registry keys, and displays fake login interfaces before redirecting users to the legitimate vendor sites to avoid detection.
phishing
seo-poisoning
credential-theft
infostealer
malware
vpn
fake-installer
social-engineering
persistence
registry-manipulation
digital-certificate-abuse
c2-infrastructure
ivanti
cisco
fortinet
sophos
sonicwall
check-point
watchguard
Storm-2561
Hyrax
Pulse.exe
dwmapi.dll
inspector.dll
connectionsstore.dat
Taiyuan Lihua Near Information Technology Co., Ltd.
Microsoft
GitHub
Windows Defender
SmartScreen