
Attackers cover their tracks after credential theft
After capturing the credentials, the fake client displays an error message indicating that the installation has failed, the advisory said. It then directs the user to download the legitimate VPN client from the official vendor site. “In certain instances, opens the user’s browser to the legitimate VPN website,” Microsoft said. If the real VPN then installs and works as expected, the victim has no indication of compromise.
Storm-2561 also establishes persistence through the Windows RunOnce registry key, ensuring the malware runs on every reboot, the advisory noted. One caveat for defenders: a RunOnce value is deleted as soon as it executes, so an entry only fires at the next boot or logon, and surviving further reboots means the malware has to write the value back each time it runs. Any RunOnce entry that points into a user-writable directory is therefore worth a look even if it is gone by the next audit. The post-credential redirection removes the behavioral anomaly, a failed install with nothing to show for it, that might otherwise prompt a security review. SEO poisoning campaigns have long relied on misdirection to avoid leaving forensic footprints; Storm-2561 goes further by handing the victim working, legitimate software after the theft, leaving no obvious trace of compromise.
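A check a practitioner would want after reading the above is a quick audit of the Run and RunOnce autostart values. The following PowerShell is an added example written for this page, not code from Microsoft or from the advisory. It enumerates both keys in the machine hive and every loaded user hive, pulls the executable out of each command line, and flags entries that launch from outside Program Files or the Windows directory or whose target no longer exists. The list of trusted roots is an assumption for the example; extend it for software you legitimately install elsewhere.

```powershell
# Added example (not from the advisory): audit Run/RunOnce autostart values across
# HKLM and every loaded user hive, flagging entries that launch from unusual places.

$AutostartSubkeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a legitimately installed autostart is expected to run from (assumption
# for this example; add your own deployment paths).
$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Get-ItemProperty adds these provider properties to its output; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandExecutable {
    # Extract the program path from an autostart command line, handling both
    # "C:\quoted path\app.exe" /args and C:\unquoted\app.exe /args forms.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+', 2)[0]
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AutostartEntries {
    # HKLM plus every user hive currently loaded under HKEY_USERS (skipping *_Classes hives).
    $hives = @('HKLM:') + (Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" })

    foreach ($hive in $hives) {
        foreach ($subkey in $AutostartSubkeys) {
            $key = Join-Path -Path $hive -ChildPath $subkey
            if (-not (Test-Path -Path $key)) { continue }
            $values = Get-ItemProperty -Path $key
            foreach ($prop in $values.PSObject.Properties) {
                if ($ProviderProps -contains $prop.Name) { continue }
                $exe    = Get-CommandExecutable -CommandLine ([string]$prop.Value)
                $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and (Test-Path -LiteralPath $exe)
                [pscustomobject]@{
                    Hive       = $hive
                    Key        = $subkey.Split('\')[-1]      # Run or RunOnce
                    Name       = $prop.Name
                    Command    = $prop.Value
                    Executable = $exe
                    # Outside the trusted roots, or already deleted: worth a closer look.
                    # A RunOnce value is removed after it fires, so catching one at all
                    # on a machine you did not just provision is itself notable.
                    Suspicious = (-not (Test-TrustedPath -Path $exe)) -or (-not $exists)
                }
            }
        }
    }
}

Get-AutostartEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because RunOnce entries are transient, a one-off run of this audit can miss them; it is more useful as a scheduled collection at logon, or as a template for the equivalent registry query in your EDR, where the write to the key itself is the event to alert on.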
Mitigations
Microsoft recommended organizations enforce multifactor authentication on all accounts without exception. Enterprise credentials should not be stored in browser-based password vaults secured with personal credentials. Organizations should also disable browser password syncing on managed devices through Group Policy, the advisory added.
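The browser-side recommendations above map to a small set of vendor policies. The following PowerShell is an added example for this page, not Microsoft's script: it audits and, if needed, applies the machine-wide policy values that turn off the built-in password manager and account sync in Edge, Chrome and Firefox. The values under HKLM\SOFTWARE\Policies are exactly what the vendors' ADMX templates write, so in a domain the same settings belong in a Group Policy Object or an Intune profile rather than a local script; the script is for a single managed device or for verifying that the policy actually landed. Run it elevated.

```powershell
# Added example (not Microsoft's code): audit and enforce the browser policies that
# disable built-in password managers and profile/account sync on a managed device.

$BrowserPolicies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'SyncDisabled';           Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'SyncDisabled';           Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled'; Value = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'DisableFirefoxAccounts'; Value = 1 }
)

function Test-BrowserPasswordPolicy {
    # Audit: one row per policy; Compliant is $true only if the value exists and matches.
    foreach ($p in $BrowserPolicies) {
        $current = $null
        if (Test-Path -Path $p.Path) {
            $current = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Browser   = $p.Path.Split('\')[-1]
            Policy    = $p.Name
            Expected  = $p.Value
            Current   = $current
            Compliant = ($null -ne $current) -and ($current -eq $p.Value)
        }
    }
}

function Set-BrowserPasswordPolicy {
    # Enforce: create any missing policy key and write each value as REG_DWORD.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($p in $BrowserPolicies) {
        if ($PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", "set to $($p.Value)")) {
            if (-not (Test-Path -Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
            New-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report first, enforce only if something is out of line, then re-audit.
Test-BrowserPasswordPolicy | Format-Table -AutoSize
if (Test-BrowserPasswordPolicy | Where-Object { -not $_.Compliant }) {
    Set-BrowserPasswordPolicy
    Test-BrowserPasswordPolicy | Format-Table -AutoSize
}
```

Note what these policies do and do not cover: disabling the password manager stops new credentials from being saved, but passwords already stored in a profile remain on disk and, in Chrome and Edge, can still be used until the profile is cleaned up, so pair the policy with a one-time clear-out on devices that were in use before it took effect.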