In mid-January 2026, Microsoft Defender Experts identified a devious way that cybercriminals are tricking people into giving away their private information. A group known as Storm-2561 has been setting up fake websites that look exactly like official download pages for popular enterprise software, specifically Virtual Private Network (VPN) clients.
A VPN is a tool many of us use to stay secure online, and the attackers are turning that trust against us. The group reportedly uses a technique called SEO poisoning: they manipulate search engine results so that a search for a term like "Pulse VPN download" puts their fake, malicious website right at the top of the results.
How the Trick Works
According to Microsoft Threat Intelligence researchers, users are led to websites like vpn-fortinet.com and ivanti-vpn.org. These sites offer a download that looks legitimate but is actually a malicious ZIP file hosted in GitHub repositories. Further investigation revealed that these files contain a Trojan that masquerades as a trusted VPN client.
Researchers noted that the software was digitally signed by a certificate from Taiyuan Lihua Near Information Technology Co., Ltd. This signature acts like a digital stamp of approval that usually tells your computer a program is safe. By using a real certificate, which has since been revoked, the hackers were able to “bypass default Windows security warnings” and make the installation look official.
Hidden Malware and Stolen Data
As per the official Microsoft security blog post, the installer places files into a folder named %CommonFiles%\Pulse Secure, which is the same location a real VPN would use. This helps the malware “blend in with legitimate VPN software to appear trustworthy” and avoid any immediate suspicion.
Once the fake VPN is opened, it looks exactly like the real thing and asks for your username and password. Instead of establishing a VPN connection, it uses a variant of an infostealer called Hyrax to steal your details and send them to the hackers’ own servers.
To keep the scam hidden, the program shows a fake error message and then helpfully points you to the real website to download the actual software. Because the real VPN eventually works, most people never realise they were hacked.
To protect your data, it is best practice to download software directly from official company websites rather than clicking the first link you see in a search.
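For defenders who want to check proxy or DNS logs for this kind of lookalike download site, here is an added example that is not from Microsoft's report. The vendor allowlist, the log format and the sample log lines are assumptions constructed for illustration; only vpn-fortinet.com and ivanti-vpn.org come from the article.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keywords mapped to the vendors' official registrable domains.
OFFICIAL = {
    "fortinet": {"fortinet.com"},
    "ivanti": {"ivanti.com"},
    "pulse": {"pulsesecure.net", "ivanti.com"},
}

# Constructed proxy log lines (timestamp, user, URL); not real telemetry.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z alice https://www.fortinet.com/support/product-downloads
2026-01-14T09:15:40Z bob https://vpn-fortinet.com/download
2026-01-14T09:21:11Z carol https://ivanti-vpn.org/pulse-secure.zip
2026-01-14T09:30:52Z dave https://forums.ivanti.com/s/
2026-01-14T09:41:07Z erin https://fortinet.com.downloads.example/client
2026-01-14T09:50:19Z frank https://example.org/news/pulse-vpn-review
"""

def registrable(host):
    """Naive eTLD+1: the last two labels. Use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(host):
    """Return the brand a hostname imitates, or None if it is official or unrelated."""
    # Whole-label tokens only: "vpn-fortinet" matches, "impulse" does not.
    # Concatenated forms such as "pulsevpn" are out of scope for this sketch.
    tokens = set(re.split(r"[.-]", host.lower()))
    reg = registrable(host)
    for brand, official in OFFICIAL.items():
        if brand in tokens and reg not in official:
            return brand
    return None

def scan(log_text):
    """Return (user, host, brand) for each log line whose host imitates a vendor."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        host = urlsplit(parts[2]).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            hits.append((parts[1], host, brand))
    return hits

if __name__ == "__main__":
    for user, host, brand in scan(SAMPLE_LOG):
        print(f"{user}: {host} imitates '{brand}'")
```

Only the hostname is inspected, so a brand keyword in a URL path or search query does not trigger a hit, and official subdomains pass because the comparison is on the registrable domain.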

