---
title: "Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others"
type: "News"
locale: "en"
url: "https://longbridge.com/en/news/279076175.md"
description: "A cybercriminal group known as Storm-2561 is using fake VPN clients from various vendors, including Cisco and Fortinet, to steal user credentials. They manipulate search results to direct users to spoofed websites that appear legitimate. Once users download the malicious software, it captures their credentials and sends them to an attacker-controlled server. Microsoft recommends enforcing multi-factor authentication and advises against storing workplace credentials in personal password vaults to mitigate risks."
datetime: "2026-03-13T17:21:19.000Z"
locales:
  - [zh-CN](https://longbridge.com/zh-CN/news/279076175.md)
  - [en](https://longbridge.com/en/news/279076175.md)
  - [zh-HK](https://longbridge.com/zh-HK/news/279076175.md)
---

# Credential-stealing crew spoofs VPN clients from Cisco, Fortinet, and others

A group of cybercriminals tracked as Storm-2561 is using fake enterprise VPN clients from CheckPoint, Cisco, Fortinet, Ivanti, and other vendors to steal users' credentials, according to Microsoft.

Storm-2561 is a newish criminal gang ("Storm" followed by a number is how Microsoft tracks groups still in development) that has been around since May 2025, and typically uses SEO positioning and vendor impersonation to distribute malware.

This campaign, which started in mid-January, is no different. The crew gains initial access to victims by manipulating search results and pushes malicious websites masquerading as enterprise VPN updates to the top of the list. So when a user searches for a VPN client such as "Pulse VPN download" or "Pulse Secure client," the top results point to a spoofed website mimicking the real vendor's page.
These include products from SonicWall, Sophos, and WatchGuard, in addition to the VPN vendors listed above.

Clicking on the link redirects users to a malicious GitHub repository that hosts the fake VPN clients disguised as Microsoft Windows Installer (MSI) files.

"Microsoft has observed spoofing of various VPN software brands and has observed the GitHub link at the following two domains: vpn-fortinet[.]com and ivanti-vpn[.]org," Redmond's threat intelligence team said in a Thursday blog. The GitHub repos have since been taken down. (Read the blog to the end for a long list of indicators of compromise.)

The installer sideloads malicious dynamic link library (DLL) files, dwmapi.dll and inspector.dll, during installation, and the phony VPN software prompts the user to enter their credentials. This captures the usernames and passwords, and then sends them to an attacker-controlled command-and-control server, all the while appearing to be a legitimate client application.

The MSI file and malicious DLLs are signed with a valid - and now revoked - digital certificate from Taiyuan Lihua Near Information Technology Co., Ltd.

Then comes the trickiest part: immediately after a user enters their credentials into the fake sign-in page, the application displays an error message saying the installation failed, and then instructs the victim to download the legitimate VPN client from the vendor's official website. In some cases, the app even opens the user's browser to the legitimate site.
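The sideloading step above hinges on a loader picking up a file named like a Windows system DLL (dwmapi.dll) from the installer's own directory instead of from System32. A cheap defensive hunt for that pattern is to walk program directories and flag any file carrying a watched system-DLL name that lives outside the system directory, distinguishing an exact duplicate of the genuine file from a substitute with different contents. The script below is an added example written for this page; it is not code from Microsoft's report or from The Register. The watched-name list (dwmapi.dll plus two commonly abused names added as an assumption), the directory layout and the file contents are all constructed for the demo, and inspector.dll is deliberately not caught by this rule because it does not collide with a system DLL name, which is where Authenticode and publisher checks take over.

```python
"""Hunt for copies of Windows system DLL names sitting outside the system directory.

Added example for this page, not the report's own tooling. The watched names other
than dwmapi.dll, and the whole demo directory tree, are constructed assumptions.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# DLL names expected to live only under %SystemRoot%\System32.
# dwmapi.dll is named in the Microsoft report; version.dll and userenv.dll are
# added here as an assumption to show the rule generalises beyond one name.
WATCHED_DLLS = {"dwmapi.dll", "version.dll", "userenv.dll"}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(scan_root, system_dir, watched=WATCHED_DLLS):
    """Return a sorted list of Findings for watched DLL names found outside system_dir."""
    system_dir = Path(system_dir).resolve()
    names = {w.lower() for w in watched}
    # Hash the genuine copies so an exact duplicate can be told apart from a substitute.
    system_hashes = {n: sha256_of(system_dir / n) for n in names if (system_dir / n).is_file()}
    findings = []
    for dirpath, _subdirs, files in os.walk(scan_root):
        d = Path(dirpath).resolve()
        if d == system_dir or system_dir in d.parents:
            continue  # the system directory is the only legitimate home for these names
        for fname in files:
            key = fname.lower()
            if key not in names:
                continue
            fpath = d / fname
            if key in system_hashes and sha256_of(fpath) == system_hashes[key]:
                reason = "exact copy of system DLL outside system directory"
            else:
                reason = "system DLL name with non-system content (possible sideload)"
            findings.append(Finding(str(fpath), reason))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree():
    """Create a throwaway directory tree imitating a sideload drop (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    system_dir = base / "Windows" / "System32"
    programs = base / "Program Files"
    system_dir.mkdir(parents=True)
    (system_dir / "dwmapi.dll").write_bytes(b"genuine dwmapi (constructed)")
    # Fake installer directory: a substitute dwmapi.dll beside the payload and inspector.dll.
    fake_vpn = programs / "FakeVPN"
    fake_vpn.mkdir(parents=True)
    (fake_vpn / "dwmapi.dll").write_bytes(b"attacker dll (constructed)")
    (fake_vpn / "inspector.dll").write_bytes(b"second dll (constructed)")
    (fake_vpn / "setup.msi").write_bytes(b"msi placeholder (constructed)")
    # A byte-for-byte duplicate of the real DLL: odd, but reported with a softer reason.
    mirror = programs / "Mirror"
    mirror.mkdir()
    (mirror / "dwmapi.dll").write_bytes(b"genuine dwmapi (constructed)")
    # An unrelated directory that must produce no finding.
    clean = programs / "Clean"
    clean.mkdir()
    (clean / "readme.txt").write_bytes(b"nothing to see")
    return base, system_dir


def demo():
    """Build the constructed tree and scan it; returns the list of Findings."""
    base, system_dir = build_demo_tree()
    return find_sideload_candidates(base, system_dir)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.reason}: {finding.path}")
```

On a real host you would point `find_sideload_candidates` at the program and user-profile directories with the genuine `System32` path, then triage each hit by checking its Authenticode signature and publisher against what the directory's installer claims to be.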
"If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end user," according to the blog. "Users are likely to attribute the initial installation failure to technical issues, not malware."

Unsurprisingly, since it's a Microsoft threat-intel report, the software giant recommends its products and services to prevent credential theft. But there are a couple of key (and vendor-neutral) security suggestions that we want to highlight.

First - and we cannot stress this enough - enforce multi-factor authentication (MFA) on all accounts. Make sure to remove users excluded from MFA, and require MFA from all devices, everywhere, at all times.

Second: remind employees NOT to store workplace credentials in browsers or password vaults secured with personal credentials. ®