Code Defence Cyber security

Fake enterprise VPN clients are being used to siphon corporate credentials. 🐚

Phishing Alert · Storm-2561 distributing malicious Cisco, Ivanti, and Fortinet installers.

A threat actor tracked as Storm-2561 is leveraging SEO poisoning and fraudulent download portals to distribute fake enterprise VPN installers. These malicious files masquerade as legitimate clients for Cisco, Ivanti, and Fortinet, but instead install credential-stealing malware.

The campaign specifically targets remote workers searching for software updates or connection tools. Once installed, the malware captures VPN login data and system information, providing the attacker with the keys required to bypass the network perimeter silently.

The uncomfortable truth: Your perimeter security is bypassed the moment a single user installs a poisoned version of the tool meant to protect them.

→ Instruct all employees to download enterprise software only from official, IT-approved internal portals.

→ Use EDR tools to block the execution of unsigned or unrecognized installers from common download directories.

→ Audit your VPN logs for unusual login patterns, such as logins from IP blocks or geographic locations a user has never connected from before.
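One way to carry out that VPN log audit, as an added example that is not part of the original post: a Python script that reads constructed VPN login records, learns which /24 source blocks each user connected from during a baseline window, and flags later successful logins from a block that user has never used. The log format, user names and IP addresses are assumptions made for the example.

```python
"""Flag successful VPN logins from source /24 blocks a user has never used before."""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed sample VPN log lines (assumed format: "timestamp user src_ip status");
# the addresses are documentation ranges, not real data.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice 203.0.113.24 login-ok
2024-05-01T08:05:40Z bob 198.51.100.7 login-ok
2024-05-02T09:10:03Z alice 203.0.113.31 login-ok
2024-05-03T07:55:12Z bob 198.51.100.9 login-ok
2024-05-04T03:12:44Z alice 192.0.2.77 login-ok
2024-05-04T03:14:01Z alice 192.0.2.78 login-ok
2024-05-04T22:40:15Z bob 192.0.2.90 login-fail
2024-05-05T08:01:09Z bob 198.51.100.7 login-ok
"""

def parse_ts(ts):
    """Parse the assumed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_line(line):
    ts, user, ip, status = line.split()
    return parse_ts(ts), user, ip, status

def block_of(ip, prefix=24):
    """Collapse a source address to its /24 block, e.g. 192.0.2.77 -> 192.0.2.0/24."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))

def find_new_block_logins(log_text, baseline_end_iso):
    """Return (user, timestamp, ip, block) for successful logins at or after
    baseline_end whose /24 block the user never used during the baseline.
    Each new block is reported once per user; failed logins are ignored."""
    baseline_end = parse_ts(baseline_end_iso)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    seen = defaultdict(set)  # user -> set of /24 blocks seen in the baseline
    for ts, user, ip, status in events:
        if status == "login-ok" and ts < baseline_end:
            seen[user].add(block_of(ip))
    findings = []
    for ts, user, ip, status in events:
        if status != "login-ok" or ts < baseline_end:
            continue
        blk = block_of(ip)
        if blk not in seen[user]:
            findings.append((user, ts.isoformat(), ip, blk))
            seen[user].add(blk)  # report a newly seen block only once
    return findings

if __name__ == "__main__":
    for f in find_new_block_logins(SAMPLE_LOG, "2024-05-04T00:00:00Z"):
        print("REVIEW: user %s logged in from new block %s (%s) at %s" % (f[0], f[3], f[2], f[1]))
```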

Do you have a strictly enforced policy that blocks users from installing non-approved software on company assets? 👇

#Cybersecurity #VPN #Phishing #CredentialTheft #SOC #CodeDefence