Fake enterprise VPN downloads used to steal company credentials
Summary: Storm-2561 distributes fake enterprise VPN clients (posing as Ivanti, Cisco and Fortinet software) to steal users' VPN credentials. The attackers poison search results for queries such as "Pulse VPN download" to steer users to spoofed sites. Microsoft found those sites linking to a malicious ZIP on GitHub (since removed) that installs Pulse.exe and the Hyrax infostealer, which harvest credentials and VPN configuration data and set up registry-based persistence to survive reboots. Microsoft recommends cloud-delivered protection, EDR and multi-factor authentication.

2026-3-13 13:30:19 Author: www.bleepingcomputer.com


A threat actor tracked as Storm-2561 is distributing fake enterprise VPN clients that impersonate products from Ivanti, Cisco, and Fortinet to steal VPN credentials from unsuspecting users.

The attackers manipulate search results (SEO poisoning) for common queries like “Pulse VPN download” or “Pulse Secure client” to redirect victims to spoofed vendor sites that closely mimic the legitimate vendors' VPN download pages.

After examining the attack and command-and-control (C2) infrastructure, Microsoft researchers discovered that the same campaign used domains related to Sophos, Sonicwall, Ivanti, Check Point, Cisco, WatchGuard, and others, targeting users of multiple enterprise VPN products.

In the observed attack, Microsoft found that the fake sites link to a GitHub repository (now taken down) that hosts a ZIP archive containing a fake VPN MSI installer.

[Image: Fake Fortinet website. Source: Microsoft]

When executed, this installer places ‘Pulse.exe’ in %CommonFiles%\Pulse Secure and drops a loader (dwmapi.dll) alongside a variant of the Hyrax infostealer (inspector.dll). dwmapi.dll is also the name of a legitimate Windows system library, so a copy of it sitting in an application directory next to the executable is the usual layout for DLL sideloading and is worth treating as suspicious on its own.

The fake VPN client displays a legitimate-looking login interface that invites victims to enter their credentials, which are captured and exfiltrated to the attacker's infrastructure.

The malware, which is digitally signed with a legitimate, but now revoked, certificate from Taiyuan Lihua Near Information Technology Co., Ltd., also steals VPN configuration data stored in the ‘connectionsstore.dat’ file from the legitimate program’s directory.

To reduce suspicion, the fake VPN client displays an installation error after the credentials have been captured and redirects the victim to the real vendor’s site to download the legitimate VPN client.

“If users successfully install and use legitimate VPN software afterward, and the VPN connection works as expected, there are no indications of compromise to the end users […], [who] are likely to attribute the initial installation failure to technical issues, not malware,” explains Microsoft.

Meanwhile, in the background, the infostealer creates persistence for Pulse.exe via the Windows RunOnce registry key so that the infection survives a system reboot. Note that Windows deletes a RunOnce value once it has executed, so a foothold based on it lasts only as long as the malware keeps re-registering itself after each run; finding such a value on a host is therefore evidence that the malware is still active, not a leftover.
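As an added example (not part of the original article, and not Microsoft's published hunting queries), the following PowerShell script checks a Windows host for the artifacts named above: the dropped dwmapi.dll and inspector.dll beside Pulse.exe, a RunOnce value that launches Pulse.exe, and the Authenticode signer of Pulse.exe. The install directory is built from the path the article gives; which registry hive holds the RunOnce value, and the SHA-256 hashing of hits, are assumptions, since the article states neither.

```powershell
# Added hunting script (not Microsoft's or BleepingComputer's code). Checks one
# Windows host for the three artifacts the article names. Run in an elevated
# PowerShell session so HKLM and the common-files directory are readable.
# Assumptions: install directory under %CommonProgramFiles%\Pulse Secure; the
# article does not say which hive holds the RunOnce value, so both are checked.

$pulseDir = Join-Path $env:CommonProgramFiles 'Pulse Secure'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Loader and infostealer dropped alongside Pulse.exe. dwmapi.dll is also the
#    name of a genuine Windows system DLL, so a copy in an application folder is
#    the classic search-order-hijack / sideload layout.
foreach ($name in 'dwmapi.dll', 'inspector.dll') {
    $path = Join-Path $pulseDir $name
    if (Test-Path -LiteralPath $path) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("Dropped DLL present: $path (SHA256 $hash)")
    }
}

# 2. RunOnce persistence pointing at Pulse.exe (either hive, assumption).
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        if ($data -match '(?i)pulse\.exe') {
            $findings.Add("RunOnce value '$valueName' in $hive -> $data")
        }
    }
}

# 3. Authenticode on Pulse.exe. An invalid status, or the signer the article
#    names, is a hit; the subject match does not depend on a revocation lookup,
#    which is why it is checked in addition to the status.
$exe = Join-Path $pulseDir 'Pulse.exe'
if (Test-Path -LiteralPath $exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -ne 'Valid' -or $subject -match 'Taiyuan Lihua') {
        $findings.Add("Pulse.exe signature status '$($sig.Status)', signer: $subject")
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No Storm-2561 artifacts found in $pulseDir or RunOnce."
}
```

The script is deliberately narrow: it looks for exactly the file names, registry location and signer the article reports, so a renamed build would not trip it. For fleet-wide use, feed the same three checks into your EDR's query language and pair them with Microsoft's published indicators rather than relying on this host-local check alone.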

The researchers recommend that system administrators enable cloud-delivered protection in Defender, run EDR in block mode, enforce multi-factor authentication, and use SmartScreen-enabled browsers.

Microsoft has also provided indicators of compromise (IoCs) and hunting guidance to help detect and block this campaign early.



Source: https://www.bleepingcomputer.com/news/security/fake-enterprise-vpn-downloads-used-to-steal-company-credentials/
For infringement complaints, contact: admin#unsafe.sh