A financially motivated threat actor tracked as Storm-2561 is running a credential theft campaign that abuses SEO poisoning and fake, signed VPN installers to steal enterprise VPN credentials. Active since May 2025, Storm-2561 continues to exploit user trust in search results, known VPN brands, and code-signing certificates to distribute malware disguised as legitimate remote access […] The post Storm-2561 Uses SEO Poisoning, Fake Signed VPN Apps to Steal Enterprise Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
First seen on gbhackers.com
Jump to article: gbhackers.com/storm-2561-uses-seo-poisoning/
