PULSE NAME
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft
WHITE Storm-2561 Tr1sa111 2026-03-18 Modified: 2026-04-15
43 IOCs (medium volume)
Indicators of Compromise (8 / 43 total)