Storm-2561 Exploits Fake Fortinet and Ivanti VPN Sites to Deploy Hyrax Infostealer Malware
In a sophisticated phishing campaign that has already compromised dozens of organizations worldwide, threat actors behind Storm‑2561 are masquerading as legitimate VPN providers—specifically Fortinet and Ivanti—to lure users into downloading the Hyrax Infostealer. The operation combines social engineering, domain spoofing, and a malicious payload that quietly harvests credentials and sensitive data from infected machines.
How Storm‑2561 Lures Victims
Storm‑2561’s attack chain begins with a carefully crafted email that appears to come from a trusted IT administrator. The message typically contains a subject line such as “Urgent: VPN Access Required for Remote Work” and a link that directs the recipient to a website that looks almost identical to the official Fortinet or Ivanti login page. The attackers have registered domain names that mimic the legitimate ones, for example “fortinet‑vpn.com” or “ivanti‑support.net,” and they use SSL certificates that appear authentic at first glance.
Once the user enters their credentials, the site immediately initiates a download of a small, innocuous‑looking installer. The installer is actually a wrapper that silently installs the Hyrax Infostealer, which then runs in the background, collecting usernames, passwords, and other sensitive information from the victim’s browser, email clients, and local files.
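An added defensive example, not code from the article or from either vendor: a small Python check that scans proxy log lines for hosts carrying the Fortinet or Ivanti brand name outside the vendors' own registrable domains, which is how lookalikes of the kind quoted above ("fortinet-vpn.com", "ivanti-support.net") would surface. The log format, user names and the scope assumption that fortinet.com and ivanti.com are the only legitimate vendor domains are constructed for this example.

```python
from urllib.parse import urlsplit

# Brand names the lure impersonates, mapped to the registrable domains that legitimately carry them
# (assumption for this example: these two vendor domains are the only legitimate ones in scope).
BRANDS = {"fortinet": {"fortinet.com"}, "ivanti": {"ivanti.com"}}

# Constructed proxy log lines, "<timestamp> <user> <url>"; not taken from the article.
SAMPLE_LOG = """\
2024-05-01T10:22:07Z alice https://vpn.fortinet.com/remote/login
2024-05-01T10:23:41Z bob https://fortinet-vpn.com/login
2024-05-01T10:25:02Z carol https://IVANTI-SUPPORT.net:443/sso
2024-05-01T10:26:19Z dave https://fortinet.login-portal.net/auth
2024-05-01T10:27:33Z erin https://f0rtinet-sslvpn.com/
2024-05-01T10:28:05Z frank https://www.example.com/
"""

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize(host: str) -> str:
    """Collapse common disguises: case, hyphens/underscores, and 0->o / 1->l substitutions."""
    return host.lower().translate(str.maketrans("01", "ol", "-_"))

def classify(host: str):
    """'legitimate' if the brand sits under a vendor domain, 'lookalike' if it appears
    anywhere else in the host, None if no impersonated brand is present."""
    reg = registrable_domain(host)
    for brand, legit in BRANDS.items():
        if brand in normalize(host):
            return "legitimate" if reg in legit else "lookalike"
    return None

def scan_log(text: str):
    """Return (timestamp, user, host, verdict) for every line whose host mentions a brand."""
    hits = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, user, url = parts
        host = urlsplit(url).hostname or ""  # hostname is lowercased, port stripped
        verdict = classify(host)
        if verdict:
            hits.append((ts, user, host, verdict))
    return hits

if __name__ == "__main__":
    for ts, user, host, verdict in scan_log(SAMPLE_LOG):
        print(f"{ts} {user:<6} {host:<28} {verdict}")
```

Only "lookalike" hits need follow-up; the check is a triage filter, and brand names in paths or query strings are deliberately out of scope.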
The Role of Fake VPN Sites
Fortinet and Ivanti are both well‑known VPN vendors, and many organizations rely on them for secure remote access. By creating a replica of these sites, Storm‑2561 exploits the trust that users place in their corporate VPN infrastructure. The fake sites also employ subtle visual cues—such as the same logo, color scheme, and layout—to reduce suspicion.
Once the user logs in, the site does not actually establish a VPN connection. Instead, it redirects the user to a malicious download. Because the page is served over HTTPS, the attacker can intercept the traffic without raising immediate alarms. The use of HTTPS also makes it difficult for security tools that rely on plain‑text inspection to detect the malicious payload.
Impact of Hyrax Infostealer
Hyrax Infostealer is a credential‑stealing tool that has been active since 2022. It is designed to be stealthy and modular, allowing attackers to add new modules for different data sources. In the Storm‑2561 campaign, the malware focuses on:
- Browser credentials from Chrome, Edge, and Firefox.
- Email account passwords from Outlook and Gmail.
- Local file system search for documents containing credit card numbers, social security numbers, and other personally identifiable information.
- Network traffic sniffing to capture VPN credentials.
Once the data is harvested, Hyrax sends it to a command‑and‑control server controlled by the attackers. The stolen credentials can then be sold on underground forums or used to launch further attacks, such as lateral movement within corporate networks or phishing campaigns targeting other employees.
Defending Against the Threat
Organizations and individuals can take several steps to mitigate the risk posed by Storm‑2561 and the Hyrax Infostealer