SEO‑Poisoned Fake VPN Clients Harvest Enterprise Credentials via Hyrax Infostealer
What Happened – Cybercriminals leveraged search‑engine optimization (SEO) poisoning to push malicious VPN‑client pages to the top of organic results. The pages mimicked legitimate vendors, redirected users to a GitHub‑hosted ZIP containing a signed MSI that side‑loads a Hyrax‑based infostealer, capturing VPN usernames, passwords, and stored connection data.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Credential theft from a trusted remote‑access tool can give attackers lateral movement into corporate networks.
- The attack chain exploits common employee behavior (searching for security tools) and trusted distribution channels (GitHub, code‑signing certificates).
- Even organizations with strong perimeter controls can be compromised if a single employee installs the fake client.
Who Is Affected – All industries that require remote‑access VPNs, especially enterprises using third‑party VPN solutions, MSPs that manage client endpoints, and any organization with remote workforce policies.
Recommended Actions –
- Instruct users to obtain VPN clients only from verified vendor portals or approved internal software repositories.
- Enforce application allow‑listing and verify code‑signing certificates against revocation lists.
- Monitor for unexpected MSI installations and outbound traffic to known Hyrax C2 domains.
Technical Notes – The malicious ZIP contains an MSI that installs a DLL loader (dwmapi.dll) which executes shellcode to load inspector.dll, a Hyrax variant. The file was signed with a legitimate certificate that has since been revoked. Data exfiltrated includes VPN credentials, stored configuration files, and any other harvested login details. Source: Malwarebytes Labs
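The following is an added example, not code from Malwarebytes Labs or the advisory, showing how the Recommended Actions and the Technical Notes above translate into endpoint detection rules: flag MSI installs whose signer is on a revocation list or outside the software allow‑list or that launch from a user‑writable directory, and flag a DLL carrying a Windows system DLL name (dwmapi.dll, as named in the advisory) written anywhere other than the system directories, which is the classic side‑loading pattern. The event field names, the approved publisher, and the thumbprint values are assumptions and placeholders; the sample telemetry is constructed.

```python
"""Detection rules for the fake-VPN-client / side-loaded infostealer chain.

Added example (not Malwarebytes Labs code). Events are dictionaries shaped
loosely like MsiInstaller and Sysmon file-creation records; the field names
(type, host, path, signer, thumbprint) are assumptions for this example.
"""
import re
from dataclasses import dataclass

# Constructed placeholders: in practice APPROVED_PUBLISHERS comes from the
# application allow-list and REVOKED_THUMBPRINTS from CRL/OCSP lookups.
APPROVED_PUBLISHERS = {"Example VPN Vendor Inc."}
REVOKED_THUMBPRINTS = {"PLACEHOLDER-REVOKED-THUMBPRINT"}

# Directories where a Windows-owned DLL legitimately lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# dwmapi.dll is the loader name given in the advisory; extend with other
# commonly hijacked system DLL names as your environment requires.
SIDELOAD_NAMES = {"dwmapi.dll"}
# User-writable locations from which an installer should not normally run.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.IGNORECASE
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def check_msi_install(event):
    """Flag an MSI install by revoked signer, unapproved publisher, or user-dir origin."""
    host, path = event["host"], event["path"]
    signer = event.get("signer", "")
    thumb = event.get("thumbprint", "")
    if thumb in REVOKED_THUMBPRINTS:
        return Alert("msi_revoked_signer", host, f"{path} signed with revoked cert {thumb}")
    if signer not in APPROVED_PUBLISHERS:
        return Alert("msi_unapproved_publisher", host, f"{path} signed by '{signer or 'unsigned'}'")
    if USER_WRITABLE.match(path):
        return Alert("msi_from_user_dir", host, f"{path} launched from a user-writable directory")
    return None


def check_dll_write(event):
    """Flag a system-DLL name (e.g. dwmapi.dll) created outside System32/SysWOW64."""
    host, path = event["host"], event["path"].lower()
    name = path.rsplit("\\", 1)[-1]
    if name in SIDELOAD_NAMES and not path.startswith(SYSTEM_DIRS):
        return Alert("dll_sideload_candidate", host, f"{name} written to {path}")
    return None


RULES = {"msi_install": check_msi_install, "file_create": check_dll_write}


def run_rules(events):
    """Apply every rule to every event and return the alerts raised, in order."""
    alerts = []
    for event in events:
        rule = RULES.get(event["type"])
        if rule is None:
            continue
        alert = rule(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: ws01 mirrors the advisory's chain (installer
# from Downloads signed with a now-revoked cert, then dwmapi.dll dropped in
# Temp); ws02 is a benign corporate deployment.
SAMPLE_EVENTS = [
    {"type": "msi_install", "host": "ws01",
     "path": r"C:\Users\alice\Downloads\vpn-client\setup.msi",
     "signer": "Unknown Publisher Ltd", "thumbprint": "PLACEHOLDER-REVOKED-THUMBPRINT"},
    {"type": "file_create", "host": "ws01",
     "path": r"C:\Users\alice\AppData\Local\Temp\vpnclient\dwmapi.dll"},
    {"type": "msi_install", "host": "ws02",
     "path": r"C:\ProgramData\corp-deploy\vpn.msi",
     "signer": "Example VPN Vendor Inc.", "thumbprint": "PLACEHOLDER-VALID-THUMBPRINT"},
    {"type": "file_create", "host": "ws02", "path": r"C:\Windows\System32\dwmapi.dll"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed sample, only ws01 raises alerts: one for the MSI signed with the revoked certificate and one for dwmapi.dll landing in a Temp folder. The rule order in `check_msi_install` is deliberate: a revoked signature is the strongest single indicator and is reported first even when the publisher name looks plausible, which matters here because the advisory's sample carried a legitimate, later‑revoked certificate.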