Threat Actor Storm‑2561 Deploys Fake Fortinet & Ivanti VPN Pages to Distribute Hyrax Infostealer
What Happened – A campaign attributed to the Storm‑2561 group is hosting counterfeit Fortinet and Ivanti VPN login portals. Victims who enter credentials are redirected to download the Hyrax infostealer, which harvests browser data, credentials, and cryptocurrency wallets.
Why It Matters for TPRM –
- Fake VPN portals masquerade as legitimate security products, increasing the likelihood of credential compromise across multiple vendors.
- Hyrax can exfiltrate sensitive third‑party data, creating downstream supply‑chain risk.
- The technique exploits trust in widely used remote‑access solutions, affecting any organization that relies on VPN authentication.
Who Is Affected – Enterprises across all sectors that use Fortinet or Ivanti VPN solutions, especially those with remote workforces.
Recommended Actions – Verify the authenticity of VPN login URLs, enforce MFA on remote‑access portals, and monitor for Hyrax‑related IOCs. Conduct a rapid review of any third‑party VPN providers for phishing resilience.
Technical Notes – Attack vector: phishing‑style credential harvesting via cloned VPN sites. Malware: Hyrax infostealer (collects browser cookies, saved passwords, crypto wallet keys). No CVE is directly exploited; the threat relies on social engineering. Source: HackRead
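As an added defender-side example that is not part of the original advisory, the script below applies the "verify VPN login URLs" and "monitor" points from Recommended Actions: it parses proxy log lines and flags requests to hosts that carry Fortinet or Ivanti brand strings, or that serve those products' login paths, while not being on the organisation's own VPN allowlist. The allowlist hostnames, the log format and the log lines are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames the organisation's genuine VPN portals use.
# Placeholders only; replace with your own portal hostnames.
LEGIT_VPN_HOSTS = {"vpn.example.com", "sslvpn.example.com"}

# Brand strings a cloned Fortinet/Ivanti portal is likely to carry in its hostname.
BRAND_TOKENS = ("fortinet", "fortigate", "forticlient", "ivanti", "pulsesecure")

# Login paths the real products use; a cloned portal usually copies them.
PORTAL_PATHS = ("/remote/login", "/dana-na/")

# Constructed log format: <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def is_lookalike(host, path):
    """True when a request to a non-allowlisted host looks like a VPN login portal."""
    host, path = host.lower(), path.lower()
    if host in LEGIT_VPN_HOSTS:
        return False
    return any(tok in host for tok in BRAND_TOKENS) or any(p in path for p in PORTAL_PATHS)


def flag_lookalike_portals(lines):
    """Return (client_ip, host, method) for each request to a lookalike VPN portal.
    A POST to such a host is the credential-submission event the advisory warns about."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, ip, method, url, _status = m.groups()
        parts = urlsplit(url)
        if is_lookalike(parts.hostname or "", parts.path):
            hits.append((ip, parts.hostname.lower(), method))
    return hits


# Constructed sample traffic: one genuine portal, one brand-named clone, one clone hidden
# behind a neutral hostname but serving the Ivanti login path, and unrelated browsing.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 GET https://vpn.example.com/remote/login 200",
    "2024-05-01T10:01:12Z 10.0.0.7 GET https://fortinet-sslvpn-portal.example.net/remote/login 200",
    "2024-05-01T10:01:30Z 10.0.0.7 POST https://fortinet-sslvpn-portal.example.net/remote/logincheck 302",
    "2024-05-01T10:02:05Z 10.0.0.9 GET https://update.example.org/dana-na/auth/url_default/welcome.cgi 200",
    "2024-05-01T10:03:00Z 10.0.0.11 GET https://news.example.com/ 200",
]

if __name__ == "__main__":
    for ip, host, method in flag_lookalike_portals(SAMPLE_LOG):
        print(f"lookalike VPN portal: client={ip} host={host} method={method}")
```

Clients that show a POST to a flagged host should be treated as probable credential exposure and have their VPN credentials rotated.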