Threat Actor Storm‑2561 Deploys Fake Fortinet & Ivanti VPN Pages to Distribute Hyrax Infostealer
What Happened – In mid‑January 2026 Microsoft Defender experts discovered that the Storm‑2561 group was operating counterfeit Fortinet and Ivanti VPN login portals. Victims who entered credentials were redirected to download the Hyrax infostealer, which harvests browser data, saved passwords, and system information.
Why It Matters for TPRM –
- Credential‑phishing campaigns targeting VPN access can compromise third‑party network gateways.
- Hyrax’s data‑stealing capabilities expose sensitive employee and client information across multiple vendors.
- The use of trusted security‑vendor branding increases the likelihood of successful compromise of supply‑chain partners.
Who Is Affected – Organizations that rely on Fortinet or Ivanti VPN solutions, remote workforces, Managed Service Providers (MSPs), and any third party that integrates these VPNs.
Recommended Actions – Verify VPN portal URLs before entering credentials, enforce MFA on all remote‑access portals, deploy DNS filtering for known malicious domains, monitor endpoints for Hyrax IOCs, and conduct phishing‑awareness training focused on VPN impersonation.
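The "verify VPN URLs" and DNS-filtering actions above can be turned into a routine triage check on web-proxy logs. The script below is an added example written for this bulletin; it is not code from Microsoft, HackRead, Fortinet or Ivanti, and it names no real Storm‑2561 infrastructure. The allowlist of legitimate portal hostnames, the brand keyword list and the proxy log lines are all constructed for illustration. It flags two classes of hostname: typosquats within a small edit distance of a portal the organization actually runs, and hostnames that borrow Fortinet or Ivanti product branding without being one of those portals.

```python
"""Triage web-proxy URLs for cloned VPN-portal lookalikes.

Added example for this bulletin; not code from Microsoft, HackRead, Fortinet
or Ivanti. The allowlist, keyword list and log lines below are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed allowlist: the hostnames users are actually supposed to log in to.
LEGITIMATE_VPN_HOSTS = {"vpn.example.com", "sslvpn.example.com"}

# Brand and product words a cloned Fortinet/Ivanti login page is likely to reuse
# in its hostname. "vpn" is deliberately broad: this is a triage list, not a verdict.
BRAND_KEYWORDS = ("fortinet", "fortigate", "forticlient", "ivanti", "pulsesecure", "vpn")

# Constructed proxy log, one "<timestamp> <user> <url>" record per line.
SAMPLE_PROXY_LOG = """\
2026-01-15T08:02:11Z alice https://vpn.example.com/remote/login
2026-01-15T08:05:43Z bob https://vpn.examp1e.com/remote/login
2026-01-15T08:07:09Z carol https://fortinet-sslvpn-portal.example-login.net/login
2026-01-15T08:09:30Z dave https://www.wikipedia.org/
2026-01-15T08:11:02Z erin https://ivanti-secure-access.net/login
2026-01-15T08:12:15Z frank https://portal.example.com/hr
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<url>\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. No public-suffix list is consulted, so
    co.uk-style domains are approximated; adequate for a triage script."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, allowlist: set[str] = LEGITIMATE_VPN_HOSTS,
                 max_distance: int = 2) -> str:
    """Return 'allowed', 'lookalike', 'brand-impersonation' or 'ignore'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "ignore"
    # Any host under one of our own registered domains is trusted here.
    trusted_domains = {registered_domain(h) for h in allowlist}
    if host in allowlist or registered_domain(host) in trusted_domains:
        return "allowed"
    # Typosquat: within a few edits of a real portal host or its registered domain.
    for good in allowlist:
        if (levenshtein(host, good) <= max_distance
                or levenshtein(registered_domain(host), registered_domain(good)) <= max_distance):
            return "lookalike"
    # Hostname borrows vendor/product branding but is not a portal we operate.
    if any(word in host for word in BRAND_KEYWORDS):
        return "brand-impersonation"
    return "ignore"


def scan_proxy_log(text: str) -> list[dict[str, str]]:
    """Return the suspicious records (lookalike or brand-impersonation) from a log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed record; skipped rather than guessed at
        verdict = classify_url(m["url"])
        if verdict in ("lookalike", "brand-impersonation"):
            hits.append({"user": m["user"],
                         "host": urlsplit(m["url"]).hostname or "",
                         "verdict": verdict})
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['verdict']:20} {hit['user']:8} {hit['host']}")
```

Run against the constructed log it reports bob (a one-character typosquat of the real portal), carol and erin (Fortinet and Ivanti branding on domains the organization does not own), and stays quiet on alice, dave and frank. The keyword class is intentionally noisy and is meant to feed an analyst queue or a DNS block-list review, not to block on its own; the edit-distance class is precise enough that a hit on a user's credential submission warrants a password reset and MFA token review for that account.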
Technical Notes – Attack vector: phishing via cloned VPN login pages. Malware: Hyrax infostealer (collects browser data, passwords, and crypto wallets). No CVE exploited. Data types exfiltrated include credentials, personally identifiable information, and potentially financial data. Source: HackRead