Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actor

Hyrax

Hyrax is an information stealer used in a financially motivated credential-theft campaign attributed by Microsoft to Storm-2561. In the observed activity, victims searching for enterprise VPN software were redirected via SEO poisoning to spoofed vendor sites and malicious ZIP packages, including trojanized VPN installers impersonating Pulse Secure, Fortinet, Ivanti, GlobalProtect, and Sophos Connect. The infection chain used a fake MSI installer that dropped Pulse.exe together with malicious DLLs such as dwmapi.dll and inspector.dll into %CommonFiles%\Pulse Secure. The dwmapi.dll component acted as an in-memory loader that executed shellcode to load inspector.dll, which was identified as a variant of Hyrax. Hyrax captured VPN credentials entered into a fake VPN sign-in dialog, extracted URI and VPN sign-in credentials, and read stored configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat. Stolen data was exfiltrated to attacker-controlled infrastructure, including 194.76.226[.]93:8080. The malware established persistence by adding Pulse.exe to the Windows RunOnce registry key. After stealing credentials, the fake client displayed an error and in some cases redirected victims to the legitimate vendor website to reduce suspicion. The campaign’s malicious binaries were digitally signed with a certificate issued to Taiyuan Lihua Near Information Technology Co., Ltd., which was later revoked. High-confidence related infrastructure mentioned in the reporting includes delivery via GitHub-hosted ZIP files and associated domains such as vpn-fortinet[.]com, ivanti-vpn[.]org, myconnection[.]pro, and v pn-connection[.]pro.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Storm 2561

The dwmapi.dll file works as an in-memory loader, executing shellcode that loads inspector.dll — a variant of the Hyrax infostealer. Hyrax captures VPN credentials entered through the fake login screen and reads stored configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat, sending everything to 194.76.226[.]93:8080.

via cyber security newscybersecuritynews.com
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598Phishing for InformationEvidence1

A fake, yet convincing, VPN sign-in dialog is displayed to the user to capture the credentials. Once the information is entered by the victim, they are displayed an error message and are instructed to download the legitimate VPN client this time.

Resource Development

2 techniques
T1588.003Code Signing CertificatesEvidence1

The trojans were digitally signed by a certificate issued to “Taiyuan Lihua Near Information Technology Co., Ltd.”... The digital signatures on these malicious files allowed them to bypass standard Windows security warnings and certain application allowlisting policies.

T1608.006SEO PoisoningEvidence2

Microsoft has disclosed details of a credential theft campaign that employs fake virtual private network (VPN) clients distributed through search engine optimization (SEO) poisoning techniques.

Execution

2 techniques
T1204.002Malicious FileEvidence1

The attack delivers its payload through a Windows Installer (MSI) package hidden inside a ZIP file. When a victim runs the fake MSI — disguised as a Pulse Secure installer — it drops Pulse.exe alongside two malicious DLL files...

T1574.001DLLEvidence1

"...ZIP file containing... MSI... that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation."; "...drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory."

Persistence

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence3

To maintain persistence, the malware adds Pulse.exe to the Windows RunOnce registry key, making it run automatically on every device restart.

Privilege Escalation

1 technique
T1547.001Registry Run Keys / Startup FolderEvidence3

To maintain persistence, the malware adds Pulse.exe to the Windows RunOnce registry key, making it run automatically on every device restart.

Stealth

3 techniques
T1036MasqueradingEvidence3

Users who click these results land on pages built to look identical to real VPN vendor portals, complete with matching logos and download buttons.

T1574.001DLLEvidence1

"...ZIP file containing... MSI... that mimics a legitimate VPN software and side-loads malicious dynamic link library (DLL) files during installation."; "...drops malicious DLLs, dwmapi.dll and inspector.dll, into the Pulse Secure directory."

T1620Reflective Code LoadingEvidence2

The dwmapi.dll file works as an in-memory loader, executing shellcode that loads inspector.dll — a variant of the Hyrax infostealer.

Defense Impairment

1 technique
T1553.002Code SigningEvidence1

"The MSI file and the malicious DLLs are signed with a valid digital certificate, which is now revoked... This abuse of code signing... bypasses default Windows security warnings... might bypass application whitelisting..."

Credential Access

3 techniques
T1056.001KeyloggingEvidence1

"The fake VPN client presents a graphical user interface... prompting the user to enter their credentials... the application captures the credentials entered and exfiltrates them..."

T1555Credentials from Password StoresEvidence2

Hyrax captures VPN credentials entered through the fake login screen and reads stored configuration data from C:\ProgramData\Pulse Secure\ConnectionStore\connectionstore.dat

T1649Steal or Forge Authentication CertificatesEvidence1

A fake, yet convincing, VPN sign-in dialog is displayed to the user to capture the credentials.

Collection

1 technique
T1056.001KeyloggingEvidence1

"The fake VPN client presents a graphical user interface... prompting the user to enter their credentials... the application captures the credentials entered and exfiltrates them..."

Command and Control

1 technique
T1105Ingress Tool TransferEvidence2

the GitHub repository hosts a ZIP file containing an MSI installer file that masquerades as legitimate VPN software

Exfiltration

2 techniques
T1041Exfiltration Over C2 ChannelEvidence1

"...exfiltrating them to attacker-controlled command-and-control (C2) infrastructure... (194.76.226[.]93:8080)."; "Data exfiltration: Stolen credentials and VPN configuration data are transmitted to attacker-controlled infrastructure."

T1048.003Exfiltration Over Unencrypted Non-C2 ProtocolEvidence1

Hyrax captures VPN credentials... sending everything to 194.76.226[.]93:8080.

INDICATORS OF COMPROMISE

IOCs tracked for this family

30 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
19 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
11 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
domain●●●●●●●●●●●●View more in app4 months ago
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
cyber security newsNews
Mar 17, 2026
Attackers Use SEO Poisoning and Signed Trojans to Steal VPN Credentials

Hyrax is an infostealer used in fake VPN installer campaigns to capture VPN credentials and stored connection configuration data, then exfiltrate that information to attacker-controlled infrastructure. In this campaign it is delivered via a malicious MSI and loaded through DLL-based in-memory execution.

Read more
the hacker newsNews
Mar 13, 2026
Storm-2561 Spreads Trojan VPN Clients via SEO Poisoning to Steal Credentials

An information stealer variant used to harvest and exfiltrate VPN credentials, including through a fake VPN sign-in dialog.

Read more
microsoft security blogNews
Mar 12, 2026
Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft | Microsoft Security Blog

Credential-stealing infostealer (delivered as inspector.dll) used in trojanized VPN installers to collect VPN URIs, sign-in credentials, and stored VPN configuration data (e.g., connectionstore.dat) and exfiltrate it to attacker-controlled C2.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching30

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.