Storm-2561 is conducting a credential theft campaign leveraging SEO poisoning to distribute fake enterprise VPN clients. The attack utilizes digitally signed payloads and DLL side-loading to deploy the Hyrax infostealer, which harvests VPN credentials and configuration data before redirecting victims to legitimate software to evade detection.