...ers searching for legitimate VPN software. The campaign deploys Hyrax malware bundled within functional installers, allowing credential theft to proceed while the software operates normally. The use of SEO manipulation to surface malicious installers above legitimate results is an established initial-access technique, effective against corporate environments where VPN tooling is routinely downloaded by IT staff. GitHub distribution adds perceived legitimacy and bypasses reputation-based fi...