Hackers impersonate top VPN to steal cryptocurrency


Researchers at Kaspersky have discovered a new malicious campaign which uses a fake version of a popular VPN service's website to spread the Trojan stealer AZORult by tricking users into thinking they are downloading a Windows installer.

AZORult is one of the most common stealers on Russian hacking forums because of its wide range of capabilities. This Trojan poses a serious threat to infected computers as it allows an attacker to collect a wealth of data including browser history, login credentials, cookies, files and folders, and cryptowallet files, and it can even be used as a loader to download other malware.

As more users have turned to VPNs to protect their privacy online, cybercriminals have begun to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign.

In the campaign discovered by Kaspersky researchers, the attackers created a copy of ProtonVPN's website which looks identical to the service's actual site except for the fact that it has a different domain name.

AZORult campaign

Links to the fake VPN website are spread through advertisements on different banner networks, a practice known as malvertising.

When a victim visits the phishing website, they are prompted to download a free VPN installer. However, once a victim downloads the fake VPN installer for Windows, it drops a copy of the AZORult botnet implant. Once the implant is activated, it collects the infected device's environment information and reports it back to a server controlled by the attackers.

The attackers then steal any cryptocurrency stored locally on the device in cryptowallets, as well as FTP logins, passwords from FileZilla, email credentials, information from browsers (including cookies), and credentials from WinSCP, Pidgin messenger and other software.

After discovering the campaign, Kaspersky immediately informed ProtonVPN and blocked the fake website in its security software.

Founder and CEO of ProtonVPN, Andy Yen, told TechRadar Pro in a statement how the company is working to limit the impact of the campaign:

“This underlines the importance of never downloading an app from an unofficial source. Before downloading an app, users should always double check the website address, the app name and the app developer to make sure it’s genuine. In this case it appears the fake app was designed to steal users' information, specifically data regarding crypto currencies. Kaspersky blocked the fake website and informed us of the issue as soon as they discovered the malware. We immediately requested a takedown of the domain to limit the impact of the campaign. We have also published a guide on what to do if you accidentally download a fake version of our apps.”
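
Because the cloned site differs from the real one only in its domain name, the "double check the website address" step can be automated, for example in a proxy or download-policy rule. The following is an added example, not code from Kaspersky or ProtonVPN; the official-domain list, the brand string, the edit-distance threshold and every sample URL are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: maintain this list from the vendor's own documentation.
OFFICIAL_DOMAINS = {"protonvpn.com"}
BRAND = "protonvpn"
MAX_TYPO_DISTANCE = 2  # assumed threshold for typosquat detection


def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programme."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def classify_download_url(url):
    """Return 'official', 'lookalike' or 'unrelated' for a download URL."""
    if "//" not in url:          # tolerate URLs pasted without a scheme
        url = "//" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    # Suffix match on whole labels: the host is the official domain or a subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    for label in host.split("."):
        # Brand embedded in a label (hyphens ignored) or within a few edits of it.
        if BRAND in label.replace("-", "") or edit_distance(label, BRAND) <= MAX_TYPO_DISTANCE:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs; none are taken from the campaign.
    samples = [
        "https://protonvpn.com/download",
        "https://protonvpn-setup.example/win.exe",
        "https://protomvpn.example/",
        "https://protonvpn.com.get-app.example/",
        "https://example.org/vpn",
    ]
    for s in samples:
        print(f"{classify_download_url(s):10} {s}")
```

A "lookalike" verdict is a reason to block or review the download, not proof of malice; the hostname comparison matches whole labels so that an official domain used as a prefix of another host is not accepted.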

Anthony Spadafora
