Beware: This fake VPN installer is stealing users’ passwords

If you’re looking to download ProtonVPN software, be careful — there’s a fake version of the popular VPN client that infects your computer with malware designed to steal your passwords and any Bitcoin you might have lying around.

Kaspersky researchers reported yesterday (Feb. 18) that Russian miscreants had copied the real ProtonVPN site at protonvpn.com wholesale and posted an exact duplicate at protonvpn-dot-store. The crooks lured victims to the phony ProtonVPN site with malicious banner ads on other websites. 

But if you clicked the big green “Get ProtonVPN Now” button in the middle of page, you’d download something that looked like a ProtonVPN installer yet was in fact the AZORult Trojan, a notorious information-stealer.

“The threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others,” wrote Kaspersky’s Dmitry Bestuzhev.

Several months ago, Bleeping Computer reminded us, another (or perhaps the same) gang cloned the NordVPN website and got people to download the Bolik banking Trojan. 

In that case, the tainted NordVPN software actually worked. In yesterday’s report, Kaspersky didn’t indicate whether the fake ProtonVPN installer did as well. 

The fake ProtonVPN site is still up, but the big green button now leads you to a random Twitter post extolling the virtues of ProtonVPN.