Cybersecurity researchers are warning that fake VPN installers are being used to infect Windows systems with a powerful remote access trojan (RAT).
The campaign targets users searching for LetsVPN, also known as Kuailian VPN. Victims believe the installation succeeds because the malicious package also installs the legitimate VPN application.
Fake VPN Installers Deliver Hidden Malware
Researchers at ThreatLocker discovered attackers distributing a trojanized MSI package named Kuailian_win-setup.86.msi.
The installer contains a legitimate, signed version of LetsVPN. However, it first deploys malware before launching the real VPN installer.
As a result, victims see the VPN install normally and may never realize their computer has already been compromised.
ThreatLocker says the malware provides attackers with complete control over the infected system and its data.
Malware Loads Directly Into Memory
The attack begins by loading shellcode that contacts a command-and-control (C2) server.
The final malware payload is injected directly into memory instead of being written to disk. This technique helps it avoid many traditional file-based security tools.
Researchers found that the malware can communicate with up to 40 different C2 servers.
Several domains contain variations of the phrase “Nishihaoren,” which translates from simplified Chinese as “you are a good person.” Based on that naming pattern, ThreatLocker named the malware GoodPersonRAT.
GoodPersonRAT Gives Attackers Full Control
Once active, GoodPersonRAT waits for commands from its operators.
The malware includes a wide range of spying and remote administration features.
It can:
- Capture screenshots and monitor the display
- Log keystrokes
- Steal clipboard contents
- Collect browser cookies, saved logins, profiles, and browsing history
- Extract data from Telegram Desktop
- Execute commands remotely on the victim’s computer
The malware also creates persistence by registering Windows services and SYSTEM-level scheduled tasks. These launch automatically before the user signs in.
Users Behind China’s Firewall Are Primary Targets
ThreatLocker believes the campaign specifically targets LetsVPN users.
The VPN is widely used to bypass internet censorship behind China’s Great Firewall, making it an attractive lure for attackers.
Although the researchers did not identify the exact distribution method, fake VPN installers are commonly spread through search poisoning, malicious advertisements, phishing emails, cloned download websites, online forums, and direct messages.
How to Avoid Fake VPN Installers
ThreatLocker recommends verifying the source and integrity of all software before installing it.
Users should download VPN software only from the official website or trusted app stores. Organizations should also validate software packages before deployment to reduce the risk of supply-chain attacks.
As this campaign shows, fake VPN installers can appear completely legitimate while secretly giving attackers full control of a victim’s device.


0 responses to “Fake VPN Installers Infect PCs With GoodPersonRAT Malware”