Tuesday, May 13, 2025
HomeMalwareHackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the...

Hackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the Windows Computers

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new wave of Azorult malware campaign that abusing the protonVPN and dropper the malware payload as a fake ProtonVPN installer to infect the Windows System.

GBHackers reported several incidents involved by the Azorult malware campaign and is one of the well-known malware that often sold in Russian forums for the higher price ($100) since this malware contains a broad range of persistent functionality.

In this current attack scenario, Threat actors created a fake ProtonVPN website which is an exact HTTrack copy of the original ProtonVPN website through which they spreading the malware as an installer package to compromised the Windows users.

- Advertisement - Google News
Fake ProtonVPN website

The campaign initially started in November 2019 and the attacker register the domain under the name of ProtonVPN{.}store and is Registrar used for this campaign is from Russia.

Infection Vectors

Attackers handling several infection vectors to spread this malware and infect the victims as many as they can, but the main infection vectors is through affiliation banners networks also know as Malvertising.

Through the affiliation program and other infection vectors, victims are getting infected once they visit the fake ProtonVPN website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant.

PortonVPN installer

After the successful infection, Azorult malware collects the system information and share it to the attacker via command and control server which located in the same ” accounts[.]protonvpn[.]store server.”

According to Kaspersky research ” In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others. ‘

Indicators of Compromise

FilenameMD5 hash
ProtonVPN_win_v1.10.0.execc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exec961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exef21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe0ae37532a7bbce03e7686eee49441c41
Unknown974b6559a6b45067b465050e5002214b

Follow us on TwitterLinkedinFacebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Apple Releases Security Patches to Fix Critical Data Exposure Flaws

Apple released critical security updates for macOS Sequoia 15.5 on May 12, 2025, addressing...

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware...

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as...

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black...