Tuesday, February 18, 2025
HomeMalwareHackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the...

Hackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the Windows Computers

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new wave of Azorult malware campaign that abusing the protonVPN and dropper the malware payload as a fake ProtonVPN installer to infect the Windows System.

GBHackers reported several incidents involved by the Azorult malware campaign and is one of the well-known malware that often sold in Russian forums for the higher price ($100) since this malware contains a broad range of persistent functionality.

In this current attack scenario, Threat actors created a fake ProtonVPN website which is an exact HTTrack copy of the original ProtonVPN website through which they spreading the malware as an installer package to compromised the Windows users.

Fake ProtonVPN website

The campaign initially started in November 2019 and the attacker register the domain under the name of ProtonVPN{.}store and is Registrar used for this campaign is from Russia.

Infection Vectors

Attackers handling several infection vectors to spread this malware and infect the victims as many as they can, but the main infection vectors is through affiliation banners networks also know as Malvertising.

Through the affiliation program and other infection vectors, victims are getting infected once they visit the fake ProtonVPN website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant.

PortonVPN installer

After the successful infection, Azorult malware collects the system information and share it to the attacker via command and control server which located in the same ” accounts[.]protonvpn[.]store server.”

According to Kaspersky research ” In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others. ‘

Indicators of Compromise

FilenameMD5 hash
ProtonVPN_win_v1.10.0.execc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exec961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exef21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe0ae37532a7bbce03e7686eee49441c41
Unknown974b6559a6b45067b465050e5002214b

Follow us on Twitter, Linkedin, Facebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Highly Obfuscated .NET sectopRAT Mimic as Chrome Extension

SectopRAT, also known as Arechclient2, is a sophisticated Remote Access Trojan (RAT) developed using...

Threat Actors Trojanize Popular Games to Evade Security and Infect Systems

A sophisticated malware campaign was launched by cybercriminals, targeting users through trojanized versions of...

New Research Aims to Strengthen MITRE ATT&CK for Evolving Cyber Threats

A recent study by researchers from the National University of Singapore and NCS Cyber...

New LLM Vulnerability Exposes AI Models Like ChatGPT to Exploitation

A significant vulnerability has been identified in large language models (LLMs) such as ChatGPT,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Weaponized PDFs Deliver Lumma InfoStealer Targeting Educational Institutions

A sophisticated malware campaign leveraging the Lumma InfoStealer has been identified, targeting educational institutions...

Cybercriminals Embedded Credit Card Stealer Script Within <img> Tag

Cybersecurity researchers have uncovered a new MageCart malware campaign targeting e-commerce websites running on...

EagerBee Malware Targets Government Agencies & ISPs with Stealthy Backdoor Attack

A sophisticated cyber espionage campaign leveraging the EagerBee malware has been targeting government agencies...