This blog is about how trying to do the “right thing” can lead you straight into a trap. People searching for a VPN ended up downloading credential-stealing malware.
From the victim’s perspective, their trust was exploited at every step: trust in search engines, in familiar logos, in digital signatures, and in the assumption that if things “work in the end,” they must be safe.
Imagine you’re looking for a VPN client to connect to your employer’s network. You use your favorite search engine and, at the top of the search results, you see exactly what you were looking for: listings that look like they belong to established names in the industry. They have the right logo, the right product name, and a description that sounds legitimate.
But what you’re looking at, in the cases Microsoft describes, are search results influenced by SEO poisoning. Search engine optimization (SEO) poisoning comes down to getting a web page to rank highly for relevant search results without buying ads or following legitimate, but tedious, SEO best practices. Instead, cybercriminals use deceptive or outright illegal means to push their pages to the top.
On the spoofed—maybe even cloned—VPN page, everything looks familiar: the vendor branding, product name, and a short blurb about secure remote access. Most importantly, there’s a prominent Download button. You click, expecting an installer from a reputable vendor, but the site quietly redirects you to a GitHub release download instead, offering a ZIP file called something along the lines of VPN-CLIENT.zip.
GitHub is a favorite distribution channel for malware authors because it’s widely trusted. In this campaign, the criminals even signed their file with a legitimate certificate, which has since been revoked. The downloaded ZIP file contains a Microsoft Software Installer (.msi) file that takes the victim through the usual Install, Next, Next, Finish routine, while side-loading malicious dynamic link library (DLL) files during the installation.
One of those DLLs, dwmapi.dll, acts as a loader, launching embedded shellcode that in turn runs inspector.dll, a variant of the Hyrax infostealer. From the moment the install finishes, your VPN client is not just a client but also a credential thief.
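The side-loading pattern described above (a DLL with a well-known Windows system name, such as dwmapi.dll, loaded from the installer's own directory instead of System32) is something endpoint telemetry can flag. The following Python script is an added example for this post, not detection logic from Microsoft or Malwarebytes: it parses constructed image-load log lines in an assumed timestamp|process_path|loaded_dll_path format and reports loads that match the pattern. The list of system DLL names beyond dwmapi.dll is an assumption.

```python
"""Flag DLL side-loading candidates in image-load log lines.

Added example for this post; not the detection logic of Microsoft or Malwarebytes.
The log line format (timestamp|process_path|loaded_dll_path) is an assumption.
"""
import os
from typing import Dict, List

# Windows system DLLs that legitimately live only under the system directories.
# dwmapi.dll is named in the post; the other names are assumed common side-load targets.
SYSTEM_DLLS = {"dwmapi.dll", "version.dll", "userenv.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:/windows/system32/", "c:/windows/syswow64/")

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = """\
2024-01-01T10:00:01|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\dwmapi.dll
2024-01-01T10:00:05|C:\\Users\\alice\\AppData\\Local\\Temp\\VPN-CLIENT\\vpnclient.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\VPN-CLIENT\\dwmapi.dll
2024-01-01T10:00:06|C:\\Users\\alice\\AppData\\Local\\Temp\\VPN-CLIENT\\vpnclient.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\VPN-CLIENT\\inspector.dll
2024-01-01T10:00:09|C:\\Program Files\\Vendor\\vpn.exe|C:\\Windows\\System32\\version.dll
"""


def _norm(path: str) -> str:
    """Lower-case a Windows path and use forward slashes so os.path works on any host."""
    return path.lower().replace("\\", "/")


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into its three fields."""
    ts, proc, dll = line.split("|", 2)
    return {"time": ts, "process": proc, "dll": dll}


def is_sideload_candidate(event: Dict[str, str]) -> bool:
    """True when a well-known system DLL name is loaded from outside the system
    directories and from the same directory as the loading executable, which is
    the classic search-order side-load pattern."""
    dll_path = _norm(event["dll"])
    if os.path.basename(dll_path) not in SYSTEM_DLLS:
        return False
    if dll_path.startswith(SYSTEM_DIRS):
        return False
    return os.path.dirname(dll_path) == os.path.dirname(_norm(event["process"]))


def find_sideloads(log_text: str) -> List[Dict[str, str]]:
    """Return every event in the log that matches the side-load pattern."""
    events = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [e for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print(f"[ALERT] {hit['time']} {hit['process']} loaded {hit['dll']}")
```

Run against the constructed log, only the dwmapi.dll load from the unpacked VPN-CLIENT directory is reported; the same DLL loaded by explorer.exe from System32 is not. Note that this catches the loader DLL, not the payload: inspector.dll is not a system DLL name, so it is ignored by this rule and needs its own detection (for example, a hash or certificate check) if the module ever appears as a regular image load.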
When you start using your new VPN, several things happen in quick succession:
- The fake VPN client captures your username, password, and target URI, and hands this data to the Hyrax infostealer component.
- Hyrax also reads existing VPN configuration data, scooping up any stored connections and saved credentials.
- The malware sends all the stolen information to attacker‑controlled infrastructure.
All the user sees is a plausible‑sounding error like “connection failed” or “installation problem.” To top things off, the malware provides instructions to download the legitimate VPN client from official sources. In certain instances, it even opens the user’s browser to the real VPN website. All this, of course, to allay suspicion.
The rest happens on the employer’s network. The attacker can now log into the corporate VPN as you, from infrastructure they control, and immediately blend in with normal remote access traffic. If your account has access to file shares, internal admin panels, ticketing systems, or cloud services, they can start exploring or abusing these resources.
How to stay away from fake VPN clients
Now that you know what to look for, you’re already one step ahead. Here are some more general tips to stay safe:
- Never trust search results alone, especially for security software. Go straight to the vendor’s website.
- Double‑check the domain before downloading. Are you still on the vendor’s site or a trusted platform? If needed, verify the download link with your IT department.
- Report “failed” VPN installs to IT. Don’t keep retrying. An unexpected failure followed by a redirect should raise a red flag.
- Don’t store corporate VPN credentials in personal password managers or browsers.
If you’ve ever installed a VPN client from an untrusted site or an unusual domain, assume your VPN credentials may be compromised and request a reset.
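The advice above to double-check the domain before downloading can be turned into a simple check on the download link and on the redirect chain a browser or proxy records. The Python below is an added example for this post, not code from Microsoft or Malwarebytes; the vendor domain vpnvendor.example, the allowlist and the sample URLs are all constructed for illustration. It goes slightly beyond the post by also rejecting look-alike hosts that merely start with the vendor's name and hosts containing non-ASCII or punycode labels.

```python
"""Verify that a VPN installer download link stays on the vendor's own domain.

Added example for this post; not code from Microsoft or Malwarebytes.
The vendor domain, the allowlist and the sample URLs are constructed.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed allowlist: where you would expect this vendor's installer to come from.
VENDOR_DOMAINS: Set[str] = {"vpnvendor.example"}


def host_belongs_to(host: str, domain: str) -> bool:
    """True if host is domain itself or a real subdomain of it.
    'vpnvendor.example.evil.test' does NOT belong to 'vpnvendor.example'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_download_url(url: str, allowed: Set[str] = VENDOR_DOMAINS) -> Tuple[str, str]:
    """Return ('ok'|'reject', reason) for a single download URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return ("reject", "download not served over https")
    if not host.isascii() or "xn--" in host:
        # Heuristic: internationalised or punycode labels are a common look-alike trick.
        return ("reject", f"{host} contains non-ASCII or punycode labels")
    if any(host_belongs_to(host, d) for d in allowed):
        return ("ok", f"{host} is a vendor domain")
    if host_belongs_to(host, "github.com"):
        return ("reject", "vendor page hands off to a GitHub release; verify with IT")
    return ("reject", f"{host} is not an allowed vendor domain")


def first_off_vendor_hop(chain: List[str], allowed: Set[str] = VENDOR_DOMAINS) -> Optional[str]:
    """Given the ordered URLs of a redirect chain, return the first URL whose host
    leaves the vendor's domains, or None if every hop stayed on the vendor."""
    for url in chain:
        host = urlparse(url).hostname or ""
        if not any(host_belongs_to(host, d) for d in allowed):
            return url
    return None


# Constructed examples, modelled on the redirect described in the post.
SAMPLE_URLS = [
    "https://download.vpnvendor.example/client.msi",
    "https://github.com/someone/somerepo/releases/download/v1.0/VPN-CLIENT.zip",
    "https://vpnvendor.example.evil.test/VPN-CLIENT.zip",
    "http://vpnvendor.example/client.msi",
]
SAMPLE_CHAIN = [
    "https://vpnvendor.example/download",
    "https://github.com/someone/somerepo/releases/download/v1.0/VPN-CLIENT.zip",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, reason = check_download_url(u)
        print(f"{verdict:6} {u}  ({reason})")
    print("first off-vendor hop:", first_off_vendor_hop(SAMPLE_CHAIN))
```

The redirect-chain check is the one that matters for this campaign: the landing page itself may be on a convincing domain, and it is only the final hop that leaves for GitHub, so any verification has to look at where the bytes actually came from, not just the page the Download button sat on.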
We don’t just report on privacy—we offer you the option to use it.
Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.