AZORult Malware: Fake ProtonVPN Installer Used to Attack Windows

ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service ProtonMail.

A fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers, as discovered by security researchers at Kaspersky.


AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums and is also known to act as a downloader for other malware families when used in multi-stage campaigns.

As Kaspersky’s researchers have discovered, protonvpn[.]store, a website used to deliver malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.

After a successful infection, the AZORult malware collects system information and sends it to the attacker via a command-and-control server located on the same accounts[.]protonvpn[.]store server.

Indicators of Compromise


Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. Hackers cloned the official ProtonVPN website using the HTTrack software.
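A detection check for HTTrack-cloned pages, added here as an example and not taken from Kaspersky's report: by default HTTrack writes a "Mirrored from" comment into each copied page, so a page whose comment names a different host than the one serving it is worth flagging. It assumes the clone operator left that comment in place; the hostnames and sample HTML are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Default footer comment HTTrack writes into mirrored pages, for example:
# <!-- Mirrored from host/path by HTTrack Website Copier/3.x [XR&CO'2014], <date> -->
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<src>\S+)\s+by\s+HTTrack Website Copier/(?P<ver>[\w.]+)",
    re.IGNORECASE,
)

def host_of(value):
    """Return the lowercase hostname of a URL or of a scheme-less host/path."""
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()

def same_site(a, b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_clone(served_url, html):
    """Return one finding per HTTrack comment that names a different origin host."""
    served = host_of(served_url)
    findings = []
    for m in HTTRACK_RE.finditer(html):
        origin = host_of(m.group("src"))
        if origin and not same_site(served, origin):
            findings.append({
                "served_from": served,
                "mirrored_from": origin,
                "httrack": m.group("ver"),
            })
    return findings

# Constructed sample: a copied page that still carries the HTTrack comment.
SAMPLE_HTML = """<html><head><title>VPN</title></head>
<!-- Mirrored from vpn.example.com/ by HTTrack Website Copier/3.x [XR&CO'2014], Tue, 05 Nov 2019 10:00:00 GMT -->
<body>Download</body></html>"""

if __name__ == "__main__":
    # Served from a lookalike host (placeholder): flagged.
    print(check_clone("https://vpn-example.test/download", SAMPLE_HTML))
    # Served from the origin's own subdomain: not flagged.
    print(check_clone("https://www.vpn.example.com/", SAMPLE_HTML))
```

A missing comment proves nothing, since it can be stripped; treat a hit as one signal alongside domain registration data and the installer's detection verdict.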

This Trojan was previously spotted by researchers as part of large-scale malicious campaigns to spread ransomware, data, and cryptocurrency malware.

