silversurfer
AZORult has its history. However, a few days ago, we discovered what appears to be one of its most unusual campaigns: abusing the ProtonVPN service and dropping malware via fake ProtonVPN installers for Windows.
The campaign started at the end of November 2019 when the threat actor behind it registered a new domain under the name protonvpn[.]store. The Registrar used for this campaign is from Russia.
We have found that at least one of the infection vectors is through affiliation banners networks (Malvertising).
When the victim visits a counterfeit website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant. [.....]
AZORult spreads as a fake ProtonVPN installer
securelist.com