Beware: This fake VPN installer is stealing users' passwords

VPN on laptop
(Image credit: Shutterstock)

If you're looking to download ProtonVPN software, be careful -- there's a fake version of the popular VPN client that infects your computer with malware designed to steal your passwords and any Bitcoin you might have lying around.

Kaspersky researchers reported yesterday (Feb. 18) that Russian miscreants had copied the real ProtonVPN site at wholesale and posted an exact duplicate at protonvpn-dot-store. The crooks lured victims to the phony ProtonVPN site with malicious banner ads on other websites. 

But if you clicked the big green "Get ProtonVPN Now" button in the middle of page, you'd download something that looked like a ProtonVPN installer yet was in fact the AZORult Trojan, a notorious information-stealer.

"The threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others," wrote Kaspersky's Dmitry Bestuzhev.

Several months ago, Bleeping Computer reminded us, another (or perhaps the same) gang cloned the NordVPN website and got people to download the Bolik banking Trojan

In that case, the tainted NordVPN software actually worked. In yesterday's report, Kaspersky didn't indicate whether the fake ProtonVPN installer did as well. 

The fake ProtonVPN site is still up, but the big green button now leads you to a random Twitter post extolling the virtues of ProtonVPN.

  • More: Discover the vast range of VPN uses in our comprehensive guide
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.