A malware campaign has been discovered that exploits the VPN service LetsVPN. Researchers from ThreatLocker found a malicious Windows installer that pretends to be the legitimate LetsVPN application while deploying a remote access trojan (RAT) called GoodPersonRAT. The malware allows attackers to control infected systems using stealth techniques. The malicious installer first deploys the RAT and then installs the authentic LetsVPN application, creating an illusion of legitimacy. The package identified as Kuailian_win-setup.86.msi contains the legitimate LetsVPN installer, a loader, and an encrypted payload. GoodPersonRAT features include remote desktop control, file upload/download, command execution, proxying, keylogging, and clipboard monitoring. It specifically targets Telegram Desktop users by archiving critical account information and altering proxy settings. The malware ensures persistence through Windows services and scheduled tasks and can undermine security software. The LetsVPN installer is legitimate and signed, but the MSI package is unsigned and contains malicious components. Users are advised to download software only from official sources and verify digital signatures.