Trojanized LetsVPN installer gives attackers remote access to Windows PCs

A recent investigation has revealed a sophisticated malware campaign that exploits the popular VPN service LetsVPN. Researchers from ThreatLocker Threat Intelligence, William Pires and John Moutos, uncovered a malicious Windows installer that masquerades as the legitimate LetsVPN application while simultaneously deploying a remote access trojan (RAT) known as GoodPersonRAT.

Details of the Malware

This malware grants attackers comprehensive control over infected systems, employing a variety of stealth techniques to remain undetected. The analysis conducted by the researchers indicates that the malicious MSI installer first deploys the RAT before installing the authentic, signed LetsVPNLatest.exe application. This clever tactic creates an illusion of legitimacy, potentially deceiving unsuspecting users.

LetsVPN, a widely utilized VPN service, is particularly appealing to users seeking to bypass China’s Great Firewall, making it an attractive target for cybercriminals. This incident is not an isolated case; a similar campaign was reported last year by Rapid7, where trojanized LetsVPN installers delivered the Winos v4.0 malware through a complex infection chain.

The malicious package identified as Kuailian_win-setup.86.msi contains three embedded files: the legitimate LetsVPN installer, a loader named promecefplugilte8.exe, and an encrypted payload stored as 20260609.dat. The loader decrypts and reflectively loads the final payload directly into memory, minimizing its footprint on disk and enhancing its stealth capabilities.

Functionality and Features of GoodPersonRAT

ThreatLocker aptly named the malware GoodPersonRAT, drawing inspiration from one of its command-and-control domains, nishihaoren8[.]top. The term “nishihaoren” translates to “you are a good person” in Chinese, adding a layer of irony to its malicious intent. The RAT is equipped with numerous hardcoded command-and-control server configurations and can dynamically switch between them using local configuration files.

Once connected to its command-and-control server, GoodPersonRAT offers attackers a wide array of functionalities, including:

  • Remote desktop control
  • File upload and download
  • Command execution via cmd.exe
  • SOCKS5 and HTTP proxying
  • Browser manipulation
  • Keylogging
  • Clipboard monitoring
  • Automatic malware updates

One particularly notable feature of this malware is its approach to web browsers. Rather than immediately stealing stored credentials, it first clears cookies and login sessions, compelling victims to re-enter their usernames and passwords, which are subsequently captured by the integrated keylogger. Additionally, the malware continuously monitors clipboard contents and exfiltrates any newly captured data to the attacker.

Targeting Telegram Desktop Users

Telegram Desktop users are also specifically targeted by GoodPersonRAT. The malware archives the tdata directory, which contains critical account session information, and alters the application’s proxy settings to funnel traffic through infrastructure controlled by the attackers. To further conceal its activities, it modifies telegram.exe to suppress notifications that would typically alert users to changes in proxy settings.

To ensure long-term access, the malware establishes persistence through Windows services and scheduled tasks. It also profiles installed security software and, when feasible, undermines Microsoft Defender by creating directory exclusions and disabling cloud-based protection features using PowerShell commands.

While the LetsVPN installer included in this malicious package is legitimate and digitally signed, the surrounding MSI package remains unsigned and harbors the malicious loader and payload. Users are advised to download LetsVPN and other software exclusively from official sources, verify digital signatures before executing installers, and refrain from using software packages obtained from third-party websites or file-sharing services.

If you liked this article, be sure to follow us on X/Twitter and also LinkedIn for more exclusive content.

Winsage
Trojanized LetsVPN installer gives attackers remote access to Windows PCs