Malware

New GoodPersonRAT malware distributed via fake LetsVPN installer

Trojan malware

Based on information from Cyber Insider, a new remote access trojan (RAT) named GoodPersonRAT is being distributed through a malicious installer that masquerades as the legitimate LetsVPN software. This campaign, uncovered by ThreatLocker Threat Intelligence researchers, poses a significant risk to users seeking unrestricted internet access.

The trojanized installer, identified as Kuailian_win-setup.86.msi, embeds a loader and an encrypted payload alongside the authentic LetsVPN application. Upon execution, the loader decrypts the payload and loads it directly into memory, employing stealth techniques to evade detection. GoodPersonRAT, named after one of its command-and-control domains translating to "you are a good person" in Chinese, grants attackers extensive control over infected systems. Capabilities include remote desktop access, file manipulation, command execution, keylogging, and clipboard monitoring.

The malware specifically targets Telegram Desktop users by archiving session data and rerouting traffic through attacker-controlled infrastructure, while also disabling security features like Microsoft Defender. Persistence is maintained through Windows services and scheduled tasks. Users are advised to download software only from official sources and verify digital signatures to avoid such threats.

Source: Cyber Insider

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Adware

You can skip this ad in 5 seconds