{
	"id": "d4297c3a-8b51-484a-a354-225f7eaf0a9c",
	"created_at": "2026-04-06T03:36:20.447826Z",
	"updated_at": "2026-04-10T03:37:09.405107Z",
	"deleted_at": null,
	"sha1_hash": "1b3ba7141564a0937ad7e659d6038ac0db7f29e1",
	"title": "New AZORult campaign abuses popular VPN service to steal cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 437889,
	"plain_text": "New AZORult campaign abuses popular VPN service to steal\r\ncryptocurrency\r\nBy Kaspersky\r\nPublished: 2020-02-18 · Archived: 2026-04-06 03:27:12 UTC\r\nKaspersky researchers have detected an unusual malicious campaign that uses a phishing copy of a popular\r\nVPN service’s website to spread AZORult, a Trojan stealer, under the guise of installers for Windows.\r\nThe campaign, which kicked off at the end of November 2019 with the registration of a fake website, is\r\ncurrently active and focused on stealing personal information and cryptocurrency from infected users. This\r\nshows that cybercriminals are still hunting for cryptocurrency, despite reports that interest in the currency\r\nhas died down.\r\nAZORult is one of the most commonly bought and sold stealers on Russian forums due to its wide range of\r\ncapabilities. This Trojan poses a serious threat to those whose computers may have been infected as it is capable\r\nof collecting various data, including browser history, login credentials, cookies, files from folders, cryptowallet\r\nfiles and can also be used as a loader to download other malware.\r\nIn a world where privacy is heavily fought for, VPN services play an important role by enabling additional data\r\nprotection and safe internet browsing. Yet cybercriminals try to abuse the growing popularity of VPNs by\r\nimpersonating them, as is the case in this AZORult campaign. In the most recent campaign, the attackers created a\r\ncopy of a VPN service’s website, which looks exactly the same as the original with the only exception being a\r\ndifferent domain name.\r\nhttps://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency\r\nPage 1 of 3\n\nScreenshot of a phishing copy of the targeted VPN service’s website\r\nLinks to the domain are spread through advertisements via different banner networks, a practice that is also called\r\n‘malvertising’. The victim visits the phishing website and is prompted to download a free VPN installer. Once a\r\nvictim downloads a fake VPN installer for Windows, it drops a copy of the AZORult botnet implant. As soon as the\r\nimplant is run, it collects the infected device's environment information and reports it to the server. Finally, the\r\nattacker steals cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, and others), FTP\r\nlogins and passwords from FileZilla, email credentials, information from locally installed browsers (including\r\ncookies), credentials from WinSCP, Pidgin messenger and others.\r\nUpon the discovery of the campaign, Kaspersky immediately informed the VPN service in question about the\r\nissue and blocked the fake website.\r\n“This campaign is a good example of how vulnerable our personal data is nowadays. In order to protect it, users\r\nneed to be cautious and be especially careful when surfing online. This case also shows why cybersecurity\r\nsolutions are needed on every device. When it comes to phishing copies of websites, it is very difficult for the user\r\nto differentiate between a real and a fake version. Cybercriminals often capitalize on popular brands and this trend\r\nis not likely to die down”, comments Dmitry Bestuzhev, head of GReAT in Latin America. “We strongly\r\nrecommend using VPN for protection of data exchange on the web, but it is also important to closely study where\r\nthe VPN software is downloaded from.”\r\nKaspersky detects this threat as HEUR:Trojan-PSW.Win32.Azorult.gen\r\nRead more about this AZORult campaign on Securelist.com.\r\nTo reduce the risk of infection with Trojan stealers such as AZORult, Kaspersky recommends\r\nusers to:\r\nCheck if the website is authentic. Do not visit websites until you are sure that they are legitimate and start\r\nwith ‘https’. Confirm that the website is genuine by double-checking the format of the URL or the spelling\r\nof the company name, reading reviews about it and checking the domain’s registration data before starting\r\ndownloads\r\nStore cryptocurrencies in cold wallets (ones that are not connected to the internet) to minimize risks of\r\nfunds being stolen\r\nTry to keep your passwords and other personal information, including a wallet’s private key, in a password\r\nmanager - like Kaspersky Password Manager. The application securely stores your data in an encrypted\r\nprivate vault.\r\nUse a reliable security solution, such as Kaspersky Security Cloud, which protects devices from a wide\r\nrange of threats, including phishing activity.\r\nAbout Kaspersky\r\nKaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security\r\nexpertise is constantly transforming into innovative security solutions and services to protect businesses, critical\r\ninfrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio\r\nincludes leading endpoint protection and a number of specialized security solutions and services to fight\r\nsophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we\r\nhelp 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.\r\nSource: https://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/about/press-releases/2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency"
	],
	"report_names": [
		"2020_new-azorult-campaign-abuses-popular-vpn-service-to-steal-cryptocurrency"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446580,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b3ba7141564a0937ad7e659d6038ac0db7f29e1.pdf",
		"text": "https://archive.orkl.eu/1b3ba7141564a0937ad7e659d6038ac0db7f29e1.txt",
		"img": "https://archive.orkl.eu/1b3ba7141564a0937ad7e659d6038ac0db7f29e1.jpg"
	}
}