{
	"id": "19495fd7-0692-4294-aeff-f116c9dad373",
	"created_at": "2026-04-06T00:19:36.523614Z",
	"updated_at": "2026-04-10T03:20:50.07384Z",
	"deleted_at": null,
	"sha1_hash": "e1de05d4b62c31e44fe9f7ccca50242f35fee6f1",
	"title": "Cybercriminals Distribute Backdoor With VPN Installer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 430007,
	"plain_text": "Cybercriminals Distribute Backdoor With VPN Installer\r\nBy Raphael Centeno\r\nPublished: 2020-09-21 · Archived: 2026-04-05 23:19:12 UTC\r\nAs with any popular technology, Virtual Private Networks (VPNs) are also used by cybercriminals as bait for spreading threats. In this entry, we share how threat actors are bundling Windscribe VPN installers with backdoors. Backdoors allow cybercriminals to gain remote access to and control of computers without proper authentication. The specific backdoor here is detected by Trend Micro as Backdoor.MSIL.BLADABINDI.THA, while the associated malicious files are detected by Trend Micro as Trojan.MSIL.BLADABINDI.THIOABO.\r\nIt is important to point out that the installers examined in this report come from fraudulent sources and not from Windscribe’s official download center or the Google and Apple app stores. Notably, cybercriminals have previously used the technique of bundling legitimate installers with malicious files to lure users on other platforms such as video conferencing apps.\r\nA VPN secures the communication between a user’s computer and the internet by encrypting the connection, keeping data safe from eavesdropping. VPNs have always been useful but are now relied on more than ever as many companies remain in work-from-home (WFH) mode, away from the presumably more secure office network environment.\r\nAnalyzing the malicious files bundled with the installer\r\nTo begin with, a user likely gets the file from malicious sources, not knowing that they are downloading a bundled application instead of the legitimate installer alone. The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the script that serves as the runner of the malicious file (win.vbs).\r\nFigure 1. Contents of the bundled application\r\nFigure 2. Code content of win.vbs file showing its function of running the malicious file\r\nThe user sees an installation window on their screen, which possibly masks the malicious activity occurring in the background.\r\nFigure 3. Installation window of Windscribe VPN\r\nWithout the user’s knowledge, lscm.exe stealthily downloads its payload from a website in the background. This website then redirects to another page that serves an encrypted file named Dracula.jpg.\r\nFigure 4. Code snippet of lscm.exe showing the website it downloads its payload from\r\nThis obfuscated file carries a decryption routine for its first layer: every occurrence of “DTA” is replaced with “14”, the resulting string is reversed, and the hex value is then converted to a string. The result is a base64-encoded file.\r\nFigure 5. Code snippet showing decryption routine\r\nDecrypting Dracula.jpg’s layers of encryption reveals the backdoor payload.\r\nFigure 6. Encrypted Dracula.jpg file\r\nFigure 7. Encrypted Code Windscribe\r\nFigure 8. Decrypted file\r\nThe backdoor can also execute commands such as downloading, executing, and updating files, as well as taking screenshots of the user’s screen.\r\nBesides these, the malware gathers the following information:\r\n- Antivirus products\r\n- Machine name\r\n- Operating system\r\n- Username\r\nConclusion\r\nEnterprises and individual users alike employ VPNs to bolster their systems’ protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite, exposing systems to threats. Therefore, everyone should be reminded that applications must only be downloaded through legitimate channels such as the app’s official download center and other legitimate app marketplaces.\r\nToday, many companies still use VPNs for their WFH setups. Although the home is a place for relaxation, users should never let their guard down when it comes to the security of their devices. Rather, users should stay vigilant in taking steps to protect their data.\r\nRecommendations\r\nAs prevention is better than cure, the best way to avoid malicious files is to be careful not to download files from untrustworthy sources. For this, the following measures are recommended:\r\n- Download applications and files only from official download centers and app stores. When in doubt about the download source, consult the IT team of one’s company.\r\n- Scrutinize URLs to distinguish spoofed domains of download centers (or app stores) from the legitimate ones. Keep in mind that misspelled domain names are red flags.\r\n- Never download apps and other files from emails sent by untrusted sources.\r\n- Do not click links in suspicious emails. Instead, hover over a link to preview the URL the embedded link leads to.\r\nLastly, we recommend Trend Micro™ WiFi Protection products, which ensure a secure internet connection both at home and in public places. They also filter and block malicious websites, online fraud, and internet scams.\r\nIndicators of Compromise\r\nURLs\r\ngamezer1hack[.]sytes[.]net:19811\r\nhxxps://onedrive[.]live[.]com/download?\r\ncid=9B6546ADF0F7911A\u0026resid=9B6546ADF0F7911A!1195\u0026authkey=ABFIpKKz4bOcT1I\r\nhxxps://yu0aoq[.]db[.]files[.]1drv[.]com/y4mr4XEohBDL_98XqXLIKJPqiyqV1rhPymTxyJlXe0jmdlUfwDD0zTGUJtmAqyLRdtTJXAYycbv00q\r\ngSTmO3mIT5jCGKwfPRsMgFOcCjm8P9cugtlz0psvZQgiW13JPS_JSu3Wc8nVE0qT8qYTpNjQfCHLwTmNk6fh5zaCvDF0gpJkdKuvrMJ0TsA\r\ndownload\u0026psid=1\r\nSource: https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html"
	],
	"report_names": [
		"wind-up-windscribe-vpn-bundled-with-backdoor.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434776,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1de05d4b62c31e44fe9f7ccca50242f35fee6f1.pdf",
		"text": "https://archive.orkl.eu/e1de05d4b62c31e44fe9f7ccca50242f35fee6f1.txt",
		"img": "https://archive.orkl.eu/e1de05d4b62c31e44fe9f7ccca50242f35fee6f1.jpg"
	}
}