News·3 min read

Fake Chinese VPN Drops GoodPersonRAT With Keylogging, Proxying, and Telegram Theft

The legitimate VPN service is highly popular for its ability to bypass China’s Great Firewall. However, attackers are exploiting its reputation to deploy hidden malware. This fake installer drop

CS
CyberShield Team
2026-07-09
Share:
Fake Chinese VPN Drops GoodPersonRAT With Keylogging, Proxying, and Telegram Theft

The legitimate VPN service is highly popular for its ability to bypass China’s Great Firewall. However, attackers are exploiting its reputation to deploy hidden malware. This fake installer drops a dangerous, encrypted Remote Access Trojan (RAT) that grants attackers complete control over a victim’s computer and personal data. The malicious installer contains three distinct embedded […] The post Fake Chinese VPN Drops GoodPersonRAT With Keylogging, Proxying, and Telegram Theft appeared first on Cyber Security News.

The legitimate VPN service is highly popular for its ability to bypass China’s Great Firewall. However, attackers are exploiting its reputation to deploy hidden malware. This fake installer drops a dangerous, encrypted Remote Access Trojan (RAT) that grants attackers complete control over a victim’s computer and personal data. The malicious installer contains three distinct embedded files. To avoid suspicion, it first installs a signed, legitimate version of the LetsVPN software. While the user believes the installation was normal, a second file acts as a shellcode loader in the background. This loader allocates memory and decrypts the third file, which serves as the primary payload. By loading the final malware stage reflectively into memory, the attackers ensure the most dangerous code is never written directly to the hard drive. Chain of Execution (Source: threatlocker) Fake VPN Drops RAT Once active, the RAT connects to a command-and-control (C2) server to receive live instructions. The malware chooses its target server from a built-in table of 40 possible options. Interestingly, several of the malicious domains include the phrase “nishihaoren,” which translates from simplified Chinese to “You are a good person.” After connecting, the malware establishes a persistent session that waits silently for remote commands. This RAT equips the attacker with a massive toolkit for surveillance and data theft. An advanced file manager allows attackers to create directories, upload payloads, and exfiltrate sensitive data. A hidden keylogger records keystrokes every 10 milliseconds and steals copied text from the clipboard. Bundled Loader (Source: threatlocker) To maintain total secrecy, the malware actively modifies applications on the victim’s machine. It patches the Telegram executable to hide that proxy settings have been changed, so the user never sees a warning. The malware also uses a hidden overlay window to block the user’s physical keyboard and mouse input. This allows the attacker to take complete control of the screen and interact with the desktop remotely while locking the victim out. According to ThreatLocker research, the RAT uses sophisticated methods to bypass security software and maintain a permanent foothold. It runs a background query to check for 25 different antivirus and endpoint detection vendors. While it simply monitors most antivirus tools, it actively attacks Microsoft Defender. Using PowerShell, the malware creates exclusions for its own directories and disables critical threat-reporting features. Indicators of Compromise Indicator TypeIndicatorDescriptionIP Address23.133.4[.]108GoodPersonRAT C2 ServerIP Address23.133.4[.]109GoodPersonRAT C2 ServerIP Address27.124.40[.]52GoodPersonRAT C2 ServerIP Address27.124.9[.]47GoodPersonRAT C2 ServerIP Address38.45.124[.]19GoodPersonRAT C2 Server Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Fake Chinese VPN Drops GoodPersonRAT With Keylogging, Proxying, and Telegram Theft appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.