From github.com
The permissive folder permission in “C:\ProgramData\OpenVPN Connect” allows an attacker without admin rights to place a malicious DLL next to tapinstall.exe. As soon as OpenVPN client is installed or upgraded, the malicious DLL is loaded by tapinstall and the shellcode is executed.