Security researchers observed samples of the AZORult trojan being distributed as fake ProtonVPN installers.
Back in November 2019, malicious actors launched this attack campaign by registering the domain “protonvpn[.]store” with a registrar based in Russia.
One iteration of the campaign used malvertising as its initial infection vector. Upon visiting a malicious website and downloading a fake ProtonVPN installer for Windows, a victim received a copy of AZORult.