ExpressVPN Clone Sites Infect Visitors with Redline Malware

A new campaign exploits the ExpressVPN brand to trick people into downloading fake installers containing Redline, a widely distributed information stealer.

Victims infect themselves by launching the malware, thinking they're about to install the popular VPN tool, and end up losing sensitive data to cybercriminals.

The campaign was discovered by Cyble Research & Intelligence Labs researchers, who shared their findings exclusively with RestorePrivacy.

Impersonation Campaign

The ongoing brand impersonation campaign uses typosquatting domains made to appear close to ExpressVPN’s actual domain, “”

Typosquatting is a technique involving the registration of domain names that are similar to those of the impersonated brands, usually featuring additional characters or letter swaps.

Six examples uncovered by Cyble while investigating this campaign are:


Victims end up on these sites via phishing emails, malvertising, SEO poisoning, instant messages, or posts on social media and forums.

The appearance of the sites is very close to the real ExpressVPN site, and they even include the three-month free offer the software promoted as part of its Black Friday deal.

Fake site left, real site right

The threat actors made sure to use valid SSL certificates to make their scam sites appear trustworthy to humans and security tools.

Dropping Redline

Clicking on the embedded button to claim the exclusive deal initiates a ZIP download from a Discord app URL.

The file, “,” contains an executable (setup.exe) that has been artificially inflated in size to evade analysis and AV scans.

Zero padding used to inflate the executable size to 680MB
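A defender-side check for this kind of inflation, as an added example that is not from the Cyble report or the original article: it walks a file backwards to measure the trailing run of zero bytes, so triage can flag a padded binary and hand only the real content to a scanner. The function names, the thresholds and the sample file are assumptions constructed for illustration.

```python
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a huge file is never loaded whole


def trailing_zero_bytes(path, chunk=CHUNK):
    """Count the 0x00 bytes at the very end of the file, walking backwards."""
    pos = os.path.getsize(path)
    zeros = 0
    with open(path, "rb") as fh:
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            block = fh.read(step)
            stripped = block.rstrip(b"\x00")
            zeros += len(block) - len(stripped)
            if stripped:  # reached non-zero content, the padding run ends here
                break
    return zeros


def padding_report(path, min_bytes=50 * 1024 * 1024, min_ratio=0.5):
    """Flag a file whose tail is mostly zero padding.

    Thresholds are assumptions for illustration. content_size is a lower
    bound: a genuine file may itself end in a few alignment zeros.
    """
    size = os.path.getsize(path)
    zeros = trailing_zero_bytes(path)
    ratio = zeros / size if size else 0.0
    return {
        "size": size,
        "padding": zeros,
        "content_size": size - zeros,
        "ratio": round(ratio, 4),
        "suspicious": zeros >= min_bytes and ratio >= min_ratio,
    }


def make_sample(content, pad_len):
    """Constructed sample file: `content` followed by `pad_len` zero bytes."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
        fh.write(b"\x00" * pad_len)
    return path
```

A file that trips the check can be truncated to `content_size` bytes in a working copy before it is submitted to size-limited scanners or sandboxes.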

