A Look at Upcoming Innovations in Electric and Autonomous Vehicles Trojanized VPN Installer Delivers Stealthy RAT That Grants Full System Access

Trojanized VPN Installer Delivers Stealthy RAT That Grants Full System Access

A malicious installer posing as the popular censorship-circumvention tool LetsVPN has been caught deploying a sophisticated remote access trojan that gives attackers complete control over a victim's machine - while the real VPN installs quietly in the background to avoid suspicion. Security researchers at ThreatLocker published findings detailing the threat, which they have named GoodPersonRAT after a cluster of Chinese-language domain names embedded in the malware's infrastructure. The campaign targets a user base that is already operating in a high-risk environment: people behind China's Great Firewall who depend on VPN tools to reach the open internet.

How the Attack Unfolds

The malicious file, identified as Kuailian_win-setup.86.msi, arrives as a standard Windows installer package - complete with a legitimate, signed VPN installer bundled inside it. That detail matters. A signed binary carries an implicit credential of trustworthiness; many users, and even some security tools, treat a valid digital signature as a signal that software is safe. The attackers exploit that assumption.

When executed, the MSI package drops the malware first, then proceeds to install the actual LetsVPN application. From the user's perspective, the installation completes normally. Nothing looks wrong. The VPN works. Meanwhile, on a layer the user never sees, a shellcode loader has already connected to a remote command-and-control server and pulled down the final RAT payload directly into system memory - never writing it to disk.

That in-memory execution technique is deliberate and consequential. Most traditional antivirus and endpoint detection tools are built around scanning files on disk. A payload that lives entirely in memory leaves no file for those tools to find. Combined with encrypted communications to a pool of 40 possible command-and-control domains - several of which translate from Mandarin as "you are a good person," hence the researchers' name for the malware - the RAT is designed to be both elusive and resilient. If one server goes dark, the malware has dozens of fallbacks.

What GoodPersonRAT Can Do Once Inside

The feature set documented by ThreatLocker is extensive. Once active, GoodPersonRAT can monitor the screen in real time, log every keystroke, and harvest clipboard contents - capturing passwords, two-factor authentication codes, or any other sensitive data that passes through the system. It scans installed browsers for stored cookies, login credentials, browsing history, and user profiles. It specifically targets Telegram Desktop, a messaging application widely used in privacy-conscious communities, including those in regions with heavy internet restrictions. Beyond data theft, the attacker retains the ability to execute arbitrary commands, meaning the compromised machine can be used for anything from espionage to further malware deployment.

Persistence is maintained even though no payload file exists on disk. The malware registers itself as a system service and creates scheduled tasks at the SYSTEM privilege level - the highest available on a Windows machine - configured to initialize before any user logs in. Rebooting the machine does not remove it. This combination of elevated privileges and pre-logon execution makes the infection difficult to detect and harder still to clean without specialized tools.

A Threat Designed for a Specific and Vulnerable Audience

LetsVPN is not an obscure application. It is widely used in China, where access to much of the global internet is blocked by state-level filtering infrastructure. People who rely on it are, by necessity, seeking software through channels that may not be official app stores - because official stores in that environment are themselves subject to censorship and removal orders. This creates a structural vulnerability: the audience most in need of the tool is also the audience most likely to find it through informal or third-party sources, precisely where attackers plant their traps.

ThreatLocker's report does not name a confirmed distribution method for this particular campaign, but the vectors commonly used in attacks of this type include malicious advertisements embedded in search results, compromised download pages designed to rank highly for relevant queries, phishing links sent through messaging platforms, and fake mirror sites that closely imitate legitimate software repositories. Any of these routes could plausibly deliver a file like Kuailian_win-setup.86.msi to an unsuspecting user.

The broader pattern - cloning a trusted application and weaponizing its installer - is not new, but it remains effective precisely because it exploits the weakest point in most security chains: the moment a person decides to trust a download. Technical defenses that focus on behavior after execution matter, but the attack succeeds before most of those defenses have a chance to activate.

What Users and Administrators Should Do

ThreatLocker urges both individual users and system administrators to verify the integrity of software before installation. In practice, this means several things:

  • Download software exclusively from official vendor websites or verified distribution channels, not from third-party mirrors or links shared in forums and messaging groups.
  • Check file hashes when the official vendor publishes them - a mismatch indicates a tampered file, regardless of whether it carries a valid signature.
  • Treat a digital signature as a minimum bar, not a guarantee. A signed installer confirms the file hasn't been corrupted in transit from a specific source; it does not validate that the source itself is legitimate.
  • Deploy endpoint protection capable of behavioral analysis and in-memory threat detection, not solely file-based scanning.
  • Monitor for unexpected service registrations and scheduled tasks, particularly those configured to run at SYSTEM level before user logon.

For users in restricted-internet environments, the risk calculus is harder. The very conditions that drive VPN adoption - censorship, surveillance, limited access to official software channels - also make safe software acquisition more difficult. That tension is unlikely to resolve soon, and attackers are clearly aware of it. Until official, verifiable distribution becomes more accessible to these users, the burden of scrutiny falls heavily on the individual - which is, by design, exactly where this kind of attack wants it.