- Fake X-VPN installer was found to deploy credential stealing malware
- X-VPN was not hacked; only those who downloaded the fake app were affected
- First targeting crypto traders, criminals expanded to privacy-minded users
A new report has revealed an uncomfortable truth for anyone who downloads software from somewhere other than the official source: an app that looks trustworthy can be weaponized against you.
Threat researchers at Cyderes have tracked an active campaign that uses a fake X-VPN installer to deploy malware known as STX RAT, which steals credentials and gives attackers remote control of an infected machine.
Crucially, this is not a breach of X-VPN, a provider that just proved its privacy credentials with an independent, no-logs audit. The company’s official download channels were unaffected, and the only people at risk were those who installed a malicious copy from attacker-controlled sources.
This is a stark reminder that even if you choose one of the best VPN services around, you still need to be careful with downloads. As Google warned in its November 2025 fraud notice, scammers are increasingly disguising malware as legitimate VPN apps to steal users’ data.
How the fake X-VPN attack works
As Cyderes’ findings show, attackers took genuine X-VPN program files and slipped in an additional malicious file named CRYPTBASE.dll alongside them, a technique called DLL sideloading.
Due to a quirk in how Windows finds that file, the app appears to install normally, while the hidden file injects the STX RAT malware directly into the computer’s memory, leaving few traces that antivirus tools can catch.
Once activated, the STX RAT can harvest saved browser passwords and session tokens, gather system information, run commands remotely, and communicate with its servers over ordinary encrypted web traffic, so it blends in. The fake VPN was one of 11 malicious packages linked to the operation, along with trojanized installers for Binance, Bybit, MetaTrader 5, and Steam Exodus.
The campaign started by targeting cryptocurrency traders, then pivoted to a trojanized X-VPN package to reach privacy-conscious users who often handle sensitive credentials. The same malware previously spread through a brief compromise of the CPUID website, which Kaspersky linked to more than 150 victims across multiple countries and industries.
To its credit, X-VPN responded quickly and released Windows version 77.5.3 with hardened DLL loading controls. Users of the X-VPN app must update to that version or later.
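For defenders, the sideloading pattern described above (a system-named DLL placed next to a program's executable) can be hunted for on disk. The following is an added example, not code from Cyderes or X-VPN; the function names, the two extra DLL names, and the sample folder layout are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# DLL names that normally load from the Windows system directory.
# CRYPTBASE.dll is the name reported above; the other two are assumptions
# added for illustration. Extend the set for your own environment.
SYSTEM_ONLY_DLLS = {"cryptbase.dll", "version.dll", "winmm.dll"}

def default_system_dirs():
    """System32/SysWOW64 on Windows; empty list elsewhere."""
    root = os.environ.get("SystemRoot")
    return [Path(root) / "System32", Path(root) / "SysWOW64"] if root else []

def find_sideload_candidates(scan_root, system_dirs=None):
    """Return (dll_path, [exe names]) for system-named DLLs sitting beside an EXE."""
    if system_dirs is None:
        system_dirs = default_system_dirs()
    trusted = [Path(d).resolve() for d in system_dirs]
    findings = []
    for dirpath, _subdirs, files in os.walk(scan_root):
        here = Path(dirpath).resolve()
        if any(here == t or t in here.parents for t in trusted):
            continue  # the genuine copies live here
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no program in this folder to load the DLL
        for name in sorted(files):
            if name.lower() in SYSTEM_ONLY_DLLS:  # Windows names are case-insensitive
                findings.append((str(Path(dirpath) / name), exes))
    return findings

def build_sample_tree(base):
    """Constructed sample layout (empty placeholder files, not real binaries)."""
    layout = {
        "FakeVPN": ["app.exe", "CRYPTBASE.dll"],   # should be flagged
        "CleanApp": ["app.exe", "helper.dll"],     # vendor DLL, ignored
        "System32": ["cmd.exe", "cryptbase.dll"],  # trusted location, skipped
        "Lib": ["cryptbase.dll"],                  # no EXE beside it, ignored
    }
    for folder, names in layout.items():
        (Path(base) / folder).mkdir()
        for name in names:
            (Path(base) / folder / name).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for dll, exes in find_sideload_candidates(tmp, [Path(tmp) / "System32"]):
            print(f"REVIEW: {dll} sits beside {', '.join(exes)}")
```

A hit is a lead to review, not proof of infection: compare the flagged file's signature and hash against the vendor's official release before acting on it.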
How to avoid fake VPN apps
The good news is that the most effective defense here is also the simplest and requires no technical skills. Most of these attacks fall apart the moment you refuse to download software from anywhere other than the official source.
Use the supplier’s own website or an official app store, and avoid installers from third-party repositories or links sent to you. In this campaign, the files resided in an unknown Bitbucket repository.
There have been other cases of criminals using a fake free VPN to spread malware, so treat suspiciously cheap apps as a red flag.
Type the address yourself instead of clicking on ads or search results, so you avoid lookalike websites.
Keep software up to date and run reputable security software. Because STX RAT runs in memory and tries to avoid detection, a modern antivirus or endpoint tool gives you an extra layer of protection alongside good download habits.
If you think you have installed a fake VPN, assume that your passwords and sessions may be exposed. Change important passwords from a clean device, log out everywhere, and turn on two-factor authentication. A VPN is a valuable privacy tool, but only when you install the genuine article from a source you can trust.



