- Fake X-VPN installer discovered to deploy credential-stealing malware
- X-VPN has not been hacked; only those who downloaded the fake app were affected
- First targeting crypto traders, criminals have expanded to privacy-conscious users
A new report has revealed an uncomfortable truth for anyone downloading software from anything other than the official source: a seemingly trustworthy app can be used as a weapon against you.
Cyderes threat researchers have been tracking an active campaign that uses a fake X-VPN installer to deploy malware known as STX RAT, which steals credentials and gives attackers remote control of an infected machine.
Importantly, this isn’t a breach of X-VPN, a provider that just proved its privacy credentials with an independent no-logging audit. The company’s official download channels were not affected, and the only people at risk were those who installed a malicious copy from sources controlled by attackers.
This is a stark reminder that even if you choose one of the best VPN services around, you should always be careful with downloads. As Google warned in its November 2025 fraud advisory, fraudsters are increasingly disguising malware as legitimate VPN apps to steal user data.
How the fake X-VPN attack works
As Cyderes’ findings show, the attackers took real X-VPN program files and slipped in an additional malicious file named CRYPTBASE.dll, a technique called DLL sideloading.
Due to a quirk in the way Windows finds this file, the application appears to install normally while the hidden file injects the STX RAT malware directly into the computer’s memory, leaving little trace for antivirus tools.
Once active, STX RAT can retrieve saved browser passwords and session tokens, collect system information, execute remote commands, and communicate with its servers via ordinary encrypted web traffic in order to blend in. The fake VPN was one of 11 malware packages linked to the operation, alongside trojanized installers for Binance, Bybit, MetaTrader 5, Exodus and Steam.
The campaign began by targeting cryptocurrency traders, then pivoted to a trojanized X-VPN package to reach privacy-conscious users who often handle sensitive credentials. The same malware spread earlier through a brief compromise of the CPUID website, which Kaspersky linked to more than 150 victims across multiple countries and industries.
To its credit, X-VPN responded quickly by releasing Windows version 77.5.3 with tightened DLL loading controls. X-VPN app users should update to this version or later.
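The sideloading described above depends on a file named like a Windows system DLL (here CRYPTBASE.dll) sitting in the application's own folder. The following is an added example, not code from Cyderes or X-VPN, that flags such name collisions in an install folder; the folder names and sample files are constructed for illustration.

```python
import os
import tempfile


def dll_names(directory):
    """Lower-cased names of DLL files directly inside `directory`."""
    return {
        entry.name.lower()
        for entry in os.scandir(directory)
        if entry.is_file() and entry.name.lower().endswith(".dll")
    }


def find_shadowing_dlls(install_dir, system32_dir):
    """Return sorted paths of files under install_dir whose name matches a
    DLL in system32_dir. Windows file names are case-insensitive, so the
    comparison is done on lower-cased names."""
    system_names = dll_names(system32_dir)
    hits = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if name.lower() in system_names:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def build_constructed_sample(base):
    """Constructed sample tree (empty placeholder files, not real binaries)."""
    system32 = os.path.join(base, "System32")
    app = os.path.join(base, "ExampleVPN")  # hypothetical install folder
    os.makedirs(system32)
    os.makedirs(os.path.join(app, "plugins"))
    for name in ("cryptbase.dll", "kernel32.dll"):
        open(os.path.join(system32, name), "w").close()
    for name in ("ExampleVPN.exe", "CRYPTBASE.dll",
                 os.path.join("plugins", "tunnel.dll")):
        open(os.path.join(app, name), "w").close()
    return app, system32


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app_dir, sys_dir = build_constructed_sample(tmp)
        for path in find_shadowing_dlls(app_dir, sys_dir):
            print("review:", path)
```

On a real machine, pass the application's install folder and the Windows System32 directory. A match is a lead to triage rather than a verdict, because some software legitimately ships its own copies of DLLs that also exist in System32.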
How to avoid fake VPN apps
The good news is that the most effective defense here is also the simplest and requires no technical skills. Most of these attacks collapse as soon as you refuse to download software from anything other than the official source.
Use the provider’s website or an official app store and avoid installers from third-party repositories or links sent to you. In this campaign, the files resided in an unknown Bitbucket repository.
There have been other cases of criminals using fake free VPNs to spread malware. Treat suspiciously cheap apps as a red flag.
Type the address yourself rather than clicking on ads or search results, which helps you avoid lookalike sites.
Keep your software up to date and run reputable security software. Since STX RAT runs in memory and attempts to evade detection, a modern antivirus or endpoint tool gives you an extra layer of protection on top of good download habits.
If you think you have installed a fake VPN, assume that your passwords and sessions may be exposed. Change important passwords from a clean device, sign out everywhere, and enable two-factor authentication. A VPN is a valuable privacy tool, but only when you install the genuine article from a trusted source.