Hackers bait users with popular VPNs, but fake installers lead to complete compromise
Attackers use a covert network of command servers named after “Nishihaoren,” which translates to “you are a good person.”

Image by Cybernews.
- Attackers distribute trojanized MSI files that install both the legitimate VPN and the GoodPersonRAT malware.
- Once active, the RAT monitor screens, logs keystrokes, steals browser data, exfiltrates information from Telegram Desktop, and grants attackers complete control.
- Victims believe the VPN installation was successful because MSI files also deliver a legitimate installer.
A click on a wrong search result or a mistype can lead users to download malware instead of a legitimate VPN app. Security researchers at ThreatLocker warn of hackers using trojanized installers masquerading as Kuailian VPN (LetsVPN) – installing them would lead to complete system compromise.
LetsVPN is a popular tool for bypassing internet censorship in China. However, attackers are distributing a legitimate, signed installer alongside malware packaged in an MSI installer. The analyzed file was named “Kuailian_win-setup.86.msi.”
“This installer drops and executes an encrypted RAT (remote access trojan) that provides attackers with complete control over a victim’s machine and its data,” Threat Locker warns in a report.
The fake installer drops malware first, and only then continues to install the actual VPN app to trick unsuspecting users into thinking the installation completed successfully.
The malware initially acts as a shellcode loader that connects to the command-and-control (C2) server. The final RAT payload is loaded into memory and never touches the disk, evading file-based detection.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
To communicate with attackers, the malware has a selection of 40 possible C2 servers.
Some of the domain names are variations of “Nishihaoren,” which, when translated from simplified Chinese, means “you are a good person.” Therefore, the researchers dubbed the malware “GoodPersonRAT”.
Once running on the victim system, the RAT waits for commands and offers an extensive feature set. The malware is capable of monitoring the screen, logging keystrokes, stealing clipboard content, scanning local browsers for cookies, profiles, login data, and history, targeting Telegram Desktop. The attacker also has full control over the victim’s computer to run any commands.
Even though the malware doesn’t leave files, it establishes persistence through service registration, and SYSTEM-level scheduled tasks that auto-start and initialize before user logon.
“This Trojan installer is a direct attack on LetsVPN users, many of whom operate behind the Great Firewall of China,” the researchers warn.
Attackers may clone popular VPNs and apps to bundle malicious installers. The ThreatLocker Threat Intelligence team warns users and administrators to verify the integrity of software bundles before installing them.
The report doesn't specify the actual distribution vector. Attackers usually prey on their victims using malvertising, SEO/search poisoning, phishing links, fake download sites, forums, and direct messages.