Fake X-VPN installers found to spread credential-stealing malware — here’s how to stay safe


  • Fake X-VPN installer found to deploy credential-stealing malware
  • X-VPN was not hacked; only those downloading the fake app were affected
  • First targeting crypto traders, criminals widened to privacy-minded users

A new report has uncovered an uncomfortable truth for anyone who downloads software from somewhere other than the official source: a trusted-looking app can be weaponized against you.

Threat researchers at Cyderes have been tracking an active campaign that uses a fake X-VPN installer to deploy malware known as the STX RAT, which steals credentials and hands attackers remote control of an infected machine.

Crucially, this is not a breach of X-VPN, a provider that has just proved its privacy credentials with an independent no-log audit. The company’s official download channels were unaffected, and the only people at risk were those who installed a malicious copy from attacker-controlled sources.

This is a stark reminder that, even if you pick one of the best VPN services around, you still need to be careful with downloads. As Google warned in its November 2025 fraud advisory, scammers are increasingly disguising malware as legitimate VPN apps to steal users’ data.

How the fake X-VPN attack works

Timeline of X-VPN malware campaign's evolution uncovered by Cyderes (June 2026)

(Image credit: Cyderes)

As Cyderes’ findings show, attackers took genuine X-VPN program files and slipped in one extra malicious file named CRYPTBASE.dll, a technique called DLL sideloading.

Because of a quirk in how Windows finds that file, the app appears to install normally while the hidden file injects the STX RAT malware straight into the computer’s memory, leaving little trace for antivirus tools to catch.
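A defender can check an installed program's folder for the pattern described above. The following sketch is an added example, not code from Cyderes or X-VPN: it flags any DLL that sits beside an .exe and reuses the name of a DLL in the Windows system directory. The function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path


def system_dll_names(system_dir):
    """Lower-cased names of the DLLs present in the Windows system directory."""
    return {p.name.lower() for p in Path(system_dir).iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def find_shadowing_dlls(app_dir, system_names):
    """List (path, sha256) for DLLs that sit beside an .exe and reuse a system DLL name."""
    findings = []
    for folder, _dirs, files in os.walk(app_dir):
        # The application-directory lookup applies to the folder that holds the .exe.
        if not any(f.lower().endswith(".exe") for f in files):
            continue
        for name in files:
            if name.lower().endswith(".dll") and name.lower() in system_names:
                path = Path(folder) / name
                findings.append((str(path), hashlib.sha256(path.read_bytes()).hexdigest()))
    return sorted(findings)


def demo():
    """Run the check on a constructed tree; file names and contents are sample data."""
    with tempfile.TemporaryDirectory() as root:
        sysdir, app = Path(root, "System32"), Path(root, "FakeApp")
        (app / "resources").mkdir(parents=True)
        sysdir.mkdir()
        for name in ("cryptbase.dll", "version.dll"):
            (sysdir / name).write_bytes(b"constructed system dll")
        (app / "App.exe").write_bytes(b"constructed exe")
        (app / "CRYPTBASE.dll").write_bytes(b"constructed planted dll")
        (app / "helper.dll").write_bytes(b"constructed vendor dll")
        (app / "resources" / "version.dll").write_bytes(b"no exe in this folder")
        hits = find_shadowing_dlls(app, system_dll_names(sysdir))
        return [(Path(p).name, h) for p, h in hits]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use on Windows: python check.py "C:\path\to\app"
        sysdir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
        print(find_shadowing_dlls(sys.argv[1], system_dll_names(sysdir)))
    else:
        print(demo())
```

A hit is a lead rather than a verdict, since some vendors legitimately ship their own copies of common libraries; the next step is to check the flagged file's digital signature and compare its hash against the vendor's genuine package.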

Once active, STX RAT can harvest saved browser passwords and session tokens, collect system information, run commands remotely, and talk to its servers over ordinary encrypted web traffic, so it blends in. The fake VPN was one of 11 malicious packages tied to the operation, alongside trojanized installers for Binance, Bybit, MetaTrader 5, Exodus, and Steam.

The campaign began by targeting cryptocurrency traders, then pivoted to a trojanized X-VPN package to reach privacy-conscious users who often handle sensitive credentials. The same malware spread earlier through a brief compromise of the CPUID website, which Kaspersky linked to more than 150 victims across several countries and industries.

To its credit, X-VPN responded quickly, releasing Windows version 77.5.3 with hardened DLL loading controls. Users of the X-VPN app should update to that version or later.

How to avoid fake VPN apps

The good news is that the single most effective defense here is also the simplest and requires no technical skill. Most of these attacks fall apart the moment you refuse to download software from anywhere other than the official source.

Use the vendor’s own website or an official app store, and avoid installers from third-party repositories or links sent to you. In this campaign, the files lived in an unknown Bitbucket repository.

There have been other cases of criminals using a fake free VPN to spread malware, so treat suspiciously cheap apps as a red flag.

Type the address yourself rather than clicking ads or search results, which avoids look-alike sites.

Keep software updated and run reputable security software. Because STX RAT runs in memory and tries to evade detection, a modern antivirus or endpoint tool gives you an extra layer of protection alongside good download habits.

If you think you installed a fake VPN, assume your passwords and sessions may be exposed. Change important passwords from a clean device, sign out everywhere, and turn on two-factor authentication. A VPN is a valuable privacy tool, but only when you install the genuine article from a source you can trust.




Monica is a tech journalist with over a decade of experience. She writes about the latest developments in computing, which means anything from computer chips made out of paper to cutting-edge desktop processors.

