Keypoints
- Malicious Bing ad impersonated NordVPN and redirected users via a short-lived typosquatted domain to a fake site.
- Typosquatted domains observed: nordivpn[.]xyz (ad URL) which redirected to besthord-vpn[.]com (decoy site).
- Decoy site offered a direct download (bypassing normal NordVPN signup flow) and served the installer from Dropbox.
- Downloaded file named NordVPNSetup.exe carried a digital signature, but the signature was invalid; the file bundled a legitimate-looking NordVPN installer together with a malware payload.
- The payload injects into MSBuild.exe and establishes a SecTopRAT (Arechclient2) command-and-control connection to 45.141.87[.]216:15647.
- Indicators and infrastructure were reported to providers; Dropbox removed the malicious download and the ad was reported to Microsoft.
MITRE Techniques
- [T1566] Phishing – Malicious search advertisement lures users to a fraudulent site via Bing search results (‘When searching for “nord vpn” via the Bing search engine, we identified a malicious ad that impersonates NordVPN.’).
- [T1583.002] Acquire Infrastructure: Domains – Ad and decoy infrastructure used newly registered typosquatted domains to impersonate the vendor (‘the domain name nordivpn[.]xyz was created one day ago … redirect to besthord-vpn[.]com’).
- [T1102] Web Service – Distribution used a cloud file-hosting service to host the installer (‘you can directly download the installer from Dropbox.’).
- [T1553.002] Subvert Trust Controls: Code Signing – Threat actors attached a signature to the installer so it would appear to come from the vendor; the signature does not validate (‘The downloaded file is called NordVPNSetup.exe and is digitally signed, as if it was from its official vendor; however, the signature is not valid.’).
- [T1055] Process Injection – The malicious payload injects into a legitimate process (MSBuild.exe) to run stealthily (‘The payload is injected into MSBuild.exe’).
- [T1071] Application Layer Protocol – Backdoor communicates with a command-and-control server over the network to 45.141.87[.]216 on port 15647 (‘will connect to the malware author’s command and control server at 45.141.87[.]216 on port 15647.’).
Indicators of Compromise
- [Domain] Malicious redirect and decoy site – nordivpn[.]xyz, besthord-vpn[.]com
- [Filename] Fake installer offered to victims – NordVPNSetup.exe
- [File Hash] Malicious installer hash – e9131d9413f1596b47e86e88dc5b4e4cc70a0a4ec2d39aa8f5a1a5698055adfc
- [IP Address] SecTopRAT command-and-control – 45.141.87[.]216
The campaign leveraged paid Bing search ads to capture queries for “nord vpn” and redirect users through a newly registered typosquatted domain (nordivpn[.]xyz) to a decoy site (besthord-vpn[.]com). The decoy closely mimicked the legitimate vendor’s site and offered a direct download hosted on Dropbox, avoiding the normal signup flow users would expect from NordVPN.
The downloaded binary, NordVPNSetup.exe, carried a digital signature to appear authentic, but the signature does not validate: any Authenticode check (for example signtool verify or PowerShell's Get-AuthenticodeSignature) reports it as not valid, which is the cheapest check a user or help desk can run before executing a vendor installer. The package contained both a harmless-looking NordVPN installer and a hidden SecTopRAT payload; the payload injects itself into MSBuild.exe, a legitimate .NET build tool, so that the malicious code runs under a trusted process name.
Once injected, the backdoor establishes outbound C2 communication to 45.141.87[.]216 on TCP port 15647 (detected as Arechclient2/SecTopRAT). Infrastructure and indicators were reported to providers and Dropbox removed the malicious download, but the technical chain (malvertising → typosquat domains → cloud-hosted installer → signed-but-invalid binary → MSBuild injection → C2) offers defenders several independent stages to monitor and block: DNS and proxy logs for the typosquat domains, file-hash and Authenticode checks on the installer, MSBuild.exe opening network sockets, and connections to the C2 address and port.
Read more: https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-nordvpn-leads-to-sectoprat