Foresiet Threat Research Alert: Caution! Cybercriminals Posing as NordVPN Infect Millions through Google and Bing Ads!

Posted on: 05 Apr 2024 | Author: Foresiet

Google has historically served as a prominent platform for such malicious advertisements. However, Bing is now increasingly susceptible to becoming a target due to its tight integration with the Windows ecosystem and the Edge browser.

Bing searches are being manipulated to redirect users to a counterfeit website closely resembling the legitimate NordVPN site.

To further deceive users, the threat actors attempted to digitally sign a malicious installer and hosted it on Dropbox. Unsuspecting victims may believe they are downloading NordVPN but end up installing a Remote Access Trojan (RAT) known as SecTopRAT on their systems.

Foresiet took action by reporting the malicious Bing ad to Microsoft and notifying other pertinent parties about the distribution infrastructure implicated. It's crucial to underscore that NordVPN is a reputable VPN provider and is being impersonated by threat actors in this malicious campaign. Users must exercise caution and verify that they download software solely from official sources to mitigate the risk of falling victim to such deceptive tactics.


The threat and research team at Foresiet stumbled upon a website bearing a striking resemblance to the official NordVPN site. However, upon conducting a thorough examination, we discovered that the domain name was invalid. This discovery raised significant concerns regarding the authenticity of the site and the safety of downloading any software from it.

http://besthord-vpn(.)com/ - Malicious site.

As frequently observed, the ad URL acts as a redirection mechanism, guiding users to a counterfeit website crafted to mirror the appearance of the legitimate one being impersonated. In this instance, the redirection directs users to a site named besthord-vpn[.]com. It's crucial to exercise vigilance and authenticate the legitimacy of websites, particularly when engaging with sensitive services such as VPNs, to steer clear of falling prey to such deceitful practices.

The sophistication of the counterfeit website is indeed alarming, as it appears remarkably convincing and is likely to dupe unsuspecting victims. Unlike the legitimate NordVPN website, which usually necessitates users to undergo a sign-up process, the fake site enables users to download the installer directly from Dropbox. This simplified approach may further mislead users into believing they are acquiring the authentic software, thereby amplifying the risk of inadvertently installing the malicious Remote Access Trojan (RAT) onto their systems.

It's imperative for users to exercise caution and meticulously verify the legitimacy of websites and software downloads, especially when dealing with sensitive services like VPNs. This vigilance is crucial for mitigating the risk of falling victim to such deceptive tactics.

The source code of the malicious website contains a link for downloading files from Dropbox.

The payload

This software is a Trojan.

The downloaded file is titled NordVPNSetup.exe and includes a digital signature, creating the impression that it originates from the official vendor. However, it's important to note that the signature is invalid, indicating that the file might not be genuine despite its appearance.

Digital Signature



It's vital to exercise caution when downloading software and verify the authenticity of websites to prevent falling victim to malicious actors. Users should exclusively download software from official sources and maintain vigilance against such deceptive tactics.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.