Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Foxit PDF Reader & Editor Patches 20 Critical RCE Flaws
July 9, 2026
AssuranceAmerica Data Breach Exposes 6.9 Million Driver’s Licenses and Personal Data
July 9, 2026
GitLab Patches 8 Critical Vulnerabilities in Community and Enterprise Editions
July 9, 2026
Home/Threats/Critical GoodPersonRAT Malware Uses Fake LetsVPN Installer for Full Remote Control
Threats

Critical GoodPersonRAT Malware Uses Fake LetsVPN Installer for Full Remote Control

Key Takeaways A new remote access trojan (RAT), dubbed GoodPersonRAT, is being distributed through a deceptive installer for the legitimate Chinese VPN service, LetsVPN. The malware grants attackers...

Marcus Rodriguez
Marcus Rodriguez
July 9, 2026 4 Min Read
3 0

Key Takeaways

  • A new remote access trojan (RAT), dubbed GoodPersonRAT, is being distributed through a deceptive installer for the legitimate Chinese VPN service, LetsVPN.
  • The malware grants attackers comprehensive control over infected systems, including keylogging, screen control, file manipulation, command execution, and proxying internet traffic.
  • GoodPersonRAT employs stealthy techniques, such as loading its payload directly into memory and modifying security software settings, to evade detection.
  • The threat primarily targets users seeking to bypass internet censorship in China, exploiting their need for VPN services.
  • Users are advised to exercise extreme caution when downloading VPN software, verifying the source and digital signatures of installers.

A sophisticated new remote access trojan (RAT), identified as GoodPersonRAT, is actively compromising computers by masquerading as an installer for LetsVPN, a popular virtual private network service widely used in China to circumvent internet restrictions. This insidious malware provides its operators with extensive remote control capabilities, posing a significant threat to unsuspecting users.

Table Of Content

  • Key Takeaways
  • The GoodPersonRAT Infection Chain
  • Extensive Remote Control and Data Exfiltration
  • What You Should Do

The attack vector is particularly deceptive: the malicious installer, disguised as a setup utility for LetsVPN, contains a legitimate, digitally signed version of the VPN software. This ensures that after the hidden malware has completed its covert installation process, the authentic VPN application deploys as expected. This seamless execution leaves victims unaware that their systems have been silently infiltrated and compromised.

Cybersecurity firm ThreatLocker first uncovered this campaign during an analysis of suspicious files. In a report shared with Cyber Security News (CSN), ThreatLocker said in a report that their investigation revealed a single MSI package, “Kuailianwin-setup.86.msi,” containing three distinct components that work in concert to deploy the spyware onto a victim’s machine.

The GoodPersonRAT Infection Chain

The initial stage of the infection involves the execution of the “Kuailianwin-setup.86.msi” file. This installer is cleverly engineered to include the genuine LetsVPN software, ensuring the victim receives the expected application and remains unsuspicious. However, in the background, a loader component initiates the malicious process.

This loader allocates a section of memory and proceeds to read an embedded data blob, which is, in fact, encrypted shellcode. This shellcode then decrypts a larger, more complex program using a simple repeating XOR key. Crucially, this final payload, the GoodPersonRAT client, is loaded directly into memory without ever being written to disk. This fileless execution technique significantly hinders detection by traditional antivirus solutions and complicates forensic analysis.

Once active, the GoodPersonRAT client establishes communication with its command-and-control (C2) infrastructure. The malware is programmed with several backup C2 server addresses, selecting one based on a local configuration file or, if absent, the name of the directory from which it was launched. The name “GoodPersonRAT” was derived by researchers from several C2 server addresses that translate from Chinese to the phrase “you are a good person.”

Extensive Remote Control and Data Exfiltration

GoodPersonRAT provides attackers with near-total control over the compromised system. Unlike some RATs that periodically check in with their C2, GoodPersonRAT maintains a persistent, open line of communication, allowing attackers to issue commands in real-time. The capabilities of this RAT are extensive, including:

  • Live command prompt access
  • Bidirectional file transfer
  • Keystroke logging
  • Clipboard content exfiltration
  • Remote screen viewing and mouse control

The malware also exhibits a specific focus on popular messaging applications, particularly Telegram Desktop. It is designed to pilfer Telegram session data and surreptitiously reroute the application’s network traffic through an attacker-controlled proxy. To maintain its stealth, GoodPersonRAT patches the Telegram application, preventing any warning notifications from appearing to the user.

Furthermore, GoodPersonRAT incorporates anti-detection mechanisms. It actively queries the system for installed security software and adapts its behavior to avoid triggering alerts. On systems running Microsoft Defender, the RAT goes a step further, adding exclusions for its own files to prevent scanning and disabling automatic sample submission to Microsoft entirely.

To ensure long-term access, GoodPersonRAT establishes persistence on the infected machine. It installs itself as a background service and creates a scheduled task configured to execute at system startup, guaranteeing its survival across reboots. The malware also possesses a self-update mechanism, allowing attackers to push new versions of its core code from the C2 server, thereby introducing new functionalities or patching existing ones.

The success of this campaign hinges on exploiting the trust users place in tools designed to bypass censorship. The fact that the bundled VPN software is legitimate and signed means that only the outer installer file, “Kuailianwin-setup.86.msi,” is unsigned and suspicious. This single detail is often overlooked by users eager to install the VPN.

What You Should Do

  • Verify Installer Signatures: Before running any downloaded software, especially VPNs or tools for bypassing censorship, always check the digital signature of the installer file. An unsigned installer for a reputable product is a major red flag.
  • Download from Official Sources: Only download VPN software directly from the official vendor’s website or trusted app stores. Avoid third-party download sites, torrents, or unofficial links.
  • Employ Endpoint Detection and Response (EDR): Advanced endpoint security solutions can detect and block the sophisticated, fileless techniques used by GoodPersonRAT, such as memory injection and process hollowing.
  • Implement Application Whitelisting/Control: Solutions like ThreatLocker can prevent unauthorized executables, like the GoodPersonRAT loader, from running on your system, even if they manage to bypass initial antivirus scans.
  • Educate Users: Regularly inform users about the risks of downloading software from unverified sources and the importance of checking digital signatures.
  • Monitor Network Traffic: Keep an eye on unusual outbound network connections, especially to the C2 IP addresses and domains listed in the Indicators of Compromise (IoCs) below.
  • Keep Software Updated: Ensure your operating system, web browsers, and all security software (antivirus, anti-malware) are kept up-to-date to benefit from the latest protections.

Indicators Of Compromise (IoCs):-

Type Indicator Description
IP Address 23[.]133[.]4[.]108 C2 server address
IP Address 23[.]133[.]4[.]109 C2 server address
IP Address 27[.]124[.]40[.]52 C2 server address <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/4e3df6f8-92f8-4089-a5de-26d6472fda46/GoodPersonRAT-Uses-Fake-LetsVPN-Installer-to-Give-Attackers-Full-Remote-Control.pdf?AWSAccessKeyId=ASIA2

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwarePatchSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Microsoft Patches Critical Defender Zero-Day Vulnerability CVE-2023-XXXXX

Next Post

Chrome Update Patches 27 Vulnerabilities, Two Critical Code Execution Flaws

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
QR Code Phishing Attacks Steal Credentials and Deliver Malware
July 9, 2026
GitHub Copilot Blocks Harmful Prompts in Chat, Writes Them in Code
July 9, 2026
AI Agents Vulnerable to Remote Code Execution Attacks
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us