We may earn a commission if you click a deal and buy an item. This is how we make money.

A nasty malware is parading itself as one of our favourite VPNs

Cybercriminals have cloned the website of popular VPN software to trick unsuspecting visitors into downloading a dangerous trojan.

Researchers at Doctor Web have discovered a harmful banking trojan disguised as the popular virtual private network, NordVPN. The trojan, known as Win32.Bolik.2, is hidden alongside VPN downloads from a website designed to be easily mistaken for the real NordVPN’s site.

Related: Best VPN

Along with visual similarities to the original site and an easily mistakable domain name, the criminals behind the fake have also managed to get their hands on a valid SSL certificate, thanks to open certificate authority Let’s Encrypt.

This makes the site look more like the real thing and allows it to slip past browser security checks.

However, the counterfeit site did offer a much more enticing deal, with a year of the VPN software being promised for nothing as opposed to the actual offer of $2.99 a month for three years of the service on NordVPN’s real website.

This isn’t the first time this group has struck. Back in June, the hackers cloned the sites of various corporate office programmes, including Invoice 360 and Clip Plus, to hide the banking trojan and they have been caught distributing the same file via the hacked free video editing service, VSDC.

The trojan sneaks in alongside a legitimate copy of the VPN or office software from these fake sites to steal data from unsuspecting victims – and it’s been getting clicks.

“The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus”, explained Doctor Web in a post exposing the malware. “Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”

Related: Best free VPN

According to Doctor Web, the malware on these sites has been primarily targeted at English-speaking audiences, and the fake NordVPN page has already been visited thousands of times. This just serves as a reminder to double-check before you download any software that looks a little too good to be true.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have 9 million users a month around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.