Windscribe VPN Targeted with Fake Google Ads & Bundled with Backdoor

windscribe backdoor bundled via malicious sites

Virtual Private Networks (VPN’s) are a popular technology that gives you online privacy and anonymity by creating a private network from a public internet connection.

VPN’s mask your internet protocol (IP) address so your online actions are virtually untraceable.

But like many popular technologies, cyber-criminals find ways to use them as bait for spreading threats.

In the recent world of cyber threats comes a fraudulent VPN installer with back-doors that allow cyber-criminals to gain access and control of computers remotely without any sort of proper authentication needed.

The backdoor we are talking about in this article is detected by Trend Micro as Backdoor.MSIL.BLADABINDI.THA , while associated malicious files are detected by Trend Micro as Trojan.MSIL.BLADABINDI.THIOABA .

We want to point out that these back-doors are fraudulent and are NOT from Windscribe’s official download center or app stores for Google or Apple, yet they do look pretty authentic.

What cyber-criminals do is they bundle these malicious files with legitimate installers and lure users on other platforms like video conferencing apps.

Another way that they do this is by creating “fake” download sites and promoting them via Google Search ads.

For example, a reddit user googled “ free vpn” and found a malicious website is using Google AdWords to advertise the suspicious domain.

As you can see from the screenshot below, we’ve circled this suspicious website that says it is the World’s fastest VPN but the website is www(.)wlndscrlde(.)com – not – note that they replaced the “i” with an “l” and the “b” with a “d’ :

Windscribe Fake Site

For the untrained or hurried eye, you may not notice that this is a malicious site and the download will give the hackers access to your system.

If you were to download a file from a malicious source, like the one above, the bundled application drops three components into the users system:

  • The legitimate VPN installer
  • The malicious file which is named lscm.exe and contains the backdoor
  • The win.vbs application that serves as the runner of the malicious file

The user will see an installation window on their screen which masks that malicious activity that is actually occurring in the background!

Once the backdoor infiltrates the system, it can perform commands like downloading, executing, and updating files, as well as taking screenshots of the user’s screen.

The malware also gathers information like the machines name, operating system, username, and antivirus products.

Although VPN’s are used to increase a systems security, accidentally downloading an installer bundled with the malicious files will do the exact opposite.

With more and more organizations having employees work virtually, there have been in increase in these types of malicious attacks.

Organizations should be proactive about teaching employees to look for threats and files that may be infected.

For more information on how exactly this malicious software works, read the full report here on

About the author


Jay David Paul

Jay David Paul has been in the IT & Cyber Security Industry for over 16 yrs, with Experience in Linux, Cisco and Windows Server Environments. He's great with communication and getting into security issues that matter.

Jay David Paul has an Experience in configuring, troubleshooting and optimizing Linux environments & Web Servers. He loves traveling, scenic tours and exploring the outdoors.

What Topics Interest You?