GoodPersonRAT Abuses Fake LetsVPN Installer for Stealthy System Compromise
A malicious installer for the LetsVPN service is distributing GoodPersonRAT, a stealthy remote access trojan designed to grant attackers full control over infected systems.

A sophisticated campaign is leveraging a fake installer for the popular Chinese VPN service, LetsVPN, to distribute a potent remote access trojan (RAT) known as GoodPersonRAT. This malicious MSI package is designed to appear legitimate by bundling the actual, signed LetsVPN installer alongside the hidden malware. Once executed, the installer silently deploys GoodPersonRAT, which operates primarily in memory to evade detection by security software, before allowing the legitimate VPN to install normally. This tactic exploits user trust in censorship-circumventing tools to bypass initial scrutiny.
Researchers at ThreatLocker first identified this campaign, noting that the malicious MSI file, named Kuailianwin-setup.86.msi, contains three distinct components. The first is the legitimate LetsVPN installer. The second component acts as a loader, reserving memory and decrypting a third component – an encrypted shellcode payload. This shellcode then decrypts and loads the main GoodPersonRAT client directly into memory, a technique that significantly hinders traditional file-based antivirus detection.
Upon successful deployment, GoodPersonRAT provides attackers with extensive control over the compromised system. Its capabilities include logging keystrokes, capturing screenshots, exfiltrating files, and rerouting network traffic through a hidden proxy. The malware maintains a persistent, open communication channel with its command-and-control (C2) servers, allowing for near real-time command execution by the attacker.
The RAT exhibits specific targeting, notably focusing on Telegram Desktop. It attempts to steal session data and reroute the application's traffic through an attacker-controlled server, while also patching the application to prevent any user-facing warnings. This targeted approach suggests a focus on espionage and communication interception.
To further evade detection, GoodPersonRAT actively probes for and attempts to disable security defenses. On systems running Microsoft Defender, it has been observed creating exclusions to prevent its own files from being scanned and disabling automatic sample submission. Persistence is established through the creation of a background service and a scheduled task designed to run at system startup, ensuring the infection survives reboots.
The malware's modular design also allows for self-updating. Attackers can push new versions of the core RAT code from the C2 server, enabling them to introduce new features or patch vulnerabilities in their own malware. The C2 infrastructure is diverse, with multiple server addresses and domains, some of which translate from Chinese to phrases like "you are a good person," a detail that inspired the malware's name.
While the bundled VPN software is legitimate and signed, the outer installer file itself is unsigned and thus suspicious. Users are advised to verify the digital signature of any downloaded setup files, especially for tools used to bypass internet censorship. This campaign highlights the evolving tactics of threat actors who exploit user reliance on essential tools for covert malicious operations.