Attack Chain Overview | Image: Howler Cell
A Month-Long Supply Chain Operation Targets Crypto Users
A threat actor known as Leda Elacoate spent roughly a month building a trojanized software distribution operation, and the X-VPN DLL sideloading campaign turned out to be its biggest swing yet. According to Howler Cell Threat Research, the operation began with cryptocurrency trading tools and expanded into a VPN client used by over 100 million people worldwide.
From Crypto Wallets to a Massive VPN User Base
The campaign started in late January 2026 with trojanized installers for Binance, MEXC, Bybit, MetaTrader 5, and Exodus, all software likely to be running on machines with exchange credentials or wallet access. A renamed installer disguised as a Steam package followed, widening the net to non-crypto users. Then, on February 26, the actor swapped everything out for a single new package: X-VPN.
Every one of the 11 identified packages relies on the same delivery method. A malicious CRYPTBASE.dll gets sideloaded alongside the legitimate installer, kicking off what the report calls an identical multi-stage unpack chain that loads STX RAT in memory. Because the malware runs entirely in memory, it leaves few traces once the initial DLL has executed.
What STX RAT Actually Does
STX RAT is a remote access trojan with infostealer capabilities. Once active, it can harvest saved browser credentials, session tokens, and clipboard data, while giving an operator ongoing remote control of the infected machine. All communication happens over HTTPS, blending in with normal traffic.
The trojanized bundles were hosted in a Bitbucket repository, amos-trading/dist-internal, tied to an account using the email pufferfish11@firemail[.]cc. Commit logs show a clear progression, with each new package added roughly every few days before the entire crypto-focused lineup was deleted and replaced by X-VPN.zip in the final commit.
The X-VPN Pivot
X-VPN’s massive install base made it the standout target in this campaign. The bundle contained the malicious CRYPTBASE.dll alongside genuine X-VPN and WireGuard components, so the legitimate app worked normally while STX RAT loaded quietly in the background. The X-VPN DLL sideloading sample also showed a notable configuration change: its referrer value was set to a placeholder, “changeme,” which researchers say indicates parameters are injected prior to targeted delivery, a sign of a builder-based toolkit rather than fully custom code.
Infrastructure That Refused to Go Dark
All campaign waves trace back to a shared root domain, supp0v3[.]com. After the initial disclosure covering earlier packages like HWMonitor and CPUZ, the actor rotated the callback subdomain from helloworld to welcome and kept staging new releases. Researchers describe this as a deliberate, ongoing operation rather than an opportunistic upload.
Coordinated Disclosure and the Fix
Howler Cell notified X-VPN on May 18, 2026, and the vendor acknowledged within two business days. X-VPN shipped version 77.5.3 on May 28, adding stricter system DLL loading, startup hash verification, and hardened per-process load policies to close the CWE-427 vulnerability the attacker exploited. X-VPN’s official servers and accounts were never breached, and only users who downloaded the trojanized installer outside official channels are at risk.
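As an added defender-side example (not code from Howler Cell's report or from X-VPN), the Python scanner below applies two ideas from the text: it flags a copy of CRYPTBASE.dll that sits beside an installer outside the Windows system folders, the sideloading layout used by every package in the campaign, and it checks the file's SHA-256 against an allowlist, the hash-verification idea behind the fix. The folder names, installer name and DLL bytes are constructed, and the trusted-folder list and empty allowlist are assumptions to tune for your own estate.

```python
"""Scan a directory tree for a Windows system DLL planted beside an installer (CWE-427)."""
import hashlib
import os
import tempfile
from pathlib import Path
# Watched DLL names, lower-cased; only CRYPTBASE.dll is named on this page.
WATCHED_SYSTEM_DLLS = {"cryptbase.dll"}
# Path fragments where a copy of a system DLL is expected and is not a finding (assumption).
TRUSTED_DIR_FRAGMENTS = ("windows/system32", "windows/syswow64", "windows/winsxs")
# Constructed stand-in for a DLL's bytes (not a real binary and not a real IoC).
CONSTRUCTED_DLL_BYTES = b"MZ constructed sample for the scanner demo"
CONSTRUCTED_DLL_SHA256 = hashlib.sha256(CONSTRUCTED_DLL_BYTES).hexdigest()

def sha256_of(path):
    """Hash a file in chunks so large installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_sideload_candidates(root, known_good_hashes=frozenset()):
    """Return one finding per watched DLL found outside the trusted system folders."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lowered = {name.lower(): name for name in files}
        beside_exe = any(name.endswith(".exe") for name in lowered)
        for dll in WATCHED_SYSTEM_DLLS & lowered.keys():
            dll_path = Path(dirpath) / lowered[dll]
            if any(frag in dll_path.as_posix().lower() for frag in TRUSTED_DIR_FRAGMENTS):
                continue  # the genuine copy under System32 is not a finding
            digest = sha256_of(dll_path)
            findings.append({"path": str(dll_path), "beside_executable": beside_exe,
                             "sha256": digest, "hash_known_good": digest in known_good_hashes})
    return findings

def build_constructed_tree(base):
    """Lay out a fake bundle (installer + planted DLL) and a System32-like copy to ignore."""
    bundle, system32 = Path(base) / "trojanized_bundle", Path(base) / "Windows" / "System32"
    for folder in (bundle, system32):
        folder.mkdir(parents=True)
    (bundle / "Setup.exe").write_bytes(b"MZ constructed installer placeholder")
    (bundle / "CRYPTBASE.dll").write_bytes(CONSTRUCTED_DLL_BYTES)
    (system32 / "cryptbase.dll").write_bytes(CONSTRUCTED_DLL_BYTES)

def demo(known_good_hashes=frozenset()):
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return find_sideload_candidates(tmp, known_good_hashes)
```

Run against a real download folder, a hit with `beside_executable` true and `hash_known_good` false is exactly the layout worth quarantining and hashing against vendor-published values.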
For the full technical breakdown of the attack chain and configuration analysis, Howler Cell has published its complete research on the campaign. Windows users should update X-VPN to version 77.5.3 or later and avoid downloading installers from unofficial repositories.