SilentRoute Trojan: a Fake VPN Tool Hijacking Credentials Under the Radar

A Trusted Name Turned Trojan Horse

Another cybersecurity threat is making waves in the security landscape, and it's not the usual suspect. Dubbed SilentRoute, this Trojan malware has been discovered embedded in a fake version of SonicWall's widely used NetExtender VPN client. The attack targets users looking to download legitimate software, tricking them into installing a compromised version instead.

At its core, NetExtender is meant to securely connect remote users to corporate networks, allowing them to access files, internal applications, and other resources as though they were sitting at a desk in the office. However, when weaponized, as in the case of SilentRoute, this connectivity becomes a gateway for attackers to steal sensitive data right from the user's device. Needless to say, SonicWall is not associated with the proliferation of this malware.

SilentRoute's Method of Infiltration

The infected software, posing as version 10.3.2.27 of NetExtender, was discovered being served through a fraudulent website that has since been taken offline. What makes the ruse convincing is that the installer came digitally signed—apparently by a legitimate company named CITYLIGHT MEDIA PRIVATE LIMITED. This digital signature likely helped bypass user skepticism and security controls.

Microsoft, which partnered with SonicWall to investigate the campaign, identified the Trojan and tracked its distribution. The attackers appear to have employed familiar but effective methods to lure victims—using tactics like search engine optimization (SEO) poisoning, spear-phishing, and even malvertising to spread the counterfeit software. Users searching for NetExtender online may have unknowingly ended up on the malicious site, downloaded the fake client, and exposed their credentials in the process.

How SilentRoute Works Behind the Scenes

Once installed, the malicious version of NetExtender behaves deceptively like the real application. But under the hood, two of its main components—NeService.exe and NetExtender.exe—have been modified to send configuration data to an attacker-controlled server. This data includes login credentials such as usernames, passwords, domain names, and other configuration information critical for VPN access.

The malware does this by hijacking the connection process. When users input their VPN credentials and press "Connect," the malicious code intercepts the information and transmits it to a remote server over port 8080, using the IP address 132.196.198.163. Notably, the malware also bypasses typical certificate checks, ensuring the tampered files don't raise immediate red flags.

What This Means for Users and Organizations

The implications of this campaign go beyond individual credential theft. Because VPNs are often the first line of access into a secure corporate network, compromised credentials could grant attackers significant privileges, enabling lateral movement, data exfiltration, and long-term surveillance. For organizations relying on remote work infrastructure, SilentRoute poses a serious risk to internal systems and sensitive data.

Moreover, the deceptive use of digital signatures further complicates the detection process. By signing the malware with what appears to be a valid certificate, the attackers are sidestepping many conventional antivirus and endpoint protection tools, especially those that rely on signature-based detection.
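To make the two behaviours described above concrete from a defender's side (the NetExtender processes reaching an attacker host on port 8080, and a "valid" signature from a publisher that is not the vendor), here is an added Python detection sketch. It is not code from SonicWall, Microsoft or the article. It runs two checks over Sysmon-style network-connection records and a signer inventory of the kind PowerShell's Get-AuthenticodeSignature can export. The destination 132.196.198.163:8080 and the signer name CITYLIGHT MEDIA PRIVATE LIMITED are the indicators given in the article; the expected publisher string, the gateway address 203.0.113.10, the internal address ranges, the file paths and every sample record are constructed assumptions for this example.

```python
"""Detection sketch for the SilentRoute behaviour described in the article.

Added example, not code from SonicWall, Microsoft, G DATA or the article.
Two signals are checked over Sysmon-style records (constructed sample below):
  * any process contacting the attacker host named in the article
    (132.196.198.163 on port 8080), and NetExtender.exe / NeService.exe
    reaching anything other than the corporate VPN gateway or internal ranges;
  * NetExtender binaries whose Authenticode signer is not the vendor
    (the fake build was signed by "CITYLIGHT MEDIA PRIVATE LIMITED").
EXPECTED_PUBLISHER, CORP_VPN_GATEWAYS, INTERNAL_NETS, the file paths and all
sample records are assumptions made for this example.
"""
import ipaddress
import json
from pathlib import PureWindowsPath

# Indicators stated in the article.
NETEXTENDER_IMAGES = {"netextender.exe", "neservice.exe"}
KNOWN_C2 = {("132.196.198.163", 8080)}

# Assumptions for the example: the substring a genuine vendor signer subject
# should contain, the organisation's real VPN gateway (TEST-NET-3 placeholder),
# and the RFC 1918 ranges a VPN client may legitimately talk to.
EXPECTED_PUBLISHER = "sonicwall"
CORP_VPN_GATEWAYS = {"203.0.113.10"}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path):
    """Lower-cased file name of a Windows path, so rules match any install dir."""
    return PureWindowsPath(path).name.lower()


def check_network_event(ev):
    """Sysmon Event ID 3 style record (Image, DestinationIp, DestinationPort).

    Any process contacting the known C2 is flagged; beyond that, only the
    NetExtender processes are held to the 'gateway or internal only' policy.
    """
    image = _basename(ev["Image"])
    ip_str, port = ev["DestinationIp"], int(ev["DestinationPort"])
    dest = "%s:%d" % (ip_str, port)
    if (ip_str, port) in KNOWN_C2:
        return {"rule": "known_c2", "severity": "high", "image": image, "dest": dest}
    if image in NETEXTENDER_IMAGES:
        ip = ipaddress.ip_address(ip_str)
        internal = any(ip in net for net in INTERNAL_NETS)
        if ip_str not in CORP_VPN_GATEWAYS and not internal:
            return {"rule": "unexpected_destination", "severity": "medium",
                    "image": image, "dest": dest}
    return None


def check_signer_record(rec):
    """Signer inventory record (Path, Status, SignerSubject), e.g. exported from
    PowerShell's Get-AuthenticodeSignature. A *valid* signature is not enough:
    the subject must name the expected publisher."""
    image = _basename(rec["Path"])
    if image not in NETEXTENDER_IMAGES:
        return None
    subject = rec.get("SignerSubject", "")
    if rec.get("Status") != "Valid" or EXPECTED_PUBLISHER not in subject.lower():
        return {"rule": "unexpected_signer", "severity": "high", "image": image,
                "status": rec.get("Status"), "signer": subject}
    return None


def scan(events):
    """Run both checks over a list of records; findings come back in input order."""
    findings = []
    for ev in events:
        if ev.get("type") == "netconn":
            finding = check_network_event(ev)
        elif ev.get("type") == "signer":
            finding = check_signer_record(ev)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


def load_events(text):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample log (JSON lines). Paths, the gateway/internal addresses and
# the signer subjects are made up; only the C2 address and the CITYLIGHT MEDIA
# name come from the article.
SAMPLE_LOG = r"""
{"type": "netconn", "Image": "C:\\Program Files\\SonicWall\\NetExtender\\NetExtender.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"type": "netconn", "Image": "C:\\Program Files\\SonicWall\\NetExtender\\NeService.exe", "DestinationIp": "132.196.198.163", "DestinationPort": 8080}
{"type": "netconn", "Image": "C:\\Program Files\\SonicWall\\NetExtender\\NetExtender.exe", "DestinationIp": "10.20.30.40", "DestinationPort": 445}
{"type": "netconn", "Image": "C:\\Program Files\\SonicWall\\NetExtender\\NetExtender.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 8080}
{"type": "netconn", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "132.196.198.163", "DestinationPort": 8080}
{"type": "signer", "Path": "C:\\Program Files\\SonicWall\\NetExtender\\NetExtender.exe", "Status": "Valid", "SignerSubject": "CN=SonicWall Inc., O=SonicWall Inc."}
{"type": "signer", "Path": "C:\\Users\\alice\\Downloads\\NetExtender.exe", "Status": "Valid", "SignerSubject": "CN=CITYLIGHT MEDIA PRIVATE LIMITED, O=CITYLIGHT MEDIA PRIVATE LIMITED"}
"""
SAMPLE_EVENTS = load_events(SAMPLE_LOG)

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The point of the second check is the one the paragraph above makes: the fake installer carried a signature that verified fine, so a rule that stops at "Status == Valid" sees nothing. Pinning the signer subject (or, better, the certificate thumbprint) for a small set of security-critical binaries is cheap and catches a re-signed build regardless of where it was downloaded from.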

The Broader Threat Landscape: EvilConwi and Related Campaigns

SilentRoute is not an isolated incident. Around the same time, German cybersecurity firm G DATA reported on a related threat cluster dubbed EvilConwi, where attackers similarly manipulated trusted tools, in this case ConnectWise installers, to deploy malware. These campaigns leverage "Authenticode stuffing," a technique that places malicious data in a region of a signed file that the signature's hash does not cover, so the file's digital signature still verifies as valid.

Infections in EvilConwi's case often start with phishing emails linking to a Canva page, which then downloads a tampered ConnectWise installer. From there, attackers deploy fake Windows update screens to keep victims from shutting down their systems while remote access is quietly established in the background.

This broader trend highlights a growing tactic among threat actors: leveraging the legitimacy of well-known software to cloak their operations, making their activities harder to detect and easier to trust.

Staying Ahead of the Threat

The SilentRoute campaign underscores the importance of vigilance when downloading software, especially tools related to security and remote access. Users and administrators should always verify the source of downloads, ideally obtaining them directly from official vendor websites rather than relying on search engine results.

For organizations, this is also a wake-up call to bolster endpoint monitoring, implement certificate pinning where possible, and consider behavioral-based detection mechanisms that can flag unusual network activity or file modifications.

As attackers become more adept at masking their intent through trusted channels, cybersecurity defenses must evolve in parallel. The SilentRoute Trojan serves as a timely reminder that trust—especially in software—must constantly be verified, not assumed.

June 26, 2025