Private cyber security company Bitdefender has revealed information about an Iranian spyware that steals people’s sensitive information using VPN software.
A Romanian company has published a report on efforts by the Iranian regime to spoof information about people using virtual private networks (or VPNs) to circumvent the government’s strict restrictions on internet access.
Iran has censored internet content for more than two decades, but in the past four months, amid anti-government protests, the government has periodically shut down access and blocked popular apps such as Instagram and WhatsApp.
While most people around the world take Internet access for granted, users in Iran have to try dozens of apps and VPNs before finding a way to bypass ISP restrictions. And while some VPNs are fake or blocked, there are others that are deliberately linked to malware, such as 20Speed VPN. This spyware enters the victim’s computer when the user installs the filter cracking file.
Since 2020, when people have started working remotely from home, it has become a challenge for businesses to monitor the activities and productivity of their employees. The solution comes in the form of monitoring software. One company that offers such services is SecondEye, with many features including but not limited to screen recording, keyboard input, and live screen viewing. The monitoring application was developed in Iran and distributed legally through the developer’s website.
At the beginning of the year, Blackpoint Cyber:, which specializes in stopping cyberthreats, detected and responded to two identical suspicious File Transfer Protocol (FTP) events linked to a server in Iran within two months. This server has been determined to be owned by SecondEye.
Researchers from Bitdefender as well as Blackpoint have discovered a malware campaign that uses components and infrastructure from the SecondEye suite, a legitimate monitoring program, to spy on users of the Iran-based VPN service 20Speed, but via Trojan-like installers. VPN software that has installed spyware components along with the VPN product. The software, along with other EyeSpy products, has the ability to completely compromise online privacy through keylogging and theft of sensitive information such as documents, images, crypto wallets, and passwords.
Screenshot from the home page of 20Speed VPN, a spyware as a normal VPN that enters the victim’s computer and steals their sensitive information.
The campaign began in May 2022, but detections peaked in August and September as Iranians rushed to use VPNs to circumvent government restrictions. Most of the newly identified cases originate from Iran, with a smaller number of victims in Germany and the United States.
20Speed’s website is one of the most popular websites where Iranians buy their VPN subscriptions. The site has been operating among Iranian users for about seven years. But if its VPN is loaded with malware and collects personal information, the company can’t protect it from Iran’s intelligence services, which can simply request and gain access.
According to Similarweb, a US company that reviews and analyzes website statistics around the world and provides behind-the-scenes analysis of every site online, 20Speed’s main site had nearly one million hits in three months. In December 2022, most from Iran. Moreover, the Android version of this VPN, which is also available on the Google Play Store, has more than 100,000 active installations.
In early January, the Islamic Republic decided to crack down on sellers of VPNs and circumvention software as a measure further restrict access to the Internet. The Department of Justice, in cooperation with the Ministry of Communications, will take legal action against “unauthorized vendors of VPNs and circumvention tools,” local media reported. This is a way to push real VPNs against software that the government can monitor.
Almost all companies selling VPN services in Iran are affiliated with the government or government organizations. Many of these companies have sharply raised their fees over the past three months as Iranians rushed to buy them to access the Internet. Many Iranians are unable to afford the higher prices of VPNs as the cost of food and other necessities has skyrocketed.
In the long term, if this trend continues, it is possible that low-income people will gradually lose their access to the global Internet, as has happened in China and these days in Russia. The security of such services is another issue, as the Islamic Republic can easily obtain any data accessed by users through VPNs.
Amid heightened restrictions on internet access, the use of VPNs by Iranians increased by more than 3,000 percent in September after the assassination of Mahsa Amin.
“Daily demand VPN services in Iran have grown by over 3000% compared to before the protests,” Simon Migliano, head of research at Top10VPN, told Axios, adding that “this is a massive increase given that demand was already healthy before the social media blackout.”