Be careful if you are about to download ProtonVPN software. There is a fake version of the popular VPN client that infects computers with malware designed to steal your passwords and any bitcoins you have on hand.

Kaspersky researchers reported yesterday (February 18) that Russian fraudsters have copied the real ProtonVPN site at protonvpn.com and posted a complete replica on protonvpn-dot-store. The scammers lured victims to the fake ProtonVPN site by placing malicious banner ads on other websites.

However, clicking on the big green "Get ProtonVPN Now" button in the middle of the page would download something that looked like a ProtonVPN installer but was actually an AZORult Trojan horse, a notorious information thief.

"Threat actors can steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, locally installed browser information (cookies WinSCP, Pidgin messenger, etc.)," wrote Kaspersky's Dmitry Bestuzhev, "We designed the malware to steal authentication information.

A few months ago, Bleeping Computer recalled that another (or perhaps the same) gang cloned the NordVPN website and forced people to download the Bolik banking-type Trojan.

In this case, the tainted NordVPN software actually worked. In yesterday's report, Kaspersky did not indicate whether the fake ProtonVPN installer worked as well.

The fake ProtonVPN site is still up and running, but the big green button now directs users to a random Twitter post extolling ProtonVPN's virtues.