article featured image


The VPN market has grown considerably in the last few years due to the increasing popularity of VPN technologies. However, corrupted VPN installers have been used by threat actors to deliver a piece of spyware called EyeSpy, as part of a malware campaign that started in May 2022.

Cybersecurity researchers have discovered the components are part of a monitoring application called SecondEye, developed in Iran and distributed legitimately via the developer’s website. However, the components were delivered through trojanized installers of VPN software, that dropped the spyware along with the VPN product.

More about SecondEye

According to The Hacker News, SecondEye offers wide range of features that allow taking screenshots, microphone recording, log keystrokes, as well as gather files and saved passwords from web browsers, and remotely control the machines to run arbitrary commands.

SecondEye was first mentioned in August 2022, when Blackpoint Cyber revealed the use of its spyware modules and infrastructure for data and payload storage by unknown threat actors. The mechanism used to gain access in the first place in these incidents is yet unknown. Even though the spyware components used in both sets of activities are similar, there isn`t sufficient evidence to link them together.

The latest attack chain begins when an unsuspecting user downloads a malicious executable from 20Speed VPN (an Iranian VPN service) website. By using trojanized installers, attackers can spy on users of 20Speed VPN, using SecondEye components.

EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto wallets, and passwords. This can lead to complete account takeovers, identity theft and financial loss.


Infections are reported to have mostly originated from the Iranian region, with small detections in Germany and the U.S.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *