"EasyAsVPN" SCAM

Popup - https://easyasvpn.com/free-vpn-windows/?cep=sJ2Vqr-IZEwU7XgoCRDAHXBzilmentzd0gPnSkvSqMUb83BZyTvamGcxNQxryPR_jDKoLxZvj_AZvqRsT_3vb6rVEq76XhrQreqslg_XVnOxoBZc1njs2xTZ2tqqLf8jKVU0Xff4QfuZVSaOtgCTlZgRMbdYwkuwh0UJFXFM1A6n0tk75X0aQ8bz2lD862QXhUc6nxEaQxBsnZ61RxZ5p2Bv-n5bQn0F9jaeCuR5LmyRZDjvqK4MWWDIoW8Ed2fcJ-2GgaJ5d-Y59fgXTcGpzhqPzAmJyapuPGfve-xjWKqxdzhUc9N34FaqTDRluFKm8MVdRxkzqUo4LNFenuHu5002lCIT9U5y1uLiEDU4HZOurDuZv-xKy9Q_n9w109VAhOkti0HQbuFU_MRqrOVAx6Eqpkq99xJf27VBaeJfvPm2nqE3lDP5JtUdefkhzezQdGq6D-sBnTed4D5B11GRBqz7uBHvg1K4a8T7_jW5a7TX0zyrr2ppoz2x575saajx1G-sPseoRU6Mr0V52OGxuxf-AErAMf8x4vMq2Bo-8IfKorhSZCNz_Ck09Ud0DPoH&lptoken=165127436676226c87a3&websiteid=4479617&quality=5&categoryid=4&country=US&formfactorname=Desktop%2FNotebook&campaignid=7275032&campaignname=US+VPN&screenresolution=1366x768&bid=0.0065&impressionid=1473231511

A WhoIs lookup reveals the domain was registered via NameCheap on April 3, 2019 (updated March 16, 2021) - Whois easyasvpn.com

VirusTotal - VirusTotal

The program contains the Tool.Nssm.5 riskware, which allows executables to run as services on Windows operating systems. While used by legitimate software, it is also used for malicious purposes such as crypto-mining.


First of all, just to make sure people know, a VPN service using nssm is not suspicious at all. VPNs often have to run other services in the background and nssm lets them do that. That said, there are plenty of other clues that this is malicious, but nssm is not one of them.

The actual download link is hosted on turninted-suradios.icu, which was registered by Key-Systems LLC and they used whoisproxy.com. The application itself also references monetizemyapp.net inside app-update.yml, which is also hosted by NameCheap but they used a different whois proxy, WithheldForPrivacy.

Both easyasvpn.com and turninted-suradios.icu use Cloudflare.

I’m working on compiling a report on this that I can send to Cloudflare, NameCheap, Key-Systems, WithheldForPrivacy, and whoisproxy.com. Did you send any reports yet?

As for evidence, I have so far that it:

  • Implements anti-virtualization techniques (these are specific to VirtualBox, I’m not going to explain them in detail here)
  • Uses some almost certainly evil Windows API calls
  • I’m not entirely sure about this one, but they appear to be using a patched version of OpenVPN (they also use OpenVPN but I can’t find a *.ovpn file, which is weird)

Not evidence, but definitely suspicious:

  • Aggressively obfuscated JavaScript (I haven’t reversed it yet)
  • Sketchy website

Hopefully this is enough to convince Cloudflare et al. If you have any other evidence it would be great if you could post it here (don’t go into too much detail, of course).

Thanks!

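Two of the indicators in this thread can be pulled out mechanically when triaging a sample like this: the update host an Electron app declares in its app-update.yml (the post above found monetizemyapp.net there), and Windows services that are really an nssm wrapper around some other binary (the first post's Tool.Nssm.5 hit). The script below is an added example and is not code from the thread or from the application being discussed. The app-update.yml text and the service records are constructed for illustration; the domains easyasvpn.com and monetizemyapp.net are the ones the thread names, while the file paths, the service name EasyAsVPN-Helper and helper.exe are hypothetical. It assumes electron-builder's flat key: value app-update.yml layout and nssm's documented habit of storing the wrapped program under the service's Parameters\Application registry value while ImagePath points at nssm.exe itself.

```python
"""Triage helpers for two indicators from the thread above (added example).

1. Where does the Electron app fetch updates from, and is that host the
   vendor's own domain?
2. Which installed services are nssm wrappers, and what do they wrap?

Sample inputs are constructed; only the domains come from the thread.
"""
from urllib.parse import urlsplit

# Constructed app-update.yml in electron-builder's flat key: value layout.
SAMPLE_APP_UPDATE_YML = """\
provider: generic
url: http://monetizemyapp.net/updates/
channel: latest
updaterCacheDirName: easyasvpn-updater
"""

# Constructed service records in the shape you would get from reading
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (ImagePath) and its
# Parameters\Application value, which is where nssm keeps the wrapped program.
# All paths and the EasyAsVPN-Helper service are hypothetical.
SAMPLE_SERVICES = [
    {"name": "Dhcp",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "Application": None},
    {"name": "EasyAsVPN-Helper",
     "ImagePath": r'"C:\Program Files\EasyAsVPN\resources\nssm.exe"',
     "Application": r"C:\Program Files\EasyAsVPN\resources\helper.exe"},
    {"name": "OpenVPNService",
     "ImagePath": r'"C:\Program Files\OpenVPN\bin\openvpnserv.exe"',
     "Application": None},
]


def parse_flat_yaml(text):
    """Parse a flat 'key: value' YAML document (enough for app-update.yml).

    Comments and blank lines are skipped; surrounding quotes are stripped.
    Deliberately not a full YAML parser, so it needs no third-party module.
    """
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        out[key.strip()] = value.strip().strip("'\"")
    return out


def check_update_config(yml_text, vendor_domain):
    """Return the update host plus findings worth putting in an abuse report.

    vendor_domain is the domain the installer was branded as / downloaded from.
    """
    cfg = parse_flat_yaml(yml_text)
    url = cfg.get("url", "")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if cfg.get("provider") == "generic" and not url:
        findings.append("generic provider with no url")
    if parts.scheme and parts.scheme != "https":
        findings.append(f"update channel is {parts.scheme}, not https")
    if host and not (host == vendor_domain or host.endswith("." + vendor_domain)):
        findings.append(f"updates served from third-party host {host}")
    return {"host": host, "findings": findings}


def find_nssm_services(services):
    """Flag services whose ImagePath launches nssm.exe and report what they wrap.

    Matches on the binary name only, so a renamed nssm build would be missed;
    cross-check with a hash of the ImagePath binary when that matters.
    """
    hits = []
    for svc in services:
        image = svc["ImagePath"].strip('"').split('"')[0].lower()
        exe = image.replace("/", "\\").split("\\")[-1].split()[0]
        if exe != "nssm.exe":
            continue
        hits.append({"service": svc["name"],
                     "wrapped": svc.get("Application") or "<no Parameters\\Application>"})
    return hits


if __name__ == "__main__":
    report = check_update_config(SAMPLE_APP_UPDATE_YML, "easyasvpn.com")
    print("update host:", report["host"])
    for f in report["findings"]:
        print("  -", f)
    for h in find_nssm_services(SAMPLE_SERVICES):
        print(f"nssm-wrapped service {h['service']} runs {h['wrapped']}")
```

On a real sample, feed `check_update_config` the app-update.yml extracted from the app's resources directory and `find_nssm_services` the service entries exported from the registry; the wrapped binary reported for an nssm service is the file to hash and submit, since the service's ImagePath itself is just nssm.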

UPDATE: I’ve reported them to all the parties I mentioned above, and gave them detailed information on the points I already outlined and a few other indicators that I just found. Hopefully this gets taken down soon, and thanks so much for posting this :)
