Malicious actors have been leveraging trojanized VPN installers to facilitate the distribution of EyeSpy spyware since May, The Hacker News reports. Iran was the source of most EyeSpy infections, which were also observed to originate in Europe and the U.S., according to a report from Bitdefender. EyeSpy was found to feature the components of the monitoring app SecondEye to compromise users of Iran-based VPN service 20Speed VPN. Attacks commence with the download of a malicious executable from the VPN service's website, which then stealthily triggers other malicious activities for persistence and next-stage payload downloads in a bid to exfiltrate personal data in compromised computers. "EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto wallets, and passwords. This can lead to complete account takeovers, identity theft, and financial loss," said Bitdefender researcher Janos Gergo Szeles. There has been no sufficient evidence to link the latest EyeSpy activity with the previous use of SecondEye in a campaign reported by Blackpoint Cyber in August.