Cybercriminals recently set up impostor websites for the NordVPN virtual private network service and two office software products, in an attempt to infect visitors with the Win32.Bolij.2 banking trojan, according to researchers.

Launched on Aug. 8, the fake NordVPN site, nord-vpn[.]club, has already drawn thousands of visitors so far this month, Dr.Web reports in an Aug. 19 company blog post. The site is very realistic, featuring the same over design, color schemes and fonts as the true site, nordvpn.com. And it even has a valid SSL certificate.

The fraudulent site attempts to coax visitors into downloading a program that comes bundled with Bolij2. Dr.Web researchers describe the trojan as an upgraded version of Win32.Bolik.1, noting it “has qualities of a multicomponent polymorphic file virus” and is “capable of performing web injections, traffic intercepts, keylogging and stealing information from different bank-client systems.”

The attackers launched a similar plot last June when it copied the websites of Invoice 360 Enterprise and Crystal Office Systems, both of which make business/office applications. Dr.Web says this particular scheme delivered not only Bolij.2, but also Trojan.PWS.ZStealer.26645, otherwise known as the Predator the Thief information stealer.

Last April, Dr.Web reported that the same cybercriminal group compromised the website of video editing software VDSC and used its links to distribute Bolij.2 and KPOT Stealer malware. In these more recent campaigns, however, no website compromise was necessary, as the attackers simply created their own fake sites instead.