Adware bundles are installing a VPN software called Pirate Chick, which then connects to a remote server to download and install malicious payloads such the AZORult password-stealing Trojan. A hidden malicious payload When you execute the installer for the Pirate Chick VPN, it will download and install a payload to the %Temp% folder and execute it. When first executed, the installer will combine a series of strings into process names, such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker. It will then check your list of running processes and if one of the processes is detected, it will skip the installation of the malware payload. Pirate Chick Install After installing the VPN, the user will be shown a splash screen asking them to signup. Pirate Chick VPN Signup Currently, this signup screen is broken, but shows how the Trojan was pretending to be a VPN program, while install a malicious payload.