New Data-Stealing Malware Detected on DrayTek VPN Business Routers

You don't want to be compromised, and if your business uses DrayTek Vigor router models 2960 and 3900, you may be at risk.

Another VPN has been hacked: This time, DrayTek Vigor router models 2960 and 3900 have been compromised.

The threat actors behind the campaign, which has been dubbed “Hiatus,” have operated since July 2022, successfully getting away with system and networking data that could set them up well for further data breaches.

At least a hundred businesses have been hacked through the campaign, and it’s global as well, with hacked businesses operating out of Europe, North America, and South America. Here’s what to know.

The DrayTek VPN Hack

The news comes from Lumen’s Black Lotus Labs, which released a blog post explaining what they know about how the hack works.

DrayTek Vigor devices help small businesses get remote connectivity to corporate networks, making them a great target for a hacker out to swipe data. Sadly, Black Lotus Labs couldn’t figure out the initial entry point the bad actors used to get into the DrayTek routers. Once in, they deploy a bash script that downloads a malicious program.

The malware, HiatusRAT, does a few different tasks: It downloads further payloads, it runs commands on the compromised device, and it eventually turns the entire device into its own SOCKS5 proxy to gain control over server traffic. It then sucks up a ton of data, including:

  • System-level Information: MAC address, Kernel version, Architecture, and Firmware release version
  • Networking Information: ifconfig command outputs and ARP cache, including the local IP addresses
  • File System Information: Mount point names, directory-level path locations, and the file system type
  • Process List: The process name, ID, UID, and arguments

It’s a lot. You don’t want to be compromised, but if your business uses DrayTek Vigor router models 2960 and 3900, you may be at risk.
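For defenders, the SOCKS5 proxy behavior described above can be spotted in captured traffic, because the SOCKS5 negotiation has a fixed wire format (RFC 1928). The following is an added example, not code from Black Lotus Labs or DrayTek; the flow tuple layout, the router address set, and all sample bytes are constructed assumptions, and the report's own indicators are not reproduced here.

```python
import ipaddress

def parse_greeting(buf):
    """Client greeting: VER=5, NMETHODS, METHODS. Returns (methods, length) or None."""
    if len(buf) < 3 or buf[0] != 5 or buf[1] == 0 or len(buf) < 2 + buf[1]:
        return None
    return list(buf[2:2 + buf[1]]), 2 + buf[1]

def parse_request(buf):
    """Client request: VER=5, CMD, RSV=0, ATYP, DST.ADDR, DST.PORT -> (cmd, host, port)."""
    if len(buf) < 5 or buf[0] != 5 or buf[1] not in (1, 2, 3) or buf[2] != 0:
        return None
    atyp = buf[3]
    end = {1: 8, 3: 5 + buf[4], 4: 20}.get(atyp)  # offset where DST.PORT starts
    if end is None or len(buf) < end + 2:
        return None
    if atyp == 3:
        host = buf[5:end].decode("ascii", "replace")  # length-prefixed domain name
    else:
        host = str(ipaddress.ip_address(buf[4:end]))  # 4-byte IPv4 or 16-byte IPv6
    return buf[1], host, int.from_bytes(buf[end:end + 2], "big")

def classify_flow(client_bytes, server_bytes):
    """Return details if the flow opens with a completed SOCKS5 negotiation, else None."""
    greeting = parse_greeting(client_bytes)
    if greeting is None or len(server_bytes) < 2 or server_bytes[0] != 5:
        return None
    methods, used = greeting
    if server_bytes[1] not in methods:  # 0xFF means the server refused every method
        return None
    # With username/password auth a sub-negotiation precedes the request, so it stays None.
    return {"method": server_bytes[1], "request": parse_request(client_bytes[used:])}

def proxied_through_router(flows, router_addrs):
    """List (src, dst_port, request) for SOCKS5 flows terminating on a router address."""
    hits = []
    for src, dst, dport, c2s, s2c in flows:
        info = classify_flow(c2s, s2c) if dst in router_addrs else None
        if info:
            hits.append((src, dport, info["request"]))
    return hits

# Constructed sample data (documentation address ranges), not indicators from the report.
ROUTER_ADDRS = {"203.0.113.10"}
FLOWS = [  # (src, dst, dst_port, first client bytes, first server bytes)
    ("198.51.100.7", "203.0.113.10", 8443,
     b"\x05\x01\x00" + b"\x05\x01\x00\x03\x0bexample.com\x01\xbb", b"\x05\x00"),
    ("198.51.100.8", "203.0.113.10", 443, b"\x16\x03\x01\x02\x00", b"\x16\x03\x03"),
    ("10.0.0.5", "192.0.2.50", 1080, b"\x05\x01\x00", b"\x05\x00"),
]
```

A router that only terminates VPN and management sessions has no reason to answer a SOCKS5 greeting on any port, so a hit against a router address is worth investigating regardless of the port it appears on.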

Which VPNs Are Safest?

The 2022 VPN Risk Report, out last year from Cybersecurity Insiders and Zscaler, found that 44% of cybersecurity professionals had seen an “increase in exploits targeting their VPNs.”

The personal sector isn’t doing much better. One other survey covering more than 2,000 internet users determined that 80% of global VPN users are considering switching to free versions, a switch that could leave them at even greater risk.

At, our research team has combed through the best VPNs on the market, with an eye to the most secure options. In the end, we have a handful of tips: Don’t go for a free option, make sure the VPN comes with a kill switch, and always check the terms and conditions.

Once you’ve committed that advice to heart, check out our list of the safest VPNs available today, from Surfshark to NordVPN. Not on the list? Anything related to DrayTek.

Written by:
Adam is a writer at and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.