Skip to content
Join Censys for a Threat Hunting Workshop & Happy Hour! | April 17 at City Winery in Philadelphia | Register Now
Blogs

SoftEther VPN: Identifying VPN Software Across the Internet

Executive Summary

SoftEther VPN is a free, open-source VPN client created by researchers in Japan and used for commercial and non-commercial use. The United States, Japan, and China are the top three countries where Censys observed the highest number of SoftEther hosts. Censys also found that four of the top ten autonomous systems where SoftEther was found are China-based organizations.

From 2019 to February 2023, several threat groups, including APT 41, Gallium, Venomous Bear, and Hydrochasma, have used SoftEther VPN software to maintain persistent access in their victims’ environments. These threat actors install SoftEther VPN on a victim’s host and configure it to connect to the threat actor’s infrastructure. This enables them to create and maintain a foothold in the victim’s network and facilitate follow-on actions (1,2,3,4).

Additionally, the FBI has stated that APT 41, a Chinese-based threat group, has specifically exploited vulnerabilities in the SoftEther VPN software to deploy the “Skeleton Key” malware to create a master password that allows them access to any account on the victim’s domain (5).

Findings

Between 20-21 March 2023, Censys discovered over 148,000 SoftEther VPN servers globally; of those, around 32,000 also run IKE (Internet Exchange Key), a commonly observed VPN protocol, and upwards of 36,000 are running the SSH protocol, which can be used and abused by attackers for remote administration.

Censys found that nearly 13% of the SoftEther VPN servers Censys identified worldwide (via HTTP HTML titles, and SoftEther-specific Jarm fingerprints) were located in the United States, closely followed by Japan with 8% and China immediately following with 7%.

Heatmap of all SoftEther VPN servers 

At the time of writing, the following are the top ten countries where Censys could observe SoftEther VPN hosts, along with a short detailed breakdown of these servers in the United States.

The following statistics depict the top-ten Autonomous Systems (based on BGP routing) that are announcing IP addresses that host SoftEther VPN servers. Four of the autonomous systems Censys found in the top ten are China-based organizations.

Censys also looked at the three Chinese-owned Autonomous Systems from the above listing (TENCENT-NET-AP-CN, CHINANET-BACKBONE, TENCENT-NET-AP, and ALIBABA-CN-NET) and broke out the IP addresses being announced inside of the United States and found 1, 154 hosts running SoftEther VPN servers. California has the most China-announced US hosts, with 1,143 (99.05% of the total), while Virginia had only 11 hosts (0.95%).

The following statistics cover the number of hosts by top ten countries based on the following Censys syntax searches:

 

In addition to the above data, Censys identified “SoftEther” within a number of certificates presented on a total of 606 hosts globally.

About the Author

Nick Hogan
Technical Security Analyst
Nick Hogan is a Technical Security Analyst at Censys. Nick served over 11 years in the United States Army Reserve as an Intelligence Officer working across multiple Combatant Commands as well as a Strategic Intelligence Analyst with various federal agencies. Nick has extensive experience in national security covering state and non-state actors, specializes in technical and non-technical threats, and holds a number of professional security certifications.

Similar Content

Back to Resources Hub
Attack Surface Management Solutions
Learn more