ExpressVPN "normal behaviour" is to make DNS requests to malicious sites

Recently, my PC was flagged by the IT firewall of one of my clients. They reported connections to a malicious address: p8464oxs com, which had been flagged as a threat.

To be sure, I reformatted my PC and installed Portmaster to monitor network activity. What I discovered was alarming: all these connections were DNS requests made by the ExpressVPN app while in standby.

I contacted ExpressVPN’s support team, and their response was even more surprising—they said this is “normal behaviour”.

This is a heads-up for anyone using ExpressVPN on work devices. It seems their app might trigger red flags on IT systems due to these kinds of DNS requests. Be cautious!

Express has gone to crap. I switched to Proton. Speed maybe not quite as high, but I got a year for $35 on BF, and I generally trust the company more.

So when you toggled the option off, was there a change?

Oh, and what did support say after you asked if the website was malicious?

Thanks for flagging this. We’d like to clarify that this isn’t a malicious domain—it is one of ours that has been mistakenly flagged as malicious. We’re looking into why this has happened.

To add to what our Support Team mentioned, these random-looking domains are part of our system that ensures the app has the latest servers to connect to. This is sometimes triggered on corporate networks if those networks block our normal domains.

p8464oxs com

That domain name is listed on VirusTotal as:

Criminal IP: Phishing

Did you notice a real speed difference? Considering the same move as you did, and speed may be a concern.

Where can you see this?
I’ve tried VT and it doesn’t give me any results: https://www.virustotal.com/gui/search/http%253A%252F%252Fp8464oxs%2520com

It’s maybe a bit slower, but not appreciably so.

Thx, appreciate the reply! 👍