The title also doesn’t state that VPNs need closing. They are talking about VPNs being a loophole to the “age” verification that needs closing. For anyone being even a little bit tech savvy, it was crystal clear from the beginning that forcing people to provide official identification documents or a picture/video of themselves will create a response of attempts to circumvent this. And VPNs being the easiest (as in affordable, ease of use, and various providers being available) way of doing that, are now obviously the next ones to take the hit. If, or rather when, the EU decides to crack down on VPN providers, they are effectively closed. Why would I use a service that forces me to ID myself to circumvent the ID requirement of other services? The only reason to use a VPN is anonymity.

My interpretation was OP isn’t necessarily the target here, but a victim of some Windows hack spreading around their shared network. It’s possible the whole network was “worth” such attention.

Yeah, it might be that another system in the network was the initially compromised system, but I’m questioning whether Windows malware would be able to spread over wine to a unix machine to actually cause damage there. But that’s an attack vector I literally have zero idea about, just kinda seems suspicious.

And yeah, everything in OPs story is absolutely plausible, but it’s more of a gut feeling given the provided information that it just feels off. I might be fully in the wrong here, and they’re the unluckiest random person to ever have touched a unix machine, I don’t know. Definitely curious how this will develop though.

Something about this post is weird as fuck and some part of this story is missing for sure.

First of all, routine scans with ClamAV. Why are you routinely scanning your system, and what’s your expectation here? In most cases system compromise happens by executing something malicious or by exploiting something on your system, For the former, an active background scanner would help, but not a routine scan, and it’s easier to just not execute suspicious stuff. For the latter, your routine scanning is worthless.

Then the compromise over a WINE DLL seems something between borderline impossible on one hand, and like a very targeted and handcrafted attack on the other hand. Sure, wine is not a sandbox, but seeing this as the point of entry for a full blown persistent RAT is weirding me out massively.

Lastly, “them” setting up seemingly good persistence on your system, yet not hiding any indicators of compromise, and then nuking everything when they are seen. Why that effort? Either set yourself up for the long run and hide, or when detected just say “eh, whatever”. This also seems weird, since on one hand there’s indication for a professional, targeted attack, and other points sound more like rookie script kiddies.

Lastly, you. You seem like a pretty confident user while getting hit like that. It just feels off.

I’m not claiming you’re lying, and I couldn’t blame you for leaving information out because of opsec. But everything about this story feels off. I kinda assume that you’ve been actively targeted, and you should ask yourself why. What information or access do you have? How have you been pwned that “easily” and where did that DLL come from? How was it placed and executed?