Exclusive: ExpressVPN code hints at upcoming Shadowsocks support

TechRadar has uncovered evidence that ExpressVPN is secretly preparing to add Shadowsocks support.

During routine analysis of the latest ExpressVPN Windows app (v12.201.0), we discovered a Shadowsocks executable file: ss-local.exe.

What is Shadowsocks? (and why do VPNs use it?)

Shadowsocks is an obfuscation technology used by VPNs such as Mullvad and PIA to secure access to the internet in regions with tight internet restrictions, such as China and Russia.

The lightweight proxy prioritizes speed and censorship circumvention over comprehensive, system-wide privacy. However, it can be used with other protocols — the rules that determine how your traffic is handled — to improve its privacy-preserving credentials.

Standard VPN protocols have highly recognizable signatures. By comparison, Shadowsocks is based on standard TCP or UDP connections paired with encryption.

This strips away the recognizable VPN metadata and makes the traffic look indistinguishable from normal HTTPS web browsing, making it significantly more successful at evading censorship mechanisms like the Great Firewall.

Finding Shadowsocks in ExpressVPN

TechRadar's routine analysis of the latest ExpressVPN Windows application reveals a newly added Shadowsocks file (ss-local.exe). Furthermore, traffic analysis confirms the app now queries backend servers for a "hasShadowsocks" status flag.

Although currently set to false for all observed locations, the integration of both the local executable and the server-side parameter strongly suggests ExpressVPN is preparing to launch Shadowsocks support on select servers.

The network traffic containing this server configuration can be seen below. It shows the app is receiving data about the Los Angeles server, including whether it has Shadowsocks capabilities.

{
  "71": {
    "autoSafe": false,
    "dedicatedIp": "",
    "geoLocated": false,
    "hasShadowsocks": false,
    "id": "71",
    "latency": null,
    "latitude": 33.916,
    "longitude": -118.3,
    "minimumEndpointCount": 50,
    "name": "USA - Los Angeles - 5",
    "offline": false,
    "popularity_order": 33115,
    "portForward": false,
    "priority": 55,
    "slug": "usa-los-angeles-5",
    "smartLocationData": null
  }
}
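
To track when a flag like this changes, two captures of the location map can be compared field by field. The sketch below is an added example, not code from TechRadar or ExpressVPN: the first snapshot is the record shown above, while the second snapshot, including location "999", is constructed for illustration and was not observed.

```python
import json

# Location record copied from the capture shown in the article.
OBSERVED = json.loads("""
{"71": {"autoSafe": false, "dedicatedIp": "", "geoLocated": false,
        "hasShadowsocks": false, "id": "71", "latency": null,
        "latitude": 33.916, "longitude": -118.3, "minimumEndpointCount": 50,
        "name": "USA - Los Angeles - 5", "offline": false,
        "popularity_order": 33115, "portForward": false, "priority": 55,
        "slug": "usa-los-angeles-5", "smartLocationData": null}}
""")

# CONSTRUCTED later snapshot (hypothetical, never observed): the flag flips
# on location 71 and a made-up location 999 appears.
LATER = json.loads(json.dumps(OBSERVED))
LATER["71"]["hasShadowsocks"] = True
LATER["999"] = {"id": "999", "name": "Constructed - Example - 1",
                "hasShadowsocks": True, "portForward": False}


def capability_flags(record):
    """Keep only the boolean fields of one location record.
    Numbers, strings and nulls (latency, priority, ...) are ignored."""
    return {k: v for k, v in record.items() if isinstance(v, bool)}


def diff_flags(old, new):
    """Return (location_id, name, flag, before, after) for every boolean
    flag that differs between two snapshots. before/after is None when the
    location or the flag is absent on that side."""
    changes = []
    for loc_id in sorted(set(old) | set(new)):
        before = capability_flags(old.get(loc_id, {}))
        after = capability_flags(new.get(loc_id, {}))
        name = (new.get(loc_id) or old.get(loc_id)).get("name", "?")
        for flag in sorted(set(before) | set(after)):
            if before.get(flag) != after.get(flag):
                changes.append((loc_id, name, flag,
                                before.get(flag), after.get(flag)))
    return changes


if __name__ == "__main__":
    for change in diff_flags(OBSERVED, LATER):
        print("%s (%s): %s %r -> %r" % change)
```
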

What does this mean for ExpressVPN users?

Currently, ExpressVPN applies obfuscation to all internet traffic automatically. This means users have no manual control if a connection fails in heavily censored regions like China.

Introducing Shadowsocks support could fix this issue, providing users with a vital workaround when standard connections are blocked. As with any obfuscation method, there are no guarantees. Still, when you're trying to connect in a highly censored country, the more options you have, the better.

It's unclear exactly how Shadowsocks will be used by the app, or whether it will roll out across other operating systems. Regardless, its addition likely signals a renewed emphasis on censorship circumvention from the best secure VPN on the market.

This discovery aligns with a broader push from ExpressVPN to modernize its ecosystem. Following the recent rollout of its new password manager, AI client and private email relay, giving power users manual control over their obfuscation feels like a natural next step.

For anyone thinking of trying out ExpressVPN, it's worth noting that it's currently down to its lowest ever price. Take a look at the deal below.

ExpressVPN: lowest-ever prices on plans from only $2.27 per month - up to 83% off
ExpressVPN is our best secure VPN. Now, a potential Shadowsocks integration could bolster its position at the top. Right now, two-year plans start from $2.27 per month, but for the best value, we recommend the Advanced plan. It includes:

📱 12 simultaneous connections (more than NordVPN)
⚡️ Lightway Turbo (one of the fastest VPN protocols)
🛑 Ad and malware blocking
📧 ExpressMailGuard email protection
🔐 ExpressKeys password management
🪪 Identity Defender
🌴 3 days of Holiday.com eSIM data

Alternatively, monthly plans start from only $12.99. No matter the plan you choose, all offer a 30-day money-back guarantee too.

ExpressVPN's response

When reached for comment, ExpressVPN's COO Shay Peretz said:

"As part of the ongoing evolution of our Windows app, we regularly evaluate and test different technologies that could help improve connectivity and reliability for users, particularly in challenging network environments, including experimental or inactive components.

"At this stage, we don’t have any specific feature announcements to share regarding Shadowsocks support or a timeline for potential availability. As always, if and when we introduce new capabilities designed to enhance connectivity or circumvention resilience, we’ll communicate those updates publicly.

"In the meantime, our focus remains on continuously improving the performance and reliability of the ExpressVPN app. The latest versions already include enhanced HTTPS-based connectivity mechanisms that help users maintain stable access across a wide range of network conditions, and we’re already seeing strong adoption, which shows we’re heading in the right direction."

Samuel Woodhams
VPN Managing Editor, TechRadar

Sam is VPN Managing Editor at TechRadar. He has worked in the VPN industry since 2018 and has previously written for CNN, Al Jazeera, WIRED, and Deutsche Welle as a freelance journalist. He focuses on VPNs and digital privacy, cybersecurity and internet freedom.

Before joining TechRadar, Sam carried out research on global digital rights issues at Top10VPN. His research has been cited by the United Nations and UK Parliament, as well as publications such as The Guardian, Washington Post and BBC.
