> the malware just needs to wait for the user to activate the VPN, and then can access the company's network
In theory, you are correct, and it does increase the risk compared to never having it connected. However, it doesn’t mean it’s automatically compromised, since the initial point of infection happened through a user action (installing the mod), not through an unknown exploit that spreads through a specific network protocol. So just connecting it doesn’t mean infection, not to mention the VPN settings. Maybe they have file transfer disabled or similar, different OS, protection, etc., where it makes it harder to infect. The worst scenario is he was infected with a RAT type (remote access trojan), where the attacker actively tries to scan other hosts connected to the network through VPN to find vulnerabilities.
That being said, accessing the company network through VPN is still the best practice. After all, you need to access the network remotely for a lot of reasons.
In theory, you are correct, and it does increase the risk compared to never having it connected. However, it doesn’t mean it’s automatically compromised, since the initial point of infection happened through a user action (installing the mod), not through an unknown exploit that spreads through a specific network protocol. So just connecting it doesn’t mean infection, not to mention the VPN settings. Maybe they have file transfer disabled or similar, different OS, protection, etc., where it makes it harder to infect. The worst scenario is he was infected with a RAT type (remote access trojan), where the attacker actively tries to scan other hosts connected to the network through VPN to find vulnerabilities.
That being said, accessing the company network through VPN is still the best practice. After all, you need to access the network remotely for a lot of reasons.