Is ExpressVPN secure or does the xvpnd.exe connect to hidden trackers or malware?
Is ExpressVPN connecting to hidden trackers & malware? Are there any ways via which I can monitor the .exe workings?
While doing my research, I came across a website that said that with ExpressVPN, however, the encrypted tunnel prevents hackers from reading, injecting, or altering any data. Wi-Fi hackers can also use a man-in-the-middle (MITM) attack to break encryption and impersonate sites you are visiting so they can intercept your traffic without your knowledge.
I have worked for xvpnd.exe and no, this is not malware. Here’s what’s happening:
The ExpressVPN app for Windows is composed of two parts: the UI and the “engine”. The UI runs as a regular Windows app. The engine (xvpnd.exe) runs as a Windows service and is responsible for controlling the VPN. One benefit of this design is that the VPN is not affected if the app crashes, and that the VPN killswitch can start as early as possible on boot.
The app and engine communicate with each other using HTTP. That’s why you see the engine listening on port 2015. Important: the engine binds to the local network only. No outside traffic can reach that port.
When the user connects to the VPN, the engine is responsible for testing which of our VPN endpoints is likely to give the most reliable and fastest VPN connection. It does that by sending UDP packets to various VPN server IP addresses. The IP you mentioned (199.19.94.101) belongs to our “Canada - Toronto” VPN server location.
It’s possible you encountered a bug here. The engine is only supposed to test VPN servers when you’re about to connect to a location, and it seems what you’ve reproduced is a case where the engine was testing VPN servers regardless. Our team is investigating and will fix once we determine the root cause. Thanks for raising the issue.
We ourselves haven't been able to reproduce the warning yet in Malwarebytes; however, we will contact them for further information. In the meantime, you can add an exclusion for ExpressVPN by following these steps: https://support.malwarebytes.org/customer/portal/articles/1835329-how-do-i-stop-malwarebytes-anti-malware-from-blocking-scanning-a-file-or-program-that-i-trust-?b_id=6438
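One way to check for yourself that the port 2015 listener described in the answer is not reachable from outside, as an added example that is not part of the original answer or ExpressVPN's code: it parses the text printed by Windows `netstat -ano -p tcp` and reports whether a port is bound only to loopback addresses. It assumes "local" in the answer means the loopback interface; the sample output, addresses and PIDs are constructed.

```python
import ipaddress

# Constructed sample of `netstat -ano -p tcp` output (addresses and PIDs are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:2015         0.0.0.0:0              LISTENING       3412
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    192.168.1.20:49712     203.0.113.7:443        ESTABLISHED     5120
  TCP    [::1]:2015             [::]:0                 LISTENING       3412
  TCP    [::]:445               [::]:0                 LISTENING       4
"""


def parse_listeners(netstat_text):
    """Yield (ip, port, pid) for every TCP socket in LISTENING state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows have exactly 5 columns; the header and blank lines do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        yield ipaddress.ip_address(host), int(port), int(fields[4])


def exposure(netstat_text, port):
    """Return 'loopback-only', 'exposed' or 'not-listening' for a TCP port."""
    addrs = [ip for ip, p, _ in parse_listeners(netstat_text) if p == port]
    if not addrs:
        return "not-listening"
    # 0.0.0.0, :: or any interface address accepts connections from other hosts.
    return "loopback-only" if all(ip.is_loopback for ip in addrs) else "exposed"


def owning_pids(netstat_text, port):
    """Return the sorted PIDs that hold a listening socket on the port."""
    return sorted({pid for _, p, pid in parse_listeners(netstat_text) if p == port})


if __name__ == "__main__":
    print("port 2015:", exposure(SAMPLE_NETSTAT, 2015), owning_pids(SAMPLE_NETSTAT, 2015))
```

To run it against a real machine, pass the captured output of `netstat -ano -p tcp` instead of the sample, then confirm which program owns the reported PID with `tasklist /FI "PID eq <pid>"`.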