Fake Bitdefender Site Spreads Trio of Malware Tools

February 14, 2026

A spoofed Bitdefender website has been used in a malicious campaign to distribute VenomRAT and two other malware tools, giving attackers deep access to victims’ systems.

The fake site, titled DOWNLOAD FOR WINDOWS, mimics Bitdefender’s legitimate antivirus download page but redirects visitors to malicious files hosted on Bitbucket and Amazon S3.

The downloaded package contains an executable named StoreInstaller.exe, which initiates the infection process. Researchers found this file bundled with code from three separate malware families: VenomRAT, StormKitty and SilentTrinity.

Modular Malware for Maximum Exploitation

According to DomainTools, which uncovered the campaign, it demonstrates a layered approach to compromise, with each tool playing a distinct role:

  • VenomRAT ensures remote and persistent access

  • StormKitty gathers credentials and crypto wallet data

  • SilentTrinity facilitates stealthy exfiltration and long-term control

Together, these components allow attackers to move swiftly while remaining hidden.

The use of SilentTrinity and StormKitty, both open-source frameworks, suggests the attackers are targeting users not just for immediate gain but for prolonged exploitation or resale of access.

VenomRAT has roots in the Quasar RAT project and supports keylogging, credential theft and remote command execution (RCE).

The malware samples tied to this campaign share consistent configurations, particularly the reuse of command-and-control (C2) IPs like 67.217.228[.]160:4449 and 157.20.182[.]72:4449.

Analysts traced additional VenomRAT samples and IPs through matching RDP configurations, revealing further infrastructure likely managed by the same threat actor.

Fake Login Pages Pose Additional Risks

In addition to the spoofed antivirus site, researchers identified related phishing domains impersonating banks and IT services. These include:

  • idram-secure[.]live, spoofing Armenian IDBank

  • royalbanksecure[.]online, mimicking Royal Bank of Canada

  • dataops-tracxn[.]com, posing as a Microsoft login portal

The infrastructure behind these domains overlaps in timing and setup, reinforcing the assessment of a coordinated, financially motivated campaign.
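
As an added example (not from the article or from DomainTools), the following Python check refangs the C2 endpoints and phishing domains quoted above and matches them against firewall and DNS log lines. The log format, the sample lines, the severity labels and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# Indicators as published in the article, still defanged.
DEFANGED_C2 = ["67.217.228[.]160:4449", "157.20.182[.]72:4449"]
DEFANGED_DOMAINS = ["idram-secure[.]live", "royalbanksecure[.]online", "dataops-tracxn[.]com"]

def refang(value):
    return value.replace("[.]", ".")

def parse_endpoint(item):
    host, port = refang(item).rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

C2_ENDPOINTS = {parse_endpoint(i) for i in DEFANGED_C2}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
BAD_DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}

ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def domain_hit(host):
    # Match the listed domain or any subdomain, never a lookalike suffix.
    return any(host == d or host.endswith("." + d) for d in BAD_DOMAINS)

def classify(line):
    # Returns (severity, indicator) findings for one log line.
    findings = []
    for ip_text, port in ENDPOINT_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:      # e.g. 999.1.1.1 is not an address
            continue
        if port and (ip, int(port)) in C2_ENDPOINTS:
            findings.append(("high", f"{ip_text}:{port}"))
        elif ip in C2_IPS:      # known C2 host, different or unlogged port
            findings.append(("medium", ip_text))
    hosts = map(str.lower, HOST_RE.findall(line))
    return findings + [("high", h) for h in hosts if domain_hit(h)]

# Constructed sample log lines (assumed format, not taken from the campaign).
SAMPLE_LOG = [
    "2026-02-10T09:14:02Z fw allow tcp 10.0.4.17:51322 -> 67.217.228.160:4449",
    "2026-02-10T09:15:40Z fw allow tcp 10.0.4.17:51390 -> 157.20.182.72:443",
    "2026-02-10T09:16:11Z dns query 10.0.4.22 login.idram-secure.live A",
    "2026-02-10T09:16:30Z dns query 10.0.4.22 notroyalbanksecure.online A",
    "2026-02-10T09:17:05Z fw allow tcp 10.0.4.30:50211 -> 192.0.2.10:4449",
]

def scan(lines):
    return [(n, sev, ioc) for n, line in enumerate(lines, 1) for sev, ioc in classify(line)]
```

Port 4449 on its own is not treated as an indicator, and a hostname that merely ends in one of the listed names without a dot boundary is not flagged.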

Growing Use of Open-Source Malware

The attackers’ reliance on open-source tools shows how accessible cybercrime has become. By repurposing existing frameworks, they can quickly assemble flexible, effective malware kits. While this can help defenders recognize patterns, it also increases the speed and scale of potential attacks.

DomainTools researchers emphasize vigilance and encourage users to verify download sources, avoid entering credentials on untrusted sites and remain cautious with email links or attachments.
