
A new malware campaign has been using a fake Bitdefender website to spread VenomRAT alongside StormKitty and SilentTrinity, aiming to steal credentials, drain crypto wallets, and maintain persistent access for future exploitation.
The campaign was discovered by DomainTools researchers, who traced its infrastructure, malware configurations, and delivery methods.
Bitdefender, the Romanian cybersecurity firm being spoofed, is a major player in the antivirus and cybersecurity software industry, known for its consumer and enterprise endpoint protection solutions. Its brand recognition makes it a prime candidate for impersonation by attackers, who leverage this trust to lure victims into downloading malicious payloads.
Attackers set up a malicious domain, bitdefender-download[.]com, that spoofs Bitdefender’s legitimate antivirus download page. The site’s “Download for Windows” button serves a ZIP archive hosted via Bitbucket and Amazon S3. Inside, an executable named StoreInstaller.exe contains configurations and embedded code linking to VenomRAT, the credential-stealing StormKitty, and the post-exploitation framework SilentTrinity.
[Image: DomainTools]
VenomRAT, as detailed in prior reports by Acronis, is a remote access trojan that evolved from the Quasar RAT project, offering features such as remote desktop access, keylogging, credential theft, and data exfiltration. StormKitty, an open-source infostealer, focuses on rapidly harvesting saved passwords, browser cookies, and cryptocurrency wallet data. SilentTrinity, also open-source, is a powerful post-exploitation toolkit built on IronPython, designed to provide stealthy long-term access to compromised machines.
This attack chain illustrates the attacker’s dual objectives: immediate financial gain through stolen credentials and wallet data, and long-term monetization by maintaining stealthy access, which could allow repeat exploitation or the sale of that access on dark web marketplaces.
DomainTools researchers traced the attacker infrastructure to a network of related command-and-control (C2) servers, notably IP 67.217.228[.]160:4449, which was reused across multiple samples. The existence of additional active C2 nodes shows a dispersed infrastructure supporting multiple malware deployments. The team also uncovered related phishing domains, such as idram-secure[.]live, impersonating Armenian IDBank, royalbanksecure[.]online spoofing Royal Bank of Canada’s portal, and dataops-tracxn[.]com, a fake Microsoft login page, indicating a broad financial targeting strategy.
The malware delivery paths in this campaign are varied, including cloud services such as Bitbucket, Amazon S3, and GitHub, making takedowns and blocking efforts more complicated. Researchers also noted overlaps in infrastructure, including reused Remote Desktop Protocol (RDP) service configurations identified through Shodan under hash -971903248, suggesting a common actor or toolkit behind the broader operation.
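The indicators above are published in defanged form (`[.]` for `.`), so a defender has to refang them before matching. The following is an added example, not code from the article or from the DomainTools report: it refangs the page's domains and the C2 address, then runs them over a few constructed proxy log lines (a hypothetical `timestamp src dst:port host` format, not real traffic). It flags subdomains of a listed domain, leaves the legitimate www.bitdefender.com alone, and distinguishes an exact IP:port C2 hit from traffic to the same IP on a different port, which deserves a look but is lower confidence.

```python
import re
from dataclasses import dataclass

# Indicators exactly as the report publishes them (defanged).
DEFANGED_DOMAINS = [
    "bitdefender-download[.]com",
    "idram-secure[.]live",
    "royalbanksecure[.]online",
    "dataops-tracxn[.]com",
]
DEFANGED_C2 = ["67.217.228[.]160:4449"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Map C2 IP -> port so an IP-only hit can be reported separately from IP+port.
C2 = {}
for entry in DEFANGED_C2:
    host, port = refang(entry).rsplit(":", 1)
    C2[host] = int(port)


@dataclass
class Hit:
    line_no: int
    kind: str       # "phishing-domain", "c2-ip-port" or "c2-ip-other-port"
    indicator: str


# Constructed sample log lines (hypothetical format: ts src dst:port host method path).
SAMPLE_LOGS = """\
2025-05-27T10:01:02Z 10.0.0.5 93.184.216.34:443 www.bitdefender.com GET /downloads
2025-05-27T10:02:15Z 10.0.0.5 203.0.113.10:443 bitdefender-download.com GET /Download-for-Windows
2025-05-27T10:02:40Z 10.0.0.5 203.0.113.20:443 bitbucket.org GET /archive.zip
2025-05-27T10:03:05Z 10.0.0.5 67.217.228.160:4449 - CONNECT
2025-05-27T10:05:00Z 10.0.0.7 67.217.228.160:443 - CONNECT
2025-05-27T10:06:30Z 10.0.0.9 198.51.100.7:443 login.idram-secure.live GET /
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) (?P<host>\S+)")


def domain_matches(host: str, blocked: set) -> bool:
    """Exact match or subdomain match; never a bare substring match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def scan_logs(text: str, domains: set = DOMAINS, c2: dict = C2) -> list:
    """Return one Hit per indicator match, in log order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        host, dst, port = m["host"], m["dst"], int(m["port"])
        if host != "-" and domain_matches(host, domains):
            hits.append(Hit(n, "phishing-domain", host))
        if dst in c2:
            kind = "c2-ip-port" if c2[dst] == port else "c2-ip-other-port"
            hits.append(Hit(n, kind, f"{dst}:{port}"))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} {h.indicator}")
```

The subdomain check is the point worth copying: a substring match on `bitdefender` would also catch the vendor's real site, while an exact-only match would miss `login.idram-secure.live`. Treat the IP-only hit as a lead to triage, not a confirmed C2 session, since the report ties the indicator to port 4449 specifically.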
To defend against such threats, users should always verify the source of a software download and scan downloaded files with an up-to-date antivirus tool before executing them.