Pierluigi Paganini May 28, 2025

Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading it as antivirus software.

DomainTools Intelligence (DTI) researchers warn of a malicious campaign using a fake website (“bitdefender-download[.]com”) spoofing Bitdefender’s Antivirus for Windows download page to trick visitors into downloading a remote access trojan called Venom RAT.

“A malicious campaign using a fake website to spread VenomRAT, a Remote Access Trojan (RAT), is detailed in this analysis. The malware includes tools for password theft and stealthy access.” reads the report published by DomainTools. “This research examines the attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.”

The malware is designed for password theft and stealthy access, aiming to steal credentials, crypto wallets, and sell system access for financial gain.

Upon clicking the fake “Download for Windows” button it triggers a Bitbucket URL that redirects to an Amazon S3 link, downloading a ZIP file. The archive contains the executable StoreInstaller.exe, which bundles the VenomRAT malware, code from the open-source post-exploitation framework SilentTrinity, and StormKitty stealer.

The VenomRAT is a fork of the open-source Quasar RAT and is used for gaining and maintaining access to victim systems. It supports remote control, credential theft, keylogging, and data exfiltration. In this campaign, attackers also used StormKitty to quickly steal credentials and SilentTrinity for stealthy, long-term access, suggesting goals of immediate financial gain and persistent system control for future use or resale.

The researchers discovered that multiple VenomRAT samples likely came from the same attacker, based on shared details like the same C2 server at IP 67.217.228[.]160 on port 4449. DomainTools noted that the fake Bitdefender site also overlaps in timing and infrastructure with other phishing domains impersonating banks and IT services, including sites used to steal logins for Microsoft and the Royal Bank of Canada.

“This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This “build-your-own-malware” approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users.” concludes the report that also provides Indicators of compromise. “These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Venom RAT)