A recently uncovered cyberattack campaign uses a fake Bitdefender website to distribute VenomRAT and other malware tools. The campaign gives attackers deep access to victims’ systems, allowing them to compromise security controls and steal sensitive information.
The spoofed website, titled “DOWNLOAD FOR WINDOWS”, closely mimics Bitdefender’s legitimate antivirus download page. Instead of delivering the real antivirus software, however, it redirects visitors to malicious files hosted on Bitbucket and Amazon S3. The downloaded package contains an executable named StoreInstaller.exe, which initiates the infection process. Researchers have identified three separate malware families bundled with this file: VenomRAT, StormKitty, and SilentTrinity.
Each of these malware tools plays a distinct role in the compromise process. VenomRAT provides remote and persistent access to the victim’s system, while StormKitty is used to gather credentials and crypto wallet data. SilentTrinity facilitates stealthy exfiltration and long-term control, allowing attackers to move quickly while remaining undetected. The use of open-source frameworks like SilentTrinity and StormKitty suggests that the attackers are targeting users for prolonged exploitation or resale of access.
VenomRAT, with its roots in the Quasar RAT project, supports keylogging, credential theft, and remote command execution. The malware samples associated with this campaign share consistent configurations, including the reuse of command-and-control IPs like 67.217.228[.]160:4449 and 157.20.182[.]72:4449. Analysts have traced additional VenomRAT samples and IPs through matching RDP configurations, revealing further infrastructure likely managed by the same threat actor.
In addition to the spoofed Bitdefender website, researchers have identified phishing domains impersonating banks and IT services. These domains include idram-secure[.]live, royalbanksecure[.]online, and dataops-tracxn[.]com. The infrastructure behind these domains overlaps in timing and setup, suggesting a coordinated, financially motivated campaign.
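The indicators in the two paragraphs above (the two C2 IP:port pairs and the three phishing domains) are published in the defanged `[.]` notation that analysts use to prevent accidental clicks. The following script, an added example that is not part of the article or of DomainTools’ research, shows how a defender would refang those indicators and sweep them against proxy, DNS and connection logs, flagging a full IP:port match separately from a weaker IP-only match. The log lines are constructed for the example and their format (`key=value` fields) is an assumption; the matcher itself is format-agnostic because it only looks for dotted hosts and IP:port tokens anywhere in a line.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators exactly as given in the write-up, still in defanged form.
DEFANGED_C2 = ["67.217.228[.]160:4449", "157.20.182[.]72:4449"]
DEFANGED_DOMAINS = ["idram-secure[.]live", "royalbanksecure[.]online", "dataops-tracxn[.]com"]

# Constructed sample log lines (not real telemetry); line 3 is a benign control.
SAMPLE_LOGS = [
    "10:01:12 dns query=idram-secure.live client=10.0.0.15 type=A",
    "10:01:13 conn src=10.0.0.15 dst=67.217.228.160:4449 proto=tcp bytes=8192",
    "10:01:14 dns query=updates.example.com client=10.0.0.15 type=A",
    "10:02:00 conn src=10.0.0.22 dst=157.20.182.72:443 proto=tcp bytes=120",
    "10:03:00 http host=login.royalbanksecure.online uri=/signin client=10.0.0.31",
]

# Dotted-quad optionally followed by :port, and a dotted hostname.
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?\b")
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn the publication-safe '[.]' notation back into a literal dot."""
    return indicator.replace("[.]", ".")


def parse_indicators() -> Tuple[Dict[str, int], Set[str]]:
    """Return {c2_ip: port} and the set of phishing domains, refanged."""
    c2: Dict[str, int] = {}
    for entry in DEFANGED_C2:
        host, port = refang(entry).rsplit(":", 1)
        c2[host] = int(port)
    domains = {refang(d).lower() for d in DEFANGED_DOMAINS}
    return c2, domains


def scan_line(line: str, c2: Dict[str, int], domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, observed_value) hits for one log line."""
    hits: List[Tuple[str, str]] = []
    for ip, port in IP_PORT_RE.findall(line):
        if ip not in c2:
            continue
        if port and int(port) == c2[ip]:
            hits.append(("c2-ip-port", f"{ip}:{port}"))
        else:
            # Known C2 host contacted on a different (or unknown) port:
            # weaker signal, but still worth an analyst's attention.
            hits.append(("c2-ip-only", f"{ip}:{port or '?'}"))
    for host in HOST_RE.findall(line):
        h = host.lower()
        # Match the domain itself and any subdomain of it.
        if h in domains or any(h.endswith("." + d) for d in domains):
            hits.append(("phishing-domain", h))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, Tuple[str, str]]]:
    """Sweep all lines; return (1-based line number, hit) pairs."""
    c2, domains = parse_indicators()
    findings = []
    for n, line in enumerate(lines, 1):
        for hit in scan_line(line, c2, domains):
            findings.append((n, hit))
    return findings


if __name__ == "__main__":
    for n, (kind, value) in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value}")
```

Running the script reports the DNS lookup of idram-secure.live, the connection to 67.217.228.160:4449 as a full C2 match, the contact with 157.20.182.72 on port 443 as an IP-only match, and the subdomain login.royalbanksecure.online; the benign lookup on line 3 produces nothing. Keeping the IP-only category distinct matters because the article notes that further infrastructure was tied to the same actor by configuration overlap, so traffic to a listed host on an unlisted port deserves triage rather than silent discard.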
The attackers’ reliance on open-source tools highlights how low the barrier to entry for cybercrime has become. By repurposing existing frameworks, attackers can quickly assemble effective malware kits. While the reuse of known tooling can help defenders recognize familiar patterns, it also increases the speed and scale at which attacks can be mounted. DomainTools researchers emphasize the importance of vigilance, urging users to verify download sources, avoid entering credentials on untrusted sites, and exercise caution with email links and attachments.
As cyber threats continue to evolve, it is crucial for individuals and organizations to stay informed and take proactive measures to protect their digital assets and sensitive information.