Crooks Use Fake Antivirus Site to Spread Venom RAT and Malware Mix


Fake Bitdefender Website Spreads Venom RAT Malware 

Researchers at DomainTools Intelligence (DTI) have uncovered a malicious campaign using a fake website, bitdefender-download[.]com, to spread Venom RAT, a remote access trojan disguised as Bitdefender Antivirus for Windows. 

The fake download page tricks users into clicking a “Download for Windows” button. This leads to a Bitbucket URL that redirects to an Amazon S3-hosted ZIP file. Inside is a malicious executable named StoreInstaller.exe, which includes: 

  • Venom RAT, a Quasar RAT fork used for remote control and credential theft 
  • StormKitty, a stealer that extracts passwords and other sensitive information 
  • SilentTrinity, a post-exploitation framework for stealthy and persistent access 

The goal is to steal credentials, drain crypto wallets, and potentially sell access to compromised systems. 

The attackers used IP 67.217.228[.]160:4449 as a command-and-control server, and researchers found multiple Venom RAT samples linked to this campaign. They also observed overlapping infrastructure with phishing sites impersonating banks and tech companies like Microsoft and the Royal Bank of Canada. 

DomainTools warns that attackers are increasingly using modular malware built from open-source components, making campaigns more efficient, adaptive, and harder to detect. While open-source tools help defenders analyze threats, the primary victims are ordinary users who may mistake fake downloads for legitimate software. 

The report includes Indicators of Compromise (IOCs) and urges users to verify download sources and remain cautious with unexpected links or attachments. 
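As an added example (not part of the DomainTools report or this article), the sketch below sweeps log lines for the three indicators named above: the fake domain, the command-and-control address, and the StoreInstaller.exe file name. The function names and the sample log lines are constructed for illustration; only the indicator values come from the article.

```python
import re

# Indicators exactly as the article gives them (defanged).
ARTICLE_IOCS = {
    "domain": "bitdefender-download[.]com",
    "c2": "67.217.228[.]160:4449",
    "file": "StoreInstaller.exe",
}

def refang(text):
    """Turn defanged notation (a[.]b, hxxp://) back into literal form."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def build_patterns(iocs):
    domain = re.escape(refang(iocs["domain"]))
    ip, port = refang(iocs["c2"]).rsplit(":", 1)
    return {
        # The domain or a subdomain of it, never a longer look-alike name.
        "domain": re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + domain + r"(?![\w-]|\.\w)", re.I),
        # The exact IP (no adjacent digits), with the C2 port when present.
        "c2": re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)(?::" + port + r"\b)?"),
        # Windows file names are case-insensitive.
        "file": re.compile(r"(?<![\w.-])" + re.escape(iocs["file"]) + r"(?![\w-])", re.I),
    }

def scan(lines, iocs=ARTICLE_IOCS):
    """Return (line_number, indicator_kind, matched_text) for every hit."""
    patterns = build_patterns(iocs)
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in patterns.items():
            match = pattern.search(refang(line))
            if match:
                hits.append((number, kind, match.group(0)))
    return hits

# Constructed sample telemetry (not from the report).
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z proxy GET https://www.bitdefender.com/downloads/ 200",
    "2025-01-01T10:00:05Z proxy GET https://BitDefender-Download.com/ 200",
    "2025-01-01T10:00:09Z proxy GET https://notbitdefender-download.com/ 200",
    "2025-01-01T10:01:12Z proc host=WS-07 image=C:\\Users\\a\\Downloads\\storeinstaller.exe",
    "2025-01-01T10:01:30Z fw ALLOW tcp 10.0.0.7:50122 -> 67.217.228.160:4449",
    "2025-01-01T10:02:00Z fw ALLOW tcp 10.0.0.7:50130 -> 167.217.228.160:443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate bitdefender.com request, the look-alike host and the near-miss IP address are deliberately included to show that the boundary checks avoid false positives.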

 
