Cybercriminals have launched a sophisticated malware campaign using a fake Bitdefender antivirus website to distribute a dangerous trio of malicious programs designed to steal financial data and maintain persistent access to victims’ computers.
DomainTools Intelligence (DTI) has identified the fraudulent site as part of a broader operation targeting users’ cryptocurrency wallets, banking credentials, and personal information.
The malicious domain “bitdefender-download[.]co” closely mimics the legitimate Bitdefender antivirus download page, making it difficult for users to distinguish between the authentic and fraudulent sites.
When visitors click the “Download For Windows” button, they unknowingly trigger the download of a ZIP file containing three distinct pieces of malware: VenomRAT, StormKitty, and SilentTrinity.

Multi-Stage Attack Strategy
The download link points to a file hosted on Bitbucket, which in turn redirects to Amazon S3 storage; serving the payload from two well-known legitimate services lends the download an air of legitimacy.
The bundled executable, disguised as “StoreInstaller.exe,” carries the configurations for all three malware families, each serving a specific purpose in the cybercriminals’ operation.
VenomRAT, described by security firm Acronis as a remote access tool with “dangerous consequences,” serves as the primary gateway, providing attackers with initial and ongoing access to victim machines.
This malware, which originated as a fork of the open-source Quasar RAT, can steal files, cryptocurrency wallets, browser data including credit card details, and perform keylogging activities.
StormKitty functions as a rapid credential harvester, quickly gathering sensitive information from the infected system.
Meanwhile, SilentTrinity, an open-source post-exploitation framework, provides stealthy long-term access that can be used for repeat compromises or sold on to other criminals.
The campaign is built around financial data: VenomRAT steals cryptocurrency wallets and browser-stored banking credentials, and recent analysis shows that newer builds have added credit card information theft to that list.
The DomainTools Intelligence (DTI) team discovered that the fake Bitdefender site shares infrastructure with other malicious domains impersonating banks and IT services, suggesting a coordinated phishing operation.
The campaign includes fraudulent sites that spoof the Armenian IDBank and Royal Bank of Canada online banking portals.
DomainTools researchers note that the inclusion of multiple open-source malware tools indicates “the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation”.
The attackers have been using the same command-and-control (C2) infrastructure across multiple samples: researchers identified the endpoint 67.217.228.160 on port 4449 as a consistent C2 connection point.
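The indicators above (the lookalike domain, the StoreInstaller.exe payload name and the C2 endpoint) are what a SOC would actually hunt for. The following is an added example, not code from the article or from DomainTools: it scans a few constructed log lines in three invented formats (DNS, proxy, EDR file events and firewall flows, all written as `<timestamp> <source> key=value ...`) for those indicators. The domain is written defanged on the page; the script refangs it because real logs contain the live form. The sample log lines, hostnames and internal IPs are constructed for the example, and the matching rules (subdomain-aware domain matching, exact IP:port for the C2 with a lower-confidence IP-only match) are the author's choices, not part of the report.

```python
"""Hunt for the indicators reported in the fake-Bitdefender campaign.

Added example: the log formats and sample lines below are constructed, not
real telemetry. Indicators are those named in the article; the matching
policy (subdomain matching, IP-only C2 fallback) is an assumption.
"""
import re
from dataclasses import dataclass

# Indicators from the article (domain refanged from bitdefender-download[.]co).
IOC_DOMAINS = {"bitdefender-download.co"}
IOC_C2 = {("67.217.228.160", 4449)}
IOC_C2_IPS = {ip for ip, _ in IOC_C2}
IOC_FILENAMES = {"storeinstaller.exe"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain", "filename", "c2" (exact ip:port) or "c2-ip"
    indicator: str
    line: str


# Constructed sample logs (not real). Format: <ts> <source> key=value ...
SAMPLE_LOGS = r"""
2025-05-27T10:00:01Z dns query=www.bitdefender.com client=10.0.0.5
2025-05-27T10:00:07Z dns query=bitdefender-download.co client=10.0.0.9
2025-05-27T10:00:08Z proxy url=https://bitdefender-download.co/download/windows client=10.0.0.9
2025-05-27T10:00:20Z dns query=notbitdefender-download.co client=10.0.0.12
2025-05-27T10:01:02Z edr file=C:\Users\alice\Downloads\StoreInstaller.exe client=10.0.0.9
2025-05-27T10:01:15Z fw src=10.0.0.9:50512 dst=67.217.228.160:4449 proto=tcp
2025-05-27T10:01:16Z fw src=10.0.0.9:50513 dst=67.217.228.160:443 proto=tcp
""".strip()

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<ts> <source> k=v k=v ...' into a dict (constructed format)."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return {}
    fields = {"ts": parts[0], "source": parts[1]}
    fields.update(KV_RE.findall(parts[2]))
    return fields


def domain_matches(name: str, ioc: str) -> bool:
    """Match the IOC domain and its subdomains, but not unrelated names that
    merely end with the same string (e.g. notbitdefender-download.co)."""
    name = name.lower().rstrip(".")
    return name == ioc or name.endswith("." + ioc)


def host_of(url: str) -> str:
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def basename_of(path: str) -> str:
    """Last path component, tolerant of both Windows and URL separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan(log_text: str) -> list:
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = parse_line(line)
        if not f:
            continue
        # Domain indicator: DNS query names and proxy URL hosts.
        names = [f.get("query", ""), host_of(f.get("url", ""))]
        for ioc in IOC_DOMAINS:
            if any(name and domain_matches(name, ioc) for name in names):
                hits.append(Hit(n, "domain", ioc, line))
        # Filename indicator: URL paths and endpoint file events.
        for ioc in IOC_FILENAMES:
            paths = [f.get("url", ""), f.get("file", "")]
            if any(p and basename_of(p) == ioc for p in paths):
                hits.append(Hit(n, "filename", ioc, line))
        # C2 indicator: exact ip:port is high confidence; the same IP on
        # another port is still worth a look, so report it at lower confidence.
        dst = f.get("dst", "")
        if ":" in dst:
            ip, port = dst.rsplit(":", 1)
            if port.isdigit():
                if (ip, int(port)) in IOC_C2:
                    hits.append(Hit(n, "c2", dst, line))
                elif ip in IOC_C2_IPS:
                    hits.append(Hit(n, "c2-ip", ip, line))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind:<8} {h.indicator}  <- {h.line}")
```

Two caveats worth keeping in mind when turning this into a real detection: the payload itself is served from Bitbucket and Amazon S3, so blocking the lookalike domain does not stop a download whose link arrived by another route, and a single reported IP:port is a point-in-time indicator that the operators can rotate, which is why the IP-only fallback is reported separately rather than treated as a confirmed C2 hit.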
Protection Recommendations
Bitdefender has acknowledged the threat, stating they are working to have the fraudulent site taken offline and that their security software detects the malicious files.
Google Chrome now flags the fake download link as malicious and warns users before they reach it.
Security experts recommend exercising extreme caution when downloading software, verifying a website’s authenticity before trusting it, and avoiding suspicious links or email attachments.
Users should download antivirus software only from official vendor websites, check the full domain name rather than just the brand it displays (the lookalike here uses a .co top-level domain, not Bitdefender’s own site), and be wary of unsolicited security warnings that prompt immediate software downloads.
This campaign highlights the evolving sophistication of cybercriminal operations, where legitimate-looking websites serve as gateways for multi-stage attacks targeting users’ most sensitive financial information.