ZenRAT Malware Delivered Through Fake Bitwarden Installation Packages

According to the recent findings by Proofpoint, a new malware called ZenRAT has been discovered. This malware is being spread via fraudulent download packages disguised as Bitwarden installations.

This malware primarily targets Windows users and redirects non-Windows users to benign web pages.

The method of distribution remains unknown, but historical precedents include SEO Poisoning, adware bundles, and email.

ZenRAT is a modular Remote Access Trojan (RAT) with information-stealing capabilities.

The threat landscape in the digital realm is ever-evolving, with malicious actors constantly devising new tactics to exploit unsuspecting victims. 

On August 10, 2023, Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, brought to light a concerning discovery – a malware sample concealed within a Windows software installation package. 

This sample was initially found on a website posing as Bitwarden, bitwariden[.]com, an eerily convincing replica of the legitimate Bitwarden website, reads the report


Fake Bitwarden website, bitwariden[.]com bears a remarkable resemblance in theme with bitwarden[.]com. It is uncertain as to how traffic is being directed to this domain.

Mystery ZenRAT Malware

Hidden within a standard Bitwarden installation package was a malicious .NET executable, now known as “ZenRAT.”

How this malware is distributed remains a mystery. Historically, similar attacks have been executed through SEO Poisoning, bundled with adware, or disseminated via email.

A distinctive aspect of this malware campaign is its selective targeting. The malicious website displays the counterfeit Bitwarden download link when accessed from a Windows host. 

Non-Windows users who visit the same website are redirected to a cloned opensource.com article, meticulously replicating legitimate content.


If non-Windows users attempt to visit the malicious website, they are instead redirected to a cloned opensource(.)com article. This screen capture was taken using Mozilla Firefox on Ubuntu 22.04. 

Furthermore, Windows users attempting to download Bitwarden for Linux or MacOS are redirected to the genuine Bitwarden site, vault.bitwarden[.]com. 

However, clicking the “Download” button or the “Desktop installer for Windows” results in an attempt to download “Bitwarden-Installer-version-2023-7-1.exe,” hosted on the domain crazygameis[.]com.

The domain registrar for both the malicious domains appears to be NiceNIC International Group, while the sites themselves are seemingly hosted on Cloudflare.

The malicious installer, Bitwarden-Installer-version-2023-7-1.exe, first appeared on VirusTotal on July 28, 2023, under a different name, “CertificateUpdate-version1-102-90.” Intriguingly, the installer claims to be “Speccy,” a legitimate application used for gathering system specifications. Notably, the digital signature on this installer is invalid.

ZenRAT, also known as “ApplicationRuntimeMonitor.exe,” is the core component of this malware. Interestingly, it masquerades as an entirely different application, displaying metadata that suggests it was created by “Monitoring Legacy World Ltd.”

Upon execution, ZenRAT conducts an array of system checks and gathers the following information about the host:

  • CPU Name
  • GPU Name
  • OS Version
  • Installed RAM
  • IP address and Gateway
  • Installed Antivirus
  • Installed Applications

This information is sent to its command and control (C2) server, along with stolen browser data and credentials packaged in a zip file named “Data.zip.” This zip file contains “InstalledApps.txt” and “SysInfo.txt,” containing system and application information, respectively.

ZenRAT establishes communication with its C2 server upon execution. The C2 protocol it employs is unique, with distinct client and server-side communication structures.

Client-Side Communication: The client initiates communication with a 73-byte packet containing a Command ID and data size, followed by additional packets in the same TCP stream.

Server-Side Communication: The server sends a fixed-length nine-byte packet followed by additional packets in response to the client’s requests.

ZenRAT exhibits various Command IDs, with some of the more intriguing ones being:

– **Send Logs:** ZenRAT sends logs in plaintext format to the C2 server, including system checks and verifications.

– **Send Module Results:** This command is used to transmit results from modules, with data encrypted using AES-256-CBC.

Task and Module IDs indicate that ZenRAT is designed to be modular and extensible, though other modules have not yet been observed in the wild.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.