Introduction

A malicious campaign has been identified that utilizes a spoofed website mimicking the legitimate Bitdefender antivirus page to distribute malware. This campaign involves the dissemination of three key malware programs: VenomRAT, StormKitty [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and SilentTrinity [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], posing significant threats to users by compromising their systems and stealing sensitive information.

Description

A spoofed website mimicking the legitimate Bitdefender antivirus page [6], specifically bitdefender-download[.]com [3], is being utilized in a malicious campaign to distribute three key malware programs: VenomRAT, StormKitty [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and SilentTrinity [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]. This counterfeit site closely replicates Bitdefender’s authentic download page [2], featuring a misleading “Download for Windows” button that initiates a file download from an Amazon S3 bucket [6]. When users click this button, they inadvertently download a ZIP archive containing an executable named StoreInstaller.exe [3], which initiates the infection process [8].

VenomRAT [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], a remote access trojan derived from the Quasar RAT project, enables cybercriminals to gain control over compromised Windows systems [6] [7], facilitating file theft [7], keylogging [3] [4] [7] [8] [9], webcam access [7], and remote command execution [7] [8]. This malware is particularly focused on stealing sensitive information such as login credentials, cryptocurrency wallets [1] [3] [4] [6] [9] [10], and banking details, including credit card information [9]. StormKitty functions as a credential harvester [9], rapidly collecting sensitive data from infected systems [9]. SilentTrinity [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], an open-source post-exploitation framework [4] [6] [9] [10], facilitates stealthy long-term access and data exfiltration [10], allowing for potential repeat compromises [9]. The integration of these malware tools indicates a dual strategy of immediate financial gain and persistent control over victim systems, enabling attackers to operate swiftly and remain undetected [8].

The malicious domain is suspected to be involved in phishing attacks [1], as it overlaps with infrastructure hosting other fraudulent sites impersonating banks and IT services [1], including those targeting the Armenian IDBank and the Royal Bank of Canada [7]. Security researchers from DomainTools have identified that the infrastructure behind these attacks utilizes a “build-your-own-malware” approach using open-source components [5], making the malware more efficient and adaptable [5]. The malware samples associated with this campaign exhibit consistent configurations [8], particularly the reuse of command-and-control (C2) IPs and ports [8], such as 67.217.228[.]160:4449 [8], linking multiple samples to the same threat actor [10]. Researchers have traced additional VenomRAT samples and IPs through matching RDP configurations [8], suggesting further infrastructure likely managed by the same group [8]. Although the site remains operational [1], Google’s Chrome browser flags it as malicious [1], preventing downloads [1]. Bitdefender has confirmed that the site is not affiliated with them and is actively working to have it taken offline [1].
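The indicators quoted above (the spoofed domain, the reused C2 IP:port pair and the dropper file name) can be turned into a simple retrospective sweep over proxy, firewall and EDR logs. The script below is an added example, not code from any of the cited reports; the log lines and their field names (host=, dst=, dport=, process=) are constructed for illustration and will need adapting to a real log schema.

```python
import re
from typing import Dict, List

# Indicators quoted in the report above, kept in defanged form.
DEFANGED_DOMAIN = "bitdefender-download[.]com"
DEFANGED_C2 = "67.217.228[.]160:4449"
DROPPER_NAME = "StoreInstaller.exe"

# Constructed sample log lines (not taken from the page or any real system).
SAMPLE_LOGS = [
    "2025-05-27T10:01:02Z proxy user=alice host=bitdefender-download.com path=/download/StoreInstaller.zip status=200",
    "2025-05-27T10:01:30Z proxy user=alice host=www.bitdefender.com path=/ status=200",
    "2025-05-27T10:05:11Z fw src=10.0.0.12 dst=67.217.228.160 dport=4449 proto=tcp action=allow",
    "2025-05-27T10:05:12Z fw src=10.0.0.12 dst=67.217.228.160 dport=443 proto=tcp action=allow",
    "2025-05-27T10:02:00Z edr host=WS-12 process=StoreInstaller.exe parent=explorer.exe",
]


def refang(value: str) -> str:
    """Turn a defanged indicator (x[.]y) back into a matchable string."""
    return value.replace("[.]", ".")


def matches(line: str) -> List[str]:
    """Return the names of every page-listed indicator seen in one log line."""
    hits: List[str] = []
    domain = refang(DEFANGED_DOMAIN)
    c2_ip, c2_port = refang(DEFANGED_C2).split(":")

    # Proxy/DNS: exact host or a subdomain of the spoofed domain only; the
    # legitimate bitdefender.com merely shares a substring and must not match.
    host = re.search(r"\bhost=([\w.-]+)", line)
    if host and (host.group(1) == domain or host.group(1).endswith("." + domain)):
        hits.append("spoofed-domain")

    # Firewall/netflow: require both address and port, since the report ties
    # samples together by the IP:port pair rather than the IP alone.
    dst = re.search(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b", line)
    dport = re.search(r"\bdport=(\d+)\b", line)
    if dst and dport and dst.group(1) == c2_ip and dport.group(1) == c2_port:
        hits.append("venomrat-c2")

    # EDR/process logs: the dropper executable named in the report.
    proc = re.search(r"\bprocess=(\S+)", line)
    if proc and proc.group(1).lower() == DROPPER_NAME.lower():
        hits.append("dropper-exe")
    return hits


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> matched indicators for every line that hit anything."""
    return {i: h for i, line in enumerate(lines) if (h := matches(line))}
```

Running `scan(SAMPLE_LOGS)` flags the spoofed-domain fetch, the 4449/tcp connection and the dropper process while leaving the legitimate bitdefender.com request and the port-443 flow alone.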

The use of cloud services like Bitbucket, Amazon S3 [2] [3] [4] [6] [7] [8] [10], and GitHub for malware delivery complicates efforts to disrupt the campaign. Users are advised to download applications only from official app stores [5], verify website authenticity [10], exercise caution with email links and attachments [2], and refrain from entering credentials on suspicious pages [10]. Additionally, scanning files with up-to-date antivirus tools before execution is crucial to defend against such threats [3].

Conclusion

The ongoing malicious campaign leveraging a spoofed Bitdefender website highlights the evolving tactics of cybercriminals in distributing malware. The use of sophisticated tools like VenomRAT, StormKitty [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], and SilentTrinity underscores the need for heightened vigilance and robust cybersecurity measures. Users must remain cautious, ensuring they download software from trusted sources and regularly update their security protocols. As cyber threats continue to evolve, ongoing research and collaboration among security experts are essential to mitigate risks and protect users from potential breaches.

References

[1] https://uk.pcmag.com/security/158278/dont-fall-for-it-fake-bitdefender-site-will-infect-your-pc-with-malware
[2] https://blog.netmanageit.com/fake-bitdefender-site-spreads-trio-of-malware-tools/
[3] https://cyberinsider.com/fake-bitdefender-site-spreads-venomrat-and-stormkitty-malware/
[4] https://securityaffairs.com/178366/malware/fake-antivirus-spreads-venom-rat.html
[5] https://www.forbes.com/sites/zakdoffman/2025/05/27/microsoft-windows-warning-do-not-install-these-apps-on-your-pc/
[6] https://www.techradar.com/pro/security/watch-out-that-antivirus-website-could-be-a-fake-and-infecting-your-pc-with-malware
[7] https://wol.com/watch-out-that-antivirus-website-could-be-a-fake-and-infecting-your-pc-with-malware/
[8] https://www.infosecurity-magazine.com/news/fake-bitdefender-site-spreads/
[9] https://cybersecuritynews.com/hackers-mimic-popular-antivirus-site/
[10] https://www.hendryadrian.com/inside-a-venomrat-malware-campaign/