Proofpoint has identified a new malware strain called ZenRAT [1] [3], which is being distributed through counterfeit Bitwarden installation packages [1] [4]. This modular remote access trojan (RAT) specifically targets Windows users and redirects non-Windows users to legitimate websites to avoid detection.


The exact method of distribution for ZenRAT is unclear [4], but it may involve tactics such as SEO poisoning [4], adware bundles [2] [4], or email-based attacks [4]. ZenRAT poses a significant cybersecurity threat as it has the ability to steal information. What makes ZenRAT particularly dangerous is its selective distribution strategy [4], offering the fake Bitwarden download only to Windows users while redirecting others to a legitimate website [4]. The malware authors have taken steps to obscure the payload’s hosting domain [4], making it difficult to trace its origin [4]. ZenRAT disguises itself as a different application in its metadata and collects extensive host information once executed [4]. This stolen data [2] [4], along with browser data and credentials [4], is sent back to the malware’s command and control server [4].

Proofpoint advises users to download software only from reputable sources and to be cautious of ads in search engine results [2], and warns about the risk of infection through such ads [3]. It is important for users to stay informed and practice good online security measures [3].


ZenRAT’s discovery highlights the ongoing threat of malware and the need for users to remain vigilant. By downloading software only from trusted sources and being cautious of ads in search engine results [2], users can reduce their risk of infection. It is crucial for individuals to stay informed about cybersecurity threats and practice good online security measures to protect their personal information and devices.