
Cybersecurity researchers have uncovered a sophisticated campaign where attackers use a counterfeit Bitdefender antivirus website to spread VenomRAT malware.
The goal is to steal credentials linked to financial accounts, according to a report by DomainTools.
The threat actors created a fraudulent website nearly identical to Bitdefender’s official Windows download page. Users are tricked into clicking a “Download for Windows” button, which delivers a malicious archive. This archive contains executables designed to install VenomRAT, a remote access Trojan capable of keylogging and data exfiltration.
DomainTools researchers found additional malware components in the payload. These include SilentTrinity and StormKitty, two open-source tools that enable persistent stealth access and credential theft.
StormKitty specifically targets passwords and cryptocurrency wallet data, while SilentTrinity maintains covert control over infected systems.
“These tools work in concert: VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control,” the report states.
Further investigation revealed that the attackers likely spoofed other trusted organizations, including banks and IT service providers, to expand their phishing reach.
Bitdefender confirmed that it is aware of the campaign and said it detected the fake site in early May. The company monitors for typosquatting and similar tactics aimed at deceiving users, and its security products have flagged both the malicious payload and the URL.
The company is collaborating with its DNS provider, Cloudflare, and other partners to remove the rogue website entirely. Due to VenomRAT’s widespread availability on cybercriminal marketplaces, pinpointing the responsible group remains difficult.
Bitdefender emphasized ongoing efforts to identify and block VenomRAT and other infostealer infections, protecting users before harm occurs.