Fake antivirus websites spread Venom RAT malware to steal crypto wallets

Author

NEXT2i

Cybersecurity researchers have discovered a sophisticated malicious campaign in which cybercriminals cloned an official site of the antivirus publisher Bitdefender to entice internet users to download a remote access Trojan known as Venom RAT.

According to the DomainTools Intelligence (DTI) report, this malicious operation demonstrates a clear intent to compromise victims' credentials, access their cryptocurrency wallets, and potentially resell access to their systems.

A Fraudulent Site Mimicking Bitdefender to Distribute Malware

The fake site, hosted at bitdefender-download[.]com, closely mimics the appearance of the official Bitdefender site and invites visitors to download a Windows version of the antivirus. Clicking the "Download for Windows" button fetches a file from a Bitbucket repository that redirects to an Amazon S3 bucket. The Bitbucket repository has since been disabled.
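The lure domain above works because the brand name is embedded in an unrelated registrable domain. The following Python script is an added example, not part of the original article or of any DomainTools tooling: it refangs defanged hostnames from a report or log line and classifies each one as the brand's legitimate domain, a brand-embedded lookalike (the pattern used here), a brand name placed in a subdomain, or a near-typo. The allow-list of legitimate Bitdefender domains and the similarity threshold are assumptions for the example, and registrable-domain extraction is simplified to the last two labels rather than using the Public Suffix List.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list (assumption for this example): registrable domains the
# brand is expected to use. A production check would maintain this per brand.
LEGIT_DOMAINS = {
    "bitdefender": {"bitdefender.com", "bitdefender.net"},
}

# Matches hostnames written plainly or defanged with "[.]" (e.g. brand[.]com).
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:(?:\.|\[\.\])[a-z0-9-]+)+\b", re.IGNORECASE)

# Similarity ratio above which a registrable label counts as a typo of the brand.
TYPO_THRESHOLD = 0.8


def refang(host):
    """Normalise a possibly defanged hostname to plain lowercase form."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".")


def registrable_domain(host):
    """Simplified registrable domain: last two labels (no Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_domain(host, legit=LEGIT_DOMAINS):
    """Label a hostname relative to the brands in the allow-list."""
    host = refang(host)
    reg = registrable_domain(host)
    reg_label = reg.split(".")[0]
    subdomain_labels = host.split(".")[:-2]
    for brand, allowed in legit.items():
        if reg in allowed:
            return "legitimate"
        if brand in reg_label:
            # Brand plus extra words in the registrable label, e.g. brand-download.com
            return "brand-embedded"
        if any(brand in label for label in subdomain_labels):
            # Brand used as a subdomain of an unrelated domain, e.g. brand.other.example
            return "brand-subdomain"
        if SequenceMatcher(None, brand, reg_label).ratio() >= TYPO_THRESHOLD:
            return "brand-typo"
    return "unrelated"


def triage(text):
    """Extract every hostname from free text and classify it."""
    return {refang(h): classify_domain(h) for h in HOST_RE.findall(text)}


if __name__ == "__main__":
    # Constructed report line mirroring the domain named in the article.
    line = "Fake site bitdefender-download[.]com imitates www.bitdefender.com"
    for host, label in triage(line).items():
        print(f"{host:32} {label}")
```

The classifier is meant as a triage aid for proxy logs, DNS logs or threat-intel feeds: anything labelled other than "legitimate" or "unrelated" is worth a closer look, and the "brand-embedded" case is exactly the one this campaign relied on.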

The compressed file, titled BitDefender.zip, contains a malicious executable called StoreInstaller.exe. This file embeds several payloads, notably:

The Venom RAT Trojan

The open-source post-exploitation framework SilentTrinity

The StormKitty stealer, used to steal credentials and sensitive data

What is Venom RAT?

Venom RAT is an advanced variant of Quasar RAT. It allows the attacker to maintain persistent remote access to the victim's system, exfiltrate confidential data, and execute commands remotely.

DomainTools states that the fake site shares technical and temporal similarities with other phishing campaigns targeting financial institutions like the Royal Bank of Canada or trusted IT services like Microsoft. These operations seek to harvest credentials by exploiting the reputation of major brands.

A Modular and Hard-to-Detect Attack

One of the notable aspects of this campaign is the chaining of several open-source tools. Venom RAT quietly establishes access to the system, StormKitty collects sensitive data (passwords, crypto wallets), and SilentTrinity lets the attacker maintain lasting control without being detected.

This modular approach makes the attacks more effective and adaptable, and harder for traditional security solutions to spot.

Other Similar Campaigns Detected

This discovery comes shortly after an alert from Sucuri regarding a "ClickFix" campaign using fake Google Meet screens. These fraudulent pages entice users to execute a PowerShell command, promising to fix an alleged microphone problem.

Furthermore, another sophisticated phishing campaign exploiting Google's AppSheet platform was reported. It aims to bypass email authentication mechanisms (SPF, DKIM, DMARC) by sending messages from a valid domain, noreply@appsheet[.]com, in order to impersonate Meta (Facebook). The trap links redirect to adversary-in-the-middle (AitM) pages capable of stealing credentials and 2FA codes in real time.
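SPF, DKIM and DMARC only verify that a message genuinely comes from the domain in its From header; a message sent through AppSheet from noreply@appsheet.com passes all three while its display name claims to be Meta. The Python script below is an added example, not part of the original article: it parses a constructed message with the standard library, reads the receiving server's Authentication-Results header, and flags the case where authentication passes but the display name invokes a brand whose expected sending domains do not include the From domain. The brand-to-domain allow-list and the sample headers are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list (assumption for this example): domains from which a
# brand's genuine mail is expected. Maintain this per brand in a real deployment.
BRAND_DOMAINS = {
    "meta": {"meta.com", "facebookmail.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}

# Pulls spf=/dkim=/dmarc= verdicts out of an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from every Authentication-Results header."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(header):
            results[mechanism.lower()] = verdict.lower()
    return results


def assess(raw_message, brands=BRAND_DOMAINS):
    """Return authentication status and any display-name brand impersonation."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = parse_auth_results(msg)
    auth_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    impersonated = None
    name_lc = display_name.lower()
    for brand, allowed in brands.items():
        # Brand named in the display name, but the From domain is not one it uses.
        if re.search(rf"\b{brand}\b", name_lc) and from_domain not in allowed:
            impersonated = brand
            break

    if impersonated and auth_pass:
        verdict = "authenticated-impersonation"   # passes SPF/DKIM/DMARC, still a lure
    elif impersonated:
        verdict = "unauthenticated-impersonation"
    else:
        verdict = "clean"
    return {"from_domain": from_domain, "auth_pass": auth_pass,
            "impersonated_brand": impersonated, "verdict": verdict}


# Constructed message modelled on the AppSheet abuse described in the article.
SAMPLE_PHISH = "\n".join([
    'From: "Meta for Business" <noreply@appsheet.com>',
    "To: victim@example.org",
    "Subject: Action required on your Facebook page",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=appsheet.com;"
    " dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com",
    "",
    "Your page has been restricted. Review the decision within 24 hours.",
])

# Constructed message from a domain the allow-list attributes to the brand.
SAMPLE_LEGIT = "\n".join([
    'From: "Meta" <security@facebookmail.com>',
    "To: victim@example.org",
    "Subject: New login to your account",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=facebookmail.com;"
    " dkim=pass header.d=facebookmail.com; dmarc=pass header.from=facebookmail.com",
    "",
    "We noticed a new login from a device you have not used before.",
])

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, assess(raw))
```

The point the script makes is that a "pass" on all three mechanisms is necessary but not sufficient: DMARC aligns the From domain with the SPF and DKIM domains, and here all three are appsheet.com, so the check is satisfied by design. A display-name-versus-domain rule of this kind is the additional layer a mail gateway needs to catch legitimately authenticated brand impersonation.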

Conclusion: Remaining Vigilant Against Advanced Phishing Campaigns

This series of campaigns demonstrates the growing sophistication of online threats. By relying on open-source tools and exploiting user trust in established brands, cybercriminals are redoubling their ingenuity.

To protect oneself, it is essential to:

Verify the authenticity of visited sites.

Never download applications outside of official sources.

Use up-to-date security solutions.

Strengthen user awareness of phishing techniques.

Collective vigilance and the implementation of cybersecurity best practices remain the best defenses against these targeted attacks.