Friday, June 13, 2025
Fake Antivirus Site Distributes Malware to Steal Financial Data

by Charline

Cybercriminals are using a fake Bitdefender antivirus website to spread a dangerous set of malware designed to steal financial data and maintain long-term access to victims’ systems.

Researchers at DomainTools Intelligence (DTI) discovered the fake website, bitdefender-download[.]co, which closely resembles the official Bitdefender download page. The site is part of a larger phishing campaign aimed at stealing banking credentials, cryptocurrency wallets, and personal information.

How the Attack Works

When users click the “Download For Windows” button on the fake site, a ZIP file downloads containing three malware programs: VenomRAT, StormKitty, and SilentTrinity.

The attack starts with a file hosted on Bitbucket. This file redirects to Amazon S3 storage, which makes the download process appear more legitimate.

The downloaded file, disguised as StoreInstaller.exe, includes all three malware tools, each with a specific function in the cyberattack.

Three-Part Malware Payload

  • VenomRAT: A remote access tool that provides full control of the victim’s machine. It can steal files, browser data, cryptocurrency wallets, and credit card details. It also performs keylogging.
  • StormKitty: A credential stealer that quickly collects passwords and other sensitive information.
  • SilentTrinity: A post-exploitation tool that allows hackers to stay hidden and maintain access for future attacks or resale.

VenomRAT, originally based on Quasar RAT, now includes enhanced features to steal even more data, such as saved credit card information from browsers.

Wider Operation and Infrastructure

DomainTools found that the fake Bitdefender site uses the same infrastructure as other fraudulent websites, including ones impersonating the Armenian IDBank and the Royal Bank of Canada.

The malware campaign uses a shared command and control server, consistently connecting to IP address 67.217.228.160:4449.
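The infrastructure details above (the lookalike domain, the shared C2 endpoint and the dropper filename) are the kind of indicators a defender turns into a log check. The script below is an added example, not code from the DomainTools report or from Bitdefender; it scans constructed proxy log lines for those indicators and, going one step beyond the report, also flags any other hostname that carries the "bitdefender" brand string but is not on an assumed allowlist of the vendor's real domain.

```python
import re

# Indicators quoted in the report above.
C2_ENDPOINT = ("67.217.228.160", 4449)
LOOKALIKE_DOMAIN = "bitdefender-download.co"
DROPPER_NAME = "storeinstaller.exe"

# Brand heuristic. Assumption: bitdefender.com is the only legitimate vendor domain.
BRAND = "bitdefender"
LEGIT_DOMAINS = {"bitdefender.com"}

# Constructed proxy log (not from the report): ts client host dst_ip dst_port path.
# The "bitdefender-update.net" line is an invented example of a second lookalike.
SAMPLE_LOG = """\
2025-06-12T09:01:11Z 10.0.0.12 www.bitdefender.com 203.0.113.10 443 /downloads
2025-06-12T09:02:40Z 10.0.0.12 bitdefender-download.co 198.51.100.7 443 /StoreInstaller.exe
2025-06-12T09:03:05Z 10.0.0.12 bitbucket.org 198.51.100.8 443 /repo/x/downloads/file.zip
2025-06-12T09:05:30Z 10.0.0.12 - 67.217.228.160 4449 -
2025-06-12T09:07:12Z 10.0.0.13 bitdefender-update.net 198.51.100.9 443 /setup.exe
2025-06-12T09:08:00Z 10.0.0.13 cdn.example.net 192.0.2.9 443 /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-part public suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify(line: str) -> list:
    """Return the indicator names matched by one log line (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable line: ignore rather than crash the scan
    _ts, _client, host, dst_ip, dst_port, path = m.groups()
    hits = []
    if (dst_ip, int(dst_port)) == C2_ENDPOINT:
        hits.append("venomrat-c2")
    reg = registrable_domain(host) if host != "-" else ""
    if reg == LOOKALIKE_DOMAIN:
        hits.append("known-lookalike-domain")
    elif BRAND in reg and reg not in LEGIT_DOMAINS:
        hits.append("brand-lookalike-domain")  # heuristic, needs analyst review
    if path.lower().endswith(DROPPER_NAME):
        hits.append("dropper-filename")
    return hits


def scan(log: str) -> list:
    """Return (line_index, hits) for every flagged line in the log text."""
    flagged = []
    for i, line in enumerate(log.splitlines()):
        hits = classify(line)
        if hits:
            flagged.append((i, hits))
    return flagged
```

Running `scan(SAMPLE_LOG)` flags the lookalike download, the C2 connection on port 4449 and the constructed second lookalike, while the real vendor site and Bitbucket traffic pass clean.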

“The attacker’s dual focus is clear: harvest financial data quickly and maintain stealthy, long-term access,” DomainTools researchers said.

Protecting Yourself

Bitdefender confirmed the threat and is working to take down the fake site. Its software now detects the malicious files, and Google Chrome also blocks access to the download link.

Security experts advise users to:

  • Download antivirus software only from official vendor websites.
  • Be cautious of urgent security alerts that push software downloads.
  • Avoid clicking suspicious links or opening unexpected email attachments.
  • Verify website URLs carefully before downloading any software.

This attack highlights how cybercriminals are becoming more sophisticated, using convincing fake websites to launch multi-stage attacks that target users’ most sensitive financial data.
