Cybersecurity researchers have disclosed a new malicious campaign that uses a fake website advertising antivirus software from Bitdefender to dupe victims into downloading a remote access trojan called Venom RAT.
The campaign indicates a “clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems,” the DomainTools Intelligence (DTI) team said in a new report shared with The Hacker News.
The website in question, “bitdefender-download[.]com,” advertises site visitors to download a Windows version of the Antivirus software. Clicking on the prominent “Download for Windows” button initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket. The Bitbucket account is no longer active.
The ZIP archive (“BitDefender.zip”) contains an executable called “StoreInstaller.exe,” which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer.
Venom RAT is an offshoot of Quasar RAT that comes with capabilities to harvest data and provide persistent remote access to attackers.
DomainTools said the decoy website masquerading as Bitdefender shares temporal and infrastructure overlaps with other malicious domains spoofing banks and generic IT services that have been used as part of phishing activity to harvest login credentials associated with Royal Bank of Canada and Microsoft .
“These tools work in concert: Venom RAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control,” the company said.
“This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This “build-your-own-malware” approach makes these attacks more efficient, stealthy, and adaptable.”
The disclosure comes as Sucuri warned of a ClickFix-style campaign that employs bogus Google Meet pages to deceive users into installing noanti-vm.bat RAT, a heavily obfuscated Windows batch script that grants remote control over the victim’s computer.
“This fake Google Meet page doesn’t present a login form to steal credentials directly,” security researcher Puja Srivastava said. “Instead, it employs a social engineering tactic, presenting a fake ‘Microphone Permission Denied’ error and urging the user to copy and paste a specific PowerShell command as a ‘fix.'”
It also follows a spike in phishing attacks that exploit Google’s AppSheet no-code development platform to mount a highly targeted, sophisticated campaign impersonating Meta.
“Utilizing state-of-the-art tactics such as polymorphic identifiers, advanced man‑in‑the‑middle proxy mechanisms and multi-factor authentication bypass techniques, the attackers aim to harvest credentials and two-factor authentication (2FA) codes, enabling real-time access to social media accounts,” the KnowBe4 Threat Lab said in a report.
The campaign entails the use of AppSheet to deliver phishing emails at scale, allowing the threat actors to bypass email security defenses such as SPF, DKIM, and DMARC owing to the fact that the messages originate from a valid domain (“noreply@appsheet[.]com”).
Furthermore, the emails claim to be from Facebook Support and employ account deletion warnings to trick users into clicking on fake links under the pretext of submitting an appeal within a 24-hour time period. The booby-trapped links lead victims to an adversary-in-the-middle (AitM) phishing page designed to harvest their credentials and two-factor authentication (2FA) codes.
“To further evade detection and complicate remediation, the attackers leverage AppSheets’ functionality for generating unique IDs, shown as Case IDs in the body of the email,” the company said.
“The presence of unique polymorphic identifiers in each phishing email ensures every message is slightly different, helping them bypass traditional detection systems that rely on static indicators such as hashes or known malicious URLs.”
