A sophisticated malware campaign is actively distributing a Remote Access Trojan (RAT) by tricking users into downloading fake versions of the popular FileZilla FTP client. Fraudulent websites have been meticulously designed to mimic the official FileZilla download page, leading unsuspecting individuals to download malicious installer files. This stealthy attack aims to compromise Windows systems unnoticed while users believe they are installing a trusted software application.
EST Security analysts identified this ongoing operation, confirming it as a coordinated effort by a specific threat actor. The attack leverages social engineering, exploiting user trust in legitimate software sources to deliver a potent RAT. Initial analysis has revealed two primary delivery methods, both designed to bypass standard security measures and infect systems silently.
Fake FileZilla Downloads Lead to RAT Infections Through Stealthy Multi-Stage Loader
The campaign’s effectiveness stems from its ability to bundle a legitimate copy of FileZilla with a hidden malicious DLL. This is achieved through fake domains that closely resemble the real FileZilla website. When a user downloads and executes the package, the FileZilla installation proceeds normally, while the concealed malicious code operates in the background without any visible indication of compromise.
One confirmed delivery format involves distributing FileZilla 3.69.5 Portable within a compressed archive that also contains a malicious DLL file named `version.dll`. When the user extracts and runs the FileZilla executable, Windows resolves the `version.dll` import by searching the executable's own directory before the system directories, so the planted copy is loaded in place of the genuine library. This technique, known as DLL sideloading, exploits the default DLL search order in Windows systems.
A second variant was found to pack both the legitimate FileZilla installer and the malicious DLL into a single executable file. During the installation process, the DLL is silently dropped into the program’s directory and is designed to load every time FileZilla is launched. The ultimate payload delivered by this infection chain is a fully functional Remote Access Trojan.
Once active on a victim’s system, the RAT grants attackers extensive control. It possesses the capability to steal credentials stored within web browsers, log every keystroke, capture live desktop screenshots, and remotely control the machine through a hidden virtual desktop session utilizing Hidden Virtual Network Computing (HVNC). This hidden desktop feature allows attackers to download additional malware and navigate internal network systems without raising any suspicion on the victim’s screen.
This campaign is particularly concerning as it does not exploit any software vulnerabilities. Its success relies entirely on social engineering tactics, manipulating users into executing what appears to be a routine software download. This renders traditional patch management strategies ineffective against this specific threat, placing user awareness and secure download practices as the primary lines of defense.
Multi-Stage Loader Architecture and C2 Evasion
Upon successful loading of the malicious DLL, the RAT payload is not immediately deployed. Instead, the malware initiates a chain of four sequential loader stages. Each stage is responsible for decrypting and executing the subsequent stage entirely within system memory, crucially avoiding the creation of any suspicious files on disk. This layered approach significantly complicates detection by security tools, as each stage exists only temporarily in memory, leaving minimal forensic traces on the file system.
For command-and-control (C2) communication, the malware employs DNS-over-HTTPS. This method encrypts malicious DNS lookups within ordinary-looking HTTPS traffic, sending them to Cloudflare’s public resolver at 1.1.1.1 to establish connections with the C2 domain, identified as `welcome.supp0v3.com`. This technique effectively bypasses port-53 filters and DNS monitoring tools commonly relied upon by security teams.
Further analysis of the C2 communication data revealed the presence of UTM-style tracking parameters. This indicates that the attackers are systematically tracking the sources of infections and actively managing groups of victims. Before deploying its final payload, the malware performs a scan of the infected host for indicators of virtual machines and sandboxes. It scrutinizes BIOS manufacturer details, active processes, loaded drivers, and registry values against an internal list of known virtual environment signatures. If any sandbox markers are detected, the payload is withheld, preventing the malware from being analyzed in a controlled research environment.
Users are strongly advised to always download software directly from official project websites and to exercise caution with third-party portals or unfamiliar download links. Security teams should implement monitoring of HTTPS traffic directed at public DNS resolvers and deploy behavior-based endpoint detection tools. These tools can help identify in-memory loader activity that bypasses file-based security scanning, offering a more robust defense against such stealthy threats.
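The DNS-over-HTTPS channel described above and the monitoring advice that follows can be turned into a concrete detection. The script below is an added example, not code from EST Security or the article, and it assumes a TLS-inspecting proxy that logs the full request URL for HTTPS flows (constructed log format: timestamp, source IP, destination IP:port, process name, URL). It flags any HTTPS flow to a public resolver IP, decodes RFC 8484 GET-style queries (`/dns-query?dns=<base64url DNS message>`) to recover the queried name, and raises the severity when that name is the C2 domain from the IoC list. The resolver 1.1.1.1 and the C2 domain come from the page; 1.0.0.1, the browser allow-list and the log layout are assumptions.

```python
import base64
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# 1.1.1.1 is the resolver named on the page; 1.0.0.1 (Cloudflare's secondary) is an assumption.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}
# C2 domain from the page's IoC list.
C2_DOMAINS = {"welcome.supp0v3.com"}
# Assumed allow-list: browsers that legitimately speak DoH on their own.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 A-record query (used only to construct sample input)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN


def decode_dns_qname(wire: bytes) -> str:
    """Return the first question name from a DNS message in wire format."""
    if len(wire) < 12:
        raise ValueError("truncated DNS header")
    labels, pos = [], 12  # question section starts right after the 12-byte header
    while True:
        if pos >= len(wire):
            raise ValueError("truncated question name")
        length = wire[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query's question name
            raise ValueError("unexpected compression pointer")
        pos += 1
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def decode_doh_get(url: str) -> Optional[str]:
    """Recover the queried name from an RFC 8484 GET request, or None if it is not one."""
    parts = urlsplit(url)
    if not parts.path.endswith("/dns-query"):
        return None
    params = parse_qs(parts.query)
    if "dns" not in params:
        return None
    payload = params["dns"][0]
    payload += "=" * (-len(payload) % 4)  # RFC 8484 strips base64url padding; restore it
    return decode_dns_qname(base64.urlsafe_b64decode(payload))


def doh_get_url(resolver_ip: str, name: str) -> str:
    """Construct a DoH GET URL the way a client would (sample-input helper)."""
    payload = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver_ip}/dns-query?dns={payload}"


# Constructed proxy log lines: timestamp src_ip dst_ip:port process url
LOG_LINES = [
    f"2025-01-10T09:12:01Z 10.0.0.21 1.1.1.1:443 filezilla.exe {doh_get_url('1.1.1.1', 'welcome.supp0v3.com')}",
    "2025-01-10T09:12:05Z 10.0.0.21 93.184.216.34:443 chrome.exe https://example.com/",
    f"2025-01-10T09:13:10Z 10.0.0.33 1.1.1.1:443 firefox.exe {doh_get_url('1.1.1.1', 'example.com')}",
    "2025-01-10T09:14:42Z 10.0.0.21 1.0.0.1:443 filezilla.exe https://1.0.0.1/dns-query",  # POST-style, body not logged
]


def analyze_log(lines: List[str]) -> List[dict]:
    """Flag HTTPS flows to public DoH resolvers; escalate on C2 names and non-browser processes."""
    findings = []
    for line in lines:
        ts, src, dst, proc, url = line.split(maxsplit=4)
        dst_ip = dst.rsplit(":", 1)[0]
        if dst_ip not in DOH_RESOLVER_IPS:
            continue
        qname = decode_doh_get(url)
        if qname in C2_DOMAINS:
            severity = "high"      # resolver asked for the known C2 domain
        elif proc.lower() in BROWSERS:
            severity = "info"      # browsers use DoH legitimately; record, do not page
        else:
            severity = "medium"    # non-browser process talking DoH to a public resolver
        findings.append({"time": ts, "src": src, "process": proc, "qname": qname, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze_log(LOG_LINES):
        print(f"[{f['severity']:6}] {f['time']} {f['src']} {f['process']} -> {f['qname']}")
```

Without TLS inspection the query name is invisible, but the first tier still works: any process other than an allow-listed browser opening port 443 to a public resolver IP is worth an alert, which is exactly the traffic the article recommends watching.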
IoCs
Indicator: C608AC44ED1F4FE707B9520F87FB1564, Type: MD5, Description: Malicious DLL file, Detection Name: Backdoor.Agent.361984A
Indicator: 9D7C559F1885EDE6911611165EFF07F7, Type: MD5, Description: Malicious DLL file, Detection Name: Backdoor.Agent.361984A
Indicator: D7C3ECB76C03C1C0AA98D4E2D71C2BCF, Type: MD5, Description: FileZilla installation file, Detection Name: Trojan.Dropper.Agent
Indicator: filezilla-project.live, Type: Domain, Description: Fake FileZilla site
Indicator: hxxps://welcome.supp0v3[.]com/dcallback, Type: URL, Description: C2 server callback
Indicator: 95.216.51.236:31415, Type: IP:Port, Description: C2 server
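The IoC list above and the sideloading mechanism described earlier can be checked on an endpoint with a small sweep of the FileZilla install or portable directory. The script below is an added example, not tooling from EST Security or the FileZilla project. It hashes every file under the application directory against the three MD5 values from the IoC list and separately flags any DLL sitting beside the executable whose name shadows a Windows system library; `version.dll` is the name from the page, and on Windows the set is widened to every DLL actually present in System32 (an assumption that generalises the page's single example). The sample directory it builds is constructed, so its dummy files will not match the published hashes.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Set

# MD5 values from the page's IoC list (lower-cased for comparison).
IOC_MD5 = {
    "c608ac44ed1f4fe707b9520f87fb1564",  # malicious DLL
    "9d7c559f1885ede6911611165eff07f7",  # malicious DLL
    "d7c3ecb76c03c1c0aa98d4e2d71c2bcf",  # trojanised FileZilla installer
}

# DLL name used by the campaign according to the page.
KNOWN_SIDELOAD_NAMES = {"version.dll"}


def system_dll_names() -> Set[str]:
    """Names of DLLs an application-directory copy could shadow.

    Assumption: on Windows every DLL in %SystemRoot%\\System32 is a candidate, since the
    loader searches the executable's directory first; elsewhere fall back to the page's name.
    """
    names = set(KNOWN_SIDELOAD_NAMES)
    system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    if system32.is_dir():
        names |= {p.name.lower() for p in system32.glob("*.dll")}
    return names


def md5_of(path: Path) -> str:
    """Stream the file through MD5 (the hash type the IoC list uses)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_app_dir(app_dir, ioc_hashes: Set[str] = IOC_MD5,
                 shadow_names: Optional[Set[str]] = None) -> List[dict]:
    """Return one finding per file that matches an IoC hash or looks like a sideload DLL."""
    app_dir = Path(app_dir)
    shadow_names = shadow_names if shadow_names is not None else system_dll_names()
    findings = []
    for p in sorted(app_dir.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        digest = md5_of(p)
        if digest in ioc_hashes:
            reasons.append("md5 matches published IoC")
        if p.suffix.lower() == ".dll" and p.name.lower() in shadow_names:
            reasons.append("DLL shadows a Windows system library (sideload candidate)")
        if reasons:
            findings.append({"path": p.relative_to(app_dir).as_posix(),
                             "md5": digest, "reasons": reasons})
    return findings


def build_sample_dir() -> Path:
    """Constructed sample: a fake portable FileZilla folder with a version.dll beside the exe."""
    root = Path(tempfile.mkdtemp(prefix="fz_sample_"))
    (root / "filezilla.exe").write_bytes(b"MZ placeholder - not a real executable")
    (root / "version.dll").write_bytes(b"MZ placeholder - not a real DLL")
    (root / "resources").mkdir()
    (root / "resources" / "locale.txt").write_text("benign resource file\n")
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for f in scan_app_dir(sample):
        print(f"{f['path']}  md5={f['md5']}  {'; '.join(f['reasons'])}")
```

A legitimate FileZilla directory has no reason to carry its own `version.dll`, so the shadow check is a useful hunt even after the actors rotate hashes; the hash check remains the quick confirmation against the published indicators.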
The ongoing nature of this campaign suggests that attackers will likely continue to refine their techniques to evade detection. Users should remain vigilant, and security professionals will need to adapt their monitoring strategies to account for the increasing sophistication of malware distribution methods that bypass traditional security controls.