This analysis details a malicious campaign that uses a fake website to spread VenomRAT, a Remote Access Trojan (RAT). The malware bundles tools for password theft and stealthy access. The research examines the attackers' methods, such as deceptive websites and command-and-control infrastructure, which indicate a clear intent to target individuals for financial gain by compromising their credentials and crypto wallets and potentially selling access to their systems.
The malicious domain “bitdefender-download[.]com” resolves to a website titled “DOWNLOAD FOR WINDOWS,” which spoofs Bitdefender’s Antivirus for Windows download page.

The “Download For Windows” button initiates a file download from the following Bitbucket URL:
“https[:]//bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/BitDefender.zip”
The Bitbucket URL redirects to its content source on Amazon S3:
“https[:]//bbuseruploads.s3.amazonaws[.]com/9e2daa63-bae3-4cbb-9f88-8154ba43261f/downloads/aa7b9593-2ccd-4cd0-9e04-9b4a7da9276b/BitDefender.zip”
The bundled executable StoreInstaller.exe was found to contain malware configurations associated with VenomRAT. It also contained code associated with the open-source post-exploitation framework SilentTrinity and the StormKitty stealer.
A report by Arconis describes VenomRAT as a RAT that originated as a fork of the open-source Quasar RAT. It is often used for initial access and persistence. Capabilities include remote access, stealing credentials, keylogging, exfiltration and more.
At a high level, the three malware families function as follows:
The inclusion of SilentTrinity and StormKitty (both open-source malware tools) indicates the attacker’s dual focus: rapidly harvesting financial credentials and crypto wallets during initial access, while also establishing stealthy, persistent access for potential long-term exploitation. The implications of long-term access may include repeat compromise or the sale of that access.
Observed VenomRAT configurations showed multiple identifiable attributes that allowed reliable pivots to other samples likely created by the same actor, including the reuse of the same IP and port, 67.217.228[.]160:4449, for command and control.
Related samples using the same VenomRAT configurations:
VenomRAT C2 IPs
A reused 3389 service configuration was identified via Shodan (“hash:-971903248”), allowing pivots to additional IP addresses with the same configuration. Several of these IPs were confirmed to be in use as VenomRAT C2s and are suspected to have been configured by the same actor.
Delivery Sites:
The lure website domain spoofing Bitdefender was observed to overlap in infrastructure and timing with other malicious domains impersonating banks and generic IT services, which are suspected of being used for phishing.
NameServer: cloudflare.com
IP ISP: cloudflare.com
Registrar:
SSL Issuer:
Server Type: cloudflare
This investigation reveals a deceptive campaign using VenomRAT, a powerful remote access tool, disguised as a legitimate Bitdefender antivirus download. Imagine clicking a button on what looks like a trusted site, only to unleash a trio of malicious programs – VenomRAT, StormKitty, and SilentTrinity – onto your system. These tools work in concert: VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control. We tracked down the attackers' command centers, identified other malware they likely used, and uncovered their web of fake download sites and phishing traps spoofing banks and online services.
This campaign underscores a constant trend: attackers are using sophisticated, modular malware built from open-source components. This "build-your-own-malware" approach makes these attacks more efficient, stealthy, and adaptable. While the open-source nature of these tools can help security experts spot them faster, the primary victims here are everyday internet users. These criminals are after your hard-earned money, targeting your bank accounts and cryptocurrency wallets with fake login pages and malware disguised as safe software.
This isn't just a problem for big companies – it's a threat to everyone online. So, what can you do?
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/VenomRAT-Malware-Campaign.csv
If the community has any additional input, please let us know.