Malware - Fake FileZilla Downloads Lead to RAT Infections
Basically, fake FileZilla downloads can secretly install harmful software on your computer.
A new malware campaign is tricking users into downloading fake FileZilla installers. This leads to serious infections, allowing attackers to control systems. Stay vigilant and only download from official sites!
What Happened
A new malware campaign has emerged, delivering a Remote Access Trojan (RAT) through counterfeit websites that mimic the official FileZilla download page. Attackers have cleverly designed these fraudulent sites to look almost identical to the real FileZilla page. Unsuspecting users are tricked into downloading malicious installer files, believing they are getting a trusted FTP client. This attack aims to silently compromise Windows systems while victims think they are installing legitimate software.
The malicious download bundles a genuine version of FileZilla with a hidden harmful DLL file. This is delivered via a fake domain that closely resembles the official site. Once users download and run the package, the installation appears normal, but hidden malicious code executes in the background, leading to a full system compromise without any visible signs of infection.
Who's Being Targeted
This campaign primarily targets Windows users looking for the FileZilla FTP client. Because the application is so widely used, many users would not suspect foul play when downloading it. The attackers rely on social engineering to exploit that trust, so it is essential to be careful about where software is downloaded from. Notably, the malware does not exploit any software vulnerability; it relies entirely on convincing users to run what appears to be a normal installation.
Signs of Infection
Once the malicious DLL is loaded, it initiates a multi-stage loading process. This involves a series of four sequential loader stages, each decrypting and executing the next entirely within system memory. This design minimizes the chances of detection by security tools, as each stage exists only briefly in memory. The final payload is a fully functional RAT, allowing attackers to steal credentials, record keystrokes, capture screenshots, and control the infected machine through a hidden virtual desktop session.
How to Protect Yourself
To safeguard against this type of malware, always download software directly from the official project website and avoid third-party portals or unfamiliar download links. Security teams are advised to monitor HTTPS traffic directed at public DNS resolvers (DNS-over-HTTPS, which bypasses conventional DNS logging) and to deploy behavior-based endpoint detection tools, which can identify in-memory loader activity that traditional file-based scanning misses. Awareness and safe download habits remain crucial in defending against these stealthy attacks.
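As an added illustration of the monitoring advice above (example code written for this page, not from the article or any vendor tool), the following script sweeps web-proxy log lines for DNS-over-HTTPS requests, either to well-known public resolvers or anything using the RFC 8484 wire format. The log layout, the resolver lists and the sample lines are all constructed assumptions.

```python
# Added example: flag DNS-over-HTTPS lookups to public resolvers in proxy logs.
# The log layout and resolver lists below are assumptions for this example.
import re
from dataclasses import dataclass
from typing import List, Optional

# Public resolvers that also serve DoH; extend with your own allow/deny list.
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "one.one.one.one"}
PUBLIC_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}

# Assumed proxy log layout: time client method host dest_ip path content_type
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

@dataclass(frozen=True)
class DohHit:
    client: str
    host: str
    reason: str

def classify(line: str) -> Optional[DohHit]:
    """Return a DohHit when the request looks like a DoH query, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip it rather than abort the sweep
    _ts, client, _method, host, dest_ip, path, ctype = m.groups()
    host = host.lower()
    # RFC 8484 wire format: /dns-query endpoint or application/dns-message body
    wire_format = (ctype.lower() == "application/dns-message"
                   or path.split("?", 1)[0].endswith("/dns-query"))
    if host in PUBLIC_DOH_HOSTS or dest_ip in PUBLIC_DOH_IPS:
        return DohHit(client, host, "public DoH resolver")
    if wire_format:
        return DohHit(client, host, "DoH wire format to unlisted host")
    return None

def scan(lines: List[str]) -> List[DohHit]:
    """Run classify over every log line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET updates.example.com 203.0.113.10 /setup.exe application/octet-stream",
    "2024-01-01T10:00:03Z 10.0.0.5 POST dns.google 8.8.8.8 /dns-query application/dns-message",
    "2024-01-01T10:00:04Z 10.0.0.7 GET cloudflare-dns.com 1.1.1.1 /dns-query?dns=AAABAAAB application/dns-message",
    "2024-01-01T10:00:09Z 10.0.0.9 POST resolver.example.net 198.51.100.4 /dns-query application/dns-message",
    "not a log line",
]
```

Hits on hosts that are not sanctioned resolvers for your environment are the ones worth correlating with endpoint telemetry from the same client.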
Cyber Security News