Fake FileZilla Downloads Lead to RAT Infections Through Stealthy Multi-Stage Loader

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A new malware campaign has been discovered delivering a Remote Access Trojan through fake websites impersonating the official FileZilla download page.

Attackers designed these fraudulent sites to closely mirror the real FileZilla page, tricking users into downloading malicious installer files. The goal is to silently compromise Windows systems while victims believe they are installing a familiar and trusted FTP client.

The attack bundles a legitimate copy of FileZilla with a hidden malicious DLL file, delivered through a fake domain built to resemble the real FileZilla site. 

Fake FileZilla Site (Source – Alyac)

When a user downloads and runs the package, the normal installation proceeds without issue while hidden malicious code executes quietly in the background with no visible sign of infection.

EST Security analysts identified this campaign after analyzing malware samples from their threat detection system, confirming it as an active and coordinated operation driven by a specific threat actor.

Two distinct delivery formats were confirmed during the investigation. In the first, FileZilla 3.69.5 Portable was distributed inside a compressed archive containing a malicious DLL named version.dll. 

FileZilla Compressed File with Malicious DLL Added (Source – Alyac)

When the user extracts and runs the FileZilla executable, Windows resolves version.dll from the application's own directory before it looks in the system directory, so the planted copy is loaded instead of the legitimate one. This technique, called DLL sideloading, exploits the default DLL search order in Windows.

In the second variant, the attacker packed both the real FileZilla installer and the malicious DLL into a single executable file. 

Comparison of Malicious Installation File and Normal Installation File (Source – Alyac)

During installation, the DLL is silently dropped into the directory and loads each time FileZilla starts. The final payload is a fully functional Remote Access Trojan.
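Both delivery variants leave the same artifact on disk: a DLL with a system library's name sitting next to the FileZilla executable. The script below is an added example, not code from the report or from EST Security, that hunts for that pattern in an installation folder and compares each suspect's MD5 against the two DLL hashes from the report's IoC list. The list of sideload-prone DLL names beyond version.dll, the `demo_directory` helper and its placeholder file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names that Windows normally resolves from System32. A copy planted beside
# an executable is picked up first because the application directory sits ahead
# of the system directory in the default search order. version.dll is the name
# used in this campaign; the other names are assumed common sideload targets.
SIDELOAD_PRONE_NAMES = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}

# MD5 hashes of the malicious DLLs from the report's IoC list.
KNOWN_BAD_MD5 = {
    "c608ac44ed1f4fe707b9520f87fb1564",
    "9d7c559f1885ede6911611165eff07f7",
}


def md5_of(path):
    """Stream a file through MD5 so large installers don't sit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(app_dir, known_bad=KNOWN_BAD_MD5):
    """Return one finding per DLL in app_dir whose name shadows a system DLL.

    Each finding records the path, its MD5 and whether that hash is on the
    IoC list. An unknown hash is still reported: a rebuilt loader would not
    match any published hash, but the misplaced filename alone is suspicious.
    """
    findings = []
    for entry in sorted(Path(app_dir).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".dll":
            continue
        if entry.name.lower() not in SIDELOAD_PRONE_NAMES:
            continue
        digest = md5_of(entry)
        findings.append({"path": str(entry), "md5": digest,
                         "known_bad": digest in known_bad})
    return findings


def demo_directory():
    """Constructed stand-in for an extracted FileZilla Portable folder.

    libfilezilla.dll stands in for a library the application legitimately
    ships, so it must not be flagged; version.dll beside the executable is the
    sideload pattern. File contents are placeholders, not real binaries.
    """
    d = Path(tempfile.mkdtemp(prefix="fz_demo_"))
    (d / "filezilla.exe").write_bytes(b"MZ placeholder executable")
    (d / "libfilezilla.dll").write_bytes(b"MZ placeholder legitimate library")
    (d / "version.dll").write_bytes(b"MZ placeholder planted loader")
    return d


if __name__ == "__main__":
    for finding in find_sideload_candidates(demo_directory()):
        print(finding)
```

Run it against a real install directory by passing that path to `find_sideload_candidates`; the name check is what catches a fresh build of the loader, and the hash match only confirms a sample already in the report.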

Once active on a victim’s system, it lets attackers steal credentials stored in web browsers, record every keystroke, capture live desktop screenshots, and control the machine through a hidden virtual desktop session using HVNC (Hidden Virtual Network Computing).

This hidden desktop feature lets attackers download more malware and navigate internal systems without any suspicious activity showing on the victim’s screen.

This campaign is particularly alarming because it exploits no software vulnerability. It relies entirely on social engineering — convincing users to run what looks like a normal software download.

This makes traditional patch management powerless against the threat, leaving user awareness and safe download habits as the primary defense.

Multi-Stage Loader Architecture and C2 Evasion

Once the malicious DLL is loaded, it does not deliver the RAT payload right away. Instead, it launches a chain of four sequential loader stages, where each stage decrypts and runs the next entirely within system memory, without writing any suspicious file to disk.

This layered design makes it harder for security tools to catch the final payload, as each stage exists only briefly in memory and leaves almost no trace on the file system.

For command-and-control communication, the malware uses DNS-over-HTTPS, sending encrypted HTTPS requests to Cloudflare’s public resolver at 1.1.1.1 to look up the C2 domain welcome.supp0v3.com.

This hides the malicious DNS lookup inside ordinary-looking HTTPS traffic, bypassing port-53 filters and DNS monitoring tools that security teams depend on.

Analysis of the C2 JSON data also uncovered UTM-style tracking parameters, showing the attacker is systematically tracking infection sources and managing victim groups.

Before deploying its payload, the malware scans the infected host for virtual machine and sandbox indicators.

It checks BIOS manufacturer details, active processes, loaded drivers, and registry values against a built-in list of known virtual environment signatures.

When any sandbox markers are found, the payload is withheld, preventing the malware from being examined in a controlled environment.

Users should always download software directly from official project websites and avoid third-party portals or unfamiliar download links.

Security teams should monitor HTTPS traffic directed at public DNS resolvers and deploy behavior-based endpoint detection tools to identify in-memory loader activity that bypasses file-based security scanning.
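The DoH lookup described above and the monitoring recommended here come together in the following added example, which is not code from the report or from EST Security. It flags HTTPS connections from endpoints to well-known public DoH resolvers and, where a proxy performing TLS inspection exposes the request path, decodes the RFC 8484 `dns` parameter to recover the queried name. The key=value log format, the resolver list beyond 1.1.1.1, the client addresses and the idea of an approved-client list are constructed assumptions; welcome.supp0v3.com is the C2 domain named in the report.

```python
import base64
import struct

# Public DoH resolver addresses. 1.1.1.1 is the one this campaign uses; the
# rest are assumed additions a team would typically watch as well.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


def build_dns_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query in RFC 1035 wire format (used to construct sample data)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD set
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QCLASS=IN


def doh_param(msg):
    """Encode a DNS message as the unpadded base64url 'dns' GET parameter of RFC 8484."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode()


def qname_from_doh_param(param):
    """Decode a DoH 'dns' parameter and return the first question's name, or None."""
    raw = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    if len(raw) < 12 or struct.unpack(">H", raw[4:6])[0] < 1:
        return None
    pos, labels = 12, []
    while pos < len(raw):
        length = raw[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:          # compression pointers never start a question
            return None
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None                    # truncated message


def parse_kv(line):
    """Parse a space-separated key=value log line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def flag_doh(lines, approved_clients=frozenset()):
    """Return a finding for every TLS connection to a public DoH resolver.

    A client on approved_clients (for example a corporate DoH forwarder) is
    skipped. When TLS inspection exposed the request path, the queried name is
    recovered; otherwise the connection itself is the signal.
    """
    findings = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("dst") not in PUBLIC_DOH_RESOLVERS or rec.get("dport") != "443":
            continue
        if rec.get("src") in approved_clients:
            continue
        qname = None
        path = rec.get("path", "")
        if "dns=" in path:
            qname = qname_from_doh_param(path.split("dns=", 1)[1].split("&")[0])
        findings.append({"src": rec.get("src"), "dst": rec["dst"], "qname": qname})
    return findings


# Constructed sample log: one inspected DoH GET for the C2 domain, one opaque
# TLS session to the resolver, and one ordinary HTTPS connection.
_C2_PARAM = doh_param(build_dns_query("welcome.supp0v3.com"))
SAMPLE_LOG = [
    "ts=2024-01-01T10:00:01Z src=10.20.30.41 dst=1.1.1.1 dport=443 "
    f"sni=cloudflare-dns.com path=/dns-query?dns={_C2_PARAM}",
    "ts=2024-01-01T10:00:05Z src=10.20.30.42 dst=1.1.1.1 dport=443 sni=cloudflare-dns.com",
    "ts=2024-01-01T10:00:09Z src=10.20.30.41 dst=203.0.113.10 dport=443 sni=example.org",
]


if __name__ == "__main__":
    for finding in flag_doh(SAMPLE_LOG):
        print(finding)
```

The second sample line is the realistic case: without inspection the lookup is invisible, so the alert has to rest on the destination alone, which is why an allowlist of clients that are supposed to talk to a resolver over 443 matters more than the decoder.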

IoCs

| Indicator | Type | Description | Detection Name |
|---|---|---|---|
| C608AC44ED1F4FE707B9520F87FB1564 | MD5 | Malicious DLL file | Backdoor.Agent.361984A |
| 9D7C559F1885EDE6911611165EFF07F7 | MD5 | Malicious DLL file | Backdoor.Agent.361984A |
| D7C3ECB76C03C1C0AA98D4E2D71C2BCF | MD5 | FileZilla installation file | Trojan.Dropper.Agent |
| filezilla-project.live | Domain | Fake FileZilla site | |
| hxxps://welcome.supp0v3[.]com/dcallback | URL | C2 server callback | |
| 95.216.51.236:31415 | IP:Port | C2 server | |
