Fake Bitdefender website used to spread infostealer malware
Cybercriminals are using a fake Bitdefender website to spread the VenomRAT malware and steal users' financial account credentials. The malware provides remote access, logs keystrokes and exfiltrates data, and also bundles code from other open-source tools to gather more information and stay hidden. Bitdefender has detected the phishing site and is working with partners to remove the threat. 2025-5-29 12:31:26 Author: therecord.media

Cybercriminals are using a fake Bitdefender antivirus website to spread the VenomRAT malware in a campaign aimed at stealing people’s credentials for financial accounts, according to new research.

The attackers created a website that closely mimics Bitdefender’s legitimate Windows download page. Victims are infected after clicking a seemingly authentic “Download for Windows” button, which delivers a malicious archive. The archive contains executable files configured to deploy VenomRAT, which is used for remote access, keylogging and data exfiltration.

Researchers at cybersecurity firm DomainTools also identified code linked to SilentTrinity and StormKitty — two open-source malware tools — within the same payload. The inclusion of these tools suggests a dual strategy, according to researchers: harvesting financial data and crypto wallet credentials via StormKitty, while using SilentTrinity to maintain stealthy, persistent access.

“These tools work in concert: VenomRAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control,” DomainTools said in its report.

Beyond impersonating Bitdefender, the threat actor likely spoofed other trusted entities, including banks and IT service providers, to broaden the reach of its phishing activities.

Bitdefender told Recorded Future News it was aware of the campaign and first detected the rogue site in early May. “We monitor the internet for websites using typosquatting or other techniques to mislead the user into believing these are official Bitdefender websites,” the company said.

Bitdefender products flagged both the malware payload and the URL as malicious. The company is working with its DNS provider, Cloudflare, and other partners to fully remove the site from the internet.

Because VenomRAT is widely sold as a service on criminal forums, attributing the campaign to a specific group remains challenging. “Our efforts go into making sure that we correctly identify VenomRAT and other infostealer infections and block them before they harm internet users,” Bitdefender said.



Article source: https://therecord.media/fake-bitdefender-website-venomrat-infostealer