Fake FileZilla Downloads Spread RAT via Stealthy Multi-Stage Loader

GBHackers On Security, Mar 16, 2026

Why It Matters

The campaign weaponizes user trust in a ubiquitous utility, exposing enterprises to credential theft and persistent remote access without requiring software vulnerabilities. Detecting the DoH‑based C2 and DLL sideloading is critical for preventing stealthy compromises.

Key Takeaways

  • Fake FileZilla site mimics official download page.
  • Malicious version.dll sideloaded by abusing the Windows DLL search order.
  • Multi‑stage loader uses in‑memory decryption and DoH C2.
  • RAT steals credentials, keylogs, captures screens, enables remote control.
  • Defenses: official sources, app control, monitor DoH traffic.

Pulse Analysis

The rise of counterfeit software downloads underscores a shift in attacker tactics from exploiting code flaws to exploiting human trust. By cloning the FileZilla download page, the threat actors bypass traditional vulnerability scanners and lure users into running a seemingly benign installer. That installer then relies on DLL sideloading: it abuses the Windows DLL search order so that a malicious library such as version.dll is found and loaded before the legitimate system copy. The technique is attractive because it requires no zero‑day exploit, yet delivers a full‑featured RAT capable of deep system infiltration.

Once the malicious DLL is loaded, it initiates a multi‑stage loader that decrypts subsequent payloads entirely in memory, minimizing forensic footprints. Each stage incorporates anti‑analysis checks, including detection of virtual machines and VMware drivers, to evade sandbox environments. Communication with the attacker’s infrastructure is routed through DNS‑over‑HTTPS (DoH) using Cloudflare resolvers, blending malicious traffic with legitimate encrypted DNS queries. This stealthy C2 channel complicates detection for organizations that rely on conventional DNS logging, prompting a reevaluation of DoH monitoring policies.

For security teams, the incident highlights several practical defenses. Enforcing strict application whitelisting and blocking unsigned installers can stop the initial execution vector. Network defenders should implement DNS filtering that restricts external DoH resolvers and alerts on anomalous HTTPS traffic to newly registered domains. End‑users must be educated to verify download sources, avoiding sponsored links and third‑party mirrors. Together, these measures reduce the attack surface and improve visibility into sophisticated, multi‑stage threats that exploit trusted utilities for malicious gain.
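As an added illustration (not code from the article or from the researchers it summarises), the following Python sketch shows how the two behaviours described above, a version.dll loaded from outside the Windows system directories and a process opening an HTTPS connection to a public DoH resolver, can be flagged from endpoint telemetry and then correlated per process, which is the kind of visibility the defensive measures above aim for. The event records are constructed Sysmon-style dictionaries; the field names, the trusted-directory list and the resolver list are assumptions to adapt to your own telemetry schema.

```python
"""Added example: flag version.dll sideloading and DoH resolver connections
in endpoint telemetry, then correlate both signals per process.
All events below are constructed samples, not real telemetry."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: default Windows system directories where the legitimate
# version.dll lives; adjust if the system root is non-standard.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Public Cloudflare DoH resolver name/addresses (documented by Cloudflare).
# If the organisation sanctions DoH to a specific resolver, move it to an
# allow-list instead of alerting on it.
DOH_ENDPOINTS = {"cloudflare-dns.com", "1.1.1.1", "1.0.0.1"}


@dataclass
class Finding:
    rule: str
    pid: int
    image: str
    detail: str


def check_image_load(event: Dict) -> Optional[Finding]:
    """Rule 1: version.dll loaded from anywhere but the system directories."""
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith("\\version.dll"):
        return None
    if loaded.startswith(TRUSTED_DLL_DIRS):
        return None  # legitimate system copy
    return Finding("sideload_version_dll", event["ProcessId"], event["Image"], loaded)


def check_network(event: Dict) -> Optional[Finding]:
    """Rule 2: TCP/443 connection to a known public DoH resolver.
    Plain DNS to 1.1.1.1:53 is deliberately not flagged: it is visible to
    ordinary DNS logging and is not the covert channel described here."""
    host = event.get("DestinationHostname", "").lower()
    ip = event.get("DestinationIp", "")
    if int(event.get("DestinationPort", 0)) != 443:
        return None
    if host in DOH_ENDPOINTS or ip in DOH_ENDPOINTS:
        return Finding("doh_resolver_connect", event["ProcessId"], event["Image"],
                       f"{host or ip}:443")
    return None


def analyze(events: List[Dict]) -> List[Finding]:
    """Run both rules over a stream of telemetry events."""
    findings: List[Finding] = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ImageLoad":
            f = check_image_load(ev)
        elif kind == "NetworkConnect":
            f = check_network(ev)
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def correlate(findings: List[Finding]) -> List[int]:
    """PIDs that triggered both rules: a process that sideloads version.dll
    *and* talks to a DoH resolver is far more suspicious than either alone."""
    rules_by_pid: Dict[int, set] = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    wanted = {"sideload_version_dll", "doh_resolver_connect"}
    return sorted(pid for pid, rules in rules_by_pid.items() if wanted <= rules)


# Constructed sample telemetry (Sysmon-like field names are an assumption).
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "ProcessId": 4242,
     "Image": "C:\\Users\\alice\\Downloads\\FileZilla_Setup.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\version.dll"},
    {"EventType": "ImageLoad", "ProcessId": 1337,
     "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventType": "NetworkConnect", "ProcessId": 4242,
     "Image": "C:\\Users\\alice\\Downloads\\FileZilla_Setup.exe",
     "DestinationHostname": "cloudflare-dns.com",
     "DestinationIp": "1.1.1.1", "DestinationPort": 443},
    {"EventType": "NetworkConnect", "ProcessId": 1337,
     "Image": "C:\\Windows\\explorer.exe",
     "DestinationHostname": "", "DestinationIp": "1.1.1.1", "DestinationPort": 53},
    {"EventType": "NetworkConnect", "ProcessId": 2001,
     "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationHostname": "example.com",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.rule}] pid={f.pid} image={f.image} {f.detail}")
    print("high-confidence pids:", correlate(found))
```

Rule 2 on its own will also fire for browsers and operating systems with DoH enabled, so it is a noisy signal; the correlation step is what turns it into an actionable alert, and a per-process allow-list for sanctioned DoH clients keeps the standalone rule manageable.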
