Cyber-threat actors continue to abuse trusted open-source software by trojanizing legitimate installers and distributing them via lookalike websites. A recent campaign involving a fake FileZilla download site highlights the sophistication and stealth of such attacks, yet the underlying techniques remain tied to well-known Windows loader behaviors and DLL sideloading.
Threat researchers discovered that an unofficial domain, filezilla-project[.]live, was hosting an archive purporting to contain FileZilla 3.69.5, a legitimate version of the popular open-source FTP client. The catch: the package was trojanized by inserting a malicious DLL alongside the genuine executable.
When a user runs the compromised filezilla.exe, the Windows loader satisfies the executable's import of version.dll from the application directory instead of System32. The malicious DLL's entry point runs before FileZilla's own code, giving the attacker code execution inside a seemingly normal application process.
Technical Breakdown
DLL Search Order Hijacking
Windows uses a defined search order when loading a DLL that an executable requests by bare name. With SafeDllSearchMode enabled, which is the default on supported Windows versions, the order is:
- The directory the application was loaded from
- The system directory (C:\Windows\System32)
- The 16-bit system directory (C:\Windows\System)
- The Windows directory (C:\Windows)
- The current working directory
- The directories listed in the PATH environment variable
By placing a malicious version.dll in the same folder as filezilla.exe, the attackers ensured that Windows would find their DLL in the first location searched and never reach the legitimate copy in System32. Two caveats matter for defenders: DLLs on the KnownDLLs list (kernel32.dll, user32.dll and others) are always mapped from System32 and cannot be hijacked this way, which is why sideloading campaigns favor libraries such as version.dll that are not on that list; and an application can defeat the technique for its own imports by loading system libraries with fully qualified paths or by restricting the search with SetDefaultDllDirectories.
Critically, the presence of version.dll inside a FileZilla portable distribution is suspicious—such a DLL is not part of the official bundle, making it a reliable indicator of tampering.
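To make the search-order argument concrete, the following script models the Windows loader's directory probing (SafeDllSearchMode on and off, plus the KnownDLLs short-circuit) and reports which imports of an executable would be satisfied from the application directory while shadowing a DLL of the same name in System32. It is an example added for this write-up, not code from the campaign or from the FileZilla project; the directory listings, the import list and the Downloads path are constructed, and the KnownDLLs set is a small subset of the real list.

```python
"""Model of the Windows DLL search order, to show why a version.dll dropped next
to filezilla.exe is loaded in place of the genuine copy in System32.

Added example for this write-up; it is not code from the campaign or from the
FileZilla project. The directory listings and import list are constructed."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Subset of the default KnownDLLs list. The loader maps these from System32 by
# name before any directory search, so a same-named file in the application
# directory is ignored. version.dll is not on the list, which is what makes it
# a usable sideloading target.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}


def search_order(app_dir, cwd, safe_mode=True, path_dirs=()):
    """Directories probed, in order, for a DLL requested by bare name.

    With SafeDllSearchMode enabled (the default) the current directory is
    searched after the system directories; with it disabled it moves to
    second place, directly behind the application directory.
    """
    if safe_mode:
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR, *path_dirs]


def resolve(dll_name, filesystem, app_dir, cwd, safe_mode=True, path_dirs=()):
    """Return the full path the loader would pick for dll_name, or None.

    filesystem maps a directory path to the set of lower-case file names in it.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM32) / name)
    for directory in search_order(app_dir, cwd, safe_mode, path_dirs):
        if name in filesystem.get(directory, set()):
            return str(PureWindowsPath(directory) / name)
    return None


def hijack_candidates(imports, filesystem, app_dir, cwd):
    """Imports satisfied from app_dir that shadow a same-named DLL in System32.

    A hit needs review rather than automatic blocking: some bundles ship
    private copies of runtime DLLs on purpose.
    """
    shadowed = []
    for dll in imports:
        chosen = resolve(dll, filesystem, app_dir, cwd)
        in_system32 = dll.lower() in filesystem.get(SYSTEM32, set())
        if chosen and chosen.startswith(app_dir) and in_system32:
            shadowed.append(dll.lower())
    return shadowed


# Constructed layout: the extracted fake bundle next to a normal System32.
APP_DIR = r"C:\Users\victim\Downloads\FileZilla_3.69.5_win64"
FILESYSTEM = {
    APP_DIR: {"filezilla.exe", "version.dll", "readme.txt"},
    SYSTEM32: {"version.dll", "kernel32.dll", "user32.dll", "ws2_32.dll"},
}
# Constructed import list standing in for the executable's import table.
IMPORTS = ["kernel32.dll", "user32.dll", "ws2_32.dll", "version.dll"]

if __name__ == "__main__":
    for dll in IMPORTS:
        print(f"{dll:14} -> {resolve(dll, FILESYSTEM, APP_DIR, APP_DIR)}")
    print("hijack candidates:", hijack_candidates(IMPORTS, FILESYSTEM, APP_DIR, APP_DIR))
```

Running it shows kernel32.dll and user32.dll pinned to System32 by KnownDLLs, ws2_32.dll found in System32 because nothing shadows it, and version.dll resolved from the application directory, which is exactly the condition the trojanized bundle relies on.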
Behavioral Observations
Using dynamic analysis tools such as Process Monitor, the loading sequence is easy to confirm:
- FileZilla loads its expected DLLs normally.
- When it requests version.dll, the OS loads the malicious copy from the application directory rather than the one in System32.
- The malicious payload then executes with the privileges of FileZilla's process, blending into normal activity.
Anti-Analysis Techniques
The malicious DLL contains checks to detect analysis environments such as:
- BIOS version querying
- VirtualBox registry probes
- Memory allocation patterns used in sandboxes
If it detects a suspicious environment, the DLL suppresses its network activity, so sandboxes and instrumented analysis hosts never observe the C2 traffic.
Network Behavior & Evasion
DNS-over-HTTPS (DoH)
Instead of standard DNS, the malware resolves its command-and-control (C2) domain over DNS-over-HTTPS (DoH), typically via Cloudflare's public resolver at 1.1.1.1. Because the lookup rides inside an ordinary HTTPS session, it bypasses:
- Traditional DNS monitors
- Port-53 based filtering
- Basic firewall inspection
This is a powerful evasion tactic increasingly favored in contemporary campaigns. Note what DoH does and does not hide: the lookup is concealed, but the subsequent connection to the resolved address is still ordinary TCP traffic, and a non-browser process opening HTTPS sessions to a public resolver is itself a detectable anomaly.
Secondary C2 Channel
In addition to DoH, the malware repeatedly attempts to connect to a hardcoded IP (95.216.51[.]236) over TCP port 31415. A high, non-standard port slips past filters that key on well-known service ports, but it cuts the other way for defenders: a desktop FTP client opening repeated connections to an unusual port on a single external address is an anomaly worth alerting on.
Potential Capabilities
Automated behavioral analysis suggests the trojanized binary may be capable of:
- Extracting and exfiltrating stored FTP credentials
- Creating or injecting into suspended processes
- Runtime code compilation
- Persistence via registry modifications
- Invoking file encryption APIs
These capabilities point toward a multifunctional implant with theft, persistence, and possibly destructive potential.
Indicators of Compromise (IOCs)
Malicious file hashes (truncated as published):
- Trojanized archive (FileZilla_3.69.5_win64.zip): 665cca285680df...
- Malicious version.dll: e4c6f8ee8c946c...
Suspicious domains/IPs:
- filezilla-project[.]live – fake distribution site
- welcome.supp0v3[.]com – C2 server
- 95.216.51[.]236:31415 – network callback endpoint
Mitigation & Best Practices
To defend against similar threats:
Only Use Official Software Sources
Download software exclusively from verified and trusted domains. For FileZilla, use the official site, compare the downloaded file against the checksum published by the project where one is available, and treat any mismatch as a reason to discard the file rather than a curiosity.
Inspect Archive Metadata
Anomalies in ZIP archive timestamps or unexpected files (e.g., unfamiliar DLLs) are red flags.
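The two checks above (checksum validation and archive inspection) can be scripted before anything is extracted. The following example, added for this write-up and not code from the FileZilla project or the original report, builds a constructed ZIP that imitates the trojanized bundle, compares its SHA-256 against a published value, and flags entries that are absent from an expected-file manifest or whose timestamps sit far from the rest of the archive. The manifest, the file names, the payload bytes and the timestamps are all made up for illustration.

```python
"""Offline checks for a downloaded portable bundle: checksum comparison plus a
look inside the ZIP for files the official bundle does not contain and for
entry timestamps that do not match the rest of the archive.

Added example for this write-up, not FileZilla project code. The archive,
its contents, its timestamps and the expected-file manifest are constructed."""
import hashlib
import hmac
import io
import zipfile
from datetime import datetime

# Stand-in for a manifest of files the official bundle is known to contain.
EXPECTED_BUNDLE_FILES = {"filezilla.exe", "readme.txt"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_hex: str) -> bool:
    """Constant-time comparison against the checksum published by the vendor."""
    return hmac.compare_digest(sha256_hex(data).lower(), published_hex.strip().lower())


def build_sample_archive() -> bytes:
    """Constructed archive mimicking a trojanized bundle: two genuine-looking
    entries sharing a build timestamp and a version.dll added weeks later."""
    entries = [
        ("FileZilla-3.69.5/filezilla.exe", (2025, 1, 15, 10, 0, 0), b"MZ genuine-looking exe"),
        ("FileZilla-3.69.5/readme.txt", (2025, 1, 15, 10, 0, 2), b"readme"),
        ("FileZilla-3.69.5/version.dll", (2025, 3, 2, 23, 41, 0), b"MZ injected dll"),
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, date_time, payload in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), payload)
    return buf.getvalue()


def inspect_archive(data: bytes, expected_names, max_skew_hours: float = 24):
    """Flag entries not in the manifest (DLLs listed separately) and entries
    whose modification time is far from the archive's median timestamp."""
    findings = {"unexpected_files": [], "unexpected_dlls": [], "timestamp_outliers": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if not infos:
            return findings
        times = [datetime(*i.date_time) for i in infos]
        median = sorted(times)[len(times) // 2]
        for info, ts in zip(infos, times):
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base not in expected_names:
                findings["unexpected_files"].append(info.filename)
                if base.endswith(".dll"):
                    findings["unexpected_dlls"].append(info.filename)
            if abs((ts - median).total_seconds()) > max_skew_hours * 3600:
                findings["timestamp_outliers"].append(info.filename)
    return findings


if __name__ == "__main__":
    sample = build_sample_archive()
    print("sha256:", sha256_hex(sample))
    for key, names in inspect_archive(sample, EXPECTED_BUNDLE_FILES).items():
        print(f"{key}: {names}")
```

The timestamp heuristic assumes a build pipeline writes the bundle in one pass, so entries cluster within minutes; a single entry weeks away from the median is the pattern to look for. The manifest check is only as good as the manifest, so generate it from a known-good copy obtained from the official site rather than from the suspicious download.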
Monitor Suspicious Outbound Traffic
Look for DoH requests from processes that are not browsers. Outside of browsers and the few clients that implement it natively, applications rarely perform their own encrypted DNS lookups to public resolvers, so an FTP client opening HTTPS sessions to 1.1.1.1 stands out.
Block Known IOCs
At network perimeters, block connections to the listed domains and IPs where feasible.
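The last two recommendations translate directly into detection logic over process-level network telemetry. The following example, added for this write-up and not taken from the original report, triages events shaped like Sysmon Event ID 3 (network connection) records: it flags HTTPS to a public DoH resolver from any process outside an assumed browser allowlist, and any connection matching the published IOCs (IP, port or domain). The event records are constructed, the browser allowlist is an assumption to tune per environment, and the IOCs are the ones listed above written without defanging so they can be matched.

```python
"""Triage of process-level network events for the behaviours described above:
a non-browser process talking to a public DoH resolver, and any connection to
the published C2 indicators.

Added example for this write-up, not code from the original report. The event
records are constructed in the shape of Sysmon Event ID 3 fields; the browser
allowlist is an assumption to tune per environment."""
import json

# Cloudflare public resolver addresses and hostnames that also serve DoH.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}
DOH_RESOLVER_HOSTS = {"cloudflare-dns.com", "one.one.one.one"}

# Processes for which DoH to a public resolver is expected (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Indicators from the write-up, written without defanging for matching.
IOC_IPS = {"95.216.51.236"}
IOC_PORTS = {31415}
IOC_DOMAINS = {"welcome.supp0v3.com", "filezilla-project.live"}

# Constructed events using Sysmon-style field names; not real telemetry.
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationIp": "1.1.1.1", "DestinationPort": 443, "DestinationHostname": "one.one.one.one"}
{"Image": "C:\\Users\\victim\\Downloads\\FileZilla_3.69.5_win64\\filezilla.exe", "DestinationIp": "1.1.1.1", "DestinationPort": 443, "DestinationHostname": "one.one.one.one"}
{"Image": "C:\\Users\\victim\\Downloads\\FileZilla_3.69.5_win64\\filezilla.exe", "DestinationIp": "95.216.51.236", "DestinationPort": 31415, "DestinationHostname": ""}
{"Image": "C:\\Program Files\\Mail\\mailclient.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "DestinationHostname": "mail.example.com"}
"""


def image_name(path: str) -> str:
    """Lower-case file name of the process image, whatever the path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list when benign)."""
    reasons = []
    image = image_name(event.get("Image", ""))
    ip = event.get("DestinationIp", "")
    port = int(event.get("DestinationPort", 0))
    host = event.get("DestinationHostname", "").lower()

    is_doh_target = ip in DOH_RESOLVER_IPS or host in DOH_RESOLVER_HOSTS
    if is_doh_target and port == 443 and image not in BROWSER_IMAGES:
        reasons.append("doh_from_non_browser")
    if ip in IOC_IPS:
        reasons.append("ioc_ip")
    if port in IOC_PORTS:
        reasons.append("ioc_port")
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    return reasons


def triage(jsonl: str) -> list:
    """Parse JSON-lines events and return (image, destination, reasons) for hits."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = triage_event(event)
        if reasons:
            dest = f'{event["DestinationIp"]}:{event["DestinationPort"]}'
            hits.append((image_name(event["Image"]), dest, reasons))
    return hits


if __name__ == "__main__":
    for image, dest, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dest}: {', '.join(reasons)}")
```

Only the two filezilla.exe events fire: the first for DoH from a non-browser, the second on both the IP and port indicators. Extend DOH_RESOLVER_IPS and DOH_RESOLVER_HOSTS with whatever public resolvers appear in your own traffic, and expect to add legitimate DoH-capable clients to the allowlist after the first tuning pass.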
Final Thoughts
This campaign underscores a broader trend: attackers piggybacking on legitimate, often open-source, software to distribute malware. The individual techniques (DLL sideloading, DoH, evasion checks) are not new, but their fusion into convincing social engineering campaigns makes them dangerous.
Staying vigilant about download sources, validating artifacts, and monitoring unexpected network behavior are essential defenses as threat actors continue to improve their delivery and evasion tactics.
