A fake FileZilla site | Image: Malwarebytes
Cybersecurity researchers from Malwarebytes have identified a dangerous new campaign circulating a trojanized version of the popular open-source FTP client, FileZilla 3.69.5. This attack is part of a “growing trend of trusted software, poisoned packages” where attackers add a single malicious file to a legitimate application to bypass security controls.
The attack does not exploit a bug in FileZilla itself; instead, it relies on “simple deception, such as lookalike domains or search poisoning”. Attackers have stood up a fraudulent website, filezilla-project[.]live, which perfectly mimics the official project’s appearance to host the malicious archive.
The technical trick at play is a well-known Windows behavior called DLL search order hijacking. When a user launches the tampered filezilla.exe, Windows looks for required libraries in the application's own folder before it checks the system directory, so it loads the malicious version.dll placed next to the executable instead of the genuine one in System32. As the report notes, “From that moment on, the malware runs inside what appears to be a normal FileZilla session”, allowing it to access saved FTP credentials and contact its command-and-control (C2) server without the victim realizing anything is wrong.
For vigilant users, the attack carries a visible “giveaway.” While the legitimate files in the archive are dated late 2025, the malicious version.dll stands out with a much newer timestamp of 2026-02-03. Furthermore, “A clean FileZilla portable distribution does not include a version.dll”, as this is a Windows system library that normally lives in the System32 folder.
The malware is built with a sophisticated anti-analysis toolkit, including BIOS version checks and VirtualBox registry probing, to detect if it is running in a sandbox. If it determines the environment is safe, it uses DNS-over-HTTPS (DoH) to resolve its C2 domain.
By sending requests to Cloudflare’s public resolver, the malware “bypasses corporate DNS monitoring, DNS-based blocklists, and security appliances that inspect traffic on port 53”. Behavioral analysis suggests the implant is capable of more than just theft; it showed signs of “process injection, persistence, and potentially data encryption”.
The report urges users to treat software downloaded from unofficial domains with the same level of caution as suspicious email attachments. To secure your environment:
- Check for version.dll: If this file exists inside your FileZilla portable directory, “treat the system as compromised”.
- Use Official Sources: Only download FileZilla from filezilla-project.org and verify the download hash against the value published on the site.
- Monitor Network Activity: Watch for DoH traffic (outbound HTTPS to 1.1.1.1 or 8.8.8.8) from non-browser applications like FTP clients.
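As an added example (not code from the Malwarebytes report or the FileZilla project), the following Python check looks for the two giveaways described above in a FileZilla portable folder: a version.dll sitting next to filezilla.exe, and any file whose timestamp is far newer than the rest of the distribution. The 30-day outlier threshold and the helper file names are assumptions chosen for the demonstration.

```python
"""Check a FileZilla portable folder for a planted version.dll and for
timestamp outliers, the two indicators described in the report."""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from statistics import median

# Assumption (not from the report): a file is an outlier when it is more
# than OUTLIER_DAYS newer than the median timestamp of the other files.
OUTLIER_DAYS = 30
# Windows system library that a clean portable FileZilla does not ship.
PLANTED_DLL = "version.dll"


def scan_portable_dir(folder):
    """Return findings for the given directory: planted DLL present?,
    which files are timestamp outliers, and an overall verdict."""
    mtimes = {p.name.lower(): p.stat().st_mtime
              for p in Path(folder).iterdir() if p.is_file()}
    findings = {"planted_dll": PLANTED_DLL in mtimes,
                "timestamp_outliers": []}
    if len(mtimes) >= 3:  # need a baseline to compare against
        for name, ts in mtimes.items():
            others = [t for n, t in mtimes.items() if n != name]
            if ts - median(others) > OUTLIER_DAYS * 86400:
                findings["timestamp_outliers"].append(name)
    findings["compromised"] = (findings["planted_dll"]
                               or bool(findings["timestamp_outliers"]))
    return findings


def build_sample_dir(planted=True):
    """Construct a throwaway folder mimicking the archive in the report:
    legitimate files dated late 2025, version.dll dated 2026-02-03.
    Helper file names other than filezilla.exe are made up."""
    folder = Path(tempfile.mkdtemp(prefix="fz_"))
    clean_ts = datetime(2025, 11, 20, tzinfo=timezone.utc).timestamp()
    planted_ts = datetime(2026, 2, 3, tzinfo=timezone.utc).timestamp()
    names = ["filezilla.exe", "helper1.dll", "helper2.dll", "readme.txt"]
    if planted:
        names.append(PLANTED_DLL)
    for name in names:
        path = folder / name
        path.write_bytes(b"constructed sample content")
        ts = planted_ts if name == PLANTED_DLL else clean_ts
        os.utime(path, (ts, ts))  # set access and modification time
    return folder
```

Running scan_portable_dir(build_sample_dir()) flags version.dll both as a planted system DLL and as the only timestamp outlier; the same scan over a clean folder reports nothing.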