A fake FileZilla site hosts a malicious download
WHITE PetrP.73 2026-03-03 Modified: 2026-04-02
A compromised version of the open-source FTP client FileZilla, specifically version 3.69.5, has emerged. It contains a malicious DLL that facilitates credential theft and communicates with a command-and-control (C2) server. The variant is distributed through the lookalike domain http://filezilla-project.live, which hosts a tampered archive. The malware relies on DLL search order hijacking, which abuses a Windows behavior: an application loads DLL files from its own directory before checking the system path. When a user executes the compromised FileZilla, the malicious DLL is loaded, and from that point it operates inside what appears to be a normal FileZilla session, which makes detection difficult for unsuspecting users.
Indicators of Compromise (8)