www.malwarebytes.com 3/2/2026, 2:44:47 PM

Trojanized FileZilla 3.69.5 uses DLL hijacking to steal FTP creds


A trojanized copy of the open-source FTP client FileZilla 3.69.5 is circulating online. The archive contains the legitimate application with a single malicious DLL added to the folder. When the archive is downloaded, extracted, and launched, Windows loads the malicious library first, allowing the malware to run inside the FileZilla session and access saved FTP credentials. The attack relies on DLL search order hijacking and uses a lookalike domain, filezilla-project[.]live, to host the malicious archive.

The malware uses DNS-over-HTTPS (DoH) traffic to contact a C2 domain at welcome.supp0v3[.]com and also reaches out to 95.216.51[.]236 on TCP port 31415, indicating a dual-channel exfiltration and control setup. According to Malwarebytes, the package includes a version[.]dll that does not belong in a FileZilla distribution and demonstrates DLL proxying and anti-analysis checks aimed at evading sandbox environments.
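A defender can check an extracted application folder for this pattern before launching it. The following is an added example, not code from Malwarebytes or the original article: it flags DLLs that reuse a Windows system DLL name next to an executable, and DLLs absent from the vendor's file list. The file names `app.exe`, `libapp.dll`, `plugins/codec.dll`, the sample manifest and the sample system-name set are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def audit_app_dir(app_dir, system_dll_names, vendor_manifest):
    """Audit an extracted application folder for DLL sideloading risk.

    system_dll_names: lower-cased names of DLLs in the Windows system directory.
    vendor_manifest:  lower-cased relative paths the vendor's release ships.
    Returns a sorted list of (relative_path, reasons) for suspicious DLLs.
    """
    app_dir = Path(app_dir)
    findings = []
    for root, _dirs, files in os.walk(app_dir):
        has_exe = any(f.lower().endswith(".exe") for f in files)
        for f in files:
            if not f.lower().endswith(".dll"):
                continue
            rel = (Path(root) / f).relative_to(app_dir).as_posix().lower()
            reasons = []
            # The loading EXE's own directory is searched before the system
            # directory, so a system-named DLL placed here is loaded instead.
            if has_exe and f.lower() in system_dll_names:
                reasons.append("shadows-system-dll")
            if rel not in vendor_manifest:
                reasons.append("not-in-vendor-manifest")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def windows_system_dll_names():
    """On a Windows host, list DLL names in System32 (empty set elsewhere)."""
    sysdir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
    return {p.name.lower() for p in sysdir.glob("*.dll")} if sysdir.is_dir() else set()

def build_sample_tree(base):
    """Constructed sample: a legitimate app folder plus one added version.dll."""
    for rel in ("app.exe", "libapp.dll", "plugins/codec.dll", "version.dll"):
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # placeholder content, not a real PE
    return base

if __name__ == "__main__":
    SAMPLE_SYSTEM = {"version.dll", "kernel32.dll", "user32.dll"}     # constructed
    SAMPLE_MANIFEST = {"app.exe", "libapp.dll", "plugins/codec.dll"}  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        for path, reasons in audit_app_dir(build_sample_tree(tmp), SAMPLE_SYSTEM, SAMPLE_MANIFEST):
            print(path, reasons)
```

On a Windows host, pass `windows_system_dll_names()` as the second argument and build the manifest from the file list of an installer obtained from the vendor's official site.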


Article by CyberSIXT