Trojanized FileZilla Download Uses DLL Hijacking and DoH to Steal FTP Credentials

By Ash K

A malicious copy of the popular open-source FTP client FileZilla is circulating online, weaponized through a simple but effective DLL sideloading technique. Researchers at Malwarebytes identified a lookalike domain, filezilla-project[.]live, hosting a tampered portable version of FileZilla 3.69.5 that includes a single malicious library hidden inside an otherwise legitimate archive.

The attack does not exploit a vulnerability in FileZilla itself. Instead, it relies on deception. Victims download what appears to be a normal portable release, extract the archive, and launch FileZilla. At that point Windows resolves version.dll from the application directory rather than from System32, so the malicious library runs inside the FileZilla process, under its name and with the user's privileges, behind what looks like a normal FileZilla session.

One File That Should Not Be There

[Figure: Fake FileZilla site hosting the malicious download. Image credit: Malwarebytes]

The archive contains 918 files. Of those, 917 share the same modification date of November 12, 2025, consistent with the official FileZilla 3.69.5 portable build. One file stands out: version.dll, timestamped February 3, 2026.

A legitimate FileZilla portable package does not include version.dll. That library is a Windows system component typically located in C:\Windows\System32. Its presence inside the FileZilla directory is the entire attack vector.

The malware abuses a well-known Windows behavior, DLL search order hijacking. Unless a library is on the KnownDLLs list (which forces it to load from System32) or the application loads it by full path, Windows searches the application's own directory before the system directories. version.dll is not a KnownDLL, so a file of that name placed next to filezilla.exe is loaded in place of the legitimate system copy.
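The three observations above (a system DLL name inside the application folder, one member whose timestamp disagrees with the rest, and hashes that match published indicators) can be checked on a download before it is ever extracted. The script below is an added example written for this article, not Malwarebytes' tooling or FileZilla project code. It inspects a ZIP in memory with Python's standard library and builds a small constructed stand-in for the tampered archive so it runs offline; the SHA-256 values are the ones from this article's IOC list, while the list of other sideload-prone DLL names and the sample file names are assumptions, not findings from the report.

```python
"""Triage a downloaded FileZilla portable archive for the three signs this report
describes: a planted system DLL, one file whose timestamp disagrees with the rest,
and a member or archive whose SHA-256 matches a published indicator."""
import hashlib
import io
import zipfile
from collections import Counter

# SHA-256 values from this article's Indicators of Compromise.
KNOWN_BAD_SHA256 = {
    "665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755": "trojanized FileZilla archive",
    "e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4": "malicious version.dll",
}

# System DLL names that do not belong next to an application executable. version.dll is the one
# this campaign plants; the others are an assumption based on libraries commonly abused the same
# way, not on the Malwarebytes analysis. Extend to taste.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_archive(archive_bytes: bytes, majority_share: float = 0.8) -> dict:
    """Inspect a ZIP without extracting it. Returns the archive hash, the IOC match for the
    whole archive (or None), the member count, and a list of (finding, member, detail) tuples."""
    archive_hash = sha256_hex(archive_bytes)
    result = {
        "archive_sha256": archive_hash,
        "archive_known_bad": KNOWN_BAD_SHA256.get(archive_hash),
        "member_count": 0,
        "findings": [],
    }
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        result["member_count"] = len(members)

        # Modification dates (year, month, day) from the ZIP headers. A build produced in one go
        # stamps every file with the same date, so a lone outlier is worth a look. Only treat
        # dates as "uniform" when one date covers at least majority_share of the members.
        date_counts = Counter(m.date_time[:3] for m in members)
        mode_date, mode_count = date_counts.most_common(1)[0]
        uniform = mode_count >= majority_share * len(members)

        for m in members:
            base_name = m.filename.rsplit("/", 1)[-1].lower()
            digest = sha256_hex(zf.read(m))
            if digest in KNOWN_BAD_SHA256:
                result["findings"].append(("known_bad_member", m.filename, KNOWN_BAD_SHA256[digest]))
            if base_name in SIDELOAD_NAMES:
                result["findings"].append(("planted_system_dll", m.filename, base_name))
            if uniform and m.date_time[:3] != mode_date:
                stamp = "%04d-%02d-%02d" % m.date_time[:3]
                result["findings"].append(("timestamp_outlier", m.filename, stamp))
    return result


def build_sample_archive() -> bytes:
    """Constructed stand-in for the tampered build (not the real artifact): eight placeholder
    files stamped 2025-11-12 and one version.dll stamped 2026-02-03, mirroring the 917-to-1
    split in the report on a small scale. File names are illustrative."""
    legit = ["filezilla.exe", "fzsftp.exe", "fzputtygen.exe", "libfilezilla.dll",
             "resources/defaultfilters.xml", "locales/de/filezilla.mo", "NEWS", "AUTHORS"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, path in enumerate(legit):
            info = zipfile.ZipInfo("FileZilla-3.69.5/" + path, date_time=(2025, 11, 12, 9, 0, 0))
            zf.writestr(info, b"placeholder content %d" % i)
        rogue = zipfile.ZipInfo("FileZilla-3.69.5/version.dll", date_time=(2026, 2, 3, 14, 30, 0))
        zf.writestr(rogue, b"MZ placeholder; not a real PE file")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_archive(build_sample_archive())
    print("archive sha256:", report["archive_sha256"], "(known bad:", report["archive_known_bad"], ")")
    print("members:", report["member_count"])
    for kind, member, detail in report["findings"]:
        print(f"  {kind:20s} {member}  [{detail}]")
```

On a real download, pass `open(path, "rb").read()` to `triage_archive`. The hash comparison only catches this exact sample; the DLL-name and timestamp rules are the ones that generalize, and each has an obvious blind spot (an attacker who picks a name outside the list, or who back-dates the planted file), so treat a clean result as absence of evidence rather than proof of a clean build.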

Observed Execution Behavior

Using Process Monitor, researchers confirmed that filezilla.exe loads the rogue version.dll directly from its own directory. Within milliseconds, the malicious DLL tries to load version_original.dll, the usual sign of a proxy DLL: the rogue library exports the same functions as the real one and forwards calls to a renamed copy of the original so the host application keeps working normally.

In this case, the renamed original was absent from the archive, so forwarded calls had nowhere to go. That likely explains the instability researchers observed: on some test systems, FileZilla terminated almost immediately after launch.

Anti-Analysis and Environment Checks

The embedded loader runs several checks for virtual machines and sandboxes before activating its payload: BIOS version and manufacturer queries, VirtualBox registry probes, disk enumeration, and write-watch memory allocation (VirtualAlloc with MEM_WRITE_WATCH, read back with GetWriteWatch), a trick that reveals debuggers and hooking tools touching the process's pages.

In virtualized environments that appeared suspicious, the malware remained dormant. In environments resembling real user systems, it resolved its command-and-control infrastructure and attempted outbound connections.

DNS-over-HTTPS to Bypass Monitoring

Rather than relying on traditional DNS resolution, the malware uses DNS-over-HTTPS (DoH) to contact Cloudflare’s public resolver:

https://1.1.1.1/dns-query?name=welcome.supp0v3[.]com&type=A

This request is an ordinary HTTPS GET to 1.1.1.1, so it never crosses the port 53 path that most corporate DNS monitoring and blocklists inspect; it is caught only by controls that key on the destination itself, or by a proxy or endpoint sensor that can see the URL. Once the name resolves, the loader calls back to its staging server at welcome.supp0v3[.]com, using embedded configuration data that carries campaign tracking tags.

In addition, the malware attempts to connect to 95.216.51[.]236 on TCP port 31415. Network captures show repeated retry attempts, so the loader keeps trying to reach the operator even when its first connections fail.
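The network behaviour in this section, and the monitoring the Defensive Recommendations call for, reduce to three rules over process-level connection telemetry: a non-browser process talking HTTPS to a public DoH resolver, a DoH query for one of the campaign domains, and any connection to the staging endpoint. The script below is an added example written for this article, not detection content from Malwarebytes. It runs the rules over a few constructed JSON-lines events (not a capture from the report); the event format, the list of processes allowed to use DoH, and the non-IOC addresses are assumptions, while the domains, IP and port are the indicators published here.

```python
"""Flag the network behaviour described above in process-level connection telemetry:
DoH requests from a process that has no business resolving names over HTTPS, DoH lookups
of the campaign's domains, and connections to the listed staging endpoint."""
import json
from urllib.parse import parse_qs, urlsplit

# Public DoH resolver addresses (Cloudflare, Google, Quad9). The report shows 1.1.1.1 in use.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}
# Assumption: processes expected to speak DoH in this environment. Tune per estate; Windows
# itself and some security agents can also use DoH, and untuned lists produce noise.
DOH_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Indicators from this article.
IOC_DOMAINS = {"filezilla-project.live", "welcome.supp0v3.com"}
IOC_ENDPOINTS = {("95.216.51.236", 31415)}


def queried_name(url: str):
    """Return the name parameter of a GET-style DoH query (RFC 8484 /dns-query), else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/dns-query"):
        return None
    return parse_qs(parts.query).get("name", [None])[0]


def evaluate(event: dict) -> list:
    """Apply the three rules to one connection event; returns the alerts it triggers."""
    alerts = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    dst = (event["dst_ip"], event["dst_port"])
    if dst in IOC_ENDPOINTS:
        alerts.append(f"ioc_endpoint {dst[0]}:{dst[1]}")
    if event["dst_ip"] in DOH_RESOLVER_IPS and event["dst_port"] == 443 and image not in DOH_ALLOWED_IMAGES:
        alerts.append(f"doh_from_non_browser {image}")
    # The URL is only present when a proxy or endpoint sensor sees inside the TLS session;
    # when it is, the queried name is a far stronger indicator than the destination alone.
    name = queried_name(event.get("url") or "")
    if name and name.lower().rstrip(".") in IOC_DOMAINS:
        alerts.append(f"doh_lookup_of_ioc_domain {name}")
    return alerts


def scan(lines: str) -> list:
    """Run evaluate() over JSON-lines telemetry; returns (line_no, image, alerts) for hits."""
    hits = []
    for n, line in enumerate(lines.strip().splitlines(), 1):
        event = json.loads(line)
        alerts = evaluate(event)
        if alerts:
            hits.append((n, event["image"], alerts))
    return hits


# Constructed telemetry in a simplified JSON-lines form (not a capture from the report).
SAMPLE_TELEMETRY = r'''
{"ts": "2026-02-10T09:14:02Z", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dst_ip": "1.1.1.1", "dst_port": 443, "url": "https://1.1.1.1/dns-query?name=example.com&type=A"}
{"ts": "2026-02-10T09:15:40Z", "image": "C:\\Users\\victim\\Downloads\\FileZilla-3.69.5\\filezilla.exe", "dst_ip": "1.1.1.1", "dst_port": 443, "url": "https://1.1.1.1/dns-query?name=welcome.supp0v3.com&type=A"}
{"ts": "2026-02-10T09:15:41Z", "image": "C:\\Users\\victim\\Downloads\\FileZilla-3.69.5\\filezilla.exe", "dst_ip": "95.216.51.236", "dst_port": 31415}
{"ts": "2026-02-10T09:16:05Z", "image": "C:\\Users\\victim\\Downloads\\FileZilla-3.69.5\\filezilla.exe", "dst_ip": "203.0.113.25", "dst_port": 21}
{"ts": "2026-02-10T09:17:00Z", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "dst_ip": "203.0.113.10", "dst_port": 443}
'''

if __name__ == "__main__":
    for line_no, image, alerts in scan(SAMPLE_TELEMETRY):
        print(f"line {line_no}: {image}")
        for alert in alerts:
            print("   ", alert)
```

Only the second and third events fire: a plain FTP session from filezilla.exe and a browser's own DoH traffic are left alone. Without TLS inspection the `url` field will be missing, and the process-plus-destination rule is the one you can rely on; the port 31415 rule is specific to this campaign and should be rotated out as the indicator ages.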

Potential Capabilities

Behavioral analysis flagged possible credential harvesting, process injection, autorun persistence through registry modifications, and runtime .NET compilation via csc.exe. The context of the infection strongly suggests FTP credential theft as a primary objective.

Given FileZilla’s role in managing hosting credentials, compromised accounts could expose web servers and hosting environments far beyond the infected endpoint.

Indicators of Compromise

File hashes (SHA-256):

  • 665cca285680df321b63ad5106b167db9169afe30c17d349d80682837edcc755 — Trojanized FileZilla archive
  • e4c6f8ee8c946c6bd7873274e6ed9e41dec97e05890fa99c73f4309b60fd3da4 — Malicious version.dll

Domains:

  • filezilla-project[.]live
  • welcome.supp0v3[.]com

Network indicator:

  • 95.216.51[.]236:31415

Defensive Recommendations

Users should download FileZilla only from the official domain filezilla-project.org and compare the downloaded file's hash with the one published on the official download page before extracting or running it. Inspect portable directories for unexpected DLLs, particularly version.dll or any other Windows system library name sitting next to filezilla.exe.

Organizations should alert on outbound HTTPS connections to public DoH resolver addresses from processes other than browsers and other software known to use DoH, and block the listed domains and IP at the network perimeter. Within an archive, a single file whose timestamp differs from every other member is a simple but effective red flag.

Malwarebytes reports that it detects and blocks known variants of this threat.

Credit: Research and technical analysis provided by Malwarebytes.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.