How Hackers Are Turning Antivirus Tools Into Malware Delivery Systems

If you thought your antivirus was the ultimate good guy on your network, researchers have some terrible news. Security researchers at Google’s Mandiant and its Threat Intelligence Group (GTIG) discovered that threat actors have found a slick new trick: using antivirus tools for malware delivery by hijacking the very protection you paid for.

The Wake-Up Call Nobody Saw Coming

Triofox, a popular remote file-sharing and collaboration platform used by many small-to-mid-size companies, ships with a handy built-in antivirus scanner to ensure files don’t contain anything unexpected. Unfortunately, the Google security researchers discovered that it had a massive security misconfiguration baked in.

Tracked as CVE-2025-12480 and rated a critical 9.1 out of 10 on Google’s Common Vulnerability Scoring System, the bug was an improper access control issue. Even after the initial setup wizard had been completed and security controls established, anyone on the network could still reach the admin pages without authenticating. That amounted to serving privilege escalation to hackers on a silver platter.
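To make the access-control failure concrete, here is an added illustration (not Triofox code, and not taken from the Mandiant write-up) of the same class of bug in a minimal request dispatcher: the "before" version leaves the setup and admin routes open for the wizard and never closes them, while the "after" version keeps the unauthenticated path only until the first admin account exists. The route prefixes, the session dictionary and the `setup_complete` flag are assumptions made for the example.

```python
"""
Improper access control on post-setup admin pages: vulnerable pattern
beside the hardened one. Added example; route names, session model and
state flags are assumptions, not the product's real internals.
"""
from dataclasses import dataclass, field

# Routes that belong to the first-run wizard and the admin console (assumed names).
ADMIN_PREFIXES = ("/admin/", "/setup/")


@dataclass
class Request:
    path: str
    # e.g. {"user": "alice", "role": "admin"}; empty for an anonymous request
    session: dict = field(default_factory=dict)


@dataclass
class AppState:
    setup_complete: bool = False
    admin_accounts: set = field(default_factory=set)


def vulnerable_dispatch(state: AppState, req: Request) -> int:
    """'Before' pattern: the wizard needs the pages reachable before any admin
    exists, and nothing ever revokes that. Returns an HTTP status code."""
    if req.path.startswith(ADMIN_PREFIXES):
        return 200  # served to anyone on the network, before AND after setup
    return 404


def hardened_dispatch(state: AppState, req: Request) -> int:
    """'After' pattern: the unauthenticated path is valid only while no admin
    account exists; afterwards every admin page needs an admin session."""
    if not req.path.startswith(ADMIN_PREFIXES):
        return 404
    if not state.admin_accounts:
        # Genuine first run: there is no account anyone could log in with yet.
        return 200
    user = req.session.get("user")
    if user in state.admin_accounts and req.session.get("role") == "admin":
        return 200
    return 401  # anonymous or non-admin caller is refused


def complete_setup(state: AppState, admin_user: str) -> None:
    """The wizard finishes: record the admin account, which closes the open path."""
    state.admin_accounts.add(admin_user)
    state.setup_complete = True


if __name__ == "__main__":
    state = AppState()
    anon = Request("/admin/users")
    complete_setup(state, "alice")
    print("vulnerable, anonymous after setup:", vulnerable_dispatch(state, anon))
    print("hardened,   anonymous after setup:", hardened_dispatch(state, anon))
```

The check that matters is the one tied to state: a route that must be open during first run has to be closed by the same event that ends first run, and the test for "first run" should be something an attacker cannot reset from the network (here, the existence of an admin account rather than a flag alone).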

From Zero-Day Exploit to Full Network Takeover

Attackers didn’t waste time, exploiting this vulnerability as a true zero-day, sneaking in and using the trusted antivirus component to drop malicious payloads. Once inside, they deployed a remote access trojan (RAT) that enabled lateral movement across the victim’s environment. In other words, the bad guys went from knocking on the door to owning every room in the house because the antivirus itself became the malware delivery vehicle.

Triofox released a patch for the vulnerability in late July 2025, but successful attacks were still being spotted almost a month later. Companies that didn’t promptly install the update (or skipped it entirely) left the door open for threat actors.

Why Malware Delivery Through Antivirus Tools Is a Nightmare for Security Leaders

The Triofox vulnerability is only the beginning of a new era in cyberattacks. Sophisticated groups are increasingly hunting for trusted processes such as endpoint protection, backup agents, and collaboration tools to use as Trojan horses. These antivirus bypass techniques let them blend in with normal traffic and sail past EDR and XDR solutions that whitelist “known-good” binaries.

The takeaway from this is brutal but simple: even the tools meant to protect you can become the weak link if they’re misconfigured or left unpatched. However, with a few simple fixes, you can reduce the risk.

  1. Inventory every tool with built-in security features to identify risks.
  2. Turn on auto-updates everywhere. This is especially crucial for programs that touch antivirus or file scanning.
  3. Segment your network. This way, if one tool is compromised, attackers can’t instantly pivot to your domain controllers.
  4. Add a “trust but verify” layer. Behavioral monitoring or a zero-trust file-access model can detect malicious payloads even when they originate from a “trusted” process.
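Item 4 is the one that catches the scenario this article describes, so here is an added example (not from the article, Triofox, or the Mandiant report) of what a simple "trust but verify" rule looks like in practice: process-creation events are baselined per trusted parent, and a scanner that launches a child outside its baseline, or from a writable staging directory, raises an alert even though the parent is on the allowlist. The scanner name, paths and log lines are constructed for the example; the real product's process tree is not described on the page.

```python
"""
Behavioral check over process-creation events: alert when a 'trusted'
scanning process spawns something outside its baseline. Added example with
constructed process names, paths and log lines.
"""
import json
from typing import Iterable

# Per-parent baseline: the only children each trusted process is expected to
# launch. Constructed here; in production it comes from observing the estate.
EXPECTED_CHILDREN = {
    "c:\\program files\\filescanner\\scanner.exe": {
        "c:\\program files\\filescanner\\engine.exe",
        "c:\\program files\\filescanner\\updater.exe",
    },
}

# Directories a scanner should never execute anything from (constructed list).
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")

# Constructed process-creation events, one JSON object per line. The second
# line is the shape of the behaviour this article warns about: the trusted
# scanner becoming the launcher for an unexpected binary.
SAMPLE_LOG = r"""
{"ts":"2025-08-20T10:00:01Z","host":"fs01","parent_image":"C:\\Program Files\\FileScanner\\scanner.exe","image":"C:\\Program Files\\FileScanner\\engine.exe","cmdline":"engine.exe --scan upload.docx"}
{"ts":"2025-08-20T10:00:07Z","host":"fs01","parent_image":"C:\\Program Files\\FileScanner\\scanner.exe","image":"C:\\Windows\\Temp\\svc.exe","cmdline":"svc.exe"}
{"ts":"2025-08-20T10:01:00Z","host":"fs01","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe"}
"""


def normalize(path: str) -> str:
    """Case-fold and trim so allowlist lookups are not defeated by casing."""
    return path.strip().lower()


def detect(lines: Iterable[str]) -> list:
    """Return one alert dict per event that breaks a trusted parent's baseline."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        parent = normalize(ev["parent_image"])
        child = normalize(ev["image"])
        if parent not in EXPECTED_CHILDREN:
            continue  # not a baselined trusted process; other rules cover it
        reasons = []
        if child not in EXPECTED_CHILDREN[parent]:
            reasons.append("child not in baseline for this parent")
        if child.startswith(SUSPICIOUS_DIRS):
            reasons.append("child executed from a writable staging directory")
        if reasons:
            alerts.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "parent": parent,
                "child": child,
                "cmdline": ev.get("cmdline", ""),
                "reasons": reasons,
            })
    return alerts


def run_sample() -> list:
    """Run the rule over the constructed log above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"[ALERT] {a['ts']} {a['host']}: {a['parent']} -> {a['child']} "
              f"({'; '.join(a['reasons'])})")
```

The point of the rule is that trust is attached to a relationship (this parent launching this child) rather than to the parent's binary alone, which is exactly the distinction an allowlist-only EDR policy misses. The first event passes because it matches the baseline; the third is ignored because its parent is not a baselined trusted process.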

The bottom line is that antivirus protection alone is no longer enough to protect your business. Threat actors are exploiting antivirus tools for malware delivery, and they’re getting scarily good at it. Patch fast, verify often, and never assume the bad guys can’t use the good guys against you.

Used with permission from Article Aggregator