Tag: cryptocurrency

124 Attack Reports | 0 Vulnerabilities

Attack reports

Albiriox Exposed: A New RAT Mobile Malware Targeting Global Finance and Crypto Wallets

Albiriox is a newly identified Android malware offered as Malware-as-a-Service, likely managed by Russian-speaking threat actors. It employs a two-stage deployment chain using dropper applications and packing techniques to evade detection. The malware exhibits advanced On-Device Fraud capabilities,…
rat
android
cryptocurrency
banking trojan
maas
evasion techniques
overlay attacks
on-device fraud
2025-12-03
vnc
albiriox
Published: December 3, 2025
Downloadable IOCs: 0

Inside DPRK's Fake Job Platform Targeting U.S. AI Talent

This analysis details a sophisticated DPRK-linked operation called Contagious Interview, which uses a fake job platform to target U.S. AI talent. The campaign mimics legitimate recruitment processes, offering job listings from well-known tech companies to lure victims. The platform, hosted at lenvn…
social engineering
cryptocurrency
clickfix
contagious interview
malware delivery
clipboard hijacking
2025-11-26
ai talent
fake job platform
Published: November 26, 2025
Downloadable IOCs: 6

Contagious Interview Actors Now Utilize JSON Storage Services for Malware Delivery

The Contagious Interview campaign, linked to North Korean actors, has evolved to use JSON storage services for hosting and delivering malware. This campaign targets software developers, particularly those in cryptocurrency and Web3 projects, across Windows, Linux, and macOS. The attackers use socia…
rat
social engineering
north korea
infostealer
cryptocurrency
beavertail
web3
invisibleferret
ottercookie
trojanized code
2025-11-14
json storage
tsunami payload
Published: November 14, 2025
Downloadable IOCs: 84

DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder an…
rat
cryptocurrency
persistence
bitcoin
keylogging
c2 communication
darkcomet
upx packing
2025-11-14
darkcomet rat
Published: November 14, 2025
Downloadable IOCs: 5

Hurricane Melissa Relief Scams: How Criminals Exploit Disaster

In the aftermath of Hurricane Melissa's devastating impact on Jamaica in October 2025, cybercriminals swiftly exploited the crisis through various online scams. These included phishing campaigns, fake charity drives, and fraudulent financial-relief websites impersonating legitimate aid organization…
phishing
social engineering
cryptocurrency
scams
domain spoofing
2025-11-14
fake charities
hurricane
disaster relief
Published: November 14, 2025
Downloadable IOCs: 16

From primitive crypto theft to sophisticated AI-based deception

The North Korea-aligned threat actor DeceptiveDevelopment employs social engineering tactics to target software developers, especially those in cryptocurrency and Web3 projects. They use fake job offers and trojanized code challenges to deliver malware like BeaverTail and InvisibleFerret. The group…
malware
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
identity theft
invisibleferret
ottercookie
job scams
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
2025-11-09
it worker fraud
ai-based deception
Published: November 9, 2025
Downloadable IOCs: 1

LeakyInjector and LeakyStealer Duo Hunts For Crypto and Browser History

A new two-stage malware named LeakyInjector and LeakyStealer has been identified, targeting cryptocurrency wallets and browser history. LeakyInjector uses low-level APIs for injection to avoid detection and injects LeakyStealer into explorer.exe. LeakyStealer implements a polymorphic engine to modi…
cryptocurrency
persistence
injection
polymorphic
data-exfiltration
2025-11-07
two-stage
leakystealer
browser-history
leakyinjector
Published: November 7, 2025
Downloadable IOCs: 5

"Sneaky" new Android malware takes over your phone, hiding in fake news and ID apps

A sophisticated Android Trojan has been discovered that masquerades as trusted apps like news readers or digital ID applications. Once installed, it quietly operates in the background, stealing sensitive information such as login credentials and financial data. The malware exploits Android's Access…
android
cryptocurrency
trojan
banking malware
southeast asia
overlay attack
accessibility services
2025-11-05
android/trojan.spy.banker.aur9b9b491bc44
Published: November 5, 2025
Downloadable IOCs: 0

Crypto wasted: BlueNoroff’s ghost mirage of funding and jobs

BlueNoroff, a financially motivated threat actor, has been conducting two sophisticated campaigns dubbed GhostCall and GhostHire. GhostCall targets macOS devices of tech executives and venture capitalists through fake Zoom-like meetings, while GhostHire targets Web3 developers through fake recruitm…
cryptocurrency
2025-10-28
zoomclutch
rootroy
sysphon
silentsiphon
sneakmain
cosmicdoor
Published: October 28, 2025
Downloadable IOCs: 90

IIS servers owned by RudePanda like it's 2003

A new malicious IIS module called 'HijackServer' has been detected compromising IIS servers by exploiting exposed ASP .NET machine keys. The attackers use a customized rootkit and ready-made tools to gain persistent access. While primarily aimed at search engine optimization for cryptocurrency scam…
rootkit
cryptocurrency
iis
seo
2025-10-22
remote command execution
wingtbcli
hijackserver
asp .net
hijackdrivermanager
Published: October 22, 2025
Downloadable IOCs: 36

New Stealit Campaign Abuses Node.js Single Executable Application

A new Stealit malware campaign has been discovered that utilizes Node.js' Single Executable Application feature to distribute payloads. The campaign bundles malicious scripts into standalone binaries, allowing execution without requiring a pre-installed Node.js runtime. The malware is distributed a…
obfuscation
rat
cryptocurrency
anti-analysis
node.js
information theft
2025-10-11
single executable application
stealit
Published: October 11, 2025
Downloadable IOCs: 12

Disallow: /security-research? Crypto Phishing Sites' Failed Attempt to Block Investigators

An analysis of robots.txt files revealed over 60 cryptocurrency phishing pages impersonating hardware wallet brands Trezor and Ledger. The actor behind these pages attempted to block phishing reporting sites by including their endpoints in the robots.txt file, demonstrating a misunderstanding of it…
phishing
cryptocurrency
github
2025-09-30
hardware wallets
cloudflare pages
robots.txt
Published: September 30, 2025
Downloadable IOCs: 2

DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception

This analysis delves into the operations of DeceptiveDevelopment, a North Korea-aligned threat actor, and its connections to North Korean IT worker campaigns. The group targets software developers across major systems, focusing on cryptocurrency and Web3 projects. They use social engineering techni…
social engineering
north korea
cryptocurrency
remote access
information theft
beavertail
invisibleferret
ottercookie
tropidoor
multiplatform
2025-09-25
weaselstore
postnaptea
tsunamikit
job offers
akdoortea
Published: September 25, 2025
Downloadable IOCs: 33

Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure

Salat Stealer, also known as WEB_RAT, is a sophisticated Go-based infostealer targeting Windows systems. It exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques. The malware uses UPX packing, process masquerading, registry …
evasion
windows
infostealer
cryptocurrency
persistence
malware-as-a-service
maas
russian-speaking
browser credentials
2025-09-06
salat stealer
web_rat
go-based
2025-09-10
Published: September 10, 2025
Downloadable IOCs: 14

The Rise of RatOn: From NFC heists to remote control and ATS

A new Android banking trojan named RatOn has emerged, combining NFC relay attacks with remote access and automated transfer capabilities. Discovered by analysts monitoring the NFSkate threat group, RatOn targets cryptocurrency wallets and banking applications, particularly in the Czech Republic and…
rat
android
cryptocurrency
banking trojan
overlay attacks
nfc relay
2025-09-09
ats
nfskate
raton
Published: September 9, 2025
Downloadable IOCs: 23

Contagious Interview | North Korean Threat Actors Reveal Plans and Ops by Abusing Cyber Intel Platforms

North Korean threat actors associated with the Contagious Interview campaign cluster are actively monitoring cyber threat intelligence platforms to detect infrastructure exposure and scout for new assets. They operate in coordinated teams, likely using Slack for real-time collaboration, and leverag…
social engineering
north korea
cryptocurrency
cyber espionage
lazarus
clickfix
2025-09-04
job seeker targeting
infrastructure monitoring
contagiousdrop
Published: September 4, 2025
Downloadable IOCs: 0

Ethereum smart contracts used to push malicious code on npm

A novel technique utilizing Ethereum smart contracts was discovered in two npm packages to conceal malicious commands for installing downloader malware. The packages, colortoolsv2 and mimelib2, are part of a larger campaign targeting npm and GitHub. The attackers created sophisticated GitHub reposi…
social engineering
cryptocurrency
npm
supply chain attack
ethereum
2025-09-04
smart contracts
colortoolsv2
mimelib2
Published: September 4, 2025
Downloadable IOCs: 0

Three Lazarus RATs coming for your cheese

This report analyzes three remote access trojans (RATs) used by a Lazarus subgroup targeting financial and cryptocurrency organizations: PondRAT, ThemeForestRAT, and RemotePE. It details an incident response case from 2024 involving social engineering and possible zero-day exploitation. PondRAT is …
rat
social engineering
cryptocurrency
zero-day
poolrat
pondrat
financial
2025-09-02
remotepe
themeforestrat
2025-09-03
Published: September 3, 2025
Downloadable IOCs: 0

Boxing Clever: Uncovering a $1M Task Scam Cluster Exploiting Major Brands

A sophisticated task scam cluster has been discovered, exploiting major brands like Delta Airlines, AMC Theatres, and Universal Studios. The scam uses API-driven templates and cryptocurrency payments, with over $1 million in attributable transactions. Victims are lured into 'earning' money by compl…
cryptocurrency
brand impersonation
2025-08-26
dominet
task scam
Published: August 26, 2025
Downloadable IOCs: 7

Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES ru…
android
cryptocurrency
credential theft
banking trojan
anatsa
teabot
evasion techniques
coper
joker
google play store
financial institutions
2025-08-22
harly
facestealer
Published: August 22, 2025
Downloadable IOCs: 0

Cybercriminals Abuse AI Website Creation App For Phishing

Cybercriminals are exploiting an AI-powered website creation platform called Lovable to generate fraudulent websites for credential phishing and malware delivery. The threat actors create or clone sites impersonating well-known brands, use CAPTCHA for filtering, and post stolen credentials to Teleg…
phishing
cryptocurrency
credential theft
zgrat
malware delivery
doiloader
tycoon
2025-08-21
ai-generated websites
lovable platform
Published: August 21, 2025
Downloadable IOCs: 0

Uncovering a Web3 Interview Scam

A Ukrainian Web3 team's interview process involved cloning a GitHub repository containing malicious components. Analysis revealed the project replaced a legitimate dependency with a malicious NPM package, rtk-logger@1.11.5. This package collected sensitive data, including cryptocurrency wallet info…
malware
cryptocurrency
data theft
github
web3
2025-08-13
redux-ace
rtk-logger
npm package
interview scam
Published: August 13, 2025
Downloadable IOCs: 0

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and u…
malvertising
powershell
cryptocurrency
modular
in-memory execution
information stealer
multi-stage
c#
2025-08-12
ahk bot
ps1bot
skitnet
Published: August 12, 2025
Downloadable IOCs: 0

Atomic macOS Stealer includes a backdoor for persistent access

The Atomic macOS Stealer (AMOS) has received a major update, now including an embedded backdoor for persistent access to compromised Mac devices. This upgrade allows attackers to maintain access, run remote tasks, and gain extended control over infected machines. The Russia-affiliated AMOS threat g…
backdoor
cryptocurrency
macos
data exfiltration
amos
atomic macos stealer
spear-phishing
spear phishing
command-and-control
persistent access
russia-affiliated
2025-07-10
2025-08-08
Published: August 8, 2025
Downloadable IOCs: 6

Efimer Trojan delivered via email and hacked WordPress websites

The Efimer Trojan is spreading through compromised WordPress sites, malicious torrents, and email campaigns impersonating lawyers. It steals cryptocurrency by replacing wallet addresses in the clipboard and can execute additional malicious scripts. The Trojan communicates with its command-and-contr…
cryptocurrency
wordpress
tor
brute-force
clipbanker
torrent
2025-08-08
email campaign
efimer
Published: August 8, 2025
Downloadable IOCs: 16

PlayPraetor's evolving threat: How Chinese-speaking actors globally scale an Android RAT

A large-scale Malware-as-a-Service operation, orchestrated by Chinese-speaking threat actors, has infected over 11,000 Android devices globally with the PlayPraetor Remote Access Trojan. The campaign primarily targets Europe, with significant presence in Portugal, Spain, and France, but also affect…
rat
android
cryptocurrency
botnet
banking
maas
accessibility services
2025-08-07
playpraetor
Published: August 7, 2025
Downloadable IOCs: 0

Smart Contract Scams | Ethereum Drainers Pose as Trading Bots to Steal Crypto

SentinelLABS has uncovered a series of cryptocurrency scams where threat actors distribute malicious smart contracts disguised as trading bots to drain user wallets. The campaign has stolen over $900,000 US and uses aged YouTube accounts with curated comment sections to create a false sense of legi…
obfuscation
cryptocurrency
youtube
scam
ai-generated content
ethereum
solidity
2025-08-05
mev bot
smart contract
2025-08-07
Published: August 7, 2025
Downloadable IOCs: 0

Sealed Chain of Deception: Actors leveraging Node.JS to Launch JSCeal

A sophisticated malware campaign called JSCEAL is targeting cryptocurrency users through fake apps impersonating popular trading platforms. The attackers use malicious ads to lure victims into downloading installers that deploy a multi-stage infection chain. This includes PowerShell scripts for pro…
evasion
malvertising
powershell
cryptocurrency
stealer
node.js
multi-stage
fake apps
2025-07-31
jsceal
jsc
Published: July 31, 2025
Downloadable IOCs: 268

Chinese Malware Delivery Domains: Part III

This report details an ongoing campaign by a threat actor operating during Chinese time zone hours, targeting Chinese-speaking individuals and entities globally. Since June 2023, the actor has created over 2,800 domains for malware delivery, primarily targeting Windows systems through fake applicat…
phishing
windows
cryptocurrency
2025-07-18
fake-updates
Published: July 18, 2025
Downloadable IOCs: 1159

Powerful MaaS On the Prowl for Credentials and Crypto Assets

Katz Stealer is a sophisticated infostealer marketed as Malware-as-a-Service (MaaS), launched in early 2025. It features robust credential and data theft capabilities, along with modern evasion and anti-analysis techniques. The stealer targets a wide range of personal and sensitive information, inc…
infostealer
cryptocurrency
credential theft
data exfiltration
maas
evasion techniques
browser injection
katz stealer
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 31

Evolution of macOS Odyssey Stealer: New Techniques & Signed Malware

A new variant of the Odyssey infostealer for macOS has been discovered, featuring code signing, notarization, and a persistent backdoor. The malware mimics a Google Meet updater and uses a SwiftUI-based 'Technician Panel' for social engineering. It steals sensitive data, including passwords, browse…
backdoor
infostealer
cryptocurrency
persistence
macos
amos
2025-07-17
code-signing
notarization
odyssey
odyssey stealer
Published: July 17, 2025
Downloadable IOCs: 0

The Solidity Language open-source package was used in a $500,000 crypto heist

A blockchain developer in Russia lost $500,000 in crypto assets due to a malicious Solidity Language extension for Cursor AI IDE. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one due to ranking algorithms. It installed malware that allowed remot…
screenconnect
cryptocurrency
data theft
developers
open-source
quasar
blockchain
2025-07-11
heur:trojan-psw.msil.purelogs.gen
vmdetector
solidity
cursor ai
malicious extension
2025-07-16
Published: July 16, 2025
Linked vulnerabilities : CVE-2024-3721
Downloadable IOCs: 0

Crypto Wallets Continue to be Drained in Elaborate Social Media Scam

An ongoing social engineering campaign is targeting cryptocurrency users through fake startup companies impersonating AI, gaming, and Web3 firms. The scammers create elaborate facades using spoofed social media accounts and project documentation on platforms like Notion and GitHub. They contact vic…
malware
social engineering
impersonation
windows
cryptocurrency
macos
fake companies
atomic stealer
information stealer
realst
2025-07-16
Published: July 16, 2025
Downloadable IOCs: 1

macOS NimDoor | North Korean Threat Actors Target Web3 and Crypto Platforms with Nim-Based Malware

DPRK threat actors are targeting Web3 and crypto-related businesses using Nim-compiled binaries and multiple attack chains. The malware, dubbed NimDoor, employs unusual techniques for macOS, including process injection and encrypted WebSocket communications. It uses a novel persistence mechanism le…
cryptocurrency
macos
process injection
web3
applescript
websocket
2025-07-04
nimdoor
Published: July 4, 2025
Downloadable IOCs: 9

The new SparkKitty Trojan spy in the App Store and Google Play

A new spyware campaign dubbed SparkKitty has been discovered targeting both iOS and Android devices. The malware, believed to be connected to the previously identified SparkCat campaign, is distributed through official app stores and unofficial sources. It primarily steals photos from infected devi…
ios
android
cryptocurrency
china
spyware
sparkcat
southeast asia
2025-06-23
sparkkitty
Published: June 23, 2025
Downloadable IOCs: 20

Discord Invite Hijacking: How Fake Links Are Delivering Infostealers

Cybercriminals are exploiting Discord's invite system and content delivery features to distribute malware and steal sensitive data. They use fake invite links, expired codes, and vanity URLs to redirect users to malicious servers. The attack chain involves a sophisticated combination of social engi…
phishing
social engineering
cryptocurrency
asyncrat
discord
multi-stage attack
wallet injection
chromekatz
skuld stealer
2025-06-20
invite hijacking
Published: June 20, 2025
Downloadable IOCs: 0

Crypto Phishing Applications On The Play Store

An investigation uncovered more than 20 cryptocurrency phishing applications on the Google Play Store impersonating legitimate wallets like SushiSwap and PancakeSwap. These malicious apps employ phishing techniques to steal users' mnemonic phrases, allowing access to real wallets and theft of funds…
phishing
android
cryptocurrency
google play store
2025-06-20
webview
mnemonic phrases
median framework
wallet impersonation
Published: June 20, 2025
Downloadable IOCs: 36

Hiding in GitHub

An AMOS malware campaign has been discovered utilizing GitHub repositories to distribute malicious files. The attackers created a fake Ledger Live app that prompts users to enter their secret phrases, which are then exfiltrated. The malware uses obfuscation techniques, including base64 encoding and…
obfuscation
cryptocurrency
stealer
macos
github
amos
ledger
2025-06-20
hardware-wallet
Published: June 20, 2025
Downloadable IOCs: 4

Inside the BlueNoroff Web3 macOS Intrusion Analysis

A detailed analysis of a sophisticated intrusion targeting a cryptocurrency foundation employee is presented. The attack, attributed to the North Korean APT group BlueNoroff, began with a social engineering lure via Telegram, leading to the installation of malicious software disguised as a Zoom ext…
apt
social engineering
cryptocurrency
stealer
macos
dprk
process injection
web3
2025-06-19
root troy v4
injectwithdyld
xscreen
cryptobot
telegram 2
Published: June 19, 2025
Downloadable IOCs: 18

Famous Chollima deploying Python version of GolangGhost RAT

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with exper…
rat
cryptocurrency
browser data theft
blockchain
golangghost
2025-06-18
pylangghost
Published: June 18, 2025
Downloadable IOCs: 67

Exploring a New KimJongRAT Stealer Variant and Its PowerShell Implementation

This article analyzes two new variants of the KimJongRAT stealer: a Portable Executable (PE) variant and a PowerShell implementation. Both variants use a multi-stage infection process, starting with a Windows shortcut (LNK) file that downloads a dropper from a content delivery network. The PE varia…
powershell
cryptocurrency
stealer
multi-stage infection
browser extensions
2025-06-17
kimjongrat
content delivery network
Published: June 17, 2025
Downloadable IOCs: 0

Crocodilus Mobile Malware: Evolving Fast, Going Global

A new Android banking Trojan, Crocodilus, has rapidly evolved since its discovery in March 2025. Initially targeting Turkey, it has expanded to European countries and South America. The malware is distributed through malicious advertising on social networks, masquerading as banking and e-commerce a…
social engineering
android
malvertising
cryptocurrency
banking trojan
2025-06-03
crocodilus
Published: June 3, 2025
Downloadable IOCs: 4

Chasing Eddies: New Rust-based InfoStealer used in CAPTCHA campaigns

A novel Rust-based infostealer called EDDIESTEALER has been discovered, distributed through fake CAPTCHA campaigns. The malware uses deceptive verification pages to trick users into executing a malicious PowerShell script, which deploys the infostealer. EDDIESTEALER targets sensitive data including…
powershell
infostealer
cryptocurrency
rust
data exfiltration
captcha
2025-05-29
eddiestealer
Published: May 29, 2025
Downloadable IOCs: 27

Katz Stealer Threat Analysis

Katz Stealer is a sophisticated credential-stealing malware-as-a-service that targets multiple browsers, cryptocurrency wallets, and communication platforms. It employs advanced evasion techniques like geofencing, VM detection, and process hollowing. The infection chain involves obfuscated JavaScri…
cryptocurrency
process-hollowing
credential-stealer
2025-05-26
katz stealer
uac-bypass
browser-targeting
discord-hijacking
evasion-techniques
Published: May 26, 2025
Downloadable IOCs: 34

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…
infostealer
cryptocurrency
exfiltration
open-source
pypi
blockchain
supply-chain-attack
2025-05-13
solana
solana-token
Published: May 13, 2025
Downloadable IOCs: 0

Recruitment Scams on the Rise: How Threat Actors Exploit Job Seekers

A significant increase in recruitment scams has been observed, with three distinct threat actors targeting job seekers. The first impersonates tech employers using advance fee fraud tactics. The second poses as a logistics recruitment agency, targeting 18 geographies and affecting 63,000 people in …
phishing
social engineering
cryptocurrency
telegram
identity theft
job seekers
2025-05-12
recruitment scams
advance fee fraud
Published: May 12, 2025
Downloadable IOCs: 0

Additional Features of OtterCookie Malware Used by WaterPlum

The article discusses updates to the OtterCookie malware utilized by the North Korea-linked attack group WaterPlum. The malware has evolved through four versions, with v3 and v4 being the focus. OtterCookie v3 introduced Windows support and enhanced file collection capabilities. Version 4 added new…
north korea
windows
cryptocurrency
stealer
macos
credential theft
beavertail
invisibleferret
ottercookie
2025-05-11
financial institutions
Published: May 11, 2025
Downloadable IOCs: 0

New Finance Scam Discovered Abusing Niche X/Twitter Advertising Loophole

A new financial scam has been uncovered that exploits a loophole in X/Twitter's advertising display URL feature. The scam spoofs legitimate domains like CNN while directing users to a cryptocurrency scam website impersonating Apple's brand. The fraudulent site promotes a fake 'iToken' and includes …
cryptocurrency
apple
brand impersonation
2025-05-09
x/twitter
url spoofing
domain redirection
Published: May 9, 2025
Downloadable IOCs: 65

FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network

FreeDrain is a sophisticated, large-scale cryptocurrency phishing operation that has been stealing digital assets for years. It exploits search engine optimization, free-tier web services, and layered redirection techniques to target cryptocurrency wallets. Victims are lured through high-ranking se…
phishing
cryptocurrency
seo manipulation
2025-05-09
redirection techniques
search engine poisoning
wallet theft
Published: May 9, 2025
Downloadable IOCs: 71

Unmasking the FreeDrain Network

A collaborative investigation by Validin and SentinelLABS exposes the FreeDrain Network, a large-scale cryptocurrency phishing operation. The campaign exploits search engine optimization, free web services, and redirection techniques to target and drain cryptocurrency wallets. The attackers use lur…
phishing
cryptocurrency
infrastructure analysis
seo manipulation
wallet draining
2025-05-08
redirectors
free hosting abuse
Published: May 8, 2025
Downloadable IOCs: 0

Uncovering Actor TTP Patterns and the Role of DNS in Investment Scams

This report analyzes common techniques, tactics, and procedures (TTPs) used by several investment scam actors who lure victims with fake platforms, including crypto exchanges. Key TTPs include registering large numbers of domains algorithmically, embedding similar web forms to collect user data, hi…
social engineering
cryptocurrency
facebook ads
cloaking
2025-04-29
rdga
dns abuse
web forms
tds
investment scams
2025-05-06
dns exploitation
registered domain generation algorithms
Published: May 6, 2025
Downloadable IOCs: 87

HANNIBAL Stealer: A Rebranded Threat Born from Sharp and TX Lineage

The Hannibal Stealer is a sophisticated information stealer targeting Chromium and Gecko-based browsers, developed in C# and operating on the .NET Framework. It bypasses Chrome Cookie V20 protection and steals data from cryptocurrency wallets, FTP clients, VPNs, and messaging apps. The malware perf…
cryptocurrency
sharp stealer
data exfiltration
information stealer
browser data theft
geofencing
2025-04-26
hannibal stealer
tx stealer
vpn credentials
c2 panel
telegram channels
2025-04-30
rebranded malware
vpn credential theft
Published: April 30, 2025
Downloadable IOCs: 4

Pentagon Stealer: Go and Python Malware Targeting Crypto

Pentagon Stealer is an evolving malware threat that exists in both Python and Golang versions. It primarily targets browser credentials, cookies, crypto wallet data, and messaging app tokens. The malware exploits browser debug modes to bypass encryption and injects into crypto wallets to steal sens…
python
cryptocurrency
data theft
stealer
purecrypter
go
blx stealer
vilsa stealer
2025-04-30
wallet injection
1312 stealer
browser exploitation
pentagon stealer
acab stealer
Published: April 30, 2025
Downloadable IOCs: 19

Gremlin Stealer: New Stealer on Sale in Underground Forum

A new information-stealing malware called Gremlin Stealer, written in C#, has been identified by researchers. Advertised on Telegram since March 2025, it targets a wide range of data including browser information, crypto wallets, FTP and VPN credentials. The malware exfiltrates stolen data to a web…
infostealer
cryptocurrency
vpn
data exfiltration
telegram
browser
2025-04-29
c#
ftp
gremlin stealer
Published: April 29, 2025
Downloadable IOCs: 2

A new version of Triada spreads embedded in the firmware of Android devices

Kaspersky researchers have discovered a new version of the Triada Trojan being distributed through infected Android device firmware. The malware is embedded into system files before devices are sold, making it nearly impossible to remove. It infects the Zygote process to compromise all apps on the …
android
cryptocurrency
trojan
credential theft
triada
sms interception
firmware
reverse proxy
2025-04-25
Published: April 25, 2025
Downloadable IOCs: 0

Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations

North Korean cybercrime activities heavily rely on Russian IP ranges in Khasan and Khabarovsk, utilizing extensive anonymization networks. The Void Dokkaebi group, linked to North Korea, employs fictitious companies like BlockNovas to target IT professionals through fraudulent job interviews, aimin…
social engineering
cryptocurrency
beavertail
frostyferret
2025-04-24
blocknovas
invisible ferret
anonymization networks
Published: April 24, 2025
Downloadable IOCs: 45

New Stealer on the Horizon

SvcStealer 2025 is a novel information stealer delivered through spear phishing email attachments. It harvests sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates specific proce…
cryptocurrency
information stealer
c2 communication
evasion techniques
spear phishing
data harvesting
svcstealer
2025-04-23
Published: April 23, 2025
Downloadable IOCs: 4

Malicious PyPi Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and…
cryptocurrency
pypi
supply-chain-attack
2025-04-16
api-hijacking
ccxt
mexc
Published: April 16, 2025
Downloadable IOCs: 2

Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Slow Pisces, a North Korean state-sponsored threat group, is targeting cryptocurrency developers through LinkedIn with malicious coding challenges. The group impersonates recruiters and sends malware disguised as project tasks, infecting systems with RN Loader and RN Stealer. Their campaign uses Gi…
social engineering
north korea
python
infostealer
cryptocurrency
2025-04-14
rn stealer
rn loader
dpkr
slow pisces
yaml deserialization
Published: April 14, 2025
Downloadable IOCs: 41

Atomic and Exodus crypto wallets targeted in malicious npm campaign

A malicious npm package named pdf-to-office was discovered targeting cryptocurrency wallets. The package, posing as a PDF to Office converter, injects malicious code into locally installed Atomic and Exodus wallets. This attack modifies legitimate files to redirect crypto funds to the attacker's wa…
cryptocurrency
persistence
npm
atomic
software supply chain
exodus
patching
2025-04-10
wallet
2025-04-14
trojanized code
atomic wallet
Published: April 14, 2025
Downloadable IOCs: 1

A miner and the ClipBanker Trojan being distributed via SourceForge

A unique malware distribution scheme exploiting SourceForge has been discovered. The attackers create a seemingly legitimate project on sourceforge.net, which automatically generates a sourceforge.io subdomain. This subdomain is then used to host a malicious page that tricks users into downloading …
powershell
cryptocurrency
persistence
autoit
clipbanker
2025-04-08
miner
sourceforge
Published: April 8, 2025
Downloadable IOCs: 0

Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads

North Korean threat actors have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the BeaverTail malware and introduce new remote access trojan loader functionality. The campaign, known as Contagious Interview, aims to compromise developer systems, …
north korea
cryptocurrency
beavertail
invisibleferret
2025-04-08
Published: April 8, 2025
Downloadable IOCs: 6

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…
phishing
cryptocurrency
supply chain
2025-04-04
2025-04-07
crm
coinbase
bulk email
ledger
seed phrase poisoning
Published: April 7, 2025
Downloadable IOCs: 45

BeaverTail and Tropidoor Malware Distributed via Recruitment Emails

A sophisticated malware campaign has been uncovered, involving the distribution of BeaverTail and Tropidoor malware through fake recruitment emails. The attackers, suspected to be of North Korean origin, impersonated a developer community to lure victims into downloading malicious code. The campaig…
backdoor
phishing
north korea
infostealer
cryptocurrency
downloader
beavertail
recruitment
invisibleferret
2025-04-03
lightlesscan
tropidoor
Published: April 3, 2025
Downloadable IOCs: 6

Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency

Cybercriminals are exploiting a live stream featuring Elon Musk, Cathie Wood, and Jack Dorsey discussing cryptocurrency to conduct scams. They modify the original video, adding frames that advertise malicious websites claiming to double users' cryptocurrency investments. Multiple YouTube channels w…
cryptocurrency
youtube
scam
fake websites
2025-04-02
social media exploitation
elon musk
live stream
double investment
Published: April 2, 2025
Downloadable IOCs: 10

From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic

Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers. This campaign, an evolution of the previously documented Contagious Interview, uses fake job interview websites to deploy the GolangGhost backdoor on Wi…
backdoor
north korea
cryptocurrency
clickfix
2025-04-01
golangghost
frostyferret
job interviews
cefi
Published: April 1, 2025
Downloadable IOCs: 86

Money Laundering 101, and why there is concern

This newsletter discusses the process of money laundering in the context of cybercrime, particularly ransomware attacks. It explains the three basic steps of money laundering: placement, layering, and integration. The author expresses concern about regulatory changes that might facilitate easier mo…
malware
ransomware
cryptocurrency
spam
cybercrime
email security
w32.file.malparent
coinminer:mbt.26mw.in14.talos
2025-03-28
trojan.generickd.33515991
money laundering
simple_custom_detection
regulatory changes
Published: March 28, 2025
Downloadable IOCs: 0

YouTube Creators Under Siege Again: Clickflix Technique Fuels Malware Attacks

Cybercriminals are targeting YouTube creators with a sophisticated malware campaign using the Clickflix technique. Attackers impersonate popular brands and offer fake collaboration opportunities to lure victims. The campaign employs spearphishing emails with malicious attachments and links to fake …
social engineering
spearphishing
powershell
cryptocurrency
lumma stealer
credential theft
youtube
2025-03-25
clickflix
Published: March 25, 2025
Downloadable IOCs: 5

SVC New Stealer on the Horizon

SvcStealer 2025 is a newly discovered information stealer malware distributed through spear phishing emails. It targets sensitive data including machine information, installed software, user credentials, cryptocurrency wallets, and browser data. The malware creates a unique folder, terminates speci…
cryptocurrency
data exfiltration
information stealer
c2 communication
evasion techniques
spear phishing
2025-03-21
svcstealer
Published: March 21, 2025
Downloadable IOCs: 0

Albabat Ransomware Group Potentially Expands Targets to Multiple OS Uses GitHub to Streamline Operations

The Albabat ransomware group has evolved its malware to target Windows, Linux, and macOS devices, as evidenced by new versions 2.0.0 and 2.5. The group is using GitHub to streamline operations, storing configuration files and essential components. The ransomware ignores specific folders, encrypts c…
ransomware
cryptocurrency
encryption
github
multi-platform
2025-03-21
albabat
database
configuration
system information
Published: March 21, 2025
Downloadable IOCs: 2

Ramadan Scams on the Rise: Fake Giveaways, Crypto Traps & Fraudulent Donations

Cybercriminals are exploiting Ramadan's spirit of generosity through various scams targeting unsuspecting individuals. These include wallet-draining schemes disguised as religious incentives, fraudulent crypto tokens, fake e-commerce sales, and deceptive donation campaigns. Scammers utilize social …
phishing
social engineering
cryptocurrency
scams
e-commerce fraud
2025-03-14
charitable fraud
wallet draining
fake giveaways
ramadan
Published: March 14, 2025
Downloadable IOCs: 28

Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims

A campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications has been uncovered. The operation impersonates well-known brands and organizations, luring victims with unrealistic promises of high returns. The consistent design of the platfor…
impersonation
cryptocurrency
telegram
2025-03-13
mobile applications
investment scam
pyramid scheme
Published: March 13, 2025
Downloadable IOCs: 36

Unmasking GrassCall Campaign: The Hackers Behind Job Recruitment Cyber Scams

The GrassCall malware campaign, orchestrated by the Russian-speaking cybercriminal group 'Crazy Evil,' targets job seekers in the cryptocurrency and Web3 sectors. The attackers create fake companies and job postings, luring victims into downloading malicious software disguised as a video conferenci…
social engineering
rhadamanthys
cryptocurrency
atomic macos stealer
remote access trojan
web3
grasscall
2025-03-13
job recruitment scam
russian-speaking cybercriminals
Published: March 13, 2025
Downloadable IOCs: 0

Pivots into New Lazarus Group Infrastructure, Acquires Sensitive Intel Related to $1.4B ByBit Hack and Past Attacks

A significant discovery has been made regarding the Lazarus Advanced Persistent Threat (APT) Group's infrastructure. Analysts have uncovered a domain registered by the group shortly before the $1.4 billion Bybit crypto heist, linked to an email address used in previous attacks. The investigation re…
apt
phishing
social engineering
north korea
cryptocurrency
2025-02-26
bybit
Published: February 26, 2025
Downloadable IOCs: 0

DeepSeek Lure Used To Spread Malware

Cybercriminals are exploiting DeepSeek's popularity by creating fake look-alike domains to deliver the Vidar information stealer. The attack chain involves a deceptive website that prompts users to complete a fake partner registration, leading to a malicious CAPTCHA page. This page injects a PowerS…
cryptocurrency
vidar
captcha
brand impersonation
deepseek
2025-02-25
clipboard injection
Published: February 25, 2025
Downloadable IOCs: 40

Fake GitHub projects distribute stealers in GitVenom campaign

The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit numbers to appear genuine. The malicious code, implemented…
cryptocurrency
stealer
asyncrat
open-source
github
quasar
2025-02-24
gitvenom
clipboard-hijacker
fake-projects
Published: February 24, 2025
Downloadable IOCs: 2

Targeting of freelance developers

North Korea-aligned cybercriminals are targeting freelance software developers through fake job offers and coding challenges containing malware. The campaign, dubbed DeceptiveDevelopment, uses two main malware families - BeaverTail and InvisibleFerret - to steal cryptocurrency wallets and login cre…
north korea
spearphishing
infostealer
cryptocurrency
beavertail
invisibleferret
2025-02-21
job scams
freelancers
Published: February 21, 2025
Downloadable IOCs: 0

Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency

A new malware called Zhong Stealer has been identified targeting the cryptocurrency and fintech sectors through a phishing campaign. The attackers exploited chat support platforms, posing as customers to trick agents into downloading the malware. Zhong Stealer's execution flow involves multiple sta…
phishing
cryptocurrency
persistence
credential theft
data exfiltration
fintech
2025-02-18
zhong stealer
Published: February 18, 2025
Downloadable IOCs: 5

Don't Ghost the SocGholish: GhostWeaver Backdoor

The article details a sophisticated malware infection chain involving SocGholish, MintsLoader, and the GhostWeaver backdoor. The attack begins with a fake browser update, progressing through multiple stages to deploy a PowerShell backdoor and various plugins. These components work together to steal…
backdoor
powershell
cryptocurrency
socgholish
credential theft
boinc
fakeupdates
netsupport rat
mintsloader
2025-02-17
web injection
ghostweaver
juniper stealer
Published: February 17, 2025
Downloadable IOCs: 14

Valentine's Day Cyber Attack Landscape: Exploiting Love Through Digital Deception

Valentine's Day 2025 has become a focal point for sophisticated cybersecurity threats, with attackers exploiting emotional vulnerabilities and seasonal shopping behaviors. A complex network of scams has emerged, including OAuth-based phishing, brand impersonation, and cryptocurrency fraud. These th…
phishing
social engineering
cryptocurrency
financial fraud
social media
e-commerce
brand impersonation
oauth
2025-02-15
valentine's day
Published: February 15, 2025
Downloadable IOCs: 0

Inside the Scam: North Korea's IT Worker Threat

North Korea has exploited remote work opportunities to infiltrate international companies with fraudulent IT workers, generating revenue and posing cybersecurity risks. The group PurpleBravo targets cryptocurrency firms using malware like BeaverTail and InvisibleFerret. At least seven suspected Nor…
malware
espionage
north korea
cryptocurrency
beavertail
invisibleferret
remote work
2025-02-13
ottercookie
front companies
it workers
Published: February 13, 2025
Downloadable IOCs: 43

Fake DeepSeek Sites Used for Credential Phishing, Crypto Theft, Scams

Researchers have identified numerous fake DeepSeek websites being used for malicious purposes, including credential phishing, cryptocurrency theft, and various scams. Over 50 active sites and thousands of potentially malicious domains have been observed. These fake sites range from obvious imitatio…
phishing
cryptocurrency
credential theft
scams
2025-02-06
deepseek
qr code scams
wallet drainers
fake websites
Published: February 6, 2025
Downloadable IOCs: 0

Uncovering Cyber Threat Networks: SmartApeSG & NetSupport RAT

This investigation explores the connections between SmartApeSG, a FakeUpdate threat, and NetSupport RAT. Through analysis of Internet telemetry data, the research uncovered related C2 management hosts, active NetSupport RAT servers, and cross-connections to suspicious infrastructure. Key findings i…
cryptocurrency
socgholish
quasar rat
netsupport rat
clearfake
c2 infrastructure
2025-02-04
moldovan ips
pivoting analysis
fakeupdate
landupdate808
ispmanager
smartapesg
lycantrox
Published: February 4, 2025
Downloadable IOCs: 57

Analysis of Astral Stealer

Astral Stealer v1.8 is a powerful malware tool coded in Python, C#, and JavaScript, designed for data theft and crypto wallet exploitation. It targets gaming accounts, browser credentials, and cryptocurrency wallets while employing anti-debugging and VM bypass techniques. The stealer offers advance…
cryptocurrency
stealer
data exfiltration
information theft
2025-01-31
browser injection
discord injection
astral stealer
Published: January 31, 2025
Downloadable IOCs: 3

Operation Phantom Circuit: North Korea's Global Data Exfiltration Campaign

In December 2024, the Lazarus Group, a North Korean threat actor, launched a sophisticated global campaign targeting cryptocurrency and technology developers. The operation, code-named 'Phantom Circuit,' involved embedding malware into trusted development tools, compromising hundreds of victims wor…
north korea
cryptocurrency
data exfiltration
software supply chain
command-and-control
2025-01-30
phantom circuit
Published: January 30, 2025
Downloadable IOCs: 13

APT-C-26 (Lazarus) continues to upgrade its attack weapons, using Electron programs to target the cryptocurrency industry

The APT-C-26 (Lazarus) group has been observed using Electron-packaged malicious programs disguised as cryptocurrency trading tools to target individuals in the cryptocurrency industry. The attack involves a multi-stage process, including the use of poisoned open-source projects, obfuscated malicio…
cryptocurrency
data theft
electron
2025-01-22
uniswapsniperbot
Published: January 22, 2025
Downloadable IOCs: 0

Sneaky 2FA: exposing a new AiTM Phishing-as-a-Service

A new Adversary-in-the-Middle (AiTM) phishing kit called Sneaky 2FA has been discovered targeting Microsoft 365 accounts. The kit is sold as Phishing-as-a-Service by a cybercrime service called Sneaky Log, which operates via a Telegram bot. Sneaky 2FA uses anti-bot and anti-analysis features, authe…
obfuscation
phishing
aitm
cryptocurrency
telegram
2025-01-17
Published: January 17, 2025
Downloadable IOCs: 26

Infostealer LummaC2 Spreading Through Fake CAPTCHA Verification Page

A new distribution method for the LummaC2 infostealer malware has been identified, using a fake CAPTCHA verification page. The process begins with a deceptive authentication screen that copies a malicious command to the clipboard when users click 'I'm not a robot'. This command executes an obfuscat…
obfuscation
phishing
powershell
lummac2
infostealer
cryptocurrency
captcha
2025-01-13
clipbanker
Published: January 13, 2025
Downloadable IOCs: 4

Banshee: The Stealer That "Stole Code" From MacOS XProtect

A new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals, has been monitored since September. This version went undetected for over two months, using a string encryption algorithm identical to Apple's XProtect antivirus engine. The malware targets browser credentials, c…
phishing
cryptocurrency
macos
lumma stealer
github
string encryption
banshee
2025-01-09
xprotect
Published: January 9, 2025
Downloadable IOCs: 25

CoinLurker: The Stealer Powering the Next Generation of Fake Updates

CoinLurker is a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, it employs advanced obfuscation and anti-analysis techniques, making it highly effective in modern cyberattacks. The malware is delivered through fake update campaigns, leveraging deceptive ent…
cryptocurrency
2024-12-17
coinlurker
Published: December 17, 2024
Downloadable IOCs: 50

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…
xmrig
cryptocurrency
lumma stealer
malware loader
vidar
risepro
socks5systemz
2024-12-16
riseloader
Published: December 16, 2024
Downloadable IOCs: 0

CURLing for Crypto on Honeypots

An analysis of honeypot activity reveals a pattern of repeated curl commands targeting various websites, primarily originating from a single IP address. The commands, executed on multiple honeypots, focus on cryptocurrency-related sites, bot construction platforms, and communication services. The a…
cryptocurrency
ddos
botnet
mining
telegram
siem
2024-12-09
curl
honeypot
cowrie
Published: December 9, 2024
Downloadable IOCs: 37

Malicious PyPI crypto pay package aiocpa implants infostealer code

ReversingLabs detected a malicious package named 'aiocpa' on PyPI, engineered to compromise cryptocurrency wallets. Unlike typical attacks, the actors published their own crypto client tool to attract users before compromising them through a malicious update. The package appeared legitimate, with m…
obfuscation
infostealer
cryptocurrency
pypi
machine learning
software supply chain
2024-11-29
threat hunting
Published: November 29, 2024
Downloadable IOCs: 0

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…
cryptocurrency
ddos
iot
botnet
mirai
discord
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
CVE-2017-17215
telegram
2024-11-27
CVE-2014-8361
brute-force
CVE-2017-18368
script kiddie
CVE-2018-9995
pybot
CVE-2024-27348
CVE-2017-17106
discordgo
CVE-2022-30525
CVE-2022-30075
Published: November 27, 2024
Linked vulnerabilities : CVE-2024-27348, CVE-2021-20090, CVE-2022-30525, CVE-2018-10562, CVE-2018-10561, CVE-2022-30075, CVE-2018-9995, CVE-2017-17106, CVE-2017-18368, CVE-2014-8361, CVE-2017-17215
Downloadable IOCs: 12

BlueNoroff used macOS malware with novel persistence

SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign called 'Hidden Risk'. The attackers, linked to BlueNoroff, used fake cryptocurrency news emails and a malicious app disguised as a PDF to deliver multi-stag…
apt
phishing
north korea
cryptocurrency
persistence
macos
2024-11-08
lessonone
growth
Published: November 8, 2024
Downloadable IOCs: 0

North Korean remote workers landing jobs in the West

North Korean threat actors are utilizing Contagious Interview and WageMole campaigns to secure remote employment in Western countries, evading financial sanctions. The Contagious Interview campaign has been updated with improved script obfuscation and multi-platform support, targeting over 100 devi…
social engineering
cryptocurrency
data theft
beavertail
contagious interview
invisibleferret
2024-11-06
wagemole
sanctions evasion
remote work
job fraud
Published: November 6, 2024
Downloadable IOCs: 56

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…
obfuscation
phishing
android
cryptocurrency
craxs rat
privilege escalation
2024-11-04
apk distribution
transaction hijacking
sms interception
g700 rat
Published: November 4, 2024
Downloadable IOCs: 3

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

Tenacious Pungsan: A DPRK threat actor linked to Contagious Interview

Datadog Security Research discovered three malicious npm packages: passports-js, bcrypts-js, and blockscan-api, containing BeaverTail malware associated with North Korean threat actors. The packages, downloaded 323 times, targeted job-seekers in the US tech industry through a campaign named Contagi…
infostealer
cryptocurrency
npm
dprk
beavertail
contagious interview
2024-10-25
invisibleferret
software supply chain
namesquatting
Published: October 25, 2024
Downloadable IOCs: 1

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA

Lumma Stealer, a sophisticated information-stealing malware, has evolved its tactics to employ fake CAPTCHA verification for payload delivery. The malware exploits legitimate software and uses multi-stage fileless techniques to evade detection. Its infection chain involves PowerShell scripts, proce…
powershell
cryptocurrency
lumma stealer
information-stealing
data exfiltration
fileless
maas
process hollowing
fake captcha
2024-10-21
Published: October 21, 2024
Downloadable IOCs: 23

Stealers on the rise: Kral, AMOS, Vidar and ACR

This intelligence report analyzes the increasing prevalence of information stealers, focusing on Kral, AMOS, Vidar, and ACR. Kral, delivered by its downloader, targets cryptocurrency wallets and browser data. AMOS, a macOS stealer, spreads through malvertising impersonating Homebrew. Vidar distribu…
cryptocurrency
macos
credential theft
vidar
data exfiltration
amos
aurora
2024-10-21
dll hijacking
information stealers
kral
penguish
acr
Published: October 21, 2024
Downloadable IOCs: 0

The Will of D: A Deep Dive into Divulge Stealer, Dedsec Stealer, and Duck Stealer

This analysis examines three emerging malware threats: Divulge Stealer, DedSec Stealer, and Duck Stealer. These stealers, often promoted on platforms like GitHub and Telegram, target browser data, game information, and sensitive personal details. Divulge Stealer, a successor to Umbral Stealer, feat…
infostealer
cryptocurrency
browser data theft
2024-10-21
anti-vm
doenerium
divulge stealer
umbral stealer
duck stealer
azstealer
dedsec stealer
Published: October 21, 2024
Downloadable IOCs: 3

ClickFix tactic: The Phantom Meet

This analysis explores the ClickFix social engineering tactic that emerged in 2024, focusing on a cluster impersonating Google Meet pages to distribute malware. The tactic tricks users into running malicious code by displaying fake error messages. The investigated cluster targets both Windows and m…
phishing
social engineering
rhadamanthys
infostealer
cryptocurrency
stealc
clickfix
2024-10-18
web3
amos stealer
google meet
Published: October 18, 2024
Downloadable IOCs: 171

YUNIT STEALER

Yunit Stealer is a sophisticated malware targeting sensitive user data through credential theft and system manipulation. It employs advanced evasion techniques to bypass security measures, maintaining persistence on compromised systems. The malware performs comprehensive data extraction, including …
cryptocurrency
data theft
2024-10-07
gaming
credential extraction
yunit stealer
Published: October 7, 2024
Downloadable IOCs: 0

VILSA STEALER

A new malware called Vilsa Stealer has emerged on GitHub, notable for its speed and efficiency in extracting sensitive data. This sophisticated tool targets browser credentials, tokens, and various application data. It supports major browsers and over 40 crypto wallets, using Python as its programm…
cryptocurrency
data theft
exfiltration
persistence
anti-analysis
2024-10-07
vilsa stealer
browser credentials
Published: October 7, 2024
Downloadable IOCs: 3

North Korea Still Attacking Developers via npm

Recent weeks have seen a resurgence of North Korean-aligned groups targeting developers through npm packages. The campaign, which began on August 12, 2024, involves multiple groups using various publication patterns and attack types. The malicious packages contain obfuscated JavaScript that downloa…
malware
obfuscation
python
cryptocurrency
exfiltration
persistence
javascript
moonstone sleet
npm
2024-09-30
contagious interview
multi-stage attack
Published: September 30, 2024
Downloadable IOCs: 12

WalletConnect Scam: A Case Study in Crypto Drainer Tactics

An investigation uncovered a malicious app on Google Play targeting mobile users to steal cryptocurrency. The app, posing as a legitimate WalletConnect tool, used advanced evasion techniques to avoid detection for nearly five months. It achieved over 10,000 downloads through fake reviews and brandi…
android
cryptocurrency
mobile malware
2024-09-26
ms drainer
Published: September 26, 2024
Downloadable IOCs: 6

Russia-linked crypto threat actor involved in political spoofing tracked

A Russia-linked threat actor is deploying domains for crypto scams targeting the US Presidential Election and prominent tech brands. The scams involve fake Bitcoin and Ethereum giveaways, asking users to send coins to attacker-controlled wallets with false promises of doubling returns. A large clus…
phishing
cryptocurrency
2024-09-20
political spoofing
us elections
Published: September 20, 2024
Downloadable IOCs: 6

Deep Fake Crypto Scams

Cybercriminals exploited the U.S. presidential debate to launch a cryptocurrency scam using deep fake videos. The scam featured fake streams on hijacked YouTube channels, claiming to show Elon Musk and Donald Trump debating Kamala Harris. The videos directed viewers to invest in cryptocurrency duri…
cryptocurrency
2024-09-20
deep fake
presidential debate
Published: September 20, 2024
Downloadable IOCs: 24

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors

Unit 42 researchers have uncovered an ongoing campaign involving poisoned Python packages that deliver Linux and macOS backdoors. The attackers, believed to be the North Korean-affiliated group Gleaming Pisces, uploaded malicious packages to PyPI. The campaign's objective appears to be gaining acce…
rat
cryptocurrency
macos
poolrat
pondrat
2024-09-19
applejeus
Published: September 19, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2024-3094
Downloadable IOCs: 16

A Network of Harm: Gigabud Threat and Its Associates

An investigation reveals a significant connection between Gigabud and Spynote malware families, targeting over 50 financial apps including banks and cryptocurrency platforms. The campaign utilizes sophisticated distribution methods, including 11 command and control servers and 79 phishing websites …
phishing
cryptocurrency
spynote
banking trojan
2024-09-17
gigabud
android rat
Published: September 17, 2024
Downloadable IOCs: 116

Hadooken Malware Targets Weblogic Applications

Aqua Nautilus researchers identified a Linux malware, named Hadooken, targeting Oracle WebLogic servers. Upon gaining initial access through an exploited weak password, Hadooken deploys a cryptominer and the Tsunami malware. The report details the attack flow, techniques employed by the threat acto…
linux
backdoor
cryptocurrency
mallox
lateral movement
tsunami
2024-09-13
weblogic
hadooken
Published: September 13, 2024
Downloadable IOCs: 4

BLX STEALER

Identified as a sophisticated dropper binary designed to deploy an information stealer dubbed BLX Stealer or XLABB Stealer, this malware has been actively promoted on Telegram and Discord platforms. It targets credentials, browser data, cryptocurrency wallets, and other sensitive personal informati…
cryptocurrency
stealer
persistence
credential
data exfiltration
2024-09-11
xlabb stealer
blx stealer
Published: September 11, 2024
Downloadable IOCs: 5

Atomic macOS Stealer leads sensitive data theft on macOS

The report discusses the Atomic macOS Stealer (AMOS), an infostealer malware targeting macOS systems. It is designed to steal sensitive information like passwords, cookies, cryptocurrency wallets, and other data from infected machines. The malware is distributed through malvertising, SEO poisoning,…
malvertising
infostealer
cryptocurrency
macos
2024-09-09
amos
atomic macos stealer
passwords
Published: September 9, 2024
Downloadable IOCs: 17

From the Depths: Analyzing the Cthulhu Stealer Malware for macOS

This report analyzes Cthulhu Stealer, a malware-as-a-service targeting macOS users to steal credentials and cryptocurrency wallets. It explores the malware's functionality, including prompting users for passwords, dumping keychain data, and exfiltrating stolen information. The analysis compares Cth…
cryptocurrency
stealer
macos
golang
atomic stealer
2024-08-23
maas
cthulhu stealer
Published: August 23, 2024
Downloadable IOCs: 9

TodoSwift Disguises Malware Download Behind Bitcoin PDF

This report details a macOS threat actor likely originating from North Korea that employs a dropper application written in Swift/SwiftUI. The dropper presents the user with a seemingly legitimate Bitcoin pricing PDF while simultaneously downloading and executing a malicious payload. The malware's t…
cryptocurrency
macos
dropper
2024-08-19
rustbucket
kandykorn
todoswift
Published: August 19, 2024
Downloadable IOCs: 7

2024 Paris Olympic Games Infrastructure Attack Report

This report examines the malicious activities surrounding the 2024 Paris Olympic Games, where adversaries set up fraudulent social media profiles, online stores, ticketing systems, and cryptocurrencies to exploit the event's popularity. Researchers analyzed newly registered domains (NRDs) before th…
phishing
cryptocurrency
cybercrime
fraud
olympics
2024-08-16
Published: August 16, 2024
Downloadable IOCs: 148

Campaign uses infostealers and clippers for financial gain

Kaspersky has uncovered a complex malware campaign orchestrated by Russian-speaking cybercriminals. The threat actors create sub-campaigns mimicking legitimate projects, using social media to enhance credibility. They host initial downloaders on Dropbox to deliver infostealers like Danabot and Stea…
phishing
evasion
infostealer
cryptocurrency
injection
danabot
stealc
russian
2024-08-16
clipper
Published: August 16, 2024
Downloadable IOCs: 68

How do cryptocurrency drainer phishing scams work?

Cryptodrainer phishing scams have emerged as a significant threat, targeting unsuspecting individuals through deceptive tactics to steal their digital assets. These scams lure victims with promises of profits while covertly siphoning their cryptocurrency. Attackers employ social engineering techniq…
phishing
social engineering
cryptocurrency
financial fraud
cybercrime
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 14

We're not talking about cryptocurrency as much as we used to, but there are still plenty of scammers out there

While cryptocurrency and blockchain have lost mainstream attention, cybercriminals continue to exploit these technologies through various scams like memecoins, rug pulls, and unregulated social media platforms. This report also highlights the SneakyChef threat actor's ongoing campaign targeting gov…
espionage
cryptocurrency
sugargh0st
spicerat
2024-06-28
Published: June 28, 2024
Linked vulnerabilities : CVE-2024-5806 (CVSS 7.4)
Downloadable IOCs: 4

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7

Malware Targets Message Queuing Services Applications

The report describes a recent campaign targeting Apache RocketMQ platforms, where attackers exploited a known vulnerability (CVE-2023-33246) to gain remote code execution on the systems. They then downloaded and executed the Muhstik malware, which provides persistence, evades detection, performs la…
evasion
cryptocurrency
vulnerability
persistence
apache
2024-06-06
irc
rocketmq
lateral
muhstik
CVE-2023-33246
Published: June 6, 2024
Linked vulnerabilities : CVE-2023-33246
Downloadable IOCs: 21

Romance Scams Urging Investment

The report details an investigation into romance scams that exploit emotional connections to solicit money under the guise of cryptocurrency investments. Perpetrators pose as potential romantic partners or friends to gain trust and eventually introduce victims to fake cryptocurrency exchanges desig…
phishing
social engineering
impersonation
cryptocurrency
2024-05-08
scam
fraud
romance
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 3
Click here to see more Attack Reports