Ongoing Social Engineering Campaign Targets Cryptocurrency Users
Cryptocurrency enthusiasts are facing a sustained social engineering campaign that utilizes counterfeit startup companies to deceive users into downloading malware capable of siphoning off their digital assets on Windows and macOS platforms. According to Tara Gould, a researcher at Darktrace, these malicious schemes mimic legitimate AI, gaming, and Web3 enterprises, employing fake social media profiles and project documentation hosted on reputable platforms like Notion and GitHub.
Evolution of the Scam
This intricate social media scam has been active for a considerable time, with earlier instances observed in December 2024, where scammers exploited fake videoconferencing platforms to lure victims under the guise of discussing investment opportunities via messaging apps like Telegram. Those who downloaded the seemingly innocuous meeting software encountered stealthy infections from malware such as Realst. Cado Security, which was acquired by Darktrace earlier this year, dubbed this campaign “Meeten,” referencing one of the bogus videoconferencing services. Reports indicate that this deceptive activity may have started as early as March 2024, when Jamf Threat Labs revealed the use of a domain named “meethub[.]gg” to distribute Realst.
Current Threat Landscape
Recent findings from Darktrace indicate that the campaign not only remains a persistent threat but has also expanded its themes to encompass a wider array of topics, including artificial intelligence, gaming, Web3, and social media. Attackers have been observed utilizing compromised accounts on X, targeting both companies and their employees, especially verified accounts, to approach potential victims, thereby lending an air of credibility to their fictitious enterprises. Gould noted, “They utilize frequently visited sites associated with software firms like X, Medium, GitHub, and Notion, creating professional-looking websites complete with employee profiles, product blogs, whitepapers, and roadmaps.”
Creation of a Deceptive Online Presence
One of the fabricated companies involved in this scheme is Eternal Decay (@metaversedecay), which falsely claims to be a blockchain-based game and has manipulated legitimate images on X to create the illusion of participation in various conferences. The ultimate objective is to establish an online presence that makes these fake entities appear genuine, thereby increasing the chances of user infections. Several other fictitious companies identified include BeeSync, Buzzu, Cloudsign, Dexis, KlastAI, Lunelior, NexLoop, NexoraCore, NexVoo, Pollens AI, Slax, Solune, Swox, Wasper, and YondaAI.
Mechanics of the Attack
The attack process commences when one of these adversarial accounts contacts a potential victim through platforms like X, Telegram, or Discord, enticing them to test their software in exchange for cryptocurrency. If the target consents, they are redirected to a fraudulent website where they are prompted to enter a registration code provided by the attacker to download either a Windows Electron application or an Apple disk image (DMG) file, depending on their operating system. For Windows users, launching the malicious application shows a Cloudflare verification screen while it secretly profiles the machine and downloads an MSI installer. Though the specifics of the payload remain uncertain, it is believed to activate an information stealer at this juncture.
Malware Deployment on macOS
In contrast, the macOS variant of the attack leads to the installation of the Atomic macOS Stealer (AMOS), a known info-stealer that extracts documents, web browser data, and details from cryptocurrency wallets, transmitting this information to an external server. The DMG binary also contains a shell script designed to establish persistence on the system through a Launch Agent, ensuring that the application runs automatically upon user login. Additionally, this script retrieves and executes an Objective-C/Swift binary that logs application usage and interaction timestamps, sending this data to a remote server.
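A defender-side check for the Launch Agent persistence described above, added here as an example and not code from Darktrace's report or the campaign. The two sample plists are constructed, and the heuristics (a RunAtLoad agent that starts a program outside standard install locations, a hidden directory in the path, or an inline interpreter command) are assumptions about what such an agent typically looks like.

```python
import plistlib
from pathlib import Path

# Where a legitimately installed login item normally lives; anything else (home
# directory, /tmp, hidden folders) deserves a second look. Assumed heuristic.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3"}

# Constructed sample plists, not artifacts from the campaign. The first mimics the
# pattern the article describes: run at login from a user-writable, hidden path.
SUSPICIOUS_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/alice/Library/.cache/helper</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
BENIGN_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.app</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/Example</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

def assess_launch_agent(plist_bytes: bytes) -> list[str]:
    """Return reasons a LaunchAgent looks like stealer-style persistence (empty = none)."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    exe, reasons = args[0], []
    if agent.get("RunAtLoad") and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"runs at login from an untrusted location: {exe}")
    if any(part.startswith(".") for part in exe.split("/")[1:]):
        reasons.append(f"hidden directory in executable path: {exe}")
    if exe.rsplit("/", 1)[-1] in INTERPRETERS and "-c" in args[1:]:
        reasons.append("inline interpreter command in ProgramArguments")
    return reasons

def scan_launch_agents(directory: str) -> dict[str, list[str]]:
    """Assess every *.plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    findings = {}
    for path in Path(directory).glob("*.plist"):
        try:
            hits = assess_launch_agent(path.read_bytes())
        except Exception as err:  # malformed or deliberately corrupted plist
            hits = [f"unparseable plist: {err}"]
        if hits:
            findings[path.name] = hits
    return findings
```

Every hit is a lead for a human to confirm, not a verdict; legitimate developer tooling sometimes installs agents from the home directory too.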
Comparison to Other Threat Campaigns
Darktrace highlighted that this campaign bears tactical similarities to operations conducted by a group known as Crazy Evil, notorious for tricking victims into installing malware such as StealC, AMOS, and Angel Drainer. Gould remarked, “While it is unclear if these campaigns can be directly linked to Crazy Evil or any of its sub-teams, the techniques employed are strikingly similar.” This ongoing campaign underscores the lengths to which cybercriminals will go to fabricate a veneer of legitimacy in their fake companies, aiming to pilfer cryptocurrency from unsuspecting victims while utilizing increasingly sophisticated and evasive malware versions.
