Cryptocurrency users are the target of an ongoing social engineering campaign that employs fake startup companies to trick users into downloading malware that can drain digital assets from both Windows and macOS systems.
“These malicious operations impersonate AI, gaming, and Web3 firms using spoofed social media accounts and project documentation hosted on legitimate platforms like Notion and GitHub,” Darktrace researcher Tara Gould said in a report shared with The Hacker News.
The elaborate social media scam has been for sometime now, with a previous iteration in December 2024 leveraging bogus videoconferencing platforms to dupe victims into joining a meeting under the pretext of discussing an investment opportunity after approaching them on messaging apps like Telegram.
Users who ended up downloading the purported meeting software were stealthily infected by stealer malware such as Realst. The campaign was codenamed Meeten by Cado Security (which was acquired by Darktrace earlier this year) in reference to one of the phony videoconferencing services.
That said, there are indications that the activity may have been ongoing since at least March 2024, when Jamf Threat Labs disclosed the use of a domain named “meethub[.]gg” to deliver Realst.
The latest findings from Darktrace show that the campaign not only still remains an active threat, but has also adopted a broader range of themes related to artificial intelligence, gaming, Web3, and social media.
Furthermore, the attackers have been observed leveraging compromised X accounts associated with companies and employees, primarily those that are verified, to approach prospective targets and give their fake companies an illusion of legitimacy.
“They sites that are used frequently with software companies such as X, Medium, GitHub, and Notion,” Gould said. “Each company has a professional looking website that includes employees, product blogs, whitepapers and roadmaps.”
One such non-existent company is Eternal Decay (@metaversedecay), which claims to be a blockchain-powered game and has shared digitally altered versions of legitimate pictures on X to give the impression that they are presenting at various conferences. The end goal is to build an online presence that makes these firms appear as real as possible and increases the likelihood of infection.
Some of the other identified companies are listed below –
- BeeSync (X accounts: @BeeSyncAI, @AIBeeSync)
- Buzzu (X accounts: @BuzzuApp, @AI_Buzzu, @AppBuzzu, @BuzzuApp)
- Cloudsign (X account: @cloudsignapp)
- Dexis (X account: @DexisApp)
- KlastAI (X account: Links to Pollens AI’s X account)
- Lunelior
- NexLoop (X account: @nexloopspace)
- NexoraCore
- NexVoo (X account: @Nexvoospace)
- Pollens AI (X accounts: @pollensapp, @Pollens_app)
- Slax (X accounts: @SlaxApp, @Slax_app, @slaxproject)
- Solune (X account: @soluneapp)
- Swox (X accounts: @SwoxApp, @Swox_AI, @swox_app, @App_Swox, @AppSwox, @SwoxProject, @ProjectSwox)
- Wasper (X accounts: @wasperAI, @WasperSpace)
- YondaAI (X account: @yondaspace)
The attack chains begin when one of these adversary-controlled accounts messages a victim through X, Telegram, or Discord, urging them to test out their software in exchange for a cryptocurrency payment.
Should the target agree to the test, they are redirected to a fictitious website from where they are promoted to enter a registration code provided by the employee to download either a Windows Electron application or an Apple disk image (DMG) file, depending on the operating system used.
On Windows systems, opening the malicious application displays a Cloudflare verification screen to the victim while it covertly profiles the machine and proceeds to download and execute an MSI installer. Although the exact nature of the payload is unclear, it’s believed that an information stealer is run at this stage.
The macOS version of the attack, on the other hand, leads to the deployment of the Atomic macOS Stealer (AMOS), a known infostealer malware that can siphon documents as well as data from web browsers and crypto wallets, and exfiltrate the details to external server.
The DMG binary is also equipped to fetch a shell script that’s responsible for setting up persistence on the system using a Launch Agent to ensure that the app starts automatically upon user login. The script also retrieves and runs an Objective-C/Swift binary that logs application usage and user interaction timestamps, and transmits them to a remote server.
Darktrace also noted that the campaign shares tactical similarities with those orchestrated by a traffers group called Crazy Evil that’s known to dupe victims into installing malware such as StealC, AMOS, and Angel Drainer.
“While it is unclear if the campaigns […] can be attributed to CrazyEvil or any sub teams, the techniques described are similar in nature,” Gould said. “This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims, in addition to the use of newer evasive versions of malware.”
