Crypto‑Looting Malware Masquerades as AI and Gaming Start‑ups

Cybersecurity firm Darktrace has revealed a sophisticated social engineering campaign targeting cryptocurrency users on Windows and macOS. The scheme employs fake start‑up companies themed around AI, gaming, Web3, video conferencing, and social media to trick individuals into downloading malware disguised as legitimate software.

Darktrace’s analysis shows the threat actors building plausible digital identities: compromised or spoofed X accounts, some of them verified, for both the companies and their supposed employees, backed by company pages on Medium, Notion, GitHub and X to lend credibility. Notably, the group evolved from a December 2024 Web3 “Meeten” video‑call scam identified by Cado Security Labs into a broader and more enduring operation.

Attackers initiate contact via Telegram, Discord or X, offering cryptocurrency payment in return for testing their new software. Victims receive a registration code and download a tailored Windows Electron app or macOS DMG. Once run, the malware quietly profiles the device, shows a fake Cloudflare verification page as cover, and launches the payload: a stealer or drainer aimed at crypto wallets.

On Windows, the malware is signed with stolen code‑signing certificates and installs an MSI payload that harvests credentials and wallet data. On macOS, variants include the Atomic macOS Stealer (AMOS), which extracts browser cookies, documents and wallet credentials and maintains persistence through Launch Agents.

Darktrace’s report highlights the extensive list of fake companies involved: BeeSync, Buzzu, Cloudsign, Dexis, KlastAI, Lunelior, NexLoop, NexoraCore, NexVoo, Pollens AI, Slax, Solune, Swox, Wasper, YondaAI, among others. Victims cross‑checked these brands against polished websites, whitepapers and employee profiles on Notion and GitHub that imitate authentic early‑stage tech companies.

Darktrace notes the campaign bears hallmarks similar to those of the traffer group CrazyEvil, known for deploying StealC, AMOS and Angel Drainer. While attribution remains unconfirmed, the shared evasion techniques and targeting broadly align.

Experts have raised concerns about this tactic of ‘legitimacy laundering’. The use of compromised X accounts, especially verified ones, together with stolen certificates and AI‑generated content marks a refinement in social engineering methods. Darktrace threat researcher Tara Gould emphasises that this illustrates “the efforts that threat actors will go to make these fake companies look legitimate”.

Emerging trends in the campaign include multi‑platform targeting and increasingly authentic deception. The Windows versions layer obfuscation, sandbox‑avoidance checks and stolen signing certificates to bypass defences. On macOS, beyond AMOS, the infection uses staged shell scripts to install Launch Agents so the payload survives a reboot.

This campaign also marks a shift from opportunistic mass campaigns to tailored, lure‑based attacks. Actors undertake reconnaissance, observing a target’s role in Web3 and crypto, before approaching them through trusted‑looking channels. In some cases, attackers impersonated actual contacts and shared internal presentations to build trust.

Security experts stress that safeguarding against such threats requires cautious validation of unsolicited software offers, robust vetting of code‑signing certificates, and network segmentation. Users are urged to verify a company’s legitimacy independently by checking domain registrations and team credentials and cross‑referencing its claims.

Defensive strategies recommended by Darktrace include enhanced telemetry on installation attempts, stricter code‑signing policies, and behavioural detection tuned to post‑installation profiling and exfiltration patterns. On macOS, monitoring new Launch Agent plists and the processes they start provides early warning.
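The Launch Agent persistence mentioned above (a dropper shell script writing a plist so the stealer restarts after reboot) can be triaged from the plist files themselves. The script below is an added example written for this page, not code from Darktrace or the article, and its heuristics (staging paths, interpreter-launched payloads, Apple-looking labels outside /System/Library, RunAtLoad combined with KeepAlive) are assumptions, not published indicators for this campaign. The two sample plists are constructed for illustration.

```python
"""Triage macOS Launch Agent plists for dropper-style persistence (added example)."""
import glob
import os
import plistlib
import re
from typing import Any, Dict, List

# Real locations of user- and admin-installed Launch Agents. Apple's own agents
# live under /System/Library/LaunchAgents, so a com.apple.* label anywhere else
# is a masquerade.
LAUNCH_AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents"]

# Assumed heuristics: payloads staged by a dropper shell script usually sit in
# world-writable or hidden directories and are started through an interpreter.
STAGING_PATH = re.compile(r"^(?:/private)?/(?:tmp|var/tmp)/|^/Users/Shared/|/\.[^/]+/")
INTERPRETERS = {"/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
DOWNLOAD_TOKENS = re.compile(r"\b(?:curl|wget|base64|nohup|xattr)\b")


def triage_plist(data: bytes, location: str = "~/Library/LaunchAgents") -> Dict[str, Any]:
    """Return the label, the command the agent runs and why it looks suspicious."""
    plist = plistlib.loads(data)
    label = str(plist.get("Label", ""))
    if "Program" in plist:
        argv: List[str] = [str(plist["Program"])]
    else:
        argv = [str(a) for a in plist.get("ProgramArguments", [])]
    reasons: List[str] = []

    if label.startswith("com.apple.") and not location.startswith("/System/"):
        reasons.append(f"Apple-looking label {label!r} outside /System/Library")
    if not argv:
        reasons.append("no Program or ProgramArguments")
    else:
        if argv[0] in INTERPRETERS:
            reasons.append(f"runs through interpreter {argv[0]}")
        for token in argv:
            if STAGING_PATH.search(token):
                reasons.append(f"references staging/hidden path {token!r}")
            if (m := DOWNLOAD_TOKENS.search(token)):
                reasons.append(f"command line contains {m.group(0)!r}")
    # RunAtLoad plus KeepAlive is how a stealer survives reboot and kill;
    # either flag alone is common in legitimate agents, so only the pair counts.
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (restarts if killed)")

    # Two independent hits is the assumed threshold; tune for your fleet.
    return {"label": label, "argv": argv, "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_agents(dirs: List[str] = LAUNCH_AGENT_DIRS) -> List[Dict[str, Any]]:
    """Triage every plist under the given Launch Agent directories (empty off macOS)."""
    results: List[Dict[str, Any]] = []
    for d in dirs:
        expanded = os.path.expanduser(d)
        for path in glob.glob(os.path.join(expanded, "*.plist")):
            try:
                with open(path, "rb") as fh:
                    result = triage_plist(fh.read(), location=expanded)
            except (OSError, plistlib.InvalidFileException) as exc:
                result = {"label": path, "argv": [], "reasons": [f"unreadable: {exc}"], "suspicious": False}
            result["path"] = path
            results.append(result)
    return results


# Constructed sample plists (not real indicators): a normal updater agent and one
# shaped like the dropper-written persistence described in the report.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
    "StartInterval": 3600,
})
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.apple.helper",
    "ProgramArguments": ["/bin/bash", "-c", "/Users/Shared/.cache/run.sh"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN_PLIST, SUSPICIOUS_PLIST):
        print(triage_plist(sample))
    for hit in scan_launch_agents():
        if hit["suspicious"]:
            print(hit["path"], hit["reasons"])
```

Run on a Mac, `scan_launch_agents()` walks the real per-user and admin Launch Agent folders; on any other system it returns an empty list, so the constructed samples are what exercise the logic. The plist-only view is deliberately cheap: pairing a hit with the code-signing status of the referenced binary and its creation time is the natural next step.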

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.