Cybersecurity experts at Darktrace have issued a warning about the growing threat of sophisticated social engineering tactics being used by malicious actors to spread crypto-stealing malware. In a recent blog post, Darktrace researchers revealed a complex scheme in which scammers were impersonating AI, gaming, and Web3 startups to deceive users into downloading malicious software.
The scam involves the use of verified and compromised X accounts, as well as project documentation hosted on legitimate platforms, to create a facade of credibility. The perpetrators typically initiate contact with potential victims on platforms like X, Telegram, or Discord, posing as representatives of promising startups and offering cryptocurrency payments in exchange for software testing.
Once the victims are lured in, they are directed to professional-looking websites that mimic authentic startups, complete with detailed whitepapers, roadmaps, GitHub entries, and even fake merchandise stores. Upon downloading and running the malicious application, a fake Cloudflare verification screen appears; while the user waits on it, the malware discreetly collects system information such as CPU details, MAC address, and user ID. This data, along with a CAPTCHA token, is then sent to the attacker’s server to assess the system’s vulnerability and decide whether to proceed.
If the verification is successful, a second-stage payload, often an info-stealer, is delivered stealthily, extracting sensitive information including cryptocurrency wallet credentials. Both Windows and macOS versions of the malware have been identified, with some Windows variants utilizing stolen code-signing certificates from legitimate companies.
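The fingerprint-then-CAPTCHA-token step gives defenders a concrete thing to hunt for: a freshly downloaded executable posting host identifiers plus a CAPTCHA token to a host that is not Cloudflare. The script below is an added example written for this summary, not code from Darktrace's report. It runs over constructed JSON-lines telemetry (timestamps, hostnames, process names, and the JSON body keys `cpu`, `mac`, `user_id`, `captcha_token` are all assumed for illustration, as is the `.invalid` destination) and raises the severity when the posting process matches a file downloaded on the same host within the last fifteen minutes.

```python
import json
from datetime import datetime, timedelta

# Assumed JSON keys for the host fingerprint and the CAPTCHA token; real
# loaders will use whatever names they like, so treat these as tunable.
FINGERPRINT_KEYS = {"cpu", "mac", "user_id"}
TOKEN_KEYS = {"captcha_token", "cf_token"}
# A genuine Cloudflare challenge is answered to Cloudflare. The same kind of
# token posted anywhere else, bundled with hardware identifiers, is the tell.
LEGIT_VERIFY_HOSTS = {"challenges.cloudflare.com"}
DOWNLOAD_WINDOW = timedelta(minutes=15)

# Constructed telemetry (JSON lines), not real logs: one download followed by a
# fingerprint POST from the downloaded binary, a benign Cloudflare challenge
# answer from the browser, and a second host with the POST but no download seen.
SAMPLE_LOG = """
{"ts":"2025-07-01T10:00:00","host":"ws01","kind":"download","process":"chrome.exe","path":"C:/Users/a/Downloads/Beta-Setup.exe"}
{"ts":"2025-07-01T10:02:10","host":"ws01","kind":"http_post","process":"Beta-Setup.exe","dest":"example-startup.invalid","body":{"cpu":"i7-9700","mac":"00:11:22:33:44:55","user_id":"a","captcha_token":"abc"}}
{"ts":"2025-07-01T10:02:11","host":"ws01","kind":"http_post","process":"chrome.exe","dest":"challenges.cloudflare.com","body":{"cf_token":"xyz"}}
{"ts":"2025-07-01T11:30:00","host":"ws02","kind":"http_post","process":"Beta-Setup.exe","dest":"example-startup.invalid","body":{"cpu":"i5-8250","mac":"66:77:88:99:aa:bb","user_id":"b","captcha_token":"q"}}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts, ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def basename(path):
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def detect_fingerprint_exfil(events):
    """Return alerts for POSTs that bundle a host fingerprint with a CAPTCHA
    token and go to a non-Cloudflare host. Severity is 'high' when the posting
    process is a file downloaded on the same host within DOWNLOAD_WINDOW."""
    recent_downloads = {}  # (host, file basename) -> download time
    alerts = []
    for ev in events:
        if ev["kind"] == "download":
            recent_downloads[(ev["host"], basename(ev["path"]))] = ev["ts"]
            continue
        if ev["kind"] != "http_post":
            continue
        keys = set(ev.get("body", {}))
        fp_hits = keys & FINGERPRINT_KEYS
        token_hits = keys & TOKEN_KEYS
        # Require at least two identifiers plus a token; a lone field is noise.
        if len(fp_hits) < 2 or not token_hits or ev["dest"] in LEGIT_VERIFY_HOSTS:
            continue
        dl_ts = recent_downloads.get((ev["host"], ev["process"]))
        fresh = dl_ts is not None and ev["ts"] - dl_ts <= DOWNLOAD_WINDOW
        alerts.append({
            "host": ev["host"],
            "process": ev["process"],
            "dest": ev["dest"],
            "fingerprint_fields": sorted(fp_hits),
            "severity": "high" if fresh else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_fingerprint_exfil(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample data this yields two alerts: a high-severity one for `ws01`, where the POST comes from `Beta-Setup.exe` two minutes after the browser downloaded it, and a medium one for `ws02`, where the same behaviour is seen but no download was recorded. The browser's own post to `challenges.cloudflare.com` is ignored, which is the point of keeping the allow-list separate from the key heuristic: a real CAPTCHA answer goes to Cloudflare, whereas the campaign's loader forwards the token to the attacker's server along with the hardware identifiers.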
Darktrace noted that the tactics employed in this campaign resemble those used by “traffer” groups, cybercriminal networks specializing in generating malware installs through deceptive content and social media manipulation. While the specific threat actors behind this campaign remain unknown, the methods used align with those seen in previous campaigns attributed to CrazyEvil, a group notorious for targeting crypto communities and reportedly earning millions of dollars from their illicit activities.
This latest incident is just one in a series of similar malware campaigns detected throughout the year. For example, a North Korea-linked operation was discovered using fake Zoom updates to compromise macOS devices at crypto firms, deploying a new malware strain called “NimDoor” to extract sensitive data while maintaining persistence on the system. Additionally, the Lazarus hacking group was found posing as recruiters to distribute a new malware strain named “OtterCookie” during fake interview sessions.
Earlier research by blockchain forensic firm Merkle Science also highlighted social engineering scams targeting celebrities and tech leaders through compromised X accounts. These incidents underscore the ongoing threat posed by sophisticated social engineering tactics in the realm of cybersecurity and the importance of staying vigilant against such malicious activities.