Ongoing research by Darktrace has revealed an increasingly sophisticated social engineering campaign targeting cryptocurrency users and Web3 employees with custom-built malware.
First detailed in late 2024 by Cado Security Labs through the “Meeten” campaign, the current wave persists with threat actors establishing professional-looking AI, gaming, and blockchain startup brands.
These entities, complete with polished websites, technical documentation, and an active presence on X (formerly Twitter), Medium, Notion, and GitHub, are engineered specifically to trick victims into downloading info-stealer malware disguised as legitimate software.
Social Engineering Campaigns
Leveraging compromised and verified X accounts, the attackers present themselves as credible company employees, often reaching out directly via X, Telegram, or Discord.
The campaign’s targets are lured with offers to test upcoming software products in exchange for cryptocurrency payments.
Once engaged, the victim is directed to a company-branded website requiring a unique registration code for software download.
Depending on the user’s OS, a Windows Electron app or macOS DMG is delivered, with both pathways harboring malware engineered to compromise crypto wallets and harvest sensitive user data.
The Windows version is an Electron-based application that profiles the victim’s system before downloading Python-based payloads from remote servers.
If verification passes, a signed executable or MSI is quietly installed, using code signing certificates stolen from legitimate firms such as Jiangyin Fengyuan Electronics Co., Ltd. and Paperbucketmdb ApS (revoked as of June 2025) to evade detection mechanisms.
Historical evidence and victim reports confirm payloads at this stage are info-stealer variants aimed at draining crypto holdings.
Multi-Platform Malware Distribution
On macOS, the supplied DMG contains a heavily obfuscated bash script that leverages AppleScript to mount the malware, move a hidden binary to a temporary directory, and execute it.
The primary threat here is Atomic Stealer, a notorious macOS info-stealer known for extracting browser data, crypto wallets, cookies, and documents, then exfiltrating the compressed package to attacker-controlled infrastructure.
Additional scripts establish persistence via launch agents, ensuring continued monitoring and data theft.
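The persistence step described above, a hidden binary dropped into a temporary directory and kept alive through a launch agent, is something a defender can hunt for in ~/Library/LaunchAgents. The following is an added example, not code from the Darktrace write-up: it parses LaunchAgent plists and flags ones whose program path sits in a temp directory or is a dot-prefixed hidden file. Those two heuristics are this example's own reading of the behaviour the article describes, and the two plist files it writes are constructed for illustration.

```python
"""Audit macOS LaunchAgent plists for the persistence pattern described above.

Added example, not part of the Darktrace write-up. The heuristics (a program
path in a temporary directory, or a hidden dot-prefixed binary) are this
example's own reading of the article; the plist files below are constructed.
"""
import os
import plistlib
import tempfile

# Temp locations the article's "moved to a temporary directory" maps onto (assumption).
TEMP_DIR_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def program_path(plist: dict) -> str:
    """Return the executable a LaunchAgent runs: Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def suspicious_reasons(plist: dict) -> list:
    """List the heuristic reasons a LaunchAgent resembles the described persistence."""
    path = program_path(plist)
    reasons = []
    if path.startswith(TEMP_DIR_PREFIXES):
        reasons.append("program lives in a temporary directory")
    if os.path.basename(path).startswith("."):
        reasons.append("program is a hidden (dot-prefixed) file")
    if plist.get("RunAtLoad") and reasons:
        reasons.append("RunAtLoad is set, so it starts at every login")
    return reasons


def audit_launch_agents(directory: str) -> dict:
    """Scan every .plist in `directory`; return {filename: [reasons]} for flagged ones."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                plist = plistlib.load(fh)
            except plistlib.InvalidFileException:
                findings[name] = ["plist could not be parsed"]
                continue
        reasons = suspicious_reasons(plist)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_agents() -> str:
    """Write two constructed LaunchAgents to a fresh temp dir and return its path."""
    directory = tempfile.mkdtemp(prefix="launchagents_demo_")
    benign = {
        "Label": "com.example.updater",
        "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 3600,
    }
    # Constructed: hidden binary in a temp dir, started at login (the article's pattern).
    suspect = {
        "Label": "com.example.helper",
        "ProgramArguments": ["/private/tmp/.helper", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }
    for fname, data in (("com.example.updater.plist", benign),
                        ("com.example.helper.plist", suspect)):
        with open(os.path.join(directory, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return directory


if __name__ == "__main__":
    # On a real Mac, point audit_launch_agents at os.path.expanduser("~/Library/LaunchAgents").
    demo_dir = build_sample_agents()
    for fname, reasons in audit_launch_agents(demo_dir).items():
        print(f"{fname}: {'; '.join(reasons)}")
```

The heuristics are deliberately narrow so the output stays reviewable; a legitimate agent that happens to run from /var/folders will show up and should be cleared by hand rather than by widening the rules.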
The fake enterprise façade is reinforced through fake social media marketing, fabricated conference presentations, plagiarized technical content, and even fraudulent links to official company registers.
Some operations go further, staging merchandise stores and promoting false investor material.
Notably, observed campaigns have reused codebases and branding across several “companies,” with little attempt to diversify underlying malware, suggesting a coordinated and scalable attack infrastructure.
The scale and structure of the campaign align with tactics seen in organized traffer groups, such as “CrazyEvil,” identified by Recorded Future.
According to the Darktrace report, these groups specialize in driving traffic and installs to malicious binaries for profit, especially targeting the cryptocurrency and gaming sectors.
While direct attribution to CrazyEvil is unconfirmed, many operational similarities are evident, including coordinated use of marketing platforms, social engineering, and deployment of both Windows and macOS stealer tools.
This ongoing threat underscores the critical need for heightened vigilance within the crypto and Web3 user bases, as threat actors continue to refine the legitimacy of their social engineering playbooks and malware delivery techniques.
Indicators of Compromise (IoCs)
| Domain/IP | Notes |
|---|---|
| manboon[.]com | Malicious infrastructure |
| https://gaetanorealty[.]com | Malicious infrastructure |
| troveur[.]com | Malicious infrastructure |
| bigpinellas[.]com | Malicious infrastructure |
| dsandbox[.]com | Malicious infrastructure |
| conceptwo[.]com | Malicious infrastructure |
| aceartist[.]com | Malicious infrastructure |
| turismoelcasco[.]com | Malicious infrastructure |
| ekodirect[.]com | Malicious infrastructure |
| https://mrajhhosdoahjsd[.]com | C2/data exfiltration |
| https://isnimitz.com/zxc/app[.]zip | Malware hosting |
| http://45[.]94[.]47[.]112/contact | Data exfiltration endpoint |
| 45[.]94[.]47[.]167/contact | Data exfiltration endpoint |
| 77[.]73[.]129[.]18:80 | Remote code/script hosting |
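The indicators above are published defanged, mixing bare domains, full URLs, host:port pairs and host/path fragments, so they cannot be dropped straight into a log search. The following is an added example, not part of the Darktrace report: it refangs each entry, reduces it to a bare host, and scans proxy and DNS log lines for exact or subdomain matches. The log lines are constructed for illustration, and treating a subdomain of a listed domain as a hit is this example's own choice.

```python
"""Match the defanged IoCs from the table above against proxy/DNS log lines.

Added example, not part of the Darktrace report. The IoC values are copied from
the table; the log lines are constructed, and subdomain matching is an assumption.
"""
import re
from urllib.parse import urlparse

# IoCs copied verbatim from the table, still defanged.
RAW_IOCS = [
    "manboon[.]com",
    "https://gaetanorealty[.]com",
    "troveur[.]com",
    "bigpinellas[.]com",
    "dsandbox[.]com",
    "conceptwo[.]com",
    "aceartist[.]com",
    "turismoelcasco[.]com",
    "ekodirect[.]com",
    "https://mrajhhosdoahjsd[.]com",
    "https://isnimitz.com/zxc/app[.]zip",
    "http://45[.]94[.]47[.]112/contact",
    "45[.]94[.]47[.]167/contact",
    "77[.]73[.]129[.]18:80",
]

# Anything that looks like a dotted hostname or IPv4 address inside a log line.
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+")


def refang(ioc: str) -> str:
    """Undo the [.] defanging so the value compares equal to real log fields."""
    return ioc.replace("[.]", ".")


def ioc_host(ioc: str) -> str:
    """Reduce a domain, URL, host:port or host/path indicator to its bare host."""
    value = refang(ioc)
    if "://" not in value:
        value = "//" + value  # makes urlparse treat the leading token as the netloc
    return (urlparse(value).hostname or "").lower()


IOC_HOSTS = {ioc_host(i) for i in RAW_IOCS}


def matching_iocs(line: str) -> set:
    """Return the IoC hosts that a single log line touches (exact or subdomain match)."""
    hits = set()
    for match in HOST_RE.finditer(line):
        host = match.group(0).lower()
        for ioc in IOC_HOSTS:
            if host == ioc or host.endswith("." + ioc):
                hits.add(ioc)
    return hits


def scan(lines) -> list:
    """Return (line, sorted matched hosts) for every line that hits a known IoC."""
    results = []
    for line in lines:
        hits = matching_iocs(line)
        if hits:
            results.append((line, sorted(hits)))
    return results


# Constructed proxy/DNS log lines for the demo; only the hosts matter here.
SAMPLE_LOGS = [
    "2025-06-12T10:14:03Z 10.0.0.25 GET https://manboon.com/download?code=AB12 200",
    "2025-06-12T10:14:09Z 10.0.0.25 GET https://isnimitz.com/zxc/app.zip 200",
    "2025-06-12T10:15:40Z 10.0.0.25 POST http://45.94.47.112/contact 200",
    "2025-06-12T10:16:02Z 10.0.0.31 GET https://www.example.com/ 200",
    "2025-06-12T10:17:55Z 10.0.0.44 DNS cdn.troveur.com A",
]

if __name__ == "__main__":
    for line, hosts in scan(SAMPLE_LOGS):
        print(f"{', '.join(hosts)} <- {line}")
```

Matching on the host rather than the full indicator is intentional: the published paths (`/contact`, `/zxc/app.zip`) and port are cheap for the operators to change, while the registered domains and the exfiltration IP addresses are the part worth blocking and alerting on.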