A new phishing campaign, dubbed PoisonSeed, has emerged as a significant cybersecurity threat, targeting customer relationship management (CRM) platforms and bulk email service providers.
The campaign is part of a broader supply chain attack aimed at compromising enterprise organizations and individuals outside the cryptocurrency industry.
PoisonSeed employs advanced phishing techniques to steal credentials, exfiltrate email lists, and execute cryptocurrency scams.
Attack Methodology
PoisonSeed’s operation begins with highly convincing phishing pages that mimic login portals for prominent CRM and email platforms such as Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho.
These pages are nearly indistinguishable from legitimate ones, tricking victims into providing their credentials.
Once access is gained, the attackers automate the export of email lists and create new API keys to maintain persistence even if passwords are reset.
These compromised accounts are then used to send bulk phishing emails targeting cryptocurrency holders.
The phishing emails often employ urgent lures, such as notifications about “restricted sending privileges” or fake wallet migration notices.
For instance, in one attack, victims were urged to set up a new Coinbase Wallet using a provided seed phrase.
If entered into a cryptocurrency wallet, this seed phrase allows attackers to later access the wallet and steal funds.
Connections to Other Threat Actors
While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon (both linked to the threat actor community The Comm), Silent Push analysts have classified it as a distinct entity.
Unlike Scattered Spider, which primarily targets corporate environments for ransomware attacks, PoisonSeed focuses on cryptocurrency theft through phishing campaigns.
Similarly, although CryptoChameleon has targeted cryptocurrency holders in the past, its methods differ in execution speed and infrastructure design.
Indicators of Compromise (IoCs)
Silent Push analysts have identified an extensive list of IoCs associated with PoisonSeed’s infrastructure.
These include domains used for phishing pages and command-and-control (C2) servers:
- Phishing Domains: Examples include mailchimp-sso[.]com, hubservices-crm[.]com, firmware-server12[.]com, and cloudflare-sendgrid[.]com.
- C2 Servers: IP addresses such as 212.224.88[.]188 were found hosting malicious content like fake Ledger Wallet firmware upgrade pages.
The campaign also exhibits unique patterns in WHOIS registration data. Many domains feature obscene or nonsensical strings in their WHOIS “State” fields (e.g., “asdf” or “123123”), which analysts used to trace additional infrastructure.
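The WHOIS pivot described above can be scripted. The following is an added example, not code from Silent Push or from the report: it flags registrant "State" values that look like filler (digit-only strings such as "123123", keyboard runs such as "asdf", repeated units) and groups domains sharing the same filler value. The domains are the defanged indicators quoted above; the State values attached to them are constructed for the demo and are not taken from the report.

```python
from collections import defaultdict

# Keyboard rows used to spot "mashed" registrant fields such as "asdf" or "qwerty".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_keyboard_walk(value: str) -> bool:
    """True when the value is a contiguous run along one keyboard row (either direction)."""
    v = value.lower()
    if len(v) < 3:
        return False
    return any(v in row or v in row[::-1] for row in KEYBOARD_ROWS)


def is_repeated_unit(value: str) -> bool:
    """True when the value is a short unit repeated, e.g. "123123" or "abab"."""
    n = len(value)
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and value[:unit] * (n // unit) == value:
            return True
    return False


def suspicious_state(value: str) -> bool:
    """Heuristic: does this WHOIS "State" value look like filler rather than a region?

    An empty field is common in privacy-redacted WHOIS and is deliberately not
    flagged, because it would cluster unrelated domains together.
    """
    v = value.strip()
    if not v:
        return False
    if v.isdigit():                                   # "123123", "0000"
        return True
    if is_keyboard_walk(v):                           # "asdf", "qwerty"
        return True
    if len(v) >= 4 and is_repeated_unit(v.lower()):   # "abab", "xxxx"
        return True
    return False


def pivot_clusters(records, min_size: int = 2):
    """Group domains that share the same suspicious State string.

    Returns {state_value: sorted list of domains}; only groups of at least
    `min_size` domains are returned, since a lone odd value is not a pivot.
    """
    groups = defaultdict(set)
    for rec in records:
        state = rec.get("state", "")
        if suspicious_state(state):
            groups[state.strip()].add(rec["domain"])
    return {s: sorted(d) for s, d in groups.items() if len(d) >= min_size}


# Constructed WHOIS extracts: the domains are the defanged indicators from the report,
# the State values are invented for this demo (not the real registrant data).
WHOIS_RECORDS = [
    {"domain": "mailchimp-sso[.]com", "state": "asdf"},
    {"domain": "hubservices-crm[.]com", "state": "asdf"},
    {"domain": "cloudflare-sendgrid[.]com", "state": "123123"},
    {"domain": "firmware-server12[.]com", "state": "123123"},
    {"domain": "legit-vendor[.]example", "state": "California"},
    {"domain": "another-vendor[.]example", "state": "NY"},
]

if __name__ == "__main__":
    for state, domains in pivot_clusters(WHOIS_RECORDS).items():
        print(f"State={state!r}: {', '.join(domains)}")
```

Two-letter abbreviations such as "NY" pass the heuristic on purpose (they are too short to be a keyboard run and are not repeated units), so legitimate US-style WHOIS entries are not swept into a cluster.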
The PoisonSeed campaign underscores the risks posed by supply chain attacks on trusted third-party platforms.
By compromising CRM systems and bulk email providers, attackers gain access to sensitive data that can be weaponized for further attacks.
The use of phishing emails originating from legitimate but compromised accounts adds credibility to the scam, increasing its success rate.
Organizations should remain vigilant against such threats by implementing multi-factor authentication (MFA), monitoring unusual API activity, and leveraging threat intelligence feeds to block known malicious domains and IPs.
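The "unusual API activity" worth monitoring is exactly the sequence described earlier: a login followed by a new API key and a bulk list export, which survives a later password reset. The block below is an added example (not vendor code and not from the report) that runs that rule over a constructed CRM audit log and also refangs the report's indicators into a blocklist. The event names, field names, and log format are assumptions for the demo; the IP addresses in the sample log are from documentation ranges.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Defanged indicators quoted in the report; refanged so they can be matched against
# hostnames or IPs seen in mail, proxy, or DNS logs.
REPORTED_IOCS = [
    "mailchimp-sso[.]com",
    "hubservices-crm[.]com",
    "firmware-server12[.]com",
    "cloudflare-sendgrid[.]com",
    "212.224.88[.]188",
]


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").lower()


BLOCKLIST = {refang(i) for i in REPORTED_IOCS}


def is_blocked(host: str) -> bool:
    """Match a hostname or IP against the blocklist, including subdomains of a listed domain."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


# Constructed audit-log sample (JSON Lines). Schema is an assumption for the demo.
# alice normally logs in from 198.51.100.5; the 203.0.113.10 session creates a key and
# exports the audience, and the later password reset does not revoke that key.
SAMPLE_LOG = """\
{"ts": "2025-04-01T08:10:00Z", "user": "alice", "event": "login.success", "src_ip": "198.51.100.5"}
{"ts": "2025-04-02T09:00:00Z", "user": "alice", "event": "login.success", "src_ip": "203.0.113.10"}
{"ts": "2025-04-02T09:04:00Z", "user": "alice", "event": "api_key.create", "src_ip": "203.0.113.10"}
{"ts": "2025-04-02T09:06:00Z", "user": "alice", "event": "audience.export", "src_ip": "203.0.113.10"}
{"ts": "2025-04-02T10:30:00Z", "user": "alice", "event": "password.reset", "src_ip": "198.51.100.5"}
{"ts": "2025-04-02T11:00:00Z", "user": "bob", "event": "login.success", "src_ip": "198.51.100.7"}
{"ts": "2025-04-02T11:20:00Z", "user": "bob", "event": "api_key.create", "src_ip": "198.51.100.7"}
"""

TAKEOVER_WINDOW = timedelta(minutes=30)


def parse_events(text: str):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_takeover_sequences(events, window=TAKEOVER_WINDOW):
    """Alert when a login is followed within `window` by both an API-key creation and a
    bulk audience export by the same user. `new_source` records whether that login came
    from an IP the user had not logged in from earlier in the log (the first login ever
    is always "new"; production code would use a longer historical baseline)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        seen_ips = set()
        for i, ev in enumerate(evs):
            if ev["event"] != "login.success":
                continue
            new_source = ev["src_ip"] not in seen_ips
            seen_ips.add(ev["src_ip"])
            key_created = exported = None
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break
                if later["event"] == "api_key.create":
                    key_created = later
                elif later["event"] == "audience.export":
                    exported = later
            if key_created and exported:
                alerts.append({
                    "user": user,
                    "login_ts": ev["ts"].isoformat(),
                    "src_ip": ev["src_ip"],
                    "new_source": new_source,
                    "api_key_ts": key_created["ts"].isoformat(),
                    "export_ts": exported["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_sequences(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Bob's session creates a key without an export and so is not alerted on; a response playbook for the alice alert would revoke keys created during the flagged session rather than rely on the password reset, which is the persistence gap the report describes.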
PoisonSeed represents a sophisticated evolution in phishing campaigns by combining supply chain infiltration with cryptocurrency-targeted scams.
Its ability to exploit trusted platforms highlights the importance of securing third-party services.
Silent Push continues to monitor this threat and encourages organizations to share intelligence to mitigate its impact effectively.