Key points
- Operators set up imitation Web3 gaming projects with slight name/branding variations and fake social media to appear legitimate and host malicious downloads.
- Downloaded installers deliver various infostealer families (Atomic macOS Stealer/AMOS, Stealc, Rhadamanthys, RisePro) targeting both Windows and macOS, including Intel and Apple M1 Macs.
- Primary objective is theft of cryptocurrency wallets and credentials, achieved via data collection and exfiltration mechanisms embedded in the stealers.
- Campaign uses a resilient, fast-redeployable infrastructure (many newly registered domains, web hosts, and IPs) enabling rapid rebranding after takedowns.
- Recorded artifacts in site HTML point to a probable Russian-language origin for the operators, though exact attribution is uncertain.
- Appendices provide extensive Indicators of Compromise (domains, IP addresses, file hashes) and mapped MITRE ATT&CK techniques used by the threat actors.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domains - Actors registered many imitation Web3 domains to host payloads and landing pages ("imitation Web3 gaming projects with slight name and branding modifications").
- [T1585.001] Establish Accounts: Social Media Accounts - Threat actors created fake social accounts to lend credibility to fraudulent projects ("fake social media accounts to bolster their authenticity").
- [T1566] Phishing - Malicious lures and download links on fraudulent pages drove victims to execute installers ("main webpages of these projects offer downloads that, once installed, infect devices").
- [T1204.002] User Execution: Malicious File - Successful compromise relied on victim execution of downloaded installers that delivered infostealers ("downloads that, once installed, infect devices with various types of 'infostealer' malware").
- [T1027] Obfuscated Files or Information - Malware families employed obfuscation to evade detection (the appendix lists T1027 and notes obfuscation techniques in delivered payloads).
- [T1005] Data from Local System - Stealers collect local files and credentials, including crypto wallet data ("theft of cryptocurrency wallets" and collection of credentials).
- [T1539] Steal Web Session Cookie - Infostealers target web session data to capture account access (the appendix lists session cookie theft as a technique used).
- [T1041] Exfiltration Over C2 Channel - Collected data is exfiltrated to operator-controlled infrastructure (the domains and IPs listed in the appendices are the exfiltration endpoints).
- [T1497] Virtualization/Sandbox Evasion - Malware includes checks to avoid analysis and sandboxes (the appendix includes virtualization/sandbox evasion among the mapped techniques).
- [T1053] Scheduled Task/Job - Persistent execution mechanisms such as scheduled tasks or jobs are used to maintain access (the appendix lists Scheduled Task/Job as a technique).
Indicators of Compromise
- [Domains] fraudulent Web3 landing pages and download hosts - argongame[.]com, astration[.]io, and 20+ other domains listed in Appendix A (e.g., playcrypterium[.]com, dustfighter[.]io).
- [IP Addresses] hosting and server infrastructure - 5.42.66[.]22, 5.42.65[.]102, and other IPs shared by multiple domains (see the Appendix C correlations).
- [File Hashes] malware binaries and installers - 073d524d8fc005ac…, 0d9877eefd26756e…, and 20+ additional hashes associated with delivered payloads.
Recorded Future's technical analysis shows the campaign sets up convincing fake Web3 gaming sites and social accounts to host and distribute installer files. Victims are directed to download installers from these domains; executing those files delivers infostealer families (Atomic macOS Stealer (AMOS), Stealc, Rhadamanthys, and RisePro) configured to harvest local data, web session cookies, and credentials and to exfiltrate them to operator-controlled domains and IPs. The stealers include obfuscation and anti-analysis checks to hinder detection and are capable of infecting both Windows and macOS platforms, explicitly including Intel and Apple M1 Macs.
Operators maintain a resilient infrastructure with dozens of short-lived domains, multiple hosting providers, and IP addresses mapped in Appendix C, which lets them rapidly switch sites or rebrand after takedowns. The report documents specific indicators (domains, IPs, file hashes) and maps attacker behaviors to MITRE ATT&CK techniques covering acquisition of infrastructure, user execution vectors, data collection (local files and browser session data), scheduled persistence, C2 exfiltration, and anti-analysis measures, providing actionable artifacts for detection and blocking.
For defenders, the technical recommendations are: block the identified domains, IPs, and hashes at the network and endpoint layers; enforce strict download policies and application allowlists; monitor for credential and wallet exfiltration patterns; and educate Web3 users to avoid unverified downloads. Continuous monitoring for newly registered imitation game domains and rapid takedown coordination are also advised to reduce the campaign's ability to re-establish its infrastructure.
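The following is an added example, not code from the Recorded Future report or its appendices. It turns the two recommendations above into something runnable: it refangs the domains and IPs quoted on this page and matches them against DNS and connection log lines (the log format and the sample lines are constructed for the example), and it flags registrable labels within a small edit distance of watched project names, a crude first pass at spotting the "slight name and branding modifications" the campaign relies on. The `WATCHED_BRANDS` list is hypothetical, and file-hash matching is left out because the page shows only truncated hashes.

```python
"""Match log lines against the report's defanged IoCs and flag lookalike domains."""
import ipaddress
import re

# Domains and IPs quoted on this page, kept in the defanged form they were published in.
REPORT_IOCS = """
argongame[.]com
astration[.]io
playcrypterium[.]com
dustfighter[.]io
5.42.66[.]22
5.42.65[.]102
"""

# Hypothetical project names a SOC wants to protect; not taken from the report.
WATCHED_BRANDS = {"examplequest", "demogame"}

# Constructed log lines in a made-up "<timestamp> <source-ip> <event> <value>" format.
SAMPLE_LOG = """\
2024-05-02T09:14:11Z 10.1.4.22 dns argongame.com
2024-05-02T09:14:12Z 10.1.4.22 connect 5.42.66.22:443
2024-05-02T09:20:00Z 10.1.4.9 dns cdn.dustfighter.io
2024-05-02T09:21:00Z 10.1.4.9 dns docs.python.org
2024-05-02T09:25:00Z 10.1.4.31 dns examp1equest.io
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (dns|connect) (\S+)$")


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be compared with live data."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str):
    """Split defanged indicator text into a set of domains and a set of IP networks."""
    domains, networks = set(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        value = refang(line).lower()
        try:
            # A bare address becomes a /32 (or /128) network, so CIDR blocks work too.
            networks.add(ipaddress.ip_network(value, strict=False))
        except ValueError:
            domains.add(value)
    return domains, networks


def domain_matches(name: str, domains: set) -> bool:
    """True if the name or any parent label is listed (cdn.dustfighter.io -> dustfighter.io)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def ip_matches(addr: str, networks: set) -> bool:
    """True if the address falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch single-character swaps like l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain: str, brands=WATCHED_BRANDS, max_distance: int = 2):
    """Return the watched brand the registrable label imitates, or None.

    An exact label match is the brand's own domain and is not reported; a label that
    embeds the brand ("examplequestgame") or sits within max_distance edits of it is.
    """
    labels = domain.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for brand in brands:
        if sld == brand:
            continue
        if brand in sld or edit_distance(sld, brand) <= max_distance:
            return brand
    return None


def scan_log(log_text: str, iocs, brands=WATCHED_BRANDS):
    """Return (source, reason, value) alerts for every line that hits an IoC or a lookalike."""
    domains, networks = iocs
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, event, value = m.groups()
        if event == "connect":
            host = value.rsplit(":", 1)[0]  # strip the port (IPv4 only in this example)
            if ip_matches(host, networks):
                alerts.append((src, "ioc_ip", host))
        elif domain_matches(value, domains):
            alerts.append((src, "ioc_domain", value))
        else:
            brand = lookalike_brand(value, brands)
            if brand:
                alerts.append((src, "lookalike:" + brand, value))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, load_iocs(REPORT_IOCS)):
        print(alert)
```

The parent-label match matters because the campaign serves downloads from freshly registered domains whose subdomains are unknown in advance; matching only exact hostnames would miss `cdn.dustfighter.io`. The lookalike check is deliberately loose and will produce false positives on short names, so in practice it is a triage feed for newly registered domains rather than a blocking rule.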