NFT Malware Gets New Evasion Abilities

NFT-001 is a crypto/NFT malware campaign that evolved into a more evasive staged downloader delivering Remcos RAT, with phishing used to lure victims and a multi-stage payload chain designed to bypass defenses. The threat actor relies on private messages, DLL sideloading, PowerShell-based downloads, UAC bypass, and Defender exclusions to install and operate the malware, targeting NFT and crypto communities. #NFT001 #Remcos #BABADEDA #Dune #TandemEspionage

Keypoints

  • The NFT-001 campaign targets crypto and NFT communities on platforms like Discord with private phishing messages that link to fake websites and malicious installers.
  • The delivered malware unpacks a remote access trojan (Remcos RAT) to steal browsing data, install a keylogger, and perform surveillance.
  • Threat actors have shifted from the Babadeda crypter to a new staged downloader that brings enhanced defense evasion capabilities.
  • Defense evasion includes a UAC bypass, Windows Defender exclusion of the C: folder, and de-obfuscated PowerShell commands used to drop Remcos and other stealers.
  • DLL sideloading is used across multiple campaigns (e.g., IIS Express, TopoEdit, Mp3tag.exe), indicating a persistent delivery method and evolving infrastructure.
  • Infrastructure and C2 usage show continuity (e.g., same or similar IPs/addresses) even as the downloader evolves, with phishing content referencing Dune to lure users.

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – ‘The victim receives a private phishing message related to an NFT or financial opportunity. The message includes a link to a fake website and malicious app that promises an improved user experience’
  • [T1059.001] PowerShell – Command and Scripting Interpreter: PowerShell – ‘Powershell commands are de-obfuscated and executed’ and ‘powershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden …’
  • [T1548.002] UAC Bypass – ‘The execution starts by performing a User Account Control (UAC) bypass’
  • [T1562.001] Impair Defenses – ‘by excluding the C: folder from Windows Defender’ (Defender exclusion)
  • [T1574.002] DLL Side-Loading – ‘DLL sideloading with IIS Express’ (as part of BABADEDA campaigns)
  • [T1027] Obfuscated/Compressed Files and Information – ‘the following Powershell commands are de-obfuscated’ (de-obfuscation used during execution)
  • [T1105] Ingress Tool Transfer – ‘PowerShell commands download and execute a Remcos RAT from a remote URL’ (download/execution of additional payloads)

Indicators of Compromise

  • [IP Address] C2/IPs – 144.91.79.86, 135.181.140.182, 135.181.140.153 (example C2/IPs used by downloader/Remcos variants)
  • [IP Address] Additional C2/IPs – 95.217.114.96, 37.48.89.8, 94.23.218.87, 65.21.127.164, 193.56.29.242, 65.108.9.124
  • [Domain] Decoy Websites – coinstats.top, app.perp.run, hawksight.space, mmfinance.fund, illuvium.run, abracadabra.run, dune-analytics.com
  • [Domain] Targeted Site References – wallet.polygon-bridge.com, yieldsguild.com, opptimism.com, app.opptimism.com, app.optimism.run, clipper.run
  • [File hash] Samples – 849B58523E4EB0006DA82410AD2792352A97BE92C528FC252B45F84C1F04986B, 97AA3C220BC95C83032A2A4597FD463EBA11508347D5D836CEEA4E82588E00D4
  • [File name] Downloaded payloads – dllservice.exe, exclusions.exe
  • [URL] Command-and-control/download URLs – http://rwwmefkauiaa[.]ru/bs8bo90akv.exe
  • [URL] Additional Indicators – exclusions.exe, deployed via the Microsoft/AddIns path shown in the PowerShell commands

Read more: https://blog.morphisec.com/nft-malware-new-evasion-abilities