SeaFlower is a highly sophisticated intrusion set that targets web3 wallets by delivering backdoored iOS/Android apps, injecting covert code to exfiltrate seed phrases and balances. It uses provisioning-based sideloading, dylib injections, React Native bundle tampering, cloned wallet sites, and search-engine driven drive-by downloads to reach victims, with attacker domains such as trx.lnfura.org involved in exfiltration. #SeaFlower #LazarusGroup #Web3Wallets #CoinbaseWallet #MetaMask #TokenPocket #imToken
Keypoints
- SeaFlower is a cluster identified in 2022 and described as one of the most technically sophisticated threats targeting web3 users, after Lazarus Group.
- It targets specific wallets (Coinbase Wallet, MetaMask, TokenPocket, imToken) and advertises and distributes backdoored variants that exfiltrate seed phrases to attacker-controlled URLs.
- Attack chains include iOS provisioning-based distribution, dylib injections (libmetaDylib.dylib and companions), and React Native bundle manipulation via startupload() and dataWithContentsOfFile.
- Backdoor activity is hidden inside legitimate wallet apps and clone sites, with exfiltration traffic sent to attacker domains (e.g., trx.lnfura.org).
- SeaFlower leverages Chinese-language tooling, provisioning infrastructure, and cloned sites hosted in Chinese IP ranges, with Baidu and other Chinese search engines used for initial user redirection.
- The campaign includes extensive reverse-engineering work (iOS/Android) and multiple variants across wallets, including MetaMask, Coinbase Wallet, imToken, and TokenPocket.
- Best-practice warnings emphasize downloading from official stores and avoiding unsolicited provisioning profiles to protect users.
MITRE Techniques
- [T1036] Masquerading – The backdoored wallets pretend to be legitimate wallet apps; “SeaFlower distributes a backdoored version of these wallets by modifying the original ones.”
- [T1055.001] Dynamic-link Library Injection – dylibs are injected to alter runtime behavior; “libmetaDylib.dylib contains references to 3 known modding/hooking frameworks: Cycript, Cydia Substrate, and the Reveal Framework.”
- [T1027] Obfuscated/Compressed Files and Information – seed phrases are encrypted within runtime configuration data; “the seed phrase encrypted amongst other runtime configuration data.”
- [T1041] Exfiltration Over C2 Channel – seed data is sent to attackers; “the seed phrase, the wallet address, and the balance are sent out to the attacker” and “startupload()… sends a POST request to the trx.lnfura.org domain with the seed phrase information.”
- [T1189] Drive-by Compromise – distribution via web pages that victims reach from search results; “Drive-by download pages” and “Baidu search engine results are one of the initial vectors for these attacks.”
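The dylib-injection technique listed above (and in the keypoints) leaves a visible trace in the app's main executable: a Mach-O binary that has been modified to load an extra library carries an additional dylib load command. The following added example, which is not code from the report or from Confiant, parses the Mach-O header and load commands, lists every linked dylib, and flags any app-bundled dylib whose name matches the report's indicators. It assumes little-endian thin Mach-O files (fat binaries must be sliced first) and that an injected dylib is added as an LC_LOAD_DYLIB-style command; the sample binary it builds is constructed test data, not a real wallet app.

```python
import struct

# Mach-O constants (values from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE        # 32-bit, little-endian file
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit, little-endian file
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_REEXPORT_DYLIB = 0x8000001F
DYLIB_LOAD_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB}

# Injected dylib names listed in the report's indicators of compromise
SEAFLOWER_DYLIBS = {
    "libWalletDylib.dylib", "libmetaDylib.dylib", "mn.dylib",
    "libimtokenhookDylib.dylib", "libpocketDylib.dylib",
}
# Load paths that belong to the platform rather than to the app bundle
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")


def linked_dylibs(data: bytes) -> list:
    """Return every dylib install name the Mach-O asks dyld to load, in load-command order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian thin Mach-O; slice fat binaries per architecture first")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)   # same offsets in both header sizes
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands extend past end of file")
    names, off = [], header_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd in DYLIB_LOAD_CMDS:
            # dylib_command: cmd, cmdsize, then struct dylib {name offset, timestamp, versions}
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off: off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names


def triage(data: bytes) -> dict:
    """Separate app-bundled dylibs from platform ones and pick out known SeaFlower names."""
    bundled, known = [], []
    for name in linked_dylibs(data):
        if name.startswith(SYSTEM_PREFIXES):
            continue
        bundled.append(name)
        if name.rsplit("/", 1)[-1] in SEAFLOWER_DYLIBS:
            known.append(name)
    return {"bundled": bundled, "known_seaflower": known}


def _dylib_command(cmd: int, name: str) -> bytes:
    encoded = name.encode() + b"\0"
    cmdsize = 24 + len(encoded)
    cmdsize += (-cmdsize) % 8          # load commands are padded to 8-byte alignment
    fixed = struct.pack("<IIIIII", cmd, cmdsize, 24, 2, 0x10000, 0x10000)
    return (fixed + encoded).ljust(cmdsize, b"\0")


def build_sample_macho(dylibs) -> bytes:
    """Constructed arm64 MH_EXECUTE header holding only LC_LOAD_DYLIB commands (test data, not a real app)."""
    cmds = b"".join(_dylib_command(LC_LOAD_DYLIB, n) for n in dylibs)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(dylibs), len(cmds), 0, 0)
    return header + cmds


# Constructed sample: two platform libraries plus one dylib loaded from the app bundle
SAMPLE = build_sample_macho([
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "@executable_path/libmetaDylib.dylib",
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any entry under `bundled` deserves a look even when it is not a known name, since a legitimate wallet build ships a fixed set of frameworks and a new `@executable_path` or `@rpath` dylib appearing between versions is exactly what a repackaged app looks like.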
Indicators of Compromise
- [Domain] – Attacker-controlled domains used for exfiltration and drive-by downloads – trx.lnfura.org, metanask.cc, appim.xyz, som-coinbase.com, colnbase.homes (Drive-by/Phishing/Exfil)
- [File hash] – SHA-256 hashes of analyzed backdoored apps – 9003d11f9ccfe17527ed6b35f5fe33d28e76d97e2906c2dbef11d368de2a75f8, 2334e9fc13b6fe12f86… (example), 83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5, 1e232c74082e4d72c86e44f1399643ffb6f7836805c9ba4b4235fedbeeb8bdca, 46002ac5a0caaa2617371bddbdbc7eca74cd9cb48878da0d3218a78d5be7a53a
- [File name] – Injected dylibs and related components – libWalletDylib.dylib, libmetaDylib.dylib, mn.dylib, libimtokenhookDylib.dylib, libpocketDylib.dylib, persist-root (path)
- [Username] – macOS/developer usernames leaked in code and comments – “Zhang Haike” and “lanyu”
- [URL] – Cloned wallet sites/paths revealed in the report – appim.xyz (cloned MetaMask site), som-coinbase.com, cloned Coinbase Wallet hosted at: https://74871011.huliqianbao.com/download.html, colnbase.homes/u/sms/ (recovered by base64-decoding a string in the app)
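Several of the domains above are one-character lookalikes of the brands they impersonate (lnfura for Infura, metanask for MetaMask, colnbase for Coinbase), so a defender can catch sibling infrastructure that is not yet on the list by checking proxy or DNS logs for near-misses of those brand labels as well as for exact indicator matches. The example below is added here and is not code from the report; it assumes a simple whitespace-separated proxy log format with the host in the fourth field, assumes that trx.lnfura.org imitates the Infura RPC provider, and uses constructed log lines and the four complete SHA-256 hashes from the indicator list.

```python
# Indicators taken from the report's IoC list
IOC_DOMAINS = {"trx.lnfura.org", "metanask.cc", "appim.xyz", "som-coinbase.com", "colnbase.homes"}
IOC_SHA256 = {
    "9003d11f9ccfe17527ed6b35f5fe33d28e76d97e2906c2dbef11d368de2a75f8",
    "83dec763560049965b524932dabc6bd6252c7ca2ce9016f47c397293c6cd17a5",
    "1e232c74082e4d72c86e44f1399643ffb6f7836805c9ba4b4235fedbeeb8bdca",
    "46002ac5a0caaa2617371bddbdbc7eca74cd9cb48878da0d3218a78d5be7a53a",
}
# Brand labels whose lookalikes we want to catch (infura is an assumption: lnfura.org mimics it)
BRANDS = {"infura", "metamask", "coinbase", "imtoken", "tokenpocket"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label; no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_host(host: str) -> list:
    """Reasons a host is suspicious: exact IoC hit, one edit from a brand, or a brand buried in the label."""
    host = host.lower()
    reasons = []
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("known SeaFlower domain")
    label = registrable_label(host)
    if label not in BRANDS:                      # the genuine brand domain is not a lookalike
        for brand in BRANDS:
            if levenshtein(label, brand) == 1:
                reasons.append(f"one edit from brand '{brand}'")
            elif brand in label:
                reasons.append(f"embeds brand '{brand}'")
    return reasons


def scan_proxy_log(text: str) -> dict:
    """Map each flagged host to the reasons it was flagged; fields: ts client method host path status."""
    flagged = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        host = fields[3]
        reasons = classify_host(host)
        if reasons:
            flagged.setdefault(host, reasons)
    return flagged


def match_hashes(observed) -> set:
    """Intersect observed SHA-256 digests (hex) with the report's hashes."""
    return {h.lower() for h in observed} & IOC_SHA256


# Constructed proxy log lines, not from the report; benign brand traffic is mixed in on purpose
SAMPLE_LOG = """\
2022-06-10T12:00:01Z 10.0.0.5 GET mainnet.infura.io /v3/demo 200
2022-06-10T12:00:02Z 10.0.0.5 POST trx.lnfura.org /api/upload 200
2022-06-10T12:00:03Z 10.0.0.7 GET api.coinbase.com /v2/prices 200
2022-06-10T12:00:04Z 10.0.0.7 GET colnbase.homes /u/sms/ 200
2022-06-10T12:00:05Z 10.0.0.9 GET metanask.cc /download.html 200
2022-06-10T12:00:06Z 10.0.0.9 GET som-coinbase.com /index.html 200
2022-06-10T12:00:07Z 10.0.0.9 GET appim.xyz / 200
2022-06-10T12:00:08Z 10.0.0.9 GET example.com / 200
"""

if __name__ == "__main__":
    for host, why in scan_proxy_log(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

The distance-1 rule is deliberately tight: it catches the single-character swaps this campaign used without flagging every domain that merely resembles a brand, and the substring rule picks up prefix/suffix constructions such as som-coinbase.com. Both rules skip the genuine brand label, so mainnet.infura.io and api.coinbase.com pass clean.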