Keypoints
- Malicious PyPI package “cryptoaitools” executes code automatically once installed, via its __init__.py (run_base()).
- Platform-specific helper scripts (basec_helper.py for Windows, base_helper.py for macOS) download and execute second-stage payloads from a fake website (coinsw.app).
- Multi-stage infection keeps initial package small, decodes base64 URLs and filenames, then fetches secondary modules such as MHTBot.py (Windows) or main.py (macOS).
- A deceptive GUI (“AI Bot Starter”) prompts users for a password and displays a fake setup to distract while background exfiltration runs.
- Extensive data collection targets cryptocurrency wallets, browser data (passwords, cookies), Telegram data, SSH keys, terminal history, and local files with crypto-related keywords.
- Exfiltration pipeline: collected files moved to a hidden .temp folder, renamed with a .minecraft extension, uploaded to gofile.io via API, and upload links sent to an attacker-controlled Telegram bot.
MITRE Techniques
- [T1003] Credential Dumping – Harvests stored passwords and keys from multiple applications (‘Targeting sensitive information such as passwords and keys from various applications.’)
- [T1041] Exfiltration Over C2 Channel – Uploads collected files to gofile.io then sends links to the attacker via Telegram (‘Exfiltrating data to external services (e.g., gofile.io) using a Telegram bot for communication.’)
- [T1027] Obfuscated Files or Information – Uses obfuscated scripts and a more heavily disguised macOS helper to evade detection (‘Using obfuscated scripts to hide malicious activities and evade detection.’)
- [T1071] Application Layer Protocol – Uses a fake website and Telegram for command-and-control and payload delivery (‘Utilizing a fake website and Telegram for command and control communications.’)
- [T1203] Exploitation for Client Execution (Social Engineering) – Presents a deceptive GUI that tricks users into entering passwords and observing a fake setup while malicious tasks run unseen (‘Employing a deceptive GUI to trick users into providing sensitive information.’)
Indicators of Compromise
- [Package] PyPI package name – cryptoaitools
- [Domain] Malicious hosting/command domains – coinsw.app, tryenom.com
- [URL/path] Secondary payload paths on malicious site – https://coinsw.app/basec/MHTBot.py, https://coinsw.app/basecw/main.py, and ~20 other paths listed on the site
- [Service API] Exfiltration/notification endpoint – http://gofile.io/ (used for uploads)
- [Telegram API] Attacker bot endpoint – https://api.telegram.org/bot7337910559:AAF3fBlgDrcT9R07QpnqUWQ7_eKmnD_1QMc/sendMessage
- [Repository] GitHub distribution – https://github.com/CryptoAiBots (and repository “Meme-Token-Hunter-Bot”)
Initial infection begins when the malicious cryptoaitools package is installed from PyPI; its __init__.py invokes run_base(), which detects the victim OS and launches a platform-specific helper script. The helpers (the Windows basec_helper.py is lightly obfuscated, the macOS base_helper.py more heavily so) decode a base64-encoded list of URLs and filenames, then download secondary payloads from a fake trading site (coinsw.app). These fetched modules immediately expand the malware's capabilities (for example MHTBot.py on Windows and main.py on macOS), which lets the attacker keep the initial package minimal and evade early detection.
Once second-stage components run, the malware spawns a deceptive “AI Bot Starter” GUI that prompts for a password and shows a fake setup/progress interface to distract the user. In the background, modular collectors harvest a wide set of artifacts: cryptocurrency wallet files (Bitcoin, Ethereum, Exodus, Atomic, Electrum, etc.), browser data (saved passwords, cookies, history), crypto-related browser extensions, Telegram configuration and message DBs, SSH keys and config files, terminal history, user documents and downloads matching crypto/credential keywords, and macOS Notes/Stickies where applicable.
Collected files are consolidated into a hidden .temp folder, each file renamed with a .minecraft extension and uploaded to gofile.io via its API; the returned download links are forwarded to the attacker through a Telegram bot, after which local copies are removed. Distribution is not limited to PyPI: attackers also hosted code on a GitHub repo (“Meme-Token-Hunter-Bot”/CryptoAiBots) and used the coinsw.app site plus Telegram channels to recruit and interact with victims, so the same infrastructure serves both delivery and command-and-control.
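As an added example (not code from the Checkmarx report or from the malware), the following Python triage helper turns the indicators listed above into three checks a defender can run: matching proxy log lines against the stage-two download domains, the gofile.io upload host and the attacker's Telegram bot token; flagging the package name in `pip freeze` output; and locating the hidden .temp folder of .minecraft-renamed files that the exfiltration pipeline leaves on disk. The log lines, the freeze output (including the 0.0.0 version placeholder), the log line layout and the directory tree are constructed sample inputs, not observed data.

```python
"""Defender-side triage for the cryptoaitools indicators (added example, constructed inputs)."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the report above. The bot token is used only as a match string.
IOC_PACKAGE = "cryptoaitools"
IOC_DOMAINS = ("coinsw.app", "tryenom.com")
IOC_TELEGRAM_BOT = "bot7337910559:AAF3fBlgDrcT9R07QpnqUWQ7_eKmnD_1QMc"
TELEGRAM_HOST = "api.telegram.org"
UPLOAD_HOST = "gofile.io"  # legitimate file-sharing service, so only a weak signal on its own

HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed proxy log lines (assumed layout: timestamp, client, method, URL, status).
SAMPLE_LOGS = [
    "2024-10-01T12:00:01Z 10.0.0.5 GET https://coinsw.app/basec/MHTBot.py 200",
    "2024-10-01T12:00:02Z 10.0.0.5 GET https://pypi.org/simple/requests/ 200",
    "2024-10-01T12:00:03Z 10.0.0.5 POST http://gofile.io/ 200",
    "2024-10-01T12:00:04Z 10.0.0.5 POST https://api.telegram.org/"
    "bot7337910559:AAF3fBlgDrcT9R07QpnqUWQ7_eKmnD_1QMc/sendMessage 200",
]
# Constructed `pip freeze` output; 0.0.0 is a placeholder, not a real package version.
SAMPLE_FREEZE = "requests==2.32.3\ncryptoaitools==0.0.0\nnumpy==2.1.0\n"


def _host_matches(host, domain):
    """True for the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_log_line(line):
    """Tag one URL-bearing log line with the indicator types it matches."""
    m = HOST_RE.search(line)
    if not m:
        return []
    host = m.group(1).lower()
    tags = []
    if any(_host_matches(host, d) for d in IOC_DOMAINS):
        tags.append("stage2_download_domain")
    if _host_matches(host, TELEGRAM_HOST) and IOC_TELEGRAM_BOT in line:
        tags.append("attacker_telegram_bot")
    if _host_matches(host, UPLOAD_HOST):
        tags.append("gofile_upload_weak")
    return tags


def scan_logs(lines):
    """Return [(line, tags)] for every line that matched at least one indicator."""
    return [(line, classify_log_line(line)) for line in lines if classify_log_line(line)]


def find_malicious_packages(freeze_output):
    """Parse `pip freeze` style text and return the entries naming the malicious package."""
    found = []
    for raw in freeze_output.splitlines():
        name = re.split(r"[=<>~!@ ]", raw.strip(), maxsplit=1)[0]
        if name.lower().replace("_", "-") == IOC_PACKAGE:
            found.append(raw.strip())
    return found


def find_staging_artifacts(root):
    """Find the report's staging pattern: .minecraft-renamed files under a hidden .temp directory."""
    return sorted(
        str(p) for p in Path(root).rglob("*.minecraft")
        if p.is_file() and ".temp" in p.parts
    )


def build_demo_tree():
    """Create a constructed directory layout that mimics the staging step, for the demo."""
    base = Path(tempfile.mkdtemp(prefix="cryptoaitools_demo_"))
    staging = base / "Documents" / ".temp"
    staging.mkdir(parents=True)
    (staging / "wallet.dat.minecraft").write_text("constructed")
    (staging / "id_rsa.minecraft").write_text("constructed")
    (base / "Documents" / "notes.txt").write_text("benign")
    return base


if __name__ == "__main__":
    for line, tags in scan_logs(SAMPLE_LOGS):
        print(tags, line)
    print("flagged packages:", find_malicious_packages(SAMPLE_FREEZE))
    print("staging artifacts:", find_staging_artifacts(build_demo_tree()))
```

The gofile.io match is deliberately labelled weak: the service is legitimate, so on its own it is a lead to correlate with the other two signals (a request to coinsw.app or a message to the listed bot token), not a verdict.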
Read more: https://checkmarx.com/solutions/software-supply-chain-security/