A recent investigation has uncovered a sophisticated cyber campaign that leverages fake reviews, AI-generated content, and manipulated online reputations to distribute cryptocurrency-stealing malware. This operation targets users seeking quick profits through cryptocurrency trading tools and gambling predictors.
The attackers employ a multi-faceted strategy to build credibility and lure victims. They create dedicated phishing pages on platforms like WordPress, and establish repositories on GitHub and SourceForge, all promoted by fake accounts. These platforms host malicious software disguised as legitimate tools, such as Solana and Pump.fun sniper bots, as well as crash-game predictors.
To enhance the perceived legitimacy of their offerings, the threat actors utilize AI-generated tutorial videos on YouTube channels boasting over 91,000 subscribers. These videos feature synthetic narrators and are accompanied by positive comments, further reinforcing trustworthiness. Additionally, the campaign includes press releases distributed through services like EIN Presswire, which are then syndicated across various news websites, including those within the USA TODAY Network.
A particularly concerning aspect of this campaign is the manipulation of reputation-driven platforms like VirusTotal. The attackers use coordinated upvotes and favorable comments to misclassify their malicious files as safe, reducing suspicion among potential victims. This tactic extends to GitHub, where multiple accounts cross-promote and distribute the malware, with some repositories showing inflated metrics, such as 146 stars and 62 forks.
The malware itself is a Rust-based clipboard hijacker designed to operate on both Windows and macOS systems. It continuously monitors the clipboard for cryptocurrency wallet addresses and, upon detection, replaces them with addresses controlled by the attackers. This method effectively reroutes digital assets to the cybercriminals without the user’s knowledge.
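As an added, defender-side illustration (not code from the report or from the malware itself): a small Python heuristic that scans a sequence of clipboard snapshots for the substitution pattern described above, a wallet address replaced by a different address of the same chain within moments of being copied. The address patterns, the two-second window and the sample snapshots are assumptions constructed for this example.

```python
"""Heuristic detector for clipboard wallet-address swaps (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Approximate address shapes for chains named in the campaign (assumed, not exhaustive).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

# Assumed: a hijacker rewrites the clipboard almost immediately after the user copies.
SWAP_WINDOW_SECONDS = 2.0


def classify_address(text: str) -> Optional[str]:
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


@dataclass
class Snapshot:
    ts: float   # seconds since epoch when the clipboard content was observed
    text: str


def find_clipboard_swaps(snapshots: List[Snapshot]) -> List[Tuple[str, str, str]]:
    """Flag consecutive snapshots where an address of one chain is replaced by a
    different address of the same chain within SWAP_WINDOW_SECONDS."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        chain = classify_address(prev.text)
        if chain is None or classify_address(cur.text) != chain:
            continue
        if prev.text.strip() != cur.text.strip() and (cur.ts - prev.ts) <= SWAP_WINDOW_SECONDS:
            alerts.append((chain, prev.text.strip(), cur.text.strip()))
    return alerts


# Constructed sample: an ETH address is silently rewritten 0.2 s after being copied,
# while a later Solana address is replaced by the user a full minute later (benign).
SAMPLE_SNAPSHOTS = [
    Snapshot(100.0, "0x1111111111111111111111111111111111111111"),
    Snapshot(100.2, "0x2222222222222222222222222222222222222222"),
    Snapshot(200.0, "5Hb3k7VkxM9p2YqN4wJtRfLzGc8dQeXa1uBnP6sT9mWK"),
    Snapshot(260.0, "9zQwE4rT7yU2iAsD5fG6hJ8kLmNbVcXzPqRtYuWe3A"),
]

if __name__ == "__main__":
    for chain, before, after in find_clipboard_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible {chain} clipboard swap: {before} -> {after}")
```

A real monitor would feed live clipboard reads into the same function; the heuristic cannot tell a hijack from a deliberate rapid re-copy, so treat hits as a prompt to re-verify the address, not as proof of infection.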
Notably, the SourceForge download counter for the malicious software reached 44,485, with an unusual 37,460 downloads purportedly originating from Android devices, despite the software being available only for Windows and macOS. This discrepancy suggests the use of automated systems to artificially inflate download counts, further deceiving users about the software’s popularity and legitimacy.
This campaign underscores the evolving tactics of cybercriminals who now exploit trust-building mechanisms across multiple platforms to distribute malware. Users are advised to exercise caution when downloading software, especially from unfamiliar sources, and to verify the authenticity of online reviews and tutorials. Relying solely on platform metrics or user comments may no longer be sufficient to ensure safety, as these can be manipulated to serve malicious purposes.