New Malware Campaign Targets Crypto Wallets, Browser Credentials

Coin World, Wednesday, Apr 23, 2025 12:14 pm ET
1 min read

A new malware campaign has been identified, utilizing fake PDF to DOCX converters as a means to infiltrate machines with malicious PowerShell commands. This tactic allows attackers to gain access to crypto wallets, hijack browser credentials, and steal sensitive information.

Following an alert from the FBI, the CloudSEK Security Research team conducted an investigation that revealed details about these attacks. The primary objective of the campaign is to deceive users into executing a PowerShell command, which installs the Arechclient2 malware. This variant of SectopRAT is known for its ability to harvest sensitive data from victims.

The malicious websites involved in this campaign mimic the legitimate file converter PDFCandy. Instead of loading the actual software, these sites download malware onto the victim's machine. The sites feature loading bars and CAPTCHA verification to create a false sense of legitimacy, making it easier for users to fall for the deception.

After several redirects, the victim's machine downloads an "adobe.zip" file containing the payload. This exposes the device to the Remote Access Trojan, which has been active since 2019. As a result, users are vulnerable to data theft, including browser credentials and cryptocurrency wallet information.

The malware is capable of checking browser extension stores, lifting seed phrases, and tapping into Web3 APIs to drain assets once a transaction has been approved. Stephen Ajayi, Dapp Audit Technical Lead at blockchain security firm Hacken, highlighted the severity of this threat, emphasizing the need for heightened security measures.

CloudSEK advises users to employ antivirus and antimalware software and to verify file types beyond just extensions, as malicious files often masquerade as legitimate document types. Additionally, users are encouraged to rely on trusted, reputable file conversion tools from official websites rather than searching for 'free online file converters.' Offline conversion tools that do not require uploading files to remote servers are also recommended.
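As an added example, not part of the article or of CloudSEK's guidance, the following Python check implements the "verify file types beyond just extensions" advice: it classifies a download by its leading magic bytes, refines a ZIP container into DOCX only when the Office members are present, flags ZIP archives that carry executables, and reports whether the content agrees with the claimed extension. All sample files are constructed inline and are not artifacts from the campaign.

```python
import io
import zipfile
from pathlib import PurePath

# Leading-byte signatures for the types this article's advice concerns.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # DOCX is a ZIP container; a bare ZIP may hold anything
    b"MZ": "exe",           # Windows PE executable
}
# Content types an extension may legitimately claim.
EXPECTED = {".pdf": {"pdf"}, ".docx": {"docx"}, ".zip": {"zip", "docx"}}
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".js", ".vbs")


def detect_type(data: bytes) -> str:
    """Classify content by magic bytes, then look inside ZIP containers."""
    for magic, kind in SIGNATURES.items():
        if not data.startswith(magic):
            continue
        if kind != "zip":
            return kind
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(n.lower().endswith(EXEC_SUFFIXES) for n in names):
            return "zip-with-executable"
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            return "docx"
        return "zip"
    return "unknown"


def check_claimed_type(filename: str, data: bytes) -> tuple[str, bool]:
    """Return (detected type, True if it matches what the extension claims)."""
    actual = detect_type(data)
    return actual, actual in EXPECTED.get(PurePath(filename).suffix.lower(), set())


def _zip_with(members: dict[str, str]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLES = {  # constructed test inputs, not files from the campaign
    "report.pdf": b"%PDF-1.7\n% constructed body",
    "invoice.docx": _zip_with({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"}),
    "converted.docx": b"MZ\x90\x00" + b"\x00" * 60,   # PE bytes behind a document extension
    "adobe.zip": _zip_with({"payload.exe": "MZ..."}),  # archive carrying an executable
}
```

Run `check_claimed_type(name, data)` over `SAMPLES` to see the two masquerading entries reported as mismatches.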

Ajayi from Hacken advises crypto users to adopt a zero-trust mindset, assuming nothing is safe by default. He emphasizes the importance of keeping security stacks up to date, especially EDR and AV tools that can flag behavioral anomalies like rogue msbuild.exe activity. Regular training, situational awareness, and strong detection coverage are essential in defending against evolving threats.

Ajayi noted that attackers constantly evolve, and defenders must do the same. He advised staying skeptical, preparing for worst-case scenarios, and always having a tested response playbook ready to go. This proactive approach is crucial in mitigating the risks posed by sophisticated malware campaigns targeting crypto wallets.

Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.