Researchers expose phishing campaign targeting Cardano users

Cardano users are currently being targeted in a new wallet phishing campaign. According to reports, the sophisticated phishing campaign is currently circulating within the community, posing significant risks to users intending to download the newly announced Eternl Desktop application.

The hackers craft professional emails claiming to promote a legitimate wallet solution designed for secure Cardano staking and governance participation. The announcement uses terms related to users earning rewards, including NIGHT and ATMA token rewards through the current crypto giveaway program, to establish credibility and drive user engagement.

Hackers are targeting Cardano wallet users

According to reports, the hackers were able to create a replica of the official Eternl Desktop announcement, complementing it with a message about hardware wallet compatibility, local key management, and advanced delegation control.

The email shows a polished, professional tone with proper grammar and no visible spelling errors, making it very effective at deceiving Cardano community members. Meanwhile, it distributes malware to any system it enters.

Reports mentioned that the campaign uses a newly registered domain, download(dot)eternldesktop(dot)network, to distribute a malicious installer package without the need for an official verification or digital signature validation.

In the detailed technical analysis carried out by Anurag, an independent threat hunter and malware analyst, the legitimate Eternl.msi file contains a hidden LogMeIn Resolve remote management tool bundled within its installation package.

The discovery exposed a supply chain abuse attempt aimed at establishing persistent unauthorized access on victim systems. The malicious MSI installer, with a size of 23.3 megabytes and with hash 8fa4844e40669c1cb417d7cf923bf3e0, drops an executable called unattended updater.exe, which uses the original filename GoToResolveUnattendedUpdater.exe.

During runtime analysis, the executable creates an identified folder structure under the system’s Program Files.

Once it creates the Program Files, it creates a directory and writes multiple configurations, including unattended.json, logger.json, mandatory.json, and pc.json. The unattended.json configuration file enables remote access functionality without needing the user to interact.

The dropped executable attempts to establish connections to infrastructure associated with legitimate GoTo Resolve Services, including devices-iot.console.gotoresolve.com and dumpster.console.gotoresolve.com.

Malware provides hackers with remote access

According to network analysis, the malware sends information to the hackers in JSON format. It also uses remote servers to establish a communication channel for command execution and system monitoring.

Security researchers say this behavior is important because remote management tools allow hackers to carry out remote command execution and steal credentials once the malware is installed on a victim’s system.

The Cardano phishing campaign also shows how hackers use crypto and the branding of legitimate platforms to distribute tools that have been infected with malware. This means that users need to verify the authenticity of the software they use through official channels. In addition, they must also avoid downloading wallet applications from unverified sources or newly registered domains, irrespective of how good their distribution emails appear.

This Cardano phishing campaign is similar to the one that targeted customers using Meta for advertisements last year. Users are lured with emails that claim their ads have been temporarily suspended due to violations of advertising policies and EU regulations.

The scammers even go as far as making it appear legitimate by adding the official Instagram branding and official-sounding language about policy violations. However, closer inspection showed that the emails were from a different domain.

Researchers mentioned that upon clicking the link, users are redirected to a fake Meta Business page that looks convincing. The website mimics the real support site, opening up with a page that warns the user that their account faces termination if they do not take action immediately.

Users are tricked into inputting their Ad login into the spaces provided, with the customer support guiding them with a provided step-by-step instruction to restore their accounts.

Sharpen your strategy with mentorship + daily ideas - 30 days free access to our trading program