Beware: Fake Gaming and AI Firms Spread Malware to Crypto Users on Telegram

Ongoing Social Engineering Campaign Targets Cryptocurrency Users with Malware
Introduction to the Threat
Cryptocurrency enthusiasts are currently facing a sophisticated social engineering scheme that exploits fake startup companies to lure users into downloading malware capable of draining their digital assets on both Windows and macOS platforms.
The Mechanics of the Scam
According to Tara Gould, a researcher at Darktrace, these deceptive operations mimic legitimate AI, gaming, and Web3 enterprises by utilizing counterfeit social media profiles and project documentation hosted on credible platforms like Notion and GitHub. This elaborate scam has been evolving, with earlier versions surfacing in December 2024, where attackers used fake videoconferencing tools to entice victims into meetings under the guise of discussing investment opportunities via messaging apps like Telegram.
Victims who downloaded the supposed meeting software were unknowingly infected with information-stealing malware, such as Realst. This operation, dubbed “Meeten” by Cado Security (recently acquired by Darktrace), refers to one of the fraudulent videoconferencing services involved.
Historical Context and Continuation of the Campaign
Evidence suggests that this malicious activity may have been active since at least March 2024, when Jamf Threat Labs reported the use of a domain named “meethub[.]gg” to distribute Realst malware. Darktrace’s recent findings indicate that the campaign remains a significant threat, expanding its themes to include artificial intelligence, gaming, Web3, and social media.
Tactics Employed by Attackers
The attackers have been observed using compromised accounts on platforms like X (formerly Twitter) associated with verified companies and employees to approach potential victims, thereby enhancing the perceived legitimacy of their fake enterprises. Gould noted that the attackers make use of sites commonly associated with software firms and build professional-looking websites featuring employee profiles, product blogs, whitepapers, and roadmaps.
One notable fictitious company is Eternal Decay (@metaversedecay), which claims to be a blockchain-based gaming platform. Its operators have manipulated images to suggest participation in various conferences, aiming to establish a credible online presence that increases the likelihood of victim infection.
List of Identified Fake Companies
Some of the fraudulent companies identified in this campaign include:
- BeeSync (X accounts: @BeeSyncAI, @AIBeeSync)
- Buzzu (X accounts: @BuzzuApp, @AI_Buzzu, @AppBuzzu)
- Cloudsign (X account: @cloudsignapp)
- Dexis (X account: @DexisApp)
- KlastAI (X account: Links to Pollens AI’s X account)
- Lunelior
- NexLoop (X account: @nexloopspace)
- NexoraCore
- NexVoo (X account: @Nexvoospace)
- Pollens AI (X accounts: @pollensapp, @Pollens_app)
- Slax (X accounts: @SlaxApp, @Slax_app)
- Solune (X account: @soluneapp)
- Swox (X accounts: @SwoxApp, @Swox_AI)
- Wasper (X accounts: @wasperAI, @WasperSpace)
- YondaAI (X account: @yondaspace)
The Attack Process
The attack typically begins when one of these compromised accounts sends a message to a potential victim via X, Telegram, or Discord, inviting them to test their software in exchange for cryptocurrency. If the target agrees, they are directed to a fake website where they are prompted to enter a registration code provided by the attacker to download either a Windows Electron application or an Apple disk image (DMG) file, depending on their operating system.
Windows Systems
For Windows users, launching the malicious application presents a Cloudflare verification screen while it secretly profiles the machine and downloads an MSI installer. Although the specific nature of the payload remains unclear, it is believed to activate an information-stealing program at this stage.
macOS Systems
In contrast, the macOS version of the attack deploys the Atomic macOS Stealer (AMOS), a known infostealer that can extract documents and data from web browsers and cryptocurrency wallets, sending this information to an external server. The DMG file is also designed to fetch a shell script that establishes persistence on the system via a Launch Agent, ensuring the application runs automatically upon user login. This script retrieves and executes an Objective-C/Swift binary that logs application usage and user interaction timestamps, transmitting this data to a remote server.
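As an added defender-side example (not code from the Darktrace report or this article), the following Python checks a user's Launch Agents directory for the kind of login-time persistence just described: jobs with RunAtLoad or KeepAlive whose program is a shell interpreter or points to a script outside trusted locations. The sample plist, its label and paths, and the trusted-prefix list are constructed assumptions for illustration.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample plist (not an artifact from the campaign). The label and paths
# are placeholders shaped like the pattern described above: RunAtLoad so the job
# starts at every login, pointing at a shell script outside any app bundle.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/bin/sh</string><string>/Users/demo/Library/Caches/.update.sh</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "curl"}

def launch_agent_findings(plist_bytes: bytes) -> list[str]:
    """Return reasons a Launch Agent plist deserves a look; an empty list means nothing flagged."""
    pl = plistlib.loads(plist_bytes)
    args = pl.get("ProgramArguments") or ([pl["Program"]] if "Program" in pl else [])
    if not args:
        return ["no Program/ProgramArguments key"]
    findings = []
    # An interpreter as the program means the real payload is the script passed to it.
    if PurePosixPath(args[0]).name in INTERPRETERS:
        findings.append(f"program is an interpreter ({PurePosixPath(args[0]).name})")
    for a in args:
        if a.startswith("/") and not a.startswith(TRUSTED_PREFIXES):
            findings.append(f"path outside trusted locations: {a}")
        if PurePosixPath(a).name.startswith("."):
            findings.append(f"hidden file referenced: {a}")
    # Only report as persistence if launchd will actually start it at login.
    if findings and (pl.get("RunAtLoad") or pl.get("KeepAlive")):
        findings.append("starts automatically at login (RunAtLoad/KeepAlive)")
    return findings

def scan_launch_agents(directory) -> dict[str, list[str]]:
    """Check every .plist in a LaunchAgents directory; returns only files with findings."""
    results = {}
    for p in Path(directory).glob("*.plist"):
        try:
            found = launch_agent_findings(p.read_bytes())
        except Exception as exc:  # a malformed plist is itself worth a look
            found = [f"unparseable plist: {exc}"]
        if found:
            results[p.name] = found
    return results
```

To review a live machine, call `scan_launch_agents(Path.home() / "Library/LaunchAgents")` and inspect any flagged files; the checks are heuristics, so treat a hit as a prompt for manual review rather than a verdict.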
Conclusion: The Evolving Landscape of Cybercrime
Darktrace has noted that this campaign shares tactical similarities with operations conducted by a group known as Crazy Evil, which is notorious for tricking victims into installing malware like StealC, AMOS, and Angel Drainer. While it remains uncertain whether this campaign can be directly linked to Crazy Evil or its subgroups, the techniques employed are strikingly similar. This ongoing threat underscores the lengths to which cybercriminals will go to create the illusion of legitimacy for their fake companies, ultimately aiming to steal cryptocurrency from unsuspecting victims while utilizing increasingly sophisticated and evasive malware variants.