Cardano Wallet Users Beware: Carefully Disguised Phishing Attacks Surface

Source: Cryptonews
Original Title: Cardano wallets under threat? suspicious phishing campaign surfaces
Original Link: https://crypto.news/cardano-wallets-under-threat-phishing-campaign/

Malicious Installer Contains Remote Access Trojan

Cardano users are becoming targets of a phishing campaign where attackers promote the fraudulent Eternl Desktop application download through fake emails.

The attack leverages professionally crafted email messages referencing NIGHT and ATMA token rewards and the Diffusion Staking Basket program to establish credibility. Threat hunter Anurag discovered a malicious installer distributed via newly registered domains.

The 23.3MB Eternl.msi file contains a hidden remote management tool that establishes unauthorized access to the victim’s system without their knowledge.

The malicious MSI installer carries and executes a file named unattended-updater.exe. When run, this executable creates a folder structure under the system’s Program Files directory.

The installer writes multiple configuration files, including unattended.json, logger.json, mandatory.json, and pc.json. The unattended.json configuration enables remote access features without user interaction.
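The file names reported above give defenders something concrete to sweep for. The following is an added example, not code from the original article or from the researcher's analysis: it walks each application folder under a Program Files root and flags those whose file tree contains the reported executable together with the reported configuration files. The folder names in the sample data are placeholders (the article does not name the install folder), and the confidence thresholds are assumptions.

```python
import os
import tempfile

# File names reported in the article. The install folder name is not given
# there, so matching keys on these names appearing together in one app folder.
DROPPER = "unattended-updater.exe"
CONFIGS = {"unattended.json", "logger.json", "mandatory.json", "pc.json"}


def scan_program_files(root):
    """Flag top-level folders under root whose file tree matches the reported layout."""
    findings = []
    try:
        app_dirs = sorted(e.path for e in os.scandir(root) if e.is_dir(follow_symlinks=False))
    except OSError:
        return findings  # root missing or unreadable
    for app_dir in app_dirs:
        names = set()
        for _dirpath, _dirnames, files in os.walk(app_dir):
            names.update(f.lower() for f in files)  # Windows file names are case-insensitive
        has_dropper = DROPPER in names
        configs = sorted(CONFIGS & names)
        if has_dropper and "unattended.json" in configs:
            confidence = "high"    # executable plus the unattended-access config
        elif has_dropper or len(configs) >= 3:
            confidence = "review"  # partial match, needs an analyst's look
        else:
            continue  # e.g. a lone logger.json is too common to report
        findings.append({"path": app_dir, "dropper": has_dropper,
                         "configs": configs, "confidence": confidence})
    return findings


def build_sample_tree(base):
    """Constructed test data; both folder names are placeholders, not from the report."""
    layout = {
        "PlaceholderVendor": [DROPPER],
        os.path.join("PlaceholderVendor", "config"): sorted(CONFIGS),
        "BenignApp": ["logger.json", "app.exe"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in files:
            open(os.path.join(base, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        for hit in scan_program_files(sample):
            print(hit["confidence"], hit["path"], hit["configs"])
```

On a Windows host, pass the Program Files and Program Files (x86) directories as `root`. Treat hits as leads for triage, since a remote management tool that was installed deliberately could use the same file names.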

Network analysis shows the malware connecting to remote management infrastructure. The executable uses hardcoded API credentials to transmit system event information in JSON format to a remote server.

Security researchers classify this behavior as a critical threat. The remote management tool provides threat actors with persistent access, remote command execution, and credential theft capabilities.

Activities Targeting Cardano Users

The phishing emails maintain a sophisticated, professional tone, with correct grammar and no spelling errors. The fraudulent announcement is a nearly identical copy of the official Eternl Desktop release, including messaging about hardware wallet compatibility, local key management, and advanced delegation controls.

Attackers exploit cryptocurrency governance narratives and ecosystem-specific references to distribute covert access tools. References to NIGHT and ATMA token rewards add false legitimacy to the malicious activity.

Cardano users seeking to participate in staking or governance functions face high risks from social engineering tactics that mimic legitimate ecosystem developments.

The installer is distributed via newly registered domains without official verification or digital signature validation.

Security Recommendations

Before downloading, users should verify the authenticity of wallet applications through official channels only.

Anurag’s malware analysis reveals supply chain abuse attempts aimed at establishing persistent unauthorized access. The remote management tool gives attackers remote control capabilities, jeopardizing wallet security and private key access.

Users should avoid downloading wallet applications from unverified sources or newly registered domains, regardless of how polished or professional the email appears.

SignatureAnxietyvip
· 01-05 12:02
Another phishing... Cardano users have been having a tough time lately, gotta keep a close eye on the Eternl wallet.
SatsStackingvip
· 01-05 11:17
Fishing again? These people are really idle... Wallet security still depends on yourself, everyone.
FreeRidervip
· 01-03 19:50
Here we go again? I've been on guard against Eternl phishing for a while, the key is to educate those newbies.
GhostAddressHuntervip
· 01-03 19:50
Coming again? The Cardano ecosystem has been really frequently targeted by phishing in the past two years... I keep telling people not to click on links in emails, but many don't listen.
PonziDetectorvip
· 01-03 19:50
Another phishing attempt? Why does Cardano keep getting targeted... Be careful of fake emails, everyone.
MrDecodervip
· 01-03 19:32
Fishing again, this time targeting Cardano... Really need to be more cautious, don't click on unfamiliar links.
TooScaredToSellvip
· 01-03 19:21
Really? Eternl can also be copied? These people are getting more and more desperate... Quickly check your wallet address.
CryptoHistoryClassvip
· 01-03 19:20
ah, classic phishing playbook—same moves as the mt. gox era, just different wallet names. investors never learn pattern recognition, do they? this is what happens when adoption outpaces security literacy. statistically speaking, we're hitting that peak delusion phase where everyone's downloading random wallets. history's rhyming again, and most won't notice till their keys are gone.