Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware
Needle is a modular Malware-as-a-Service platform targeting cryptocurrency wallets via a browser extension spoofer and a Rust-based desktop agent impersonating popular wallet applications. It compromised 1,932 victims, with the Rust agent embedding its command-and-control API key in the malware, allowing attackers to enumerate victims and withdrawal configurations across six blockchains. The malware operator moved approximately $148 in ETH to cold storage. The control panel uses client-side authentication, potentially enabling credential reuse to redirect future withdrawals. The infrastructure is hosted on a known bulletproof hosting provider in Amsterdam.
AI Analysis
Technical Summary
Needle is a modular crypto-stealing malware platform delivered through two primary vectors: a browser extension spoofer targeting MetaMask, Phantom, and Trust Wallet, and a Rust-based desktop agent impersonating Exodus, Trezor, and Ledger wallets. The Rust agent contains an unprotected embedded C2 API key, which allows attackers to fully enumerate infected victims and their withdrawal settings across six blockchains. The malware campaign has compromised 1,932 victims, including 111 browser extension users and 1,821 desktop sessions. The operator's Ethereum hot wallet moved about $148 to cold storage. The control panel is a React single-page application that performs authentication entirely on the client side, which may allow attackers to reuse credentials from infected machines to redirect auto-withdrawals. The malware's infrastructure is hosted on ASN 202412, a bulletproof hosting provider based in Amsterdam.
Potential Impact
The malware compromises cryptocurrency wallets by stealing credentials and withdrawal configurations, potentially enabling theft of cryptocurrency assets. The embedded unprotected C2 API key exposes the full victim list and withdrawal settings to attackers. Although the operator moved only a small amount of ETH ($148) to cold storage, the compromise of nearly 2,000 victims indicates a significant threat to cryptocurrency users. The client-side authentication mechanism in the control panel may allow attackers to hijack future auto-withdrawals, increasing the risk of ongoing theft.
Mitigation Recommendations
No official patch or remediation is available as this is malware rather than a software vulnerability. Defenders should focus on detecting and removing the Needle malware from affected systems and educating users to avoid installing suspicious browser extensions or desktop wallet applications. Monitoring for indicators such as the provided IP address (130.12.180.135) and file hash (0d681bd160db1b1df5db321a6d2dd9ae81b2609b) can aid in detection. Users should verify the authenticity of wallet software and extensions and consider using hardware wallets or other secure methods for managing cryptocurrency assets. Since the malware uses bulletproof hosting, takedown efforts may be challenging.
Indicators of Compromise
- ip: 130.12.180.135
- hash: 0d681bd160db1b1df5db321a6d2dd9ae81b2609b
Technical Details
- Author: AlienVault
- TLP: white
- References: https://beelzebub.ai/blog/needle-c2-crypto-stealer-analysis/
- Adversary: null
- Pulse Id: 6a0198399994be750fe044cd
- Threat Score: null
Threat ID: 6a01aa1fcbff5d8610f2b5ac
Added to database: 5/11/2026, 10:06:23 AM
Last enriched: 5/11/2026, 10:22:42 AM
Last updated: 5/11/2026, 5:19:10 PM