Syncro + Lovable: RAT delivery via AI-generated websites | Kaspersky official blog

Severity: Medium
Tags: Malware, remote, web
Published: Fri Nov 21 2025 (11/21/2025, 17:04:45 UTC)
Source: Kaspersky Security Blog

Description

Attackers are building fake websites with Lovable and using these to distribute a trojanized version of the Syncro remote access tool (RAT).

AI-Powered Analysis

AI analysis last updated: 11/21/2025, 17:13:12 UTC

Technical Analysis

This malicious campaign involves attackers creating trojanized versions of the legitimate Syncro remote access tool (RAT) and distributing them through AI-generated fake websites built with the Lovable web builder. The attackers leverage AI to mass-produce convincing fake websites that resemble official sites of popular applications, often using URLs closely matching common search queries (e.g., {popular app name} + desktop.com). These fake sites employ scareware tactics, displaying fabricated security warnings to coerce users into downloading the malicious Syncro installer. The installer runs silently, installing a Syncro build hardcoded with the attacker’s CUSTOMER_ID, granting full remote control over the victim’s device. The campaign uses multiple infection vectors, including Google search results and phishing emails containing links to these fake sites. The legitimate Syncro tool’s capabilities—such as screen sharing, remote command execution, file transfer, and registry editing—are abused to steal cryptocurrency wallet keys and siphon funds. Detection is challenging because antivirus solutions often classify legitimate remote access tools as “Not-a-virus” to avoid false positives, and the fake sites are professionally designed, making them difficult to distinguish from genuine ones at a glance. Kaspersky’s security solutions detect these malicious Syncro builds heuristically as HEUR:Backdoor.OLE2.RA-Based.gen and recommend users pay close attention to antivirus warnings about remote access tools. The campaign targets users of crypto wallets, password managers, and antivirus software by mimicking their official websites. The use of AI to generate fake sites allows attackers to scale the operation rapidly, increasing the threat’s reach and effectiveness.

Potential Impact

For European organizations, this threat poses significant risks, especially to those involved in cryptocurrency trading, financial services, and IT support environments where remote access tools like Syncro are commonly used. Compromise of endpoints through trojanized Syncro builds can lead to unauthorized remote control, data exfiltration, credential theft, and financial losses via stolen crypto assets. The use of legitimate software complicates detection and response, potentially allowing attackers to maintain persistence and move laterally within networks. The campaign’s reliance on phishing and search engine manipulation increases the likelihood of initial compromise, particularly among less security-aware users. Additionally, organizations using Syncro legitimately may face challenges distinguishing between authorized and malicious instances, increasing operational risk. The threat also undermines trust in remote administration tools and online services, potentially disrupting business continuity and causing reputational damage. Given the campaign’s targeting of crypto wallets and financial applications, organizations with employees or customers engaged in cryptocurrency activities are at heightened risk.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to this threat. First, enforce strict policies to prevent downloading software from unverified or suspicious websites, especially for endpoints handling sensitive financial or crypto-related data. Educate users to verify URLs carefully, looking for subtle differences from legitimate sites, and to be wary of scareware tactics and unsolicited emails urging urgent action. Deploy advanced endpoint detection and response (EDR) solutions capable of heuristic detection of trojanized remote access tools, and configure antivirus products to alert on the presence of unauthorized remote administration software, even if classified as 'Not-a-virus.' Utilize network monitoring to detect unusual remote access tool activity, including connections to unknown or suspicious customer IDs. Implement application allowlisting to restrict execution of unauthorized software. For organizations using Syncro legitimately, maintain strict inventory and monitoring of authorized builds and customer IDs to quickly identify anomalies. Regularly update threat intelligence feeds and phishing detection tools to block known malicious domains and URLs generated by AI tools like Lovable. Finally, conduct phishing simulation exercises to improve user awareness and resilience against social engineering attacks.
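Two of the checks described above (flagging lookalike download sites built from a brand name plus a suffix such as "desktop", and comparing the remote access tools found on endpoints against an inventory of authorized tools and customer IDs) can be automated. The following is an added example written for this page; it is not Kaspersky's, Syncro's or Lovable's code. The brand names, official domains, customer IDs and endpoint inventory are all constructed placeholders, and the inventory is assumed to come from an existing software-inventory or EDR export rather than from any particular on-disk Syncro artifact.

```python
"""Defender-side checks for the campaign described above (added example).

Check 1 flags hostnames that embed a known brand keyword but are not on that
brand's official domains; the "<brand>desktop.com" pattern from the analysis
is rated high confidence. Check 2 flags remote access tool installs whose
tool or customer ID is not on the organisation's allowlist.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Brand keywords a lookalike site would embed, mapped to the domains the brand
# really uses. Constructed placeholders, not real vendor data.
OFFICIAL_DOMAINS: Dict[str, Set[str]] = {
    "examplewallet": {"examplewallet.example"},
    "examplepassmgr": {"examplepassmgr.example"},
}

# Suffixes the analysis says are appended to a brand name to match search queries.
LOOKALIKE_SUFFIXES = ("desktop", "download", "app")


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def lookalike_score(url: str, official=OFFICIAL_DOMAINS) -> Optional[Tuple[str, str]]:
    """Return (impersonated brand, confidence) for a suspicious URL, else None."""
    host = _host(url)
    label = host.split(".")[0]  # leftmost DNS label, e.g. "examplewalletdesktop"
    for brand, domains in official.items():
        if brand not in host:
            continue
        if any(host == d or host.endswith("." + d) for d in domains):
            continue  # the brand's own site or a subdomain of it
        if label.startswith(brand) and label[len(brand):] in LOOKALIKE_SUFFIXES:
            return brand, "high"  # "<brand>desktop.com"-style registration
        return brand, "low"  # brand embedded somewhere else in the hostname
    return None


@dataclass(frozen=True)
class RatInstall:
    """One remote access tool install as reported by a software inventory."""
    host: str
    tool: str
    customer_id: str  # tenant/customer identifier the agent is bound to


# Hypothetical allowlist: tools this organisation runs and the customer IDs
# its authorised builds carry. Constructed placeholder values.
AUTHORIZED: Dict[str, Set[str]] = {"Syncro": {"CUST-0001-EXAMPLE"}}


def unauthorized_installs(installs: List[RatInstall], authorized=AUTHORIZED) -> List[Tuple[str, str]]:
    """Return (host, reason) for every install not covered by the allowlist."""
    findings = []
    for inst in installs:
        allowed = authorized.get(inst.tool)
        if allowed is None:
            findings.append((inst.host, f"{inst.tool} is not an approved remote access tool"))
        elif inst.customer_id not in allowed:
            findings.append((inst.host, f"{inst.tool} bound to unknown customer id {inst.customer_id}"))
    return findings


if __name__ == "__main__":
    # Constructed proxy-log URLs and inventory rows for a stand-alone run.
    for url in ("https://examplewalletdesktop.com/download",
                "https://www.examplewallet.example/",
                "https://get-examplepassmgr.net/"):
        print(url, "->", lookalike_score(url))
    inventory = [
        RatInstall("ws-01", "Syncro", "CUST-0001-EXAMPLE"),
        RatInstall("ws-02", "Syncro", "CUST-9999-ROGUE"),
        RatInstall("ws-03", "OtherRMM", "X"),
    ]
    for host, reason in unauthorized_installs(inventory):
        print(host, "->", reason)
```

The lookalike check is deliberately conservative: a hostname that merely contains a brand keyword is only rated "low", because legitimate third-party sites (reviews, forums) embed product names too; the "high" rating is reserved for the exact brand-plus-suffix registration pattern the analysis describes. The inventory check is only as good as the allowlist, so the set of authorized customer IDs has to be kept current with the organisation's real Syncro tenant.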


Technical Details

Article source: https://www.kaspersky.com/blog/syncro-remote-admin-tool-on-ai-generated-fake-websites/54808/ (fetched 2025-11-21T17:12:57Z, 1678 words)

Threat ID: 69209d99d229a3709c4237c4

Added to database: 11/21/2025, 5:12:57 PM

Last enriched: 11/21/2025, 5:13:12 PM

Last updated: 11/22/2025, 9:30:08 AM

