Threats Tagged 'blockchain'

A sophisticated fake recruitment campaign named 'graphalgo' has been active since May 2025, targeting JavaScript and Python developers in the cryptocurrency sector. Attackers approach victims through LinkedIn, Facebook, and Reddit with fabricated job opportunities from fake blockchain companies like Veltrix Capital. The campaign uses malicious dependencies hidden in npm and PyPI packages, delivered through coding test repositories on GitHub. Notable is the bigmathutils package that accumulated over 10,000 downloads before its malicious version was released. The operation deploys a remote access trojan (RAT) with token-protected C2 communication, file manipulation capabilities, and functionality to detect the Metamask browser extension, indicating focus on cryptocurrency theft. The modular campaign design allows threat actors to maintain backend infrastructure while easily replacing compromised frontend elements.

GlassWorm is a sophisticated malware targeting developers through compromised code repositories and package managers. It executes in stages, starting with a stealthy infection that fingerprints the machine and fetches further payloads via the Solana blockchain. The malware steals sensitive data, including cryptocurrency wallets and development credentials, installs a Remote Access Trojan (RAT), and deploys a fake Chrome extension for extensive surveillance. It uses distributed hash tables and blockchain for resilient command and control. While initially focused on developers with potential cryptocurrency assets, the stolen information could enable wider supply chain attacks. Prevention strategies include careful package management, regular extension audits, and up-to-date anti-malware solutions.

MediumMalwareUnited StatesChinaIndia+7#developers#supply chain attack#infostealer

A North Korea-linked threat actor known as KONNI has been observed conducting a phishing campaign targeting software developers and engineering teams, particularly those with blockchain expertise. The campaign uses AI-generated PowerShell backdoors and targets a broader range of countries in the APAC region. The infection chain begins with a Discord-hosted link downloading a ZIP archive containing a PDF lure and a malicious LNK file. The LNK file deploys additional components, including the AI-generated PowerShell backdoor. The backdoor employs various anti-analysis techniques and establishes persistence through scheduled tasks. This campaign demonstrates KONNI's evolution in tactics and tooling, including the adoption of AI-assisted malware development.

MediumCampaignGermanyUnited KingdomNetherlands+2#blockchain#ai-generated#software developers

GlassWorm is a groundbreaking self-propagating worm targeting VS Code extensions on OpenVSX marketplace. It employs invisible Unicode characters to conceal malicious code and utilizes a blockchain-based command and control infrastructure on Solana. The worm compromised seven OpenVSX extensions with 35,800 downloads, harvesting NPM, GitHub, and Git credentials, targeting cryptocurrency wallets, deploying SOCKS proxy servers, and installing hidden VNC servers. It spreads exponentially through the developer ecosystem using stolen credentials. The worm employs a triple-layer C2 setup involving Solana blockchain, direct IP connection, and Google Calendar. A new infected extension was also detected in Microsoft's VSCode marketplace. The campaign remains active, necessitating immediate security measures and audits of installed extensions.

MediumMalwareFranceGermanyUnited Kingdom+5#self-propagating#vscode#extension

UNC5142, a financially motivated threat actor, has been tracked since late 2023 for abusing blockchain technology to distribute infostealers. The group exploits vulnerable WordPress sites and employs the 'EtherHiding' technique to obscure malicious code on the BNB Smart Chain. Their infection chain involves a multistage JavaScript downloader called CLEARSHORT, compromised WordPress sites, and smart contracts. UNC5142 has evolved its tactics, using a three-level smart contract system for dynamic payload delivery and abusing legitimate services like Cloudflare Pages. The group has distributed various infostealers, including ATOMIC, VIDAR, LUMMAC.V2, and RADTHIEF. Their operations have impacted multiple industries and geographic regions, with approximately 14,000 compromised web pages identified as of June 2025.

MediumMalwareGermanyUnited KingdomFrance+7#smart contracts#blockchain#cloudflare pages

North Korean threat actor UNC5342 employs a novel malware delivery technique called 'EtherHiding,' embedding malicious code within smart contracts on public blockchains to create resilient command-and-control infrastructure. The attack chain begins with social engineering, targeting cryptocurrency and technology sector developers via fake recruitment schemes. Loader scripts are injected to fetch payloads from multiple blockchains and API services, complicating detection and mitigation. The malware suite includes JADESNOW, BEAVERTAIL, and INVISIBLEFERRET, which enable data theft and remote control of infected systems. This approach leverages the decentralized and immutable nature of blockchains to evade takedown efforts. The campaign primarily facilitates cryptocurrency theft and espionage. Exploitation does not require prior authentication but relies on user interaction through social engineering. The threat is medium severity but poses significant challenges due to its innovative use of blockchain technology for malware command and control.

MediumMalwareGermanyFranceNetherlands+3#invisibleferret#smart contracts#blockchain

A blockchain developer in Russia lost $500,000 in crypto assets due to a malicious Solidity Language extension for Cursor AI IDE. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one due to ranking algorithms. It installed malware that allowed remote access and data theft. The attackers used ScreenConnect for remote control and deployed various scripts to steal wallet passphrases. A new malicious package was published shortly after the first was removed, with an inflated download count of 2 million. Similar attacks were found targeting blockchain developers through other extensions and npm packages. The incident highlights the ongoing threat of malicious open-source packages in the crypto industry.

MediumCampaignGermanyUnited KingdomNetherlands+2#open-source#cursor ai#screenconnect

In May 2025, Cisco Talos identified a Python-based remote access trojan (RAT) called 'PylangGhost', used by a North Korean-aligned threat actor. PylangGhost shares similarities with the previously documented GolangGhost RAT. The threat actor, Famous Chollima, has been targeting employees with experience in cryptocurrency and blockchain technologies through fake job interview sites. The attacks primarily affect users in India. The malware is deployed through a two-stage process involving fake skill-testing pages and malicious command execution. PylangGhost consists of six Python modules and offers functionalities similar to its Golang counterpart, including system information collection, file manipulation, and browser data theft from over 80 extensions.

MediumCampaignGermanyUnited KingdomFrance+3#blockchain#cryptocurrency#browser data theft