Threats Tagged 'cryptocurrency wallet theft'

A sophisticated 64-bit information-stealing malware named Remus has emerged as a direct evolution of the notorious Lumma Stealer. Following the doxxing of alleged Lumma core members between August and October 2025, developers created this advanced variant, with test builds appearing in September 2025 and live campaigns starting February 2026. Remus employs innovative techniques including injecting custom 51-byte shellcode into browser memory to extract protected master keys, bypassing Application-Bound Encryption in Chromium-based browsers. The malware utilizes EtherHiding through Ethereum smart contracts for command-and-control resolution, making infrastructure takedowns nearly impossible. It targets browser credentials, session cookies, and cryptocurrency wallets while implementing rigorous anti-analysis checks to evade security research environments.

A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cookies from 12 browsers, over 200 browser extensions, and 16 cryptocurrency wallets. The malware employs a persistent, non-closable dialog box mimicking legitimate system prompts to force victims into providing their system password. Stolen session cookies enable attackers to bypass multi-factor authentication by hijacking active sessions. The campaign uses client-side JavaScript to filter victims by user-agent, directing desktop users to OS-specific payloads while ignoring mobile devices. Latest macOS updates include native terminal security warnings designed to alert users against pasting potentially malicious commands.