Web3 workers are being targeted by a sophisticated phishing scam that uses fake meeting apps to steal sensitive information and crypto.
According to a report by Cado Security Labs, the attackers employ AI to craft convincing websites, blogs, and social media profiles for fictitious companies.
These platforms are then used to lure victims into downloading malware-infected applications under the guise of legitimate business opportunities.
The malware, known as the Realst info-stealer, operates on macOS and Windows systems and steals credentials, financial details, and crypto wallet information.
Web3 Workers at Risk: How Are They Being Targeted?
The attackers behind this campaign have created an elaborate façade of legitimacy by establishing fake companies with names like “Meeten” and “Meetio.”
These entities change their branding frequently, cycling through domains such as “Clusee.com” and “Meeten.us.”
The scammers use AI to generate detailed websites filled with blog posts, product descriptions, and social media accounts to appear credible. These platforms mimic the professionalism of real businesses, making it challenging for victims to distinguish between legitimate and malicious actors. Once a target is identified, the attackers initiate contact through various methods, including direct messages on Telegram.
In many cases, they impersonate individuals known to the victim, using stolen personal details to bolster their claims.
For instance, some victims reported receiving messages from what appeared to be colleagues or professional acquaintances, only to discover later that the accounts were fake.
In one notable case, a victim was shown an investment presentation from their own company, which the attackers had stolen and repurposed to lend credibility to the scam.
After securing the victim’s trust, the scammers direct them to a well-designed website where they can download the purported meeting application. Unbeknownst to the victim, the software contains the Realst info-stealer, which immediately begins extracting sensitive information from the user’s device.
Even before the malware is installed, the fraudulent websites deploy malicious JavaScript to siphon crypto stored in web browsers.
How the Malware Steals Data
The Realst info-stealer is a sophisticated piece of malware that operates on both macOS and Windows systems, with versions tailored to each platform.
Once installed, it combs through the victim’s device to extract a wide range of data, including Telegram credentials, browser cookies, banking details, and cryptocurrency wallet information.
The malware targets popular browsers such as Google Chrome, Brave, and Microsoft Edge and wallet services like Ledger, Trezor, and Binance.
The malware disguises itself on macOS as a legitimate package file, often called CallCSSetup.pkg. When executed, it prompts the user for their system password under the pretence of resolving an error. It then uses this access to collect and exfiltrate sensitive data. The stolen information is compressed into a zip file and sent to remote servers controlled by the attackers.
The Windows variant, on the other hand, uses an Electron framework-based application called MeetenApp.exe. This version employs advanced obfuscation techniques, such as Bytenode-compiled JavaScript, to evade detection. Like its macOS counterpart, it collects system information and sensitive data before transmitting it to the attackers.
Both malware versions are technically sophisticated, with features designed to maintain persistence on the victim’s device and to evade checks by security tools.
Notably, a similar technically sophisticated attack hit the Solana ecosystem earlier this month.
A critical vulnerability was discovered in the Solana/web3.js library that can leak private keys through seemingly legitimate CloudFlare headers.
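The campaign artifacts named in the text (the “Meeten.us” and “Clusee.com” domains, the CallCSSetup.pkg installer and the MeetenApp.exe Electron binary) are the kind of indicators a security team would load into a simple telemetry sweep. The script below is an added illustration written for this article, not code from Cado Security Labs or any vendor; the JSON log format, the field names (`event`, `qname`, `path`, `image`) and the log lines themselves are constructed for the example. It matches DNS queries by domain suffix (so subdomains of a campaign domain hit, but look-alike names such as `notmeeten.us` do not) and matches file and process events by normalised basename so Windows and macOS paths are handled the same way.

```python
import json
from dataclasses import dataclass
from typing import List

# Indicators taken from the article's summary of the Cado Security Labs report.
IOC_DOMAINS = {"clusee.com", "meeten.us"}
IOC_FILENAMES = {"callcssetup.pkg", "meetenapp.exe"}

# Constructed sample telemetry for the example (not real logs): one JSON record per line.
# Field names are an assumption; map them to your EDR/DNS schema as needed.
SAMPLE_LOGS = r"""
{"ts":"2024-12-06T10:01:02Z","host":"mac-01","event":"dns","qname":"cdn.meeten.us"}
{"ts":"2024-12-06T10:01:05Z","host":"mac-01","event":"file_create","path":"/Users/alice/Downloads/CallCSSetup.pkg"}
{"ts":"2024-12-06T10:02:11Z","host":"win-07","event":"process_start","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\MeetenApp.exe"}
{"ts":"2024-12-06T10:03:00Z","host":"win-07","event":"dns","qname":"github.com"}
{"ts":"2024-12-06T10:04:00Z","host":"mac-02","event":"dns","qname":"notmeeten.us"}
""".strip()


@dataclass
class Alert:
    ts: str
    host: str
    indicator: str
    reason: str


def domain_matches(qname: str, ioc: str) -> bool:
    """True if qname is the IoC domain or one of its subdomains (trailing dot tolerated)."""
    q = qname.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan(log_text: str) -> List[Alert]:
    """Walk newline-delimited JSON telemetry and return one Alert per IoC hit."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        event = rec.get("event")
        if event == "dns":
            for ioc in IOC_DOMAINS:
                if domain_matches(rec.get("qname", ""), ioc):
                    alerts.append(Alert(rec["ts"], rec["host"], rec["qname"],
                                        f"DNS query for campaign domain {ioc}"))
        elif event in ("file_create", "process_start"):
            # file events carry "path", process events carry "image" (assumed schema)
            name = basename(rec.get("path") or rec.get("image", ""))
            if name.lower() in IOC_FILENAMES:
                alerts.append(Alert(rec["ts"], rec["host"], name,
                                    f"{event} of campaign artifact {name}"))
    return alerts


def hosts_with_hits(alerts: List[Alert]) -> List[str]:
    """Sorted list of distinct hosts that produced at least one alert."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.ts} {alert.host}: {alert.reason}")
    print("hosts to triage:", hosts_with_hits(scan(SAMPLE_LOGS)))
```

On the constructed sample this flags `mac-01` twice (the DNS lookup for a `meeten.us` subdomain and the download of CallCSSetup.pkg) and `win-07` once (the launch of MeetenApp.exe), while the look-alike `notmeeten.us` query and the ordinary `github.com` lookup are ignored. In practice the indicator sets should be replaced with the full list from the Cado report, since the article notes the operators rotate brands and domains frequently, so a static name list decays quickly and is best paired with behavioural signals such as an installer prompting for the system password followed by an archive being written and sent outbound.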