New Cardano Phishing Scam Uses Fake Wallet to Spread Malware

TLDR

• Hackers are targeting Cardano users by impersonating the Eternl Desktop wallet team through phishing emails.
• The phishing emails promote a fake wallet download that claims to offer crypto rewards like NIGHT and ATMA tokens.
• Victims are redirected to a newly registered domain that delivers a malicious MSI installer package.
• The installer secretly includes a remote access tool called LogMeIn Resolve, which enables full system control.
• Once installed, the malware creates system directories and configuration files that allow remote access without user permission.

Cardano users face a new security threat as cybercriminals impersonate the Eternl Desktop wallet team, distributing malware via phishing emails, creating urgency using fake crypto rewards, and deploying remote access tools to gain full system control through a fake installer package.

Fake Eternl Wallet Website Spreads Malware Through Polished Emails

Attackers are impersonating the Eternl team by sending emails promoting a fake desktop wallet. These messages claim to support Cardano staking and governance.

The emails highlight false benefits, such as NIGHT and ATMA token rewards, to attract attention and encourage clicks. Users are redirected to a malicious domain: download(dot)eternldesktop(dot)network.

According to threat researcher Anurag, the attackers copied the original Eternl Desktop announcement. They added fake features such as local key management and hardware wallet compatibility.

Each email uses professional language without spelling mistakes, making the scam appear genuine. The emails include a fake download link to a harmful MSI installer.

Once installed, the file deploys malware designed to allow hackers remote access. The file bypasses standard verification and lacks digital signature validation.

Malicious Installer Contains Hidden Remote Access Tool

The installer, named Eternl.msi, has a file hash of 8fa4844e40669c1cb417d7cf923bf3e0. It contains a bundled LogMeIn Resolve tool.

When executed, it drops an executable titled unattended updater.exe. The original filename is GoToResolveUnattendedUpdater.exe.

The executable builds a folder structure in Program Files. It then writes multiple configuration files, such as unattended.json and pc.json.

The unattended.json file activates remote access without the user’s consent. It enables full system control without requiring interaction.

Network analysis confirms the executable connects to known GoTo Resolve domains. These include devices-iot.console.gotoresolve.com and dumpster.console.gotoresolve.com.

The malware sends system data in JSON format. It establishes a remote connection to accept hacker commands.

Fake Crypto Campaign Mimics Past Meta Ad Scam

This Cardano phishing attack mirrors an earlier scam targeting Meta business users. Victims received emails about ad account violations.

The attackers claimed the accounts were suspended due to EU regulation breaches. They used Instagram branding and official language.

Clicking the link took users to a fake Meta Business page. The page warned of account termination if no action was taken.

Users were prompted to input credentials. A fake support chat walked them through restoring their accounts.

Researchers urge users to verify wallet downloads from trusted sources only. Newly registered domains pose a high risk.

Security experts warn that even polished emails can contain hidden threats. Official websites remain the safest option for wallet software.

The post New Cardano Phishing Scam Uses Fake Wallet to Spread Malware appeared first on CoinCentral.