In a complex phishing attack, users of Cardano are being targeted with a fake Eternl Desktop installer, which installs hidden malware, allowing attackers to control victims remotely.
A sophisticated phishing campaign is targeting Cardano cryptocurrency users. The attack redirects a fake Eternl Desktop wallet to users of Cardano through misleading emails. The software conceals remote-access functions.
The emails are well composed to appear authentic, using real ecosystem programs and referencing to Diffusion Staking Basket to leverage credibility.
Hidden Malware Grants Complete System Control
Threat hunter Anurag disemboweled the installer. According to CyberSecurityNews, the forged Eternl.msi file is 23.3 MB long, and it has the hidden LogMeIn Resolve remote-management module.
The installer leaves unattended-updater.exe, which creates folders under Program Files and writes config files such as unattended.json and logger.json.
The unattended.json file quietly opens remote-access channels. Network traces show traffic to GoTo Resolve servers, where systems send event data using hard-coded credentials.
You might also like:Ripple CTO David Schwartz Steps Down From Executive Role
Professional Deception Tactics Fool Experienced Users
Scammers write the phishing emails in a refined, professional tone with perfect grammar and include details about hardware wallet compatibility and delegation features.
The attackers opted to use the domain download.eternldesktop.network to serve the installer. The fake site is not officially certified or has any digital signatures, and is highly similar to genuine Eternl Desktop releases.
The scam capitalizes on a belief in cryptocurrency governance by reflecting actual ecosystem developments. Scammers are targeting users who seek staking opportunities on Cardano.
Obfuscated remote-management agents provide persistence. After installation, attackers are able to run commands, collect credentials, and completely compromise wallet keys and security.
Confirm software only in official circles. Do not download stuff on new domains. The appearance of a professional email does not mean security.