Fake Gaming and AI Companies Target Windows and macOS Users with Drainer Malware Attacks

The cybersecurity company Darktrace has uncovered a persistent, intricate social engineering campaign that targets bitcoin users, building on earlier findings by Cado Security Labs in December 2024.

Threat actors are fabricating elaborate startup companies themed around AI, gaming, video conferencing, Web3, and social media to lure victims into downloading malware disguised as legitimate software.

These operations, reminiscent of the Meeten campaign, involve compromising verified X (formerly Twitter) accounts to enhance credibility, alongside utilizing platforms like Notion, Medium, and GitHub for whitepapers, roadmaps, and employee profiles.

Notion project team page for Swox.

By mimicking real software firms, complete with professional websites, fake conference photos, altered gameplay images from existing titles like “Zombie Within,” and even sham merchandise stores, attackers create a convincing facade to maximize infection rates.

Campaigns often initiate via direct messages on X, Telegram, or Discord, offering cryptocurrency payments for testing purported beta software, leading victims to download platform-specific binaries after entering provided registration codes.

Evasion Techniques Across Platforms

For Windows users, the malware arrives as an application built on Electron, an open-source framework that packages JavaScript apps into desktop executables.

Upon launch, it presents a Cloudflare verification screen while covertly profiling the system, collecting details such as username, CPU cores, RAM, OS version, MAC address, graphics card, and UUID.

Example of a compromised X account to create a “BuzzuAI” employee.

A CAPTCHA token is extracted and sent to command-and-control (C2) servers alongside this data for validation.

Successful verification triggers the silent download and execution of an executable or MSI file, often signed with stolen certificates from entities like Jiangyin Fengyuan Electronics Co., Ltd. and the now-revoked Paperbucketmdb ApS, aiding in defense evasion.

Python is fetched and stored in temporary directories, with C2-orchestrated commands facilitating the deployment of information stealers that target crypto wallets, browser data, and credentials.

Anti-analysis measures, including obfuscation and anti-sandboxing, further complicate detection.

On macOS, victims receive a DMG file containing an obfuscated Bash script (junk code, Base64 encoding, and XOR obfuscation) that uses AppleScript to mount and execute a hidden binary, akin to tactics seen in Atomic Stealer malware.

This binary conducts anti-virtualization checks for environments like QEMU, VMware, and Docker-OSX before exfiltrating sensitive data, including crypto wallets, cookies, and documents, compressed into a ZIP file and posted to C2 endpoints such as 45.94.47.167/contact.

Additional scripts like install.sh and install_dynamic.sh are retrieved from servers (e.g., https://mrajhhosdoahjsd.com), establishing persistence via LaunchAgents with RunAtLoad and KeepAlive configurations to ensure automatic execution at login.
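One way a defender can hunt for the LaunchAgent persistence pattern described above, as an added example that is not code from the Darktrace report: parse each plist and flag jobs that combine RunAtLoad with KeepAlive and point at a program in a temp or hidden directory, or at one of the script names the report mentions. The two sample plists, their labels and paths are constructed for the example.

```python
import plistlib
# Constructed sample LaunchAgent modelled on the RunAtLoad/KeepAlive persistence
# described above; the label and paths are hypothetical, not IoCs from the report.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/bin/bash</string>
    <string>/Users/victim/Library/Application Support/.helper/install_dynamic.sh</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed benign agent for comparison: RunAtLoad only, binary inside /Applications.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

TEMP_OR_HIDDEN = ("/tmp/", "/private/tmp/", "/var/folders/", "/.")   # staging dirs and dotfiles
SCRIPT_NAMES = ("install.sh", "install_dynamic.sh", "InstallerHelper")  # file names from the report
def analyze_launch_agent(raw: bytes) -> dict:
    """Parse one LaunchAgent plist and report whether it matches the persistence pattern."""
    plist = plistlib.loads(raw)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    cmdline = " ".join(str(a) for a in args)
    keep_alive = plist.get("KeepAlive", False)
    f = {
        "label": plist.get("Label", ""),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        # KeepAlive is a bool or a dict of restart conditions; a dict still restarts the job
        "keep_alive": True if isinstance(keep_alive, dict) else bool(keep_alive),
        "temp_or_hidden_path": any(m in cmdline for m in TEMP_OR_HIDDEN),
        "known_script_name": any(n in cmdline for n in SCRIPT_NAMES),
    }
    f["suspicious"] = (f["run_at_load"] and f["keep_alive"]
                       and (f["temp_or_hidden_path"] or f["known_script_name"]))
    return f

def scan_plists(plists: dict) -> list:
    """Return the names of the plists (name -> raw bytes) that match; unparseable files are skipped."""
    flagged = []
    for name, raw in plists.items():
        try:
            if analyze_launch_agent(raw)["suspicious"]:
                flagged.append(name)
        except Exception:  # malformed plist: report nothing rather than abort the sweep
            continue
    return flagged
```

On a real host, feed `scan_plists` the contents of `~/Library/LaunchAgents/*.plist` and `/Library/LaunchAgents/*.plist`; a hit is a lead to triage, not proof of infection, since some legitimate agents also use KeepAlive.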

The InstallerHelper binary, written in Objective-C/Swift, logs user interactions, active applications, and window data, transmitting metrics to remote servers for ongoing surveillance.

Links to Traffer Groups

These tactics align closely with operations attributed to traffer groups like CrazyEvil, as detailed by Recorded Future in early 2025.

Active since 2021, CrazyEvil specializes in social engineering against crypto influencers, DeFi professionals, and gamers, generating millions in illicit revenue through affiliates who drive traffic via SEO, ads, and fake downloads.

While direct attribution remains unclear, the shared methodologies (fake companies, social media exploitation, and cross-platform info-stealers) underscore an evolving threat landscape.

According to the report, Darktrace’s research identifies over a dozen fake entities, including Pollens AI, Buzzu, Swox, and Eternal Decay, each with associated domains, X handles, and malware hashes.

This campaign exemplifies the lengths cybercriminals go to blend legitimacy with deception, urging users to verify sources rigorously before downloading software, especially in high-stakes crypto environments.

Indicators of Compromise (IoCs)

