Dark Partner Hackers Leverage Fake AI, VPN, and Crypto Sites to Target macOS and Windows Users

A group dubbed “Dark Partners” by cybersecurity researchers has launched a sophisticated malware campaign targeting both macOS and Windows users through a network of deceptive websites impersonating well-known AI, VPN, and software brands.

This operation, which has been active for several months, employs meticulously crafted landing pages mimicking services such as Haiper, TradingView, Windscribe, and even cryptocurrency platforms like Ledger and AAVE.

Dual-Platform Attack

These sites lure unsuspecting users with a single download button that initiates delivery of a malicious payload tailored to the user’s operating system: the Poseidon Stealer for macOS or the PayDay Loader for Windows, both designed for data theft and further malware propagation.


The Dark Partners campaign showcases a keen focus on exploiting the trust users place in popular brands, particularly in the AI content generation space.

Their websites, hosted on domains like haiper-black[.]little-mouse[.]net and swett-black[.]upscayl-ai[.]org, use custom frames to deliver malware after a bot-check and user data collection process.

Malware Campaign Exploits Trusted Brands

Upon clicking the download button, the site captures user information including UUID, language, browser, and OS type, then routes the download through API endpoints to serve either a DMG file for macOS (embedded with Poseidon Stealer) or an Electron-based executable for Windows (the PayDay Loader).

For macOS victims, Poseidon Stealer employs custom launchers with AppleScript to exfiltrate sensitive data like browser cookies, cryptocurrency wallet details, and personal files, sending them to hardcoded C2 servers.

On Windows, the PayDay Loader, built using the Nuxt.js framework, incorporates anti-sandbox mechanisms by scanning for debugging tools and virtual environments before fetching additional payloads such as Lumma Stealer from C2 servers, using Google Calendar links as dead drop resolvers, a tactic that obscures the command-and-control infrastructure.


Further investigation reveals Dark Partners’ infrastructure includes a “PayDay Panel” hosted on Cloudflare Workers at panel[.]dianecarson[.]workers[.]dev, suggesting a centralized platform for managing fake sites and processing stolen data.

The acquisition of Poseidon Stealer in July 2024 by an entity linked to the alias “ghost0x00” marks a significant escalation, integrating this potent macOS malware into their arsenal.

The campaign also abuses EV code-signing certificates from entities like K.MY TRADING TRANSPORT COMPANY LIMITED to bypass Windows security checks, though many certificates have been revoked post-discovery.

With a focus on cryptocurrency wallet exfiltration and credential theft via infostealers, Dark Partners aims to monetize stolen data through direct balance theft or resale in underground markets.

This dual-platform attack underscores the evolving sophistication of cyber threats, highlighting the urgent need for user vigilance and robust endpoint security to counter such impersonation-driven malware campaigns.

Indicators of Compromise (IOCs)

PayDay Loader SHA256: b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc
Poseidon Stealer SHA256: 4924ff91e9be84960f9241130e080bb5f3cbf19f17f62e1fc15e48fb6852cd89
C2 servers (Poseidon): 65.20.101.215/p2p, 199.247.14.131/p2p
C2 servers (PayDay Loader): 140.82.54.223, 95.179.216.217
Sample domains: haiper-black[.]little-mouse[.]net, swett-black[.]upscayl-ai[.]org
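The indicators above are only useful once they are actually swept against local telemetry. The script below is an added example (not code from the article or from the researchers who published the IOCs): it refangs the bracketed domains, compares file hashes against the two published SHA256 values, and scans proxy and DNS log lines for the C2 addresses and lure domains. The log lines are constructed for the demonstration, and the hostname regex is a deliberately simple dotted-label matcher rather than a full URL parser.

```python
"""Defensive sweep for the Dark Partners indicators listed in the article.

Added example, not code from the original article or the researchers.
Indicators are copied from the IOC table; the log lines are constructed.
"""
import hashlib
import re

# SHA256 hashes of the two published samples.
SHA256_IOCS = {
    "b5151e75e8e8af1519bef9111f2acbb24b290f0b1f9e7bc0518e9e6eac95f7cc": "PayDay Loader",
    "4924ff91e9be84960f9241130e080bb5f3cbf19f17f62e1fc15e48fb6852cd89": "Poseidon Stealer",
}

# C2 addresses (the Poseidon entries drop the "/p2p" path, since proxy
# logs usually record host and path in separate fields).
C2_IPS = {
    "65.20.101.215": "Poseidon C2",
    "199.247.14.131": "Poseidon C2",
    "140.82.54.223": "PayDay Loader C2",
    "95.179.216.217": "PayDay Loader C2",
}

DEFANGED_DOMAINS = ["haiper-black[.]little-mouse[.]net", "swett-black[.]upscayl-ai[.]org"]


def refang(indicator):
    """Convert a defanged indicator ('[.]', 'hxxp') back to literal form for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


LURE_DOMAINS = {refang(d): "Dark Partners lure domain" for d in DEFANGED_DOMAINS}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostnames; this also matches IPv4 literals, which simply are not in LURE_DOMAINS.
HOST_RE = re.compile(
    r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b", re.I
)


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so large DMG/EXE files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(hexdigest):
    """Return the sample name if hexdigest is a published IOC, else None."""
    return SHA256_IOCS.get(hexdigest.lower())


def match_file(path):
    return match_hash(sha256_of_file(path))


def scan_log_line(line):
    """Return [(indicator, label), ...] for every C2 IP or lure domain in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append((ip, C2_IPS[ip]))
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in LURE_DOMAINS:
            hits.append((host, LURE_DOMAINS[host]))
    return hits


def sweep_logs(lines):
    """Map line index -> hits for every line that contains at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_log_line(line))}


# Constructed proxy and DNS log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-05-20T10:01:03Z proxy user=alice dst=65.20.101.215 uri=/p2p method=POST bytes=48211",
    "2025-05-20T10:01:09Z dns query=haiper-black.little-mouse.net type=A rcode=NOERROR",
    "2025-05-20T10:02:44Z proxy user=bob dst=93.184.216.34 uri=/ method=GET bytes=1204",
    "2025-05-20T10:03:12Z dns query=SWETT-BLACK.UPSCAYL-AI.ORG type=A rcode=NOERROR",
    "2025-05-20T10:04:00Z proxy user=carol dst=140.82.54.223 uri=/update method=POST bytes=902",
]

if __name__ == "__main__":
    for idx, hits in sweep_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {hits}")
    print("empty-file hash matches an IOC:", match_hash(sha256_of_bytes(b"")))
```

Hash matching is case-insensitive and domain matching lowercases the host, because DNS logs and threat feeds disagree on case; the Poseidon "/p2p" path is intentionally not part of the IP match so that a hit is raised on the address regardless of which URI the proxy recorded.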
