Fake Emails Target Cardano Users with Remote Access Malware
A phishing campaign targets Cardano users through fake emails promoting the fraudulent download of the Eternl Desktop application.

The attack leverages professionally crafted messages referencing NIGHT and ATMA token rewards through the Diffusion Stake Basket program to establish credibility.

Threat Hunter Anurag identified a malicious installer distributed through a newly registered domain, download.eternldesktop.network.

The 23.3 megabyte Eternl.msi file contains a hidden LogMeIn Resolve remote administration tool that establishes unauthorized access to victim systems without the user realizing it.

Fake installer includes remote access trojan

The malicious MSI installer carries an executable whose original file name is unattended-updater.exe. At runtime, the executable creates a folder structure in the system's Program Files directory.

The installer writes several configuration files, including unattended.json, logger.json, mandatory.json, and pc.json.

The unattended.json configuration allows remote access functionality without requiring user interaction.
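As an added defender-side example (not from the article or the researcher's analysis), the script below walks a directory tree and flags folders that hold the updater binary or the configuration set named above; the scan root, the constructed sample tree and the PLACEHOLDER folder name are assumptions.

```python
"""Triage check for the unattended remote-access artifacts described above.
Scan root, sample layout and the PLACEHOLDER folder name are assumptions."""
import os
import tempfile
from typing import Dict, List

# File names come from the article; the detection logic is an assumption.
CONFIG_FILES = {"unattended.json", "logger.json", "mandatory.json", "pc.json"}
UPDATER_NAME = "unattended-updater.exe"

def find_resolve_artifacts(root: str) -> List[Dict[str, object]]:
    """Walk `root` and report directories holding the updater binary or the
    unattended.json config. Paths are returned relative to `root`."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        names = {n.lower() for n in filenames}
        configs = sorted(CONFIG_FILES & names)
        has_updater = UPDATER_NAME in names
        # A lone logger.json or pc.json is too generic to act on by itself.
        if not has_updater and "unattended.json" not in names:
            continue
        # Updater plus the full config set is the high-confidence pattern.
        high = has_updater and len(configs) == len(CONFIG_FILES)
        findings.append({
            "path": os.path.relpath(dirpath, root),
            "configs": configs,
            "updater": has_updater,
            "severity": "high" if high else "review",
        })
    return sorted(findings, key=lambda f: f["path"])

def scan_constructed_sample() -> List[Dict[str, object]]:
    """Build a CONSTRUCTED tree (one suspicious folder, one benign folder
    with only a generic logger.json) and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "Program Files", "PLACEHOLDER-rmm")
        benign = os.path.join(tmp, "Program Files", "SomeApp")
        for d in (bad, benign):
            os.makedirs(d)
        for name in sorted(CONFIG_FILES) + [UPDATER_NAME]:
            with open(os.path.join(bad, name), "w") as fh:
                fh.write("{}" if name.endswith(".json") else "MZ")
        with open(os.path.join(benign, "logger.json"), "w") as fh:
            fh.write("{}")
        return find_resolve_artifacts(tmp)

if __name__ == "__main__":
    for finding in scan_constructed_sample():
        print(finding)
```

Point the scanner at a real Program Files root to triage a suspect host; a "high" finding still needs confirmation against authorised remote-support deployments.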

Network analysis reveals that the malware connects to the GoTo Resolve infrastructure. The executable transmits system event information in JSON format to remote servers using encrypted API credentials.

Security researchers classify the behavior as critical. Remote administration tools provide threat actors with long-term persistence, remote command execution, and credential harvesting capabilities once installed on victim systems.

Phishing emails maintain a polished, professional tone with proper grammar and no spelling errors.

The scam page is a nearly identical replica of the official Eternl Desktop site, complete with messages about hardware wallet compatibility, local key management, and advanced delegation controls.

The campaign targets Cardano users

Attackers use cryptocurrency governance narratives and ecosystem-specific references as weapons to distribute covert access tools.

References to NIGHT and ATMA token rewards through the Diffusion Stake Basket program lend false legitimacy to the malicious campaign.

Cardano users seeking to participate in staking or governance functions face high risk, because the social engineering mimics legitimate ecosystem developments.

The newly registered domain distributes the installer without official verification or digital signature validation.

Users should verify the authenticity of the software exclusively through official channels before downloading wallet applications.

Anurag’s malware analysis revealed attempted supply chain abuse aimed at establishing persistent unauthorized access.

The GoTo Resolve tool provides attackers with remote control capabilities that compromise wallet security and private key access.

Users should avoid downloading wallet apps from unverified sources or newly registered domains, however polished or professional the email looks.