Fake emails target Cardano users with remote access malware

A phishing campaign is targeting Cardano users through fake emails promoting a fraudulent Eternl Desktop application download.

The attack leverages professionally crafted messages referencing NIGHT and ATMA token rewards through the Diffusion Staking Basket program to establish credibility.

Threat hunter Anurag identified a malicious installer distributed through a newly registered domain, download.eternldesktop.network.

The 23.3 megabyte Eternl.msi file contains a hidden LogMeIn Resolve remote management tool that establishes unauthorized access to victim systems without user awareness.

Fake installer bundles remote access trojan

The malicious MSI installer carries a specific and drops an executable called unattended-updater.exe with the original filename. During runtime, the executable creates a folder structure under the system’s Program Files directory.

The installer writes multiple configuration files including unattended.json, logger.json, mandatory.json, and pc.json.

The unattended.json configuration enables remote access functionality without requiring user interaction.

Network analysis reveals the malware connects to GoTo Resolve infrastructure. The executable transmits system event information in JSON format to remote servers using hardcoded API credentials.

Security researchers classify the behavior as critical. Remote management tools provide threat actors with capabilities for long-term persistence, remote command execution, and credential harvesting once installed on victim systems.

The phishing emails maintain a polished, professional tone with proper grammar and no spelling errors.

The fraudulent announcement creates a nearly identical replica of the official Eternl Desktop release, complete with messaging about hardware wallet compatibility, local key management, and advanced delegation controls.

Campaign targets Cardano users

The attackers weaponize cryptocurrency governance narratives and ecosystem-specific references to distribute covert access tools.

References to NIGHT and ATMA token rewards through the Diffusion Staking Basket program lend false legitimacy to the malicious campaign.

Cardano users seeking to participate in staking or governance features face high risk from social engineering tactics that mimic legitimate ecosystem developments.

The newly registered domain distributes the installer without official verification or digital signature validation.

Users should verify software authenticity exclusively through official channels before downloading wallet applications.

Anurag’s malware analysis revealed the supply-chain abuse attempt aimed at establishing persistent unauthorized access.

The GoTo Resolve tool provides attackers with remote control capabilities that compromise wallet security and private key access.

Users should avoid downloading wallet applications from unverified sources or newly registered domains regardless of email polish or professional appearance.