
A phishing campaign is targeting Cardano users with fake emails promoting downloads of the fraudulent Eternl Desktop application.
The attack utilizes professionally crafted messages referencing NIGHT and ATMA token rewards through the Diffusion Stake Basket program to build trust.
Threat hunter Anurag identified a malicious installer distributed through a newly registered domain, download.eternldesktop.network.
The 23.3 MB Eternl.msi file contains a hidden LogMeIn Resolve remote administration tool that gives the attacker unauthorized access to the victim's system without the user's knowledge.
The fake installer bundles a remote access Trojan.
The malicious MSI installer delivers several files, including an executable that carries the original file name unattended-updater.exe. At runtime, the executable creates a folder structure under the system's Program Files directory.
The installer creates several configuration files, including unattended.json, logger.json, required.json, and pc.json.
The unattended.json configuration allows remote access functionality without user interaction.
Network analysis revealed that the malware communicates with GoTo Resolve infrastructure (GoTo Resolve is the current name of LogMeIn Resolve). The executable uses hardcoded API credentials to send system event information in JSON format to a remote server.
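As an added example (not code from the article or from the researcher it cites), the following Python hunting check scans constructed endpoint and DNS telemetry for the artifacts named above: the download domain, the dropped updater executable, and the four configuration files written under Program Files. The vendor folder name and the event format are assumptions.

```python
"""Hunt for the Eternl.msi / GoTo Resolve artifacts described in the article."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the article; everything else in this file is constructed.
MALICIOUS_DOMAIN = "download.eternldesktop.network"
DROPPED_EXE = "unattended-updater.exe"
CONFIG_FILES = {"unattended.json", "logger.json", "required.json", "pc.json"}
PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files( \(x86\))?\\", re.IGNORECASE)


def check_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator descriptions an event matches (empty list if clean)."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "dns_query" and event.get("query", "").lower() == MALICIOUS_DOMAIN:
        hits.append("phishing download domain")
    if kind in ("file_create", "process_start"):
        path = event.get("path", "")
        name = path.rsplit("\\", 1)[-1].lower()
        if name == DROPPED_EXE:
            hits.append("dropped remote-access updater executable")
        # The config files are only suspicious in the location the article describes.
        if name in CONFIG_FILES and PROGRAM_FILES.match(path):
            hits.append(f"remote-access config {name} under Program Files")
    return hits


def hunt(events: Iterable[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (host, hits) for every event that matched at least one indicator."""
    return [(e.get("host", "?"), h) for e in events if (h := check_event(e))]


# Constructed sample telemetry, not real logs; "ExampleVendor" is an assumed folder name.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "dns_query", "query": "download.eternldesktop.network"},
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Program Files\ExampleVendor\unattended-updater.exe"},
    {"host": "ws01", "type": "file_create",
     "path": r"C:\Program Files\ExampleVendor\unattended.json"},
    {"host": "ws02", "type": "file_create", "path": r"C:\Users\alice\Downloads\pc.json"},
    {"host": "ws02", "type": "dns_query", "query": "example.com"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS):
        print(host, "->", "; ".join(hits))
```

GoTo Resolve is a legitimate product, so a match on the configuration files alone should be triaged against authorized deployments; the domain and the unattended-updater.exe drop from a wallet installer are the stronger signals.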
Security researchers classify the behavior as severe: once installed on a victim's system, a remote administration tool gives the threat actor long-term persistence, remote command execution, and credential harvesting capabilities.
Phishing emails maintain a polished, professional tone with proper grammar and no spelling errors.
The fraudulent announcement is a near-identical clone of the official Eternl Desktop release, with text about hardware wallet compatibility, local key management, and advanced delegation controls.
The campaign is aimed squarely at Cardano users: the attackers weaponize cryptocurrency governance descriptions and ecosystem-specific references to deploy a covert access tool.
Mention of NIGHT and ATMA token rewards through the Diffusion Stake Basket program gives false legitimacy to the malicious campaign.
Cardano users seeking to participate in staking or governance face elevated risk because the social engineering mimics legitimate ecosystem development.
The installer is served from a newly registered domain with no formal verification and no digital-signature check.
Before downloading any wallet application, users should verify its authenticity through official channels only.
Anurag's malware analysis shows a supply-chain-style abuse aimed at persistent unauthorized access.
The GoTo Resolve tool provides attackers with remote control capabilities to compromise wallet security and private key access.
Users should avoid downloading wallet applications from unverified sources or newly registered domains, regardless of their email sophistication or professional appearance.