From Meetings to Malware: Vortax’s Elaborate Crypto-Stealing Scheme Uncovered
Recorded Future’s Insikt Group has exposed “Vortax,” a seemingly legitimate virtual meeting software, as a sophisticated front for a massive malware operation targeting cryptocurrency users. This elaborate scheme, primarily disseminated through social media phishing campaigns, has been linked to the notorious Atomic macOS Stealer (AMOS) and other infostealers.
Vortax, masquerading as a cross-platform, AI-powered meeting solution, has successfully deceived users with its polished website and social media presence. However, Insikt Group’s analysis reveals a sinister reality. The software, once downloaded and installed, delivers a payload of infostealers designed to pilfer sensitive information, with a particular focus on cryptocurrency credentials.
Insikt Group’s research has linked the Vortax campaign to a threat actor known as “markopolo,” previously identified in a Web3 gaming-related infostealer operation. This connection suggests a broader, coordinated effort to target and exploit vulnerabilities across various platforms. Further investigation revealed 23 other malicious macOS applications masquerading as legitimate software, primarily targeting virtual meeting and cryptocurrency users. These applications are connected to the same threat actor, indicating a broad and sophisticated operation.
To combat this threat, organizations are advised to implement strict security controls to prevent the download of unapproved software, educate users about the risks associated with third-party applications, and regularly update detection signatures for AMOS. Additionally, leveraging threat intelligence solutions can help identify and mitigate threats from malicious domains and IP addresses associated with infostealers.
The full analysis is available in the downloadable PDF report.