Compliance‑themed dashboard displaying address entries, risk categories, and an investigation panel
A new report from LevelBlue SpiderLabs’ Cyber Threat Intelligence Team details a “progressive convergence” where traditional malware infrastructures are being repurposed to hunt for digital assets. This shift marks a major evolution in the threat landscape, as high-end asset theft moves from niche hacker groups into the mainstream of the commodity malware economy.
Historically, the digital underworld was siloed. One group stole browser credentials, another managed botnets, and entirely different actors focused on fake trading portals or rogue wallet extensions. According to the report, that separation has effectively eroded over the past two years.
The researchers explain the new reality: “Infrastructure once dedicated for credential theft is now routinely repurposed to host wallet-phishing content, while actors traditionally associated with commodity malware operations have begun incorporating drainer tooling as an additional revenue stream.”
At the heart of this trend is the rapid maturation of crypto drainers. Once simple JavaScript payloads, these tools have evolved into polished, multi-network automation engines. LevelBlue highlights two distinct but equally dangerous examples of this new breed:
- StepDrainer: An automated system that uses “polished web and AI-themed lures” to steal assets across multiple blockchain networks simultaneously.
- EtherRAT: A traditional Windows-based implant that has begun incorporating “blockchain-aware functionality” into its standard toolkit.
Perhaps the most significant finding in the report is how threat actors have stopped viewing the blockchain solely as a target for theft. Instead, they are beginning to use it as a core part of their own infrastructure.
Attackers are now using on-chain components for:
- Configuration: Storing malicious settings in smart contracts.
- Routing: Using blockchain data to direct traffic to command-and-control (C2) servers.
- Asset Interaction: Automating the movement of stolen goods directly through decentralized protocols.
As the report puts it, blockchains are becoming “part of the operational toolkit rather than just the target.”
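When a sample reads its configuration from a smart contract, the value arrives as the `result` field of an `eth_call` JSON-RPC response, ABI-encoded rather than as plain text. The decoder below is an added example written for this article, not code from the LevelBlue report or any of the tools it names; it shows how an analyst can recover such a string offline from a captured response and check whether it points at a C2 endpoint. The captured payload is constructed for the example, and the `example.invalid` URL inside it is a placeholder.

```python
"""Decode an ABI-encoded string from a captured eth_call result (analyst tooling).

Added example, not from the LevelBlue report. A dynamic `string` return value
is laid out as 32-byte words: [offset][length][data, zero-padded to 32 bytes].
"""
from urllib.parse import urlparse

WORD = 32  # the EVM ABI works in 32-byte words


def _word(raw: bytes, pos: int) -> int:
    """Read the big-endian unsigned integer stored in the word at byte `pos`."""
    if pos < 0 or pos + WORD > len(raw):
        raise ValueError(f"word at offset {pos} lies outside the {len(raw)}-byte payload")
    return int.from_bytes(raw[pos:pos + WORD], "big")


def abi_decode_string(result_hex: str) -> str:
    """Return the UTF-8 string encoded in an eth_call `result` for a `string` return."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) % WORD:
        raise ValueError("payload is not a whole number of 32-byte words")
    offset = _word(raw, 0)        # head word: where the dynamic data begins
    length = _word(raw, offset)   # first tail word: byte length of the string
    start = offset + WORD
    data = raw[start:start + length]
    if len(data) != length:       # declared length runs past the payload
        raise ValueError("declared length exceeds payload (truncated response)")
    return data.decode("utf-8")


def abi_encode_string(value: str) -> str:
    """Inverse of abi_decode_string; used here to build test inputs."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % WORD)
    head = WORD.to_bytes(WORD, "big") + len(data).to_bytes(WORD, "big")
    return "0x" + (head + padded).hex()


def extract_c2_url(result_hex: str):
    """Decode the value and return it only if it looks like an http(s)/ws(s) URL."""
    value = abi_decode_string(result_hex)
    parsed = urlparse(value)
    if parsed.scheme in {"http", "https", "ws", "wss"} and parsed.netloc:
        return value
    return None


# Constructed sample: what a captured eth_call `result` looks like when the
# contract returns the string "https://example.invalid/c2.json" (placeholder host).
CAPTURED_RESULT = (
    "0x"
    + "00" * 31 + "20"  # offset of the string data: 32 bytes
    + "00" * 31 + "1f"  # string length: 31 bytes
    + "68747470733a2f2f6578616d706c652e696e76616c69642f63322e6a736f6e00"
)


if __name__ == "__main__":
    print("decoded:", abi_decode_string(CAPTURED_RESULT))
    print("C2 candidate:", extract_c2_url(CAPTURED_RESULT))
```

The length check matters in practice: a response truncated by a proxy or a deliberately malformed one would otherwise decode silently to a shorter string, so the decoder refuses it instead of returning a misleading value.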
Even an organization with no “corporate crypto footprint” is exposed to these actors. Because drainer tooling is now bundled with traditional infostealers, any compromised workstation or browser extension can serve as a foothold for a broader intrusion.
The LevelBlue team warns that the industry must shift its mindset: “Crypto drainers are therefore no longer a niche Web3 problem. They represent a broad threat category with meaningful implications for enterprise security, requiring visibility and controls similar to those used against traditional credential-stealing malware.”