Meeten Malware: AI-Powered Cyber Campaign Targets Web3 Professionals
Cado Security Labs has uncovered a highly sophisticated cyber campaign targeting professionals in the Web3 space. At the heart of this campaign lies the Meeten malware, a cross-platform information stealer designed to compromise macOS and Windows devices. The threat actors behind this operation employ advanced techniques, including AI-generated content, to add a layer of legitimacy to their schemes.
The campaign is driven by fake companies that have cycled through various names, such as Clusee, Cuesee, and Meetio. These entities create convincing websites with AI-generated blog content and maintain active social media profiles to establish credibility. As Cado Security Labs reports, “The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst info stealer.”
Victims are often approached via Telegram, sometimes even by accounts impersonating people they know. In one case, a target received an investment presentation from their own company, signaling the threat actors’ deep reconnaissance capabilities. Once contact is established, victims are directed to download the Meeten application, which initiates the malware’s deployment.
Downloads page on Meeten | Source: Cado Security Labs
The macOS variant of Meeten masquerades as a legitimate package installer. Written in Rust, the malware utilizes osascript to prompt users for their system password—a tactic commonly employed in macOS attacks. Upon execution, it exfiltrates sensitive information such as:
- Telegram credentials
- Keychain passwords
- Banking card details
- Browser cookies and autofill data from popular browsers like Chrome and Edge
- Credentials from crypto wallets, including Ledger and Trezor
The stolen data is compressed into a ZIP file and sent to remote servers for further exploitation. Notably, the macOS variant employs multi-architecture binaries, demonstrating the malware’s versatility.
The Windows counterpart, identified as MeetenApp.exe, is packaged using the Nullsoft Scriptable Installer System (NSIS) and carries a stolen digital signature from “Brys Software.” The malware is deployed as an Electron application, leveraging JavaScript compiled into V8 bytecode to evade detection. Key functionalities include:
- Exfiltrating browser credentials and crypto wallet data
- Persisting on systems via Windows Registry keys
- Gathering system metrics such as hardware IDs and geolocation
The Windows variant also downloads additional malicious payloads, enhancing its data-theft capabilities.
The attackers’ use of AI is not limited to malware development. They generate convincing website content and impersonate legitimate businesses to lure victims. This strategic use of AI underscores a broader trend in cybercrime, where advanced technologies are employed for social engineering.
As highlighted in the report, “Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams, and makes it more difficult to detect suspicious websites.”
To protect against similar attacks, users should:
- Verify the authenticity of contacts, especially on platforms like Telegram.
- Avoid downloading software from unfamiliar or unverified websites.
- Regularly monitor financial accounts and crypto wallets for unauthorized activity.
Cado Security Labs stresses the importance of vigilance: “Even if the contact appears to be an existing contact, it is important to verify the account and always be diligent when opening links.”
Related Posts:
- Sophisticated Linux Malware Campaign Targets Misconfigured Cloud Services
- GuLoader Campaign Targets European Industrial Sector with Evolving Evasion Techniques
- Cloudflare WARP Abused to Hijack Cloud Services, Cado Security Report Reveals
- Unveiling a Novel Malware Campaign: Attackers Targeting Vulnerable Docker Services
- Exploit Kits, Cryptominers, Proxyjackers: The New Face of Selenium Grid Abuse
