
Massive Info Stealer Campaign Targets Gamers, Streamers, And Crypto Investors

According to a recently published report by Recorded Future's Insikt Group, security researchers uncovered a massive info stealer malware operation encompassing approximately 30 campaigns.

The targets include a broad spectrum of demographics, including prominent gamers and online streamers. The campaigns also targeted multiple system platforms.


The attack campaigns have been attributed to a cybercriminal group named "Marko Polo." The threat actors use a variety of distribution channels, including malvertising, spear phishing, and brand impersonation in online gaming, cryptocurrency, and software, to spread over 50 different malware payloads.

As to the impact of these campaigns on victims and the wider public, Insikt Group stated,

Based on the widespread nature of the Marko Polo campaign, Insikt Group suspects that likely tens of thousands of devices have been compromised globally — exposing sensitive personal and corporate data. This poses significant risks to both consumer privacy and business continuity. Almost certainly generating millions of dollars in illicit revenue, this operation also highlights the negative economic effects of such cybercriminal activities. Insikt Group also notes that the primary targets of the scams identified in this report — online gaming personalities, cryptocurrency influencers, and technology professionals — are usually considered to be more technologically savvy, with better cybersecurity hygiene, than the average internet user. Despite this, these users are still susceptible to Marko Polo scams — indicating both the maturity of such scams and the broader effectiveness of social engineering as an attack vector. Individuals and enterprises may face direct financial losses, increased insurance costs, and reputational damage from breaches attributed to Marko Polo scams.

While the 30 scam campaigns were driven by social media-powered scams, which targeted influencers and well-known cryptocurrency investors, they were supplemented by abusing popular software packages. Researchers discovered over 20 compromised Zoom meeting software builds, software cracks, and malicious torrent downloads containing malware.

These campaigns still pose a significant risk to businesses and individuals as, at the time of writing the report, Insikt Group noted that many of the campaigns were still active in the wild.

Marko Polo relies heavily on spear phishing via direct messages on social media to reach high-value targets. Targets of interest were found in the following sectors: cryptocurrency influencers, gamers, software developers, and others deemed to have access to high-value data.

Phishing messages were crafted to deceive receivers into thinking legitimate job opportunities or collaborations were sent when, in fact, they contained malicious links designed to drop various malware payloads.

Brands impersonated in the campaigns included Fortnite, Party Icon, RuneScape, Rise Online World, Zoom, and PeerMe. However, Marko Polo also used completely made-up brands along with supporting social media accounts and websites to trick victims.

These included Vortax/Vorion and VDeck (meeting software), Wasper and PDFUnity (collaboration platforms), SpectraRoom (crypto communications), and NightVerse (web3 game).

Windows and Mac Targeted

Security researchers also discovered that Marko Polo has a fairly diversified toolkit, allowing the threat group to attack Windows and Mac users. This suggests that the group is more than capable of carrying out multi-platform and multi-vector attacks. For instance, when a Windows machine is targeted, HijackLoader is used as a delivery method for other malware payloads.

HijackLoader has seen increasing use by multiple threat actors in recent months. One reason for this is the malware's use of sophisticated evasion techniques.

CrowdStrike stated,

The primary evasion techniques employed by HijackLoader include hook bypass methods such as Heaven’s Gate and unhooking by remapping system DLLs monitored by security products. Additionally, the malware implements variations of process hollowing and an injection technique that leverages transacted hollowing, which combines the transacted section and process doppelgänging techniques with DLL hollowing.

Once HijackLoader has been successfully deployed, threat actors will drop Stealc, a lightweight info stealer designed to collect data from browsers and crypto wallet apps. Further, Marko Polo threat actors have been seen to also drop Rhadamanthys, a more specialized stealer that targets a broad range of applications and data types.

Later versions of the malware, which are available for purchase on underground hacker forums, included:

  • A new Clipper plugin that modifies clipboard data to divert crypto payments to the attacker.
  • Telegram notification options to exfiltrate the wallet crack and seed in the exfiltrated ZIP.
  • Ability to recover deleted Google Account cookies.
  • Ability to evade Windows Defender, including cloud protection, by cleaning its stub.
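A defender-side illustration of the Clipper behaviour listed above, added here and not code from the Recorded Future report or the malware itself: a heuristic that flags a clipboard change in which a cryptocurrency address is silently replaced by a different address of the same chain within a short window, which is the pattern a clipper produces and a human rarely does. The address patterns, the two-second threshold, and the snapshot sequence are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Illustrative address shapes for two chains (constructed for this example;
# not an exhaustive classifier).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the chain name whose address pattern the text matches, else None."""
    text = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(text):
            return name
    return None


@dataclass
class ClipperAlert:
    at: float           # timestamp of the suspicious clipboard change
    original: str       # address the user copied
    replaced_with: str  # address that appeared in its place
    chain: str


def detect_clipper(snapshots, max_gap_s=2.0):
    """snapshots: list of (timestamp_seconds, clipboard_text), in time order.

    Heuristic: an address of chain X replaced by a *different* address of the
    same chain X within max_gap_s is flagged. A legitimate second copy of
    another address normally happens seconds or minutes later, so the gap
    threshold keeps false positives low but is still a tunable assumption.
    """
    alerts = []
    prev = None  # (timestamp, text, chain)
    for ts, text in snapshots:
        text = text.strip()
        chain = classify(text)
        if prev is not None:
            pts, ptext, pchain = prev
            swapped = pchain and chain == pchain and text != ptext
            if swapped and ts - pts <= max_gap_s:
                alerts.append(ClipperAlert(ts, ptext, text, chain))
        prev = (ts, text, chain)
    return alerts


# Constructed clipboard history: one swap 0.3 s after an ETH address was copied.
ETH_USER = "0xa1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
ETH_SWAP = "0x" + "deadbeef" * 5
SAMPLE_SNAPSHOTS = [
    (0.0, "hello team"),
    (5.0, ETH_USER),
    (5.3, ETH_SWAP),                      # silent replacement -> alert
    (20.0, "meeting at 3pm"),
    (30.0, "1DemoAddr" + "A" * 25),       # user copies a BTC address
    (45.0, "1DemoAddr" + "B" * 25),       # 15 s later: a second legitimate copy
    (45.5, ETH_USER),                     # different chain from previous: no alert
]
```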

When a Marko Polo threat actor targets a Mac machine, the Atomic info stealer, also tracked as AMOS, is the malware payload. Atomic is actively sold via Telegram and other channels; the malware is rented at 1000 USD per month to other threat actors. The malware was launched in 2023 and targets data stored in browsers.

Data targeted by the malware includes:

  • Desktop cryptocurrency wallets, including Electrum, Binance, Exodus, Atomic
  • Cryptocurrency wallet extensions: In total, 50 extensions are targeted, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain.
  • Web browser data, including auto-fills, passwords, cookies, and credit cards from Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, and Vivaldi.
  • System information, including model name, hardware UUID, RAM size, core count, serial number, and others.

Atomic can also brute-force MetaMask seeds and steal Apple Keychain passwords to access WiFi passwords, saved logins, credit card data, and other encrypted information stored on macOS.

This year has seen a significant uptick in information-stealing activity. This is possibly due to threat actors deeming that the information stolen could be used to compromise corporate networks, where even more valuable data is stored.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
