20 Mar 25

Scammers on Reddit Spread Fake TradingView Premium with Malware

Security researchers at Malwarebytes have discovered a new scam targeting cryptocurrency traders.

nft.eu

Security researchers at Malwarebytes have discovered a new scam targeting cryptocurrency traders. Scammers are using Reddit to promote a "cracked" version of TradingView Premium, embedding it with malicious software such as Lumma Stealer and Atomic Stealer (AMOS).

According to reports, scam posts appear in popular cryptocurrency subreddits, offering links to downloads for Windows and macOS. By promising free access to TradingView’s premium features, scammers lure users into downloading malware that steals personal data and crypto wallet credentials.

Scam Post on Reddit. Source: malwarebytes

The attackers actively engage in discussions in the comments [1, 2], encouraging potential victims to install the "cracked" software. The malicious files are hosted on a compromised server in Dubai, which is disguised as the website of a cleaning company.

Key Indicators of Malware:

  • Files are packed in a double ZIP archive and protected with a password.
  • Installation requires disabling antivirus software — a major red flag.
  • Files are distributed through suspicious websites rather than official sources.
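Two of the indicators above, a ZIP nested inside another ZIP and password-protected entries, can be checked before anything is extracted. The following script is an added example written for this page, not code from Malwarebytes or from the article; it walks an archive with Python's standard zipfile module, reports nested archives and encrypted entries, and flags the combination. The sample archive it inspects is constructed inline (a placeholder script, not the malware), and because zipfile cannot write password-protected files, the sample's "encrypted" flag is set by patching the header bit directly.

```python
# Added example, not from the article: triage a downloaded ZIP for two of the
# red flags named above, nesting (a ZIP inside a ZIP) and password protection.
# The sample archive is constructed inline; nothing is fetched from the network.
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flag in a ZIP entry header


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 4) -> list:
    """Return findings as (depth, entry_name, kind) tuples.

    Walks the archive and descends into any entry that is itself a ZIP.
    Encrypted entries are reported and not descended into, because their
    content cannot be read without the password.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append((depth, info.filename, "encrypted"))
                continue
            content = zf.read(info.filename)
            if content[:4] == b"PK\x03\x04":  # local-file-header signature
                findings.append((depth, info.filename, "nested-zip"))
                if depth < max_depth:
                    findings.extend(inspect_zip(content, depth + 1, max_depth))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the archive is both nested and carries password-protected entries."""
    kinds = {kind for _, _, kind in inspect_zip(data)}
    return {"nested-zip", "encrypted"} <= kinds


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every entry of an in-memory ZIP.

    zipfile cannot write password-protected archives, so the constructed
    sample flips the flag bit by hand in each local and central-directory
    header. The data itself is not encrypted; only the header bit that a
    real password-protected archive carries is set.
    """
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            buf[pos + flag_offset] |= ENCRYPTED_FLAG  # low byte, little-endian
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_sample_archive(nested: bool = True, password_protected: bool = True) -> bytes:
    """Constructed sample: an outer ZIP wrapping an inner ZIP of a placeholder script."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("installer.bat", "@echo off\r\necho placeholder\r\n")
    inner_bytes = inner.getvalue()
    if password_protected:
        inner_bytes = _mark_encrypted(inner_bytes)
    if not nested:
        return inner_bytes
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("TradingView_Premium.zip", inner_bytes)
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for depth, name, kind in inspect_zip(sample):
        print(f"{'  ' * depth}{name}: {kind}")
    print("suspicious:", is_suspicious(sample))
```

Only the archive metadata is read; encrypted entries are never opened, so the check works without the password and without running anything from the download. A real triage tool would also record entry names and sizes, since a double-wrapped, password-protected archive whose inner file is a .bat or .com is exactly the shape this campaign used.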

How the Malware Works on Different Platforms

On macOS, an updated version of AMOS is installed. It first checks whether it is running in a virtual environment (VM). If it detects a VM, it terminates with error code 42, preventing detection by security researchers.

On Windows, a malicious BAT file (Costs.tiff.bat) is executed, triggering an encrypted AutoIt script (Sad.com). This malware steals user data and sends it to a server in the Seychelles (45.140.13.244).

The command and control (C2) domain cousidporke[.]icu was recently registered and has been linked to Russia.
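The file names, the exfiltration IP and the C2 domain quoted in the two paragraphs above are the indicators a defender would sweep logs for. The script below is an added example written for this page, not code from the article or from Malwarebytes; it refangs the bracketed domain, compiles one anchored pattern per indicator so that a longer IP or hostname containing the same digits does not match, and runs the patterns over a few constructed endpoint, DNS and proxy log lines. The log lines, hostnames and the benign addresses in them are made up for the example; only the indicator values come from the article.

```python
# Added example, not from the article: match the indicators quoted above against
# endpoint, DNS and proxy log lines. The log lines are constructed for this
# example; the indicator values are the ones the article reports.
import ipaddress
import re

# Indicators as the article prints them. The domain is defanged ([.]),
# so it is refanged before matching.
ARTICLE_INDICATORS = {
    "c2_domain": "cousidporke[.]icu",
    "exfil_ip": "45.140.13.244",
    "windows_dropper": "Costs.tiff.bat",
    "autoit_payload": "Sad.com",
}

# Constructed sample log: WS-017 shows the chain, WS-021 is benign traffic
# (45.140.13.24 is a deliberate near-miss that must not match the IP indicator).
SAMPLE_LOG = """\
2025-03-20T09:58:09Z process host=WS-017 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c Costs.tiff.bat"
2025-03-20T09:58:11Z dns host=WS-017 query=cousidporke.icu answer=45.140.13.244
2025-03-20T09:58:12Z proxy host=WS-017 dst=45.140.13.244:443 method=POST bytes_out=183422
2025-03-20T10:02:40Z proxy host=WS-021 dst=45.140.13.24:443 method=GET bytes_out=512
2025-03-20T10:03:01Z dns host=WS-021 query=www.tradingview.com answer=203.0.113.10
"""


def refang(value: str) -> str:
    """Turn a defanged indicator (cousidporke[.]icu, hxxp://...) back into a matchable string."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(indicators: dict) -> dict:
    """Compile one anchored regex per indicator so substrings of longer tokens do not match."""
    patterns = {}
    for name, value in indicators.items():
        plain = re.escape(refang(value))
        try:
            ipaddress.ip_address(refang(value))
            # IP: no neighbouring octet or dot (45.140.13.244 must not match 145.140.13.244)
            patterns[name] = re.compile(r"(?<![\d.])" + plain + r"(?![\d.])")
        except ValueError:
            # Domain or filename: whole token, case-insensitive; a leading dot is
            # allowed so that subdomains of the C2 domain still match.
            patterns[name] = re.compile(r"(?<![\w-])" + plain + r"(?![\w-])", re.IGNORECASE)
    return patterns


def scan_log(text: str, indicators: dict = ARTICLE_INDICATORS) -> list:
    """Return (line_number, indicator_name) for every indicator found on every line."""
    patterns = build_patterns(indicators)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in patterns.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def affected_hosts(text: str, indicators: dict = ARTICLE_INDICATORS) -> set:
    """Hosts (from the host=... field) with at least one hit, i.e. the isolation list."""
    lines = text.splitlines()
    hosts = set()
    for lineno, _ in scan_log(text, indicators):
        match = re.search(r"\bhost=(\S+)", lines[lineno - 1])
        if match:
            hosts.add(match.group(1))
    return hosts


if __name__ == "__main__":
    for lineno, name in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
    print("hosts to isolate:", sorted(affected_hosts(SAMPLE_LOG)))
```

On the sample, WS-017 produces hits for the dropper, the C2 domain and the exfiltration IP, while the near-miss address on WS-021 is correctly ignored. Indicators of this kind age quickly: the article notes the domain was registered recently, and stealer operators rotate infrastructure, so the process-level indicator (a .bat launching an AutoIt payload) is more durable than the IP or domain.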

What data is stolen:

  • Login credentials and passwords.
  • Clipboard contents (which could contain private keys or seed phrases).
  • Files stored on the victim’s computer.
  • Access to cryptocurrency wallets.

Victims reported that after installing the fake TradingView software, their crypto wallets were drained. Moreover, scammers used compromised accounts to spread phishing links to their contacts, further expanding the attack.

How to protect yourself:

  • Never disable your antivirus if an installation requires it.
  • Do not download files from unknown websites.
  • Avoid software that comes in password-protected archives.
  • Only trust official sources for software downloads.

Microsoft: New StilachiRAT Trojan Targets Crypto Wallets

Crypto-related scams are becoming increasingly sophisticated. Previously, Microsoft warned about a new Trojan called StilachiRAT, which infects Google Chrome and steals data from:

  • MetaMask.
  • Coinbase Wallet.
  • Trust Wallet.
  • OKX Wallet.
  • Bitget Wallet.
  • Phantom, and other cryptocurrency browser extensions.

Security experts emphasize that scammers are aggressively targeting traders. To stay safe, always follow cybersecurity best practices and only download software from verified sources.

This post is for informational purposes only and is not an ad or investment advice. Please do your own research before making any decisions.
