New campaign distributes *Needle Stealer*, a Golang-based modular infostealer targeting crypto wallets, browser data, and Telegram sessions via fake AI trading tool lures.

In brief - Threat actors are using a fraudulent *TradingClaw* website to deliver *Needle Stealer*, a Golang infostealer with modular capabilities including clipboard hijacking, form grabbing, and malicious browser extensions. The malware selectively targets victims, exfiltrating cryptocurrency wallet credentials (MetaMask, Ledger, Trezor, Exodus) and browser data while evading detection through process hollowing and DLL hijacking.

Technically - The infection chain starts with a ZIP file containing *iviewers.dll*, which leverages DLL hijacking to execute a second-stage DLL. This injects *Needle Stealer* into *RegAsm.exe* via process hollowing. The malware, written in Golang, unpacks hidden ZIPs (*base.zip*, *meta.zip*) to deploy malicious extensions into %LOCALAPPDATA%\Packages\Extensions. These extensions communicate with C2 endpoints (/backup-domains/active, /upload, /extension, /scripts) on domains like *coretest[.]digital* and *reisen[.]work*, enabling traffic redirection, script injection, and data exfiltration. Core functionality resides in the 'ext' package, supporting modular components like a wallet spoofer and clipboard hijacker.

Source: https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers

#Cybersecurity #ThreatIntel