Cryptocurrency Users Targeted by Malware Campaign on Reddit
Cryptocurrency users are currently under threat from a sophisticated malware campaign spreading through Reddit. The malware families involved, AMOS and Lumma Stealer, are designed to steal cryptocurrency and financial data from unsuspecting users. The scammers are actively engaging with Reddit users, posting links to both Windows and Mac versions of the trojanized software and responding to questions to build trust.
The malware is distributed through posts on cryptocurrency-related subreddits, where attackers offer what appears to be a fully unlocked version of TradingView. These posts include download links to the software, which are actually laced with information-stealing malware. The files are hosted on a website belonging to a Dubai-based cleaning company, rather than a conventional file-sharing service, suggesting that the attackers have direct control over the server. This allows them to update and modify the payloads as needed.
The compromised site exposes an outdated PHP version with known vulnerabilities, which likely made it an easy target for takeover. The malware files are delivered in a double-zipped format, with the final archive being password-protected, a common evasion tactic used to bypass security scans. On macOS, the installer is a new variant of AMOS (Atomic Stealer), which includes an anti-analysis feature that checks for the presence of virtual machines and halts execution if one is detected. If the malware runs successfully, it exfiltrates user data via a POST request to a server located in the Seychelles.
On Windows, the infection begins with an obfuscated BAT file, which executes a malicious AutoIt script. The script concatenates multiple file fragments into the payload before executing it. The Windows variant communicates with a command-and-control (C2) server registered just a week ago by an individual in Russia. Victims who have unknowingly installed the malware have reported stolen cryptocurrency wallets and subsequent impersonation attempts by attackers, who use the compromised accounts to spread further phishing links.
This malware campaign highlights the dynamic nature of crypto-related cyberattacks. By offering free access to a premium trading tool, the scammer leverages the trust and interest of crypto traders to get highly advanced malware installed. The simultaneous targeting of Windows and Mac shows that cybercriminals are becoming more adaptable in their attack strategies. As the adoption of cryptocurrency increases, users need to be careful, avoid downloading cracked versions of programs, and obtain market analysis and trading tools only through proper channels.
To protect against this threat, users should remain highly cautious of free software offers, especially those promoted in online forums. It is crucial to never disable security software when installing programs, even if an installer suggests it. Users should also be wary of password-protected archives, as this is a common trick to evade antivirus detection. Ultimately, it is best to avoid downloading files from unknown or suspicious websites, especially when the hosting site is unrelated to the software being offered.
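The double-zipped, password-protected delivery format described above (and the advice to treat such archives with suspicion) can be turned into a simple pre-extraction check. The following is an added example written for this article, not code from the original report or from any of the tools it mentions: it walks a ZIP archive in memory, records nesting depth, encrypted entries and executable-looking file names, and flags the combination. The sample archive it builds is constructed here for illustration (a harmless placeholder `.bat` inside an inner archive whose central-directory records are patched to carry the "encrypted" flag, since Python's `zipfile` cannot write encrypted archives); the file names and the `MAX_DEPTH` and extension list are assumptions, not values from the campaign.

```python
import io
import struct
import zipfile
from dataclasses import dataclass, field
from typing import Optional

ZIP_MAGIC = b"PK\x03\x04"          # local file header signature
CENTRAL_DIR_SIG = b"PK\x01\x02"    # central directory record signature
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: entry is encrypted
# Assumed list of file types that should not arrive inside a "trading tool" download.
EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".scr", ".dmg", ".pkg", ".app", ".sh")
MAX_DEPTH = 5                      # assumed guard against runaway nesting


@dataclass
class ArchiveReport:
    max_depth: int = 0
    encrypted_entries: list = field(default_factory=list)
    executable_entries: list = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # Nested archives, encrypted members or executables inside a download
        # are each worth a closer look; together they match the delivery pattern.
        return (self.max_depth >= 2
                or bool(self.encrypted_entries)
                or bool(self.executable_entries))


def inspect_archive(data: bytes, depth: int = 1,
                    report: Optional[ArchiveReport] = None,
                    path: str = "") -> ArchiveReport:
    """Recursively inspect a ZIP archive in memory without extracting to disk."""
    report = report or ArchiveReport()
    report.max_depth = max(report.max_depth, depth)
    if depth > MAX_DEPTH:
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = f"{path}/{info.filename}" if path else info.filename
            # File names stay visible even in encrypted ZIPs, so check them first.
            if info.filename.lower().endswith(EXECUTABLE_EXTS):
                report.executable_entries.append(name)
            if info.flag_bits & FLAG_ENCRYPTED:
                report.encrypted_entries.append(name)
                continue  # content cannot be read without the password
            member = zf.read(info)
            if member.startswith(ZIP_MAGIC):  # nested archive, detected by magic bytes
                inspect_archive(member, depth + 1, report, name)
    return report


def triage(data: bytes) -> dict:
    """Summarise the inspection as a plain dict for logging or alerting."""
    r = inspect_archive(data)
    return {"max_depth": r.max_depth,
            "encrypted": r.encrypted_entries,
            "executables": r.executable_entries,
            "suspicious": r.is_suspicious()}


# ---- constructed sample data (test scaffolding, not real malware) -----------

def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag on every central-directory record so that
    metadata readers report the entries as password-protected.
    The member data itself is left unencrypted; this only mimics the flag."""
    out = bytearray(zip_bytes)
    pos = out.find(CENTRAL_DIR_SIG)
    while pos != -1:
        flags_off = pos + 8  # signature(4) + version made by(2) + version needed(2)
        (flags,) = struct.unpack_from("<H", out, flags_off)
        struct.pack_into("<H", out, flags_off, flags | FLAG_ENCRYPTED)
        pos = out.find(CENTRAL_DIR_SIG, pos + 4)
    return bytes(out)


def build_sample() -> bytes:
    """Constructed double-zipped download: outer ZIP -> 'encrypted' inner ZIP -> .bat."""
    inner = _zip_bytes({"TradingView_Premium.bat": b"@echo off\r\nrem placeholder\r\n"})
    return _zip_bytes({"TradingView_Premium.zip": _mark_encrypted(inner)})


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(_zip_bytes({"README.txt": b"plain text, nothing nested"})))
```

The check deliberately reads member bytes rather than trusting extensions, so a nested archive renamed to `.dat` is still found, and it stops descending at encrypted members instead of guessing passwords. A benign single-level archive of documents produces no findings; the constructed sample is reported with depth 2, one encrypted entry and one executable name.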
