Researchers have identified a blockchain-encoded malware campaign that embeds the Omnistealer loader in blockchain transactions, enabling it to harvest cryptocurrency wallets and other credential stores. The loading chain first passes through the TRON or Aptos blockchains—public ledgers used for cryptocurrency transfers—where a transaction carries a pointer to the Binance Smart Chain, on which the final payload resides. Omnistealer reportedly targets more than 60 cryptocurrency wallet extensions, over a dozen password managers, more than 10 browsers, and cloud storage services, allowing it to harvest cryptocurrency and credentials from multiple sources. Investigators attribute the activity to North Korean actors, citing IP addresses linked to Vladivostok and wallets connected to the Lazarus Group, and suggest it is part of a broadened campaign to steal millions of dollars’ worth of cryptocurrency.
The attackers are said to recruit contractors and freelance developers via platforms such as LinkedIn and Upwork, then infect them through GitHub repositories that deploy the malware. Because the malicious payload pointers are embedded in blockchain transactions, which cannot be taken down like a conventional command-and-control server, the campaign gains a durable foothold that is difficult to eradicate; researchers warn that the threat could spread further as more such transactions are made—and as AI-assisted coding makes replication easier. The FBI has acknowledged DPRK social engineering targeting blockchain developers, highlighting ongoing investigations into this evolving cybercrime in the Web3 space. As blockchain activity grows, Omnistealer’s reach could expand across Web3 ecosystems, challenging defenders to harden wallets, credential stores, and development workflows.