A new and increasingly dangerous cyber threat is emerging, targeting Web3 developers through cleverly disguised AI platforms. A threat group known as EncryptHub—also identified by aliases such as LARVA-208 or Water Gamayun—is deploying malware called “Fickle Stealer” through social engineering tactics masked as job interviews or AI tool demos. This attack campaign represents a dangerous fusion of technical manipulation and psychological deception.

🧠 How the Attack Unfolds
1. Baiting with AI Platforms
Developers are contacted via social media or messaging platforms like Telegram. They are offered a job opportunity or invited to test a new AI tool. These tools, such as “Norlax AI,” mimic real companies in branding and functionality, creating a false sense of trust.
2. The Interview Trap
Initial conversations often begin through trusted video conferencing platforms like Google Meet to avoid suspicion. Midway, victims are directed to a fake AI website for a “technical demo” or “onboarding.”
3. Triggering the Download
Once on the fraudulent site, the target is prompted to download a file due to a fake error message—typically claiming missing audio drivers. The file is disguised as legitimate software (e.g., Realtek Audio Driver) but contains malware.
4. Silent Malware Installation
A PowerShell script embedded in the download executes in the background, installing Fickle Stealer. This malware gathers sensitive data, including cryptocurrency wallets, saved browser passwords, authentication tokens, and clipboard contents, then sends it to the attacker’s remote servers.
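The download-to-PowerShell step above is the point where endpoint telemetry can catch this chain. What follows is an added example, not code from the original article or from any vendor report: it scores constructed Sysmon-style process-creation records for a PowerShell instance launched by a "driver" installer in the Downloads folder with stealth switches and command-line references to the data the article says Fickle Stealer collects (browser passwords, wallet files, clipboard). The field names follow Sysmon Event ID 1; the three sample records and the alert threshold are assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\dev\Downloads\Realtek_Audio_Driver_Setup.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand <base64-blob-omitted>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Projects"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Get-Clipboard; Copy-Item \"$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data\" $env:TEMP"'},
]
# A lookalike "driver"/"setup" installer sitting in Downloads that spawns PowerShell.
DOWNLOADED_INSTALLER = re.compile(r"\\Downloads\\[^\\]*(?:driver|setup|install)[^\\]*\.exe$", re.I)
# Switches that hide the console or obscure the script body, including their short forms.
STEALTH_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+\S", re.I),
    "policy_bypass": re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),
}
# References to the data classes the article lists: browser passwords, wallets, clipboard.
LOOT_PATTERNS = {
    "browser_credentials": re.compile(r"Login Data|Cookies", re.I),
    "crypto_wallet": re.compile(r"wallet", re.I),
    "clipboard": re.compile(r"Get-Clipboard", re.I),
}

def analyze_event(event):
    """Return the indicator names matched by one process-creation event (empty if none)."""
    if not event["Image"].lower().endswith("powershell.exe"):
        return []
    hits = []
    if DOWNLOADED_INSTALLER.search(event["ParentImage"]):
        hits.append("parent_is_downloaded_installer")
    cmd = event["CommandLine"]
    hits += [name for name, pat in STEALTH_PATTERNS.items() if pat.search(cmd)]
    hits += [name for name, pat in LOOT_PATTERNS.items() if pat.search(cmd)]
    return hits

def triage(events, threshold=2):
    """Map event index -> indicators for events with at least `threshold` co-occurring indicators.
    Requiring two keeps a lone '-WindowStyle Hidden' from an admin script below alert level."""
    flagged = {}
    for i, event in enumerate(events):
        hits = analyze_event(event)
        if len(hits) >= threshold:
            flagged[i] = hits
    return flagged
```

Wire the same logic to real Sysmon or EDR process events and tune the threshold against your own baseline of legitimate hidden-window PowerShell jobs.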
🎯 Why Web3 Developers Are Ideal Targets
- Valuable Assets: Many Web3 developers hold crypto assets or have access to decentralized finance systems.
- Freelance Culture: Developers often work independently, making them more susceptible to unofficial job or project requests.
- AI Buzz: The lure of contributing to AI projects adds credibility to the scam.
🔧 Broader Techniques in the Campaign
- Trojanized Installers: Malware has also been embedded into counterfeit versions of legitimate software, like Visual Studio or messaging apps, with fake digital certificates to pass security checks.
- Mass Deployment via Bots: Threat actors use Pay-Per-Install services via Telegram bots to distribute malware at scale.
- Multi-Stage Payloads: The campaign includes scripts that conduct reconnaissance, steal credentials, deploy remote access tools, and maintain persistence on infected systems.
- Exploiting Vulnerabilities: Known Windows vulnerabilities are being used to bypass User Account Control (UAC) and escalate privileges silently.
🔐 Why This Threat Is Alarming
| Threat Element | Description |
|---|---|
| Social Engineering | Carefully crafted messages and real-time interactions make scams more believable. |
| Tailored Targeting | The campaign focuses on a niche but lucrative group: Web3 developers. |
| Advanced Tooling | Utilizes stealthy scripts, custom malware, and modern distribution channels. |
❓ Frequently Asked Questions
Q: What is Fickle Stealer?
A lightweight but powerful PowerShell-based info-stealer designed to extract login data, session cookies, crypto wallet files, and more.
Q: How does the fake AI platform look so convincing?
Attackers replicate user interfaces, include fake company logos, and even mimic known AI tools to reduce suspicion.
Q: What systems are at risk?
Primarily Windows systems, though the tactics used could be adapted to target macOS or Linux users.
Q: What red flags should developers watch for?
Unsolicited interview offers, requests to download external tools, error prompts about drivers, and lack of verifiable business details.
Q: How can Web3 developers protect themselves?
Use antivirus and endpoint detection, avoid unofficial platforms, sandbox downloads, and use MFA for all accounts. Consider browser isolation and password vaults that can detect phishing sites.
🧭 Final Thoughts
This campaign marks a troubling evolution in cybercrime—using the legitimacy of AI innovation to mask malicious intent. Developers in emerging tech sectors like Web3 must remain vigilant, as their digital assets and trust networks are becoming prime targets.

Source: The Hacker News


