The attackers mimic real software startups, crafting company profiles on platforms like X (formerly Twitter), Medium, GitHub, Notion, and even Gitbook. These profiles showcase everything from fake employee bios and product roadmaps to whitepapers and investor lists. Some even register fake company details with legitimate business registries such as Companies House in the UK.

One fake company, Eternal Decay, even doctored photos of an Italian exhibition to fake a conference appearance and falsely promote their nonexistent blockchain-powered game.

The campaign often begins on X, Telegram, or Discord, where fake company “employees” contact victims, offering crypto payments to test their software. The victims are then guided to download the malware from the company’s polished-looking website using a provided registration code.

For Windows, victims receive a malicious Electron application. For macOS, they are handed a DMG file containing the infamous Atomic Stealer malware.

Once the Electron app is launched, it presents a Cloudflare verification screen and then quietly downloads a payload—often signed with stolen code signing certificates from real companies like Jiangyin Fengyuan Electronics Co., Ltd. and Paperbucketmdb ApS (the latter revoked in June 2025).

“The malware begins by profiling the system… If verification is successful, an executable or MSI file is downloaded and executed quietly.”

Python is then installed in a temporary directory and controlled remotely via command-and-control (C2) infrastructure, executing commands that typically steal sensitive data and crypto credentials.

On macOS, victims download a DMG containing a bash script and a multiarch binary. The script uses AppleScript to move and execute the hidden .SwoxApp binary in /tmp/. This binary is the Atomic Stealer, a well-known macOS info stealer that targets:

The stolen data is compressed into out.zip and exfiltrated via POST request to 45[.]94[.]47[.]167/contact. Persistence is achieved via a LaunchAgent plist configuration, ensuring the malware runs at every login.

Darktrace also links the tactics to “traffer” groups—cybercriminal operations that generate traffic to malware using SEO, YouTube ads, and fake software. A notable group, CrazyEvil, has been linked to similar schemes targeting crypto users, influencers, and gaming communities.

“While it is unclear if the campaigns described in this blog can be attributed to CrazyEvil… the techniques described are similar in nature.”

Darktrace has flagged dozens of fake entities. Among them:

Each entity shares suspicious overlaps in design, source code, and social media activity, pointing to a central orchestrator behind the scheme.

“This campaign highlights the efforts that threat actors will go to make these fake companies look legitimate in order to steal cryptocurrency from victims,” Darktrace concludes.