Marco Polo Scam Targets Crypto Users Through Fake Meeting Software

June 19, 2024NewsroomCybercrime / Cryptocurrency


A threat actor operating under the pseudonym Marco Polo has been identified as being behind a massive cross-platform scam that targets cryptocurrency users on social media, delivering information-stealing malware in order to steal their funds.

According to analysis published this week by Recorded Future’s Insikt Group, the attack chain involves the use of virtual conferencing software called Vortax (as well as 23 other apps) as a conduit to deliver Rhadamanthys, StealC and Atomic macOS Stealer (AMOS).

“This campaign, primarily targeting cryptocurrency users, marks a significant increase in security threats for macOS and reveals an extensive network of malicious applications,” the cybersecurity firm noted, describing Marco Polo as “agile, adaptive and versatile.”


Evidence indicates that the Vortax campaign is linked to previous activity that leveraged trap-phishing techniques against macOS and Windows users via Web3 gaming lures.

A key aspect of this malicious activity has been attempts to legitimize Vortax on social media and across the internet, with the attackers maintaining a dedicated Medium blog with alleged AI-generated articles, as well as a verified account with a gold tick on X (formerly Twitter).

To download the booby-trapped application, victims must provide a RoomID, a unique identifier in a meeting invite that is propagated through replies to Vortax accounts, direct messages, and cryptocurrency-related Discord and Telegram channels.

Once users enter the required room ID on Vortax’s website, they are redirected to an external website that hosts a Dropbox link or a software installer, ultimately leading to the deployment of the stealer malware.

“The threat actor running this campaign has been identified as markopolo, and leverages shared hosting and C2 infrastructure for all of its builds,” Recorded Future said.

“This suggests that threat actors are relying on convenience to enable agile campaigns, and either abandoning scams as soon as they are detected, or pivoting to new bait once revenue dwindles.”

The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.

The development comes after Enea revealed that SMS scammers were abusing cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2 and IBM Cloud Object Storage to trick users into clicking on fake links that take them to phishing landing pages that steal customer data.


“Cybercriminals have found a way to abuse the functionality offered by cloud storage to host static websites (usually .HTML files) that contain spam URLs embedded in the source code,” said security researcher Manoj Kumar.

“URLs linking to cloud storage are distributed in text messages, but appear genuine and are able to circumvent firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to static websites stored in storage buckets.”

In the final stage, the website automatically redirects users to embedded spam URLs or URLs dynamically generated using JavaScript to trick them into providing personal or financial information.

“The main domain of the URL contains, for example, genuine Google Cloud Storage URLs/domains, making it difficult to detect through regular URL scanning,” Kumar said. “Detecting and blocking these types of URLs has been an ongoing challenge as they are associated with legitimate domains of reputable and well-known businesses.”
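The evasion Kumar describes rests on the link carrying a reputable cloud-storage domain while pointing at a static .html object that then redirects the visitor. The following is an added example, not code from the article or from Enea, of a simple triage heuristic that scans SMS bodies for exactly that combination. The hostname patterns for the four storage services named above and the sample messages are assumptions constructed for this example; real bucket naming and regional hostnames vary, so the list is a starting point, not a complete one.

```python
"""Flag SMS messages that link to static pages hosted on public cloud-storage buckets.

Added example (not from the article or from Enea): a heuristic that mirrors the
evasion described above, where a link carries a reputable cloud-storage domain
and points at a static .html object that then redirects elsewhere.
"""
import re
from urllib.parse import urlparse

# Hostname patterns for the object-storage services named in the article.
# These patterns are an assumption of this example, not a list from the source.
CLOUD_STORAGE_HOST_PATTERNS = [
    re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$"),      # Amazon S3
    re.compile(r"(^|\.)storage\.googleapis\.com$"),                 # Google Cloud Storage
    re.compile(r"(^|\.)storage\.cloud\.google\.com$"),              # Google Cloud Storage
    re.compile(r"(^|\.)backblazeb2\.com$"),                         # Backblaze B2
    re.compile(r"(^|\.)cloud-object-storage\.appdomain\.cloud$"),   # IBM Cloud Object Storage
]

# Loose URL extractor for free-text SMS bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_cloud_storage_host(host: str) -> bool:
    """True when the hostname belongs to one of the storage services above."""
    host = host.lower().rstrip(".")
    return any(p.search(host) for p in CLOUD_STORAGE_HOST_PATTERNS)


def classify_url(url: str) -> dict:
    """Return the signals found for one URL."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    cloud_host = is_cloud_storage_host(host)
    static_page = path.endswith((".html", ".htm"))
    return {
        "url": url,
        "cloud_storage_host": cloud_host,
        # A bare .html object served from a storage bucket is the "static
        # website" the article describes; other objects (PDFs, images) are not
        # flagged by this heuristic on their own.
        "static_html_object": static_page,
        "suspicious": cloud_host and static_page,
    }


def scan_sms(text: str) -> list:
    """Extract every URL in an SMS body and classify it."""
    # Strip trailing punctuation that the loose regex swallows ("...html.").
    return [classify_url(u.rstrip(".,;)")) for u in URL_RE.findall(text)]


def suspicious_urls(text: str) -> list:
    """Only the URLs that match the bucket-hosted static page pattern."""
    return [r["url"] for r in scan_sms(text) if r["suspicious"]]


# Constructed sample messages for this example (not real campaign data).
SAMPLE_SMS = [
    "Your parcel could not be delivered. Reschedule: https://storage.googleapis.com/example-bkt/track.html",
    "Hi, see you at 6pm. Map: https://maps.example.org/venue",
    "Account alert: verify now https://example-bkt.s3.amazonaws.com/verify.html.",
    "Invoice PDF: https://storage.googleapis.com/example-bkt/invoice-2024.pdf",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        for result in scan_sms(sms):
            flag = "SUSPICIOUS" if result["suspicious"] else "ok"
            print(f"{flag:10} {result['url']}")
```

Because the domain itself is legitimate, blocking on reputation alone fails; the useful signal is the combination of storage hostname plus a static HTML object delivered over SMS, which is why the heuristic keeps the two signals separate and reports both. A production filter would feed flagged links to a sandboxed fetch that follows the JavaScript redirect and inspects the final landing page.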
