2 min read

Fake Solana Security Update NFTs Hide Password-Stealing Malware


October 10, 2022

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Fake Solana Security Update NFTs Hide Password-Stealing Malware

Solana asset owners recently received rogue NFTs masquerading as Phantom wallet security update alerts that led them to install password-stealing malware on their devices.

Threat actors launched the malicious campaign two weeks ago by airdropping “PHANTOMUPDATE.com” and “UPDATEPHANTOM.com” NFTs to several Solana wallets. Attackers tricked users into believing the NFTs were security warnings sent by Phantom developers.

Opening the NFTs displayed a warning that a new Phantom update had been released. The rogue notification urged users to update their wallets as soon as possible to avoid “loss of funds due to hackers exploiting the Solana network.”

The notification also included a couple of websites that, when accessed, triggered an automatic Windows batch (.BAT) file download from Dropbox. Launching the file initially performs a check for Administrator rights and, if not found, displays a User Access Control prompt asking for elevated permissions.

Granting the BAT permissions through the UAC dialog launches a PowerShell script that would eventually download another file named windll32.exe from GitHub and launch it from C:\Users\<username>\AppData\Local.

A Bleeping Computer analysis revealed that it was a strain of password-stealing malware that can extract various types of data from compromised systems, including cookies, passwords, SSH keys and browser information.

The campaign likely focused on crypto assets such as tokens and NFTs. However, password-stealing malware can wreak more havoc than just draining crypto wallets.

People who receive suspicious NFT airdrops should refrain from interacting with them and avoid visiting websites included in the assets’ description fields. To avoid inadvertently interacting with rogue NFTs, you can burn or hide them, depending on the wallet apps’ abilities.

If you have already accessed the URLs mentioned in the phony NFTs’ description field, scan your device for malware as soon as possible. Once the malware’s removed, you can secure your assets and change potentially compromised passwords. Changing passwords while you’re still infected could send your new password to the attackers, making it a futile effort.

Specialized tools like Bitdefender Ultimate Security can protect you against password-stealing malware and other types of cybernetic threats with its extensive range of features:

  • 24/7 real-time data protection against viruses, worms, Trojans, zero-day exploits, ransomware, rootkits, spyware, and other e-threats
  • Behavioral detection module that scans active apps and prevents infection upon detecting suspicious activity
  • Anti-phishing system that detects and blocks suspicious websites that pose as legitimate ones to steal your data
  • Anti-fraud module that notifies you whenever you land on websites that may try to scam you




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.

View all posts

You might also like