A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft.
The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS), Recorded Future’s Insikt Group said in an analysis published this week.
“This campaign, primarily targeting cryptocurrency users, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications,” the cybersecurity company noted, describing markopolo as “agile, adaptable, and versatile.”
There is evidence connecting the Vortax campaign to prior activity that leveraged trap phishing techniques to target macOS and Windows users via Web3 gaming lures.
A crucial aspect of the malicious operation is its attempt to legitimize Vortax on social media and the internet, with the actors maintaining a dedicated Medium blog filled with suspected AI-generated articles as well as a verified account on X (formerly Twitter) carrying a gold checkmark.
Downloading the booby-trapped application requires victims to provide a RoomID, a unique identifier to a meeting invitation that’s propagated via replies to the Vortax account, direct messages, and cryptocurrency-related Discord and Telegram channels.
Once a user enters the necessary Room ID on the Vortax website, they are redirected to a Dropbox link or an external website that stages an installer for the software, which ultimately leads to the deployment of the stealer malware.
“The threat actor that operates this campaign, identified as markopolo, leverages shared hosting and C2 infrastructure for all of the builds,” Recorded Future said.
“This suggests that the threat actor relies on convenience to enable an agile campaign, quickly abandoning scams once they are detected or producing diminishing returns, and pivoting to new lures.”
The findings show that the pervasive threat of infostealer malware cannot be overlooked, especially in light of the recent campaign targeting Snowflake.
The development comes as Enea revealed SMS scammers’ abuse of cloud storage services like Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to trick users into clicking on bogus links that direct to phishing landing pages that siphon customer data.
“Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .HTML files) containing embedded spam URLs in their source code,” security researcher Manoj Kumar said.
“The URL linking to the cloud storage is distributed via text messages, which appear to be authentic and can therefore bypass firewall restrictions. When mobile users click on these links, which contain well-known cloud platform domains, they are directed to the static website stored in the storage bucket.”
In the final stage, the website automatically redirects users to the embedded spam URLs or dynamically generated URLs using JavaScript and deceives them into parting with personal and financial information.
“Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning,” Kumar said. “Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies.”
