Cardano users are facing a sophisticated new security threat from a phishing campaign that impersonates the Eternl Desktop wallet team. Cybercriminals are sending professionally crafted emails that promote a fake wallet download, claiming it supports Cardano staking and governance and offers crypto rewards, including NIGHT and ATMA tokens.
The emails, which contain no spelling errors and use polished language to appear genuine, redirect users to a newly registered malicious domain: download.eternldesktop.network. This site distributes a harmful MSI installer package named 'Eternl.msi' (file hash: 8fa4844e40669c1cb417d7cf923bf3e0). The installer carries no valid digital signature, so it passes none of the standard publisher verification, and it silently bundles a remote access tool called LogMeIn Resolve.
According to detailed technical analysis by independent threat researcher Anurag, once executed, the installer drops an executable titled 'unattended updater.exe' (original filename: GoToResolveUnattendedUpdater.exe). The malware creates a folder structure under the system's Program Files directory and writes configuration files such as unattended.json, logger.json, mandatory.json, and pc.json. The unattended.json file specifically enables unattended remote access without the user's consent, granting the attackers full remote control of the system.
Network analysis confirms the malware connects to known GoTo Resolve domains, including devices-iot.console.gotoresolve.com and dumpster.console.gotoresolve.com. It sends system data in JSON format to these servers, establishing a communication channel that allows for remote command execution, system monitoring, and potential credential theft.
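The file, process and network indicators reported in the preceding paragraphs can be checked on a Windows host with the following triage script. It is an added example written for this page, not code from the article, the researcher, or GoTo. It assumes the downloaded installer sits in the user's Downloads folder (adjust $MsiPath otherwise), treats the reported 32-character hash as MD5, and, because the article does not name the exact Program Files subfolder, searches both Program Files trees for the dropped file names.

```powershell
# Added defender triage script for the indicators described in the article.
# Assumptions (not stated in the article): the installer location given as
# $MsiPath, the reported hash being MD5, and the Program Files subfolder name,
# which is why the dropped-file search is a wildcard over both trees.
param(
    [string]$MsiPath = "$env:USERPROFILE\Downloads\Eternl.msi"
)

# Indicators taken from the article.
$KnownBadMd5  = '8fa4844e40669c1cb417d7cf923bf3e0'
$DroppedFiles = @('unattended.json', 'logger.json', 'mandatory.json', 'pc.json',
                  'unattended updater.exe')
$C2Domains    = @('devices-iot.console.gotoresolve.com',
                  'dumpster.console.gotoresolve.com')
$Findings     = New-Object System.Collections.Generic.List[string]

# 1. Installer checks: hash match against the reported sample and Authenticode
#    status (an unsigned or tampered MSI shows anything other than 'Valid').
if (Test-Path -LiteralPath $MsiPath) {
    $md5 = (Get-FileHash -LiteralPath $MsiPath -Algorithm MD5).Hash.ToLower()
    if ($md5 -eq $KnownBadMd5) {
        $Findings.Add("MSI hash matches the reported sample: $MsiPath")
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
    if ($sig.Status -ne 'Valid') {
        $Findings.Add("MSI is not validly signed (status: $($sig.Status)): $MsiPath")
    }
}

# 2. Dropped files anywhere under Program Files or Program Files (x86).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $DroppedFiles -contains $_.Name } |
        ForEach-Object {
            $Findings.Add("Dropped file present: $($_.FullName)")
            # unattended.json is the file the article identifies as enabling
            # unattended remote access, so show its contents for review.
            if ($_.Name -ieq 'unattended.json') {
                $Findings.Add("  contents: " + (Get-Content -LiteralPath $_.FullName -Raw))
            }
        }
}

# 3. Process and network indicators: the updater process, its established TCP
#    connections, and cached DNS answers for the reported GoTo Resolve hosts.
$procs = Get-Process -Name 'unattended updater', 'GoToResolveUnattendedUpdater' `
                     -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $Findings.Add("Updater process running: $($p.ProcessName) (PID $($p.Id))")
    Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
        ForEach-Object { $Findings.Add("  established connection to $($_.RemoteAddress):$($_.RemotePort)") }
}
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $C2Domains -contains $_.Entry } |
    ForEach-Object { $Findings.Add("DNS cache entry for $($_.Entry) -> $($_.Data)") }

# 4. Report.
if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this campaign were found on this host.'
} else {
    Write-Output 'Indicators found (confirm whether GoTo Resolve is legitimately deployed here):'
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the Program Files search and the TCP connection lookup are not blocked by permissions. GoTo Resolve (formerly LogMeIn Resolve) is a legitimate remote support product, so the dropped files and the console domains also appear on machines where an IT team has deployed it deliberately; the hash match and the missing signature on an installer that claims to be a wallet are the findings that point specifically at this campaign, and any unattended-access configuration the user did not knowingly install should be removed and the machine's credentials rotated.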
Security researchers note this campaign mirrors a previous scam that targeted Meta business users with fake emails about ad account violations. They urge all users to verify wallet downloads exclusively from official, trusted sources and to be highly cautious of newly registered domains, regardless of how professional the associated emails may appear.