
AngelX (Infostealer) – Malware

February 26, 2025

AngelX

Type of Malware: Infostealer
Date of Initial Activity: 2024
Associated Malware: Angel Drainer
Motivation: Data Theft, Financial Gain
Attack Vectors: Phishing
Type of Information Stolen: Cryptocurrencies

Overview

AngelX is a newly discovered variant of the notorious Angel Drainer malware, which has been designed to exploit vulnerabilities in the rapidly growing Web3 ecosystem. First detected by Blockaid’s Threat Intelligence team during routine proactive scans on August 29, 2024, AngelX marks a significant evolution in cybercriminal tactics. The malware, still in its testing phase, was identified within a test decentralized application (dApp) that was likely never intended for public eyes. However, its discovery allowed Blockaid’s team to investigate and neutralize its impact before it could be widely deployed in the wild. What sets AngelX apart from its predecessors is its enhanced functionality and ability to target previously unsupported blockchain networks, including the TON and TRON chains. With new features such as a sophisticated command-and-control (CNC) dashboard and improved cloaking mechanisms, AngelX makes it easier for attackers to execute and conceal their malicious activities. Notably, the malware also includes a seed-phrase-theft flow, a crucial element for gaining access to users’ crypto wallets. This combination of technical advancements ensures that AngelX is more evasive and effective than earlier iterations of the Angel Drainer toolkit.

Targets

Individuals in finance and insurance

How they operate

At its core, AngelX is a “drainer”: malware used by cybercriminals to steal cryptocurrency and other sensitive information from users. It operates through decentralized applications (dApps), which are widely used in the Web3 space for decentralized finance (DeFi) transactions and other blockchain-based operations. AngelX’s primary function is to drain funds from crypto wallets by tricking users into interacting with malicious dApps that appear legitimate but are secretly designed to capture private keys, seed phrases and other critical information.

One of the most notable improvements in AngelX is support for new, previously unsupported blockchain platforms. While older variants of Angel Drainer focused primarily on Ethereum-based networks, AngelX extends its reach to TON (The Open Network) and TRON. This expansion significantly increases the number of potential targets, since it now covers a broader range of users and dApp ecosystems. The malware accomplishes this with custom smart contracts that integrate with the targeted blockchains, allowing the attackers to drain funds from users without their knowledge.

AngelX employs a sophisticated command-and-control (CNC) dashboard that acts as the central hub for managing and controlling infected dApps. This dashboard is accessible to the threat actors behind AngelX and gives them a high level of control over how the malware operates. The CNC panel lets the attackers configure and deploy the various parts of the drainer, including selecting the target blockchain, defining the malicious flow of interactions, and monitoring the stolen data in real time. It also provides analytics on the success rate of each scam, enabling attackers to optimize their strategies over time.

Another critical feature of AngelX is its enhanced cloaking mechanism. Traditional drainer malware often struggles to evade detection by security vendors, but AngelX includes advanced techniques that make it harder to identify. It can modify its behavior depending on the environment in which it runs, for example by hiding its malicious activity within legitimate blockchain transactions or by obscuring its presence through decentralized hosting services. AngelX also incorporates anti-analysis measures such as code obfuscation and encryption, which further complicate detection with traditional security tools.

One of the most concerning aspects of AngelX is its ability to steal seed phrases, the critical component for accessing and controlling cryptocurrency wallets. The malware deceives users into entering their seed phrases into fake interfaces that mimic legitimate wallet access screens. Once the seed phrase is captured, the attackers gain full control over the user’s wallet and can transfer funds at will. This flow has been made more efficient in AngelX, which makes it harder for users to notice and interrupt the process before the seed phrase is compromised.

The malware’s evolution also includes a more streamlined deployment process, allowing scammers to launch new attacks more rapidly. By simplifying the steps needed to create and distribute malicious dApps, AngelX makes it easier for even less technical attackers to use its capabilities. This lowers the barrier to entry for cybercriminals and makes wide distribution and use of the malware more likely.

In response to these technical advancements, security teams have been developing countermeasures and detection logic to protect users from AngelX. Early detection is crucial to preventing widespread adoption of the malware, because it allows defenses to be put in place before the malware gains traction among cybercriminals. By identifying new variants like AngelX during their testing phases, threat intelligence teams can stay ahead of attackers and reduce the risk posed by such advanced threats.

In conclusion, AngelX represents a significant step forward in the evolution of drainer malware. Its ability to target multiple blockchains, improve its evasion techniques, and steal critical user data makes it a formidable threat to the Web3 ecosystem. As cybercriminals continue to refine their tactics and tools, it becomes increasingly important for security teams to stay proactive in monitoring for emerging threats and implementing effective defenses.
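The seed-phrase-theft flow described above (a fake “verify/restore your wallet” screen that collects the recovery phrase) is something a browser-side protection can score heuristically. The following is an added example written for this profile; it is not code from the original article, from Blockaid, or from any wallet vendor. It works on a plain description of a page (origin, form inputs, visible text) rather than a live DOM so it runs offline in Node, and the two sample pages plus the trusted-origin allowlist are constructed for the demo.

```javascript
// Added example (not from the original article or from Blockaid): heuristic scoring
// of a page for a seed-phrase harvesting form. Input is a plain page descriptor
// { origin, inputs: [{ type, name, id, placeholder, label, ariaLabel }], textSnippets }.

// Field labels that name the recovery phrase itself.
const PHRASE_TERMS = /\b(seed|mnemonic|recovery|secret|backup)\s*(phrase|words?)\b|\bmnemonic\b|\b(12|24)[- ]words?\b/i;
// Numbered slots ("word1", "Word 12", "w-24") as used by fake restore-wallet screens.
const WORD_SLOT = /^(word|w)[-_ ]?\d{1,2}$/i;
// Lure copy that pairs an urgent action with the wallet ("verify your wallet", ...).
// "connect wallet" is deliberately excluded: every legitimate dApp shows it.
const LURE_TEXT = /\b(verify|validate|sync|restore|import|migrate)\b.{0,40}\bwallet\b|\bwallet\b.{0,40}\b(verification|validation|migration)\b/i;

// Hypothetical allowlist of origins that may legitimately ask for a recovery phrase
// (e.g. a wallet's own onboarding page). A real deployment maintains its own list.
const TRUSTED_WALLET_ORIGINS = new Set(['https://wallet.example-vendor.test']);

function fieldText(input) {
  return [input.name, input.id, input.placeholder, input.label, input.ariaLabel]
    .filter(Boolean)
    .join(' ');
}

// Returns { score, verdict, reasons }; verdict is 'allow', 'warn' or 'block'.
function scoreSeedPhraseCapture(page) {
  const reasons = [];
  let score = 0;
  const inputs = page.inputs || [];

  // Exactly 12 or 24 numbered word slots is the classic mimic of a wallet restore form.
  const slots = inputs.filter(
    (i) => WORD_SLOT.test(i.name || '') || WORD_SLOT.test(i.placeholder || '')
  );
  if (slots.length === 12 || slots.length === 24) {
    score += 50;
    reasons.push(`${slots.length} numbered word slots`);
  }

  // A single field or textarea labelled as the phrase itself.
  const phraseFields = inputs.filter((i) => PHRASE_TERMS.test(fieldText(i)));
  if (phraseFields.length > 0) {
    score += 30;
    reasons.push(`${phraseFields.length} field(s) labelled as a seed/recovery phrase`);
  }

  // Visible lure text around the form.
  const text = (page.textSnippets || []).join(' ');
  if (LURE_TEXT.test(text)) {
    score += 15;
    reasons.push('wallet verification/restore lure text');
  }
  if (PHRASE_TERMS.test(text)) {
    score += 10;
    reasons.push('page text mentions a seed/recovery phrase');
  }

  // Asking for a phrase is only expected on the wallet vendor's own origin.
  if (score > 0 && !TRUSTED_WALLET_ORIGINS.has(page.origin)) {
    score += 20;
    reasons.push(`phrase requested on untrusted origin ${page.origin}`);
  }

  const verdict = score >= 70 ? 'block' : score >= 40 ? 'warn' : 'allow';
  return { score, verdict, reasons };
}

// Constructed sample pages for the demo (not real sites).
const LURE_PAGE = {
  origin: 'https://airdrop-claim.example',
  inputs: Array.from({ length: 12 }, (_, n) => ({
    type: 'text', name: `word${n + 1}`, placeholder: `Word ${n + 1}`,
  })),
  textSnippets: ['Verify your wallet to claim the airdrop', 'Enter your 12 word recovery phrase'],
};
const BENIGN_DAPP = {
  origin: 'https://swap.example',
  inputs: [
    { type: 'text', name: 'amount', placeholder: '0.0' },
    { type: 'search', name: 'token', placeholder: 'Search token' },
  ],
  textSnippets: ['Swap tokens', 'Connect wallet'],
};

for (const page of [LURE_PAGE, BENIGN_DAPP]) {
  console.log(page.origin, scoreSeedPhraseCapture(page));
}
```

The weights are illustrative; the point is that the signals are structural (a 12/24-slot form, phrase terminology, urgency text, an origin that has no business asking for a phrase) and do not depend on any indicator of a specific campaign, which matters because the article notes AngelX changes its cloaking per environment.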

MITRE Tactics and Techniques

Initial Access
  • Phishing (T1566): AngelX may begin its attack through phishing campaigns, tricking users into interacting with malicious decentralized applications (dApps) that appear legitimate.
  • Exploitation of Public-Facing Application (T1190): AngelX exploits vulnerabilities in public-facing dApps or blockchain-based applications to gain access to victims’ systems or crypto wallets.

Execution
  • User Execution (T1203): Once the victim interacts with the malicious dApp, AngelX is executed on their device, typically by tricking the user into performing actions such as inputting their seed phrase or private keys.

Persistence
  • Valid Accounts (T1078): AngelX can achieve persistence by stealing private credentials, such as seed phrases, which provide access to users’ crypto wallets for continued exploitation.

Privilege Escalation
  • Exploitation of Vulnerability (T1203): While AngelX primarily focuses on financial gain through draining wallets, there may be an indirect avenue for privilege escalation if the malware exploits vulnerabilities within blockchain wallets or dApps to escalate access.

Credential Access
  • Input Capture (T1056): The malware captures sensitive information like seed phrases and private keys entered by the victim during the malicious dApp interaction.
  • Brute Force (T1110): Although AngelX’s primary attack vector involves seed phrase theft, it may also employ brute-force techniques to guess weak passwords or seed phrases associated with wallets.

Collection
  • Data from Information Repositories (T1213): AngelX collects user credentials, seed phrases, and other sensitive data, which are stored in a command-and-control (CNC) system for later exploitation.

Command and Control (C2)
  • C2 Communication (T1071): AngelX communicates with its CNC server to receive commands, transmit stolen data, and allow attackers to manage and monitor ongoing scams.
  • Application Layer Protocol (T1071.001): The malware might use common web protocols like HTTP/S to communicate with the CNC, which helps it blend in with normal web traffic and evade detection.

Exfiltration
  • Exfiltration Over Command and Control Channel (T1041): Stolen seed phrases, private keys, and other sensitive data are exfiltrated from the victim’s system to the attacker’s control panel through the established C2 communication.

Impact
  • Data Manipulation (T1565): While AngelX primarily focuses on draining funds from victims, the manipulation of transaction data in blockchain applications could be part of the attack’s impact.
  • Inhibit System Recovery (T1490): If the malware allows the attackers to take control of cryptocurrency wallets, it may inhibit recovery by locking users out of their accounts through stolen credentials.
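The Command and Control and Exfiltration entries above (stolen seed phrases sent to the control panel over ordinary HTTP/S) suggest a network-side triage rule that needs no campaign-specific indicator: a wallet recovery phrase should never appear in any outbound request, so a 12/15/18/21/24-word run of short lowercase words in a request body or query string is worth an alert on its own. The code below is an added example for this profile, not code from the original article or from Blockaid. The tab-separated proxy log format, the sample lines and the phrase in them are all constructed; the optional `wordlist` parameter is where a real deployment would pass the BIP-39 word list (not embedded here) to cut false positives from ordinary prose.

```javascript
// Added example (not from the original article or from Blockaid): detect recovery
// phrases leaving the network in outbound requests, over constructed proxy log lines.

// BIP-39 mnemonics are 12, 15, 18, 21 or 24 words long.
const MNEMONIC_LENGTHS = new Set([12, 15, 18, 21, 24]);

// Constructed log format (assumption): TAB-separated
// timestamp, client, method, host, path (with query), raw request body.
// The 12-word phrase below is made up for the demo and is not a real mnemonic.
const SAMPLE_LOG = [
  '2025-02-26T10:00:01Z\t10.0.0.5\tPOST\tcollect.claim-airdrop.test\t/api/verify\tphrase=apple+banana+cherry+damage+eagle+fabric+garden+hammer+island+jacket+kidney+ladder&addr=0x1234abcd',
  '2025-02-26T10:00:02Z\t10.0.0.5\tPOST\tswap.example\t/api/quote\t{"tokenIn":"ETH","amount":"1.5"}',
  '2025-02-26T10:00:03Z\t10.0.0.7\tPOST\tforum.example\t/post\ttext=I+think+this+token+will+go+up+a+lot+this+week+to+be+honest',
  '2025-02-26T10:00:04Z\t10.0.0.7\tGET\tcollect.claim-airdrop.test\t/api/verify?phrase=apple+banana+cherry+damage+eagle+fabric+garden+hammer+island+jacket+kidney+ladder\t',
];

// Form-encoded and URL-encoded data use '+' and %XX for spaces; undo both so the
// words are whitespace-separated. Malformed encodings fall back to the raw text.
function decodeBody(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch {
    return raw;
  }
}

// Maximal runs of whitespace-separated lowercase words; any digit, punctuation or
// uppercase letter ends a run. A run is a candidate when its length is a valid
// mnemonic length, every word is 3..8 letters (true of all BIP-39 words) and, if a
// wordlist is supplied, every word is in it.
function mnemonicRuns(text, wordlist = null) {
  const runs = [];
  for (const segment of text.split(/[^a-z\s]+/)) {
    const words = segment.trim().split(/\s+/).filter(Boolean);
    if (
      MNEMONIC_LENGTHS.has(words.length) &&
      words.every((w) => w.length >= 3 && w.length <= 8) &&
      (!wordlist || words.every((w) => wordlist.has(w)))
    ) {
      runs.push(words);
    }
  }
  return runs;
}

// Scans every request (any method) and reports where a phrase-like run appeared.
// The words themselves are deliberately not copied into the alert: a detection
// pipeline should not become a second place the phrase is stored.
function detectPhraseExfil(lines, wordlist = null) {
  const alerts = [];
  for (const line of lines) {
    const [ts, client, method, host, path, body = ''] = line.split('\t');
    const text = decodeBody(path) + ' ' + decodeBody(body);
    for (const words of mnemonicRuns(text, wordlist)) {
      alerts.push({
        ts,
        client,
        method,
        host,
        path: path.split('?')[0],
        wordCount: words.length,
        rule: 'recovery phrase in outbound request',
      });
    }
  }
  return alerts;
}

for (const alert of detectPhraseExfil(SAMPLE_LOG)) {
  console.log(JSON.stringify(alert));
}
```

Without a wordlist the rule is a triage signal rather than a verdict: a 12-word English sentence of short words would also match, so in production the BIP-39 list check (and the checksum, if the decoder is available) should be applied before paging anyone. Both the POST body and the GET query string are scanned because the page only says the channel is ordinary HTTP/S, not which part of the request carries the data.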