
Nortex (Scam Campaign) – Malware

March 1, 2025

Nortex

Type of Malware

Scam

Date of Initial Activity

2024

Additional Names

NightVerse

Associated Groups

Marko Polo

Motivation

Financial Gain

Attack Vectors

Phishing
Web Browsing

Targeted Systems

Windows

Overview

The Nortex MP4 campaign, attributed to the cybercriminal group Marko Polo (MP4), is an emerging and sophisticated operation that exploits social engineering tactics to distribute malicious software under the guise of a legitimate Web3 application. Claiming to be an all-in-one decentralized platform designed for Web3 enthusiasts, Nortex is marketed as a messaging service, productivity software, and social network. In reality, the application serves as a front for malware distribution, with no real functionality to back its promises. Instead, it aims to deceive users into downloading harmful software that compromises their systems. At the heart of the Nortex scam lies a carefully orchestrated process that begins with fake advertisements on various platforms, including social media, enticing victims to download the Nortex client. Once the victim installs the software, it downloads and executes different forms of malware, depending on the victim’s operating system. Windows OS users receive HijackLoader and Stealc, malware that is designed to steal sensitive information such as login credentials and cryptocurrency wallets. macOS users are targeted with AMOS, another piece of malware linked to previous operations by Marko Polo. These malware variants give cybercriminals remote access to infected machines, allowing them to exfiltrate data and further their malicious activities.

Targets

Individuals' information

How they operate

The first step in the Nortex campaign is social engineering: the attackers use fake advertisements and fraudulent job offers to lure victims to their malicious website, nortexapp.xyz. Once a victim visits the site, they are prompted to download the Nortex client, which masquerades as a legitimate Web3 application. The Windows version of the client is delivered through Dropbox as Nortex.exe, which carries the HijackLoader and Stealc malware. HijackLoader injects additional payloads, while Stealc steals sensitive information, including credentials, banking information, and cryptocurrency wallets.

For macOS users the installation process is similarly deceptive. Visitors to the Nortex website are prompted to download a file named NortexApp.dmg, which contains the AMOS malware. AMOS gives the attackers remote access to the infected machine, enabling them to exfiltrate data and maintain persistence on the compromised system. It also communicates with a Marko Polo command-and-control (C2) server, through which the attackers issue commands and control infected machines remotely.

The campaign's reliance on cloud-based hosting services, Dropbox for Windows malware delivery and Cloudflare for domain hosting, is a key component of its success. Because these services are widely used for legitimate purposes, the malicious activity is harder to detect. The malware configuration files are fetched from separate domains associated with Marko Polo: showpiecekennelmating.com for the Windows client and allieat.com for the macOS version. Cloudflare's infrastructure lets the campaign scale easily and evade traditional security tooling, and the constantly changing IP addresses and domains further complicate efforts to shut the operation down.

Moreover, the Marko Polo group has shown remarkable adaptability by shifting infrastructure whenever previous domains or IP addresses are flagged. For example, the macOS version of Nortex has moved between several domains, such as ask-ashika.com, punitrai.com, and rafaelsuarezlopez.com. This active infrastructure pivoting reflects the group's effort to avoid long-term tracking and detection. The use of multi-part encoding in C2 communication and the presence of build IDs, such as night20, suggest that the attackers are continuously refining their operations to make the malware more resilient and harder to trace.

Overall, the technical operation of the Nortex MP4 campaign showcases the increasing sophistication of modern cybercriminal groups. By exploiting the trust placed in cloud-based services, employing advanced social engineering, and using flexible infrastructure, Marko Polo delivers malware to unsuspecting users while evading detection. Understanding these details is essential to defending against this and similar threats as the cybercrime landscape grows more complex.
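As an added example (not code from the original page or the cited report), the Python below matches constructed proxy-log lines against the Nortex domains and file names named above. It assumes a simple "timestamp client-ip method url status" log format, and flags a download of Nortex.exe or NortexApp.dmg from any host, since the write-up notes the Windows client is served via Dropbox rather than from the lure site itself.

```python
import re
from urllib.parse import urlsplit

# Domains and file names named in the write-up above: the lure site, the
# config-hosting domains and the domains the macOS build has rotated through.
NORTEX_DOMAINS = {
    "nortexapp.xyz", "showpiecekennelmating.com", "allieat.com",
    "ask-ashika.com", "punitrai.com", "rafaelsuarezlopez.com",
}
NORTEX_FILENAMES = {"nortex.exe", "nortexapp.dmg"}

# Assumed proxy-log format: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def host_matches(host):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in NORTEX_DOMAINS)

def classify(line):
    """Return (client_ip, reason) for a suspicious log line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host_matches(host):
        return client, "contact with Nortex infrastructure " + host
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in NORTEX_FILENAMES:
        # The Windows client is served from Dropbox, so the file name is
        # flagged from any host, not only from the lure site itself.
        return client, "download of Nortex lure file " + name + " from " + host
    return None

def scan(lines):
    """Collect (client_ip, reason) hits across all log lines."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "2025-03-01T10:00:01Z 10.0.0.5 GET https://www.example.org/index.html 200",
    "2025-03-01T10:02:13Z 10.0.0.5 GET https://nortexapp.xyz/download 200",
    "2025-03-01T10:02:40Z 10.0.0.5 GET https://dl.dropboxusercontent.com/s/abc/Nortex.exe 200",
    "2025-03-01T10:05:09Z 10.0.0.7 POST https://cdn.allieat.com/config 200",
    "2025-03-01T10:06:00Z 10.0.0.9 GET https://example.com/NortexApp.dmg 404",
]
```

Running scan(SAMPLE_LOG) returns four hits, including the Dropbox-hosted Nortex.exe download and the subdomain of allieat.com; the first benign line produces none.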
References:
  • “Marko Polo” Navigates Uncharted Waters With Infostealer Empire
Tags: AMOS, Attackers, HijackLoader, Malware, Marko Polo, NightVerse, Nortex, Scams, Social Engineering, Stealc, Web3