Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control of victims’ devices.
The website “pokemon-go[.]io,” which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.
Considering the popularity of both Pokemon and NFTs, it shouldn’t be hard for the operators of the malicious portal to draw an audience to the site through malspam, social media posts, etc.
Those who click on the “Play on PC” button download an executable that looks like a legitimate game installer but, in reality, installs the NetSupport remote access tool (RAT) on the victim’s system.
The operation was uncovered by analysts at ASEC, who report there was also a second site used in the campaign, at “beta-pokemoncards[.]io,” but it has since been taken offline.
This campaign’s first signs of activity appeared in December 2022, while earlier samples retrieved from VirusTotal showed that the same operators pushed a fake Visual Studio file instead of the Pokemon game.