The PoisonSeed campaign targets enterprise organizations and individuals, using compromised CRM and bulk-email provider accounts to distribute spam. The spam messages contain cryptocurrency seed phrases designed to trick recipients into importing them into new wallets, allowing attackers to hijack digital funds. Major crypto companies like Coinbase and Ledger, as well as email providers such as Mailchimp, SendGrid, and Zoho, are specifically targeted. The attackers use phishing pages that mimic these trusted services to steal login credentials, then generate API keys on the compromised accounts so that their access persists even after the password is reset.
Once the attackers gain access to CRM accounts, they automate the export of mailing lists. These lists are then used to send targeted spam to high-value victims, with embedded seed phrases for cryptocurrency wallets. The goal is to deceive recipients into setting up a wallet from the provided seed phrase: because the attackers already hold that phrase, they control every key derived from it and can drain any funds the victim moves into the wallet. The campaign also leverages phishing kits and domains previously linked to threat groups like Scattered Spider and CryptoChameleon, though the techniques used in PoisonSeed are distinct from those of the other groups.
Compromised CRM and email-provider accounts give PoisonSeed both a trusted sender and a ready-made list of valuable targets. The actors harvest credentials with convincing fake login pages for well-known services, then secure persistence by generating API keys, which keep working even after the original password is changed. From the hijacked accounts they send spam promoting fraudulent crypto wallets, the ones seeded from the attacker-supplied phrase, leading ultimately to the theft of digital assets.
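The persistence point above (a password reset does not revoke API keys an attacker minted while inside the account) is the one a responder most often misses. The following is an added example, not code from the PoisonSeed reporting or from any provider's SDK: a key-audit routine run over a constructed key export. The record fields, the timestamps, the trusted network range and the sample keys are all assumptions; real providers expose different field names, so map their export onto the `ApiKey` record before use.

```python
"""Audit the API keys on a CRM or bulk-email account after a credential phish.

Added illustration only: this is not code from the PoisonSeed write-up or
from any provider's SDK. The key records, timestamps and trusted network
range are constructed for the example; map a real provider's export onto
ApiKey before running it against your own account.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional
import ipaddress

UTC = timezone.utc


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    label: str
    created_at: datetime
    created_by: str               # account that minted the key
    last_used_ip: Optional[str]   # None if the key has never been used


# Constructed sample export: three keys on one compromised account.
SAMPLE_KEYS = [
    ApiKey("k-001", "marketing-sync", datetime(2024, 11, 5, 8, 0, tzinfo=UTC),
           "ops@example.com", "10.20.1.7"),
    ApiKey("k-002", "backup", datetime(2025, 4, 1, 9, 40, tzinfo=UTC),
           "ops@example.com", "203.0.113.45"),
    ApiKey("k-003", "export", datetime(2025, 4, 3, 15, 10, tzinfo=UTC),
           "ops@example.com", None),
]

# Constructed timeline: the phished login and the later password reset.
PHISH_LOGIN_AT = datetime(2025, 4, 1, 9, 12, tzinfo=UTC)
PASSWORD_RESET_AT = datetime(2025, 4, 3, 14, 0, tzinfo=UTC)

# Assumed: the organisation's own integrations only call the API from here.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _from_trusted_net(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def flag_keys(keys: List[ApiKey], phish_login_at: datetime,
              password_reset_at: datetime, trusted_nets) -> Dict[str, List[str]]:
    """Return {key_id: [reasons]} for every key that should be revoked.

    A password reset invalidates sessions and the password, not API keys,
    so every key on the account is examined regardless of the reset:
      1. created at or after the phished login -> attacker-minted until
         proven otherwise; if it also post-dates the reset, the reset did
         not evict the attacker;
      2. last used from outside the trusted networks -> treated as
         exfiltrated, whatever its age.
    """
    findings: Dict[str, List[str]] = {}
    for key in keys:
        reasons = []
        if key.created_at >= phish_login_at:
            reasons.append("created after phished login")
            if key.created_at >= password_reset_at:
                reasons.append("created after the password reset: "
                               "the reset did not evict the attacker")
        if key.last_used_ip is not None and not _from_trusted_net(key.last_used_ip, trusted_nets):
            reasons.append(f"last used from untrusted address {key.last_used_ip}")
        if reasons:
            findings[key.key_id] = reasons
    return findings


if __name__ == "__main__":
    for key_id, reasons in flag_keys(SAMPLE_KEYS, PHISH_LOGIN_AT,
                                     PASSWORD_RESET_AT, TRUSTED_NETS).items():
        print(f"revoke {key_id}: {'; '.join(reasons)}")
```

On the constructed data the routine keeps only the old key used from the internal range and flags the two minted after the phished login; the one created after the reset is the signal that rotating the password alone did not end the intrusion. The practical follow-up is to revoke every flagged key and rotate the rest, since a key last used from an internal address may still have been copied.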
In a separate incident, a Russian-speaking group has been observed using phishing pages to distribute malware capable of remotely controlling Windows hosts. The pages are hosted on Cloudflare's platforms and use DMCA takedown notice lures to convince victims to download malicious files. Once executed, the malware contacts a Telegram bot to report the victim's IP address, then checks in to a Pyramid C2 server, giving the attacker remote monitoring and control of the infected host.
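The Telegram check-in is the most network-visible step in that chain, because it goes to a fixed public endpoint. The following is an added example, not code from the report on this campaign: a hunt over constructed web-proxy lines for Bot API requests of the documented form `https://api.telegram.org/bot<token>/<method>`. The proxy log format, the sample lines, the client addresses and the bot token are all constructed; the token is matched but never stored, so findings do not carry a usable secret.

```python
"""Hunt for Telegram Bot API beacons in web-proxy logs.

Added illustration only, not code from the report on this campaign. The
proxy lines are constructed. The URL shape
https://api.telegram.org/bot<token>/<method> is Telegram's documented Bot
API form; the token is dropped from every finding so that alerts do not
carry a usable secret.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

# bot<numeric id>:<secret>/<method>; the secret is matched but never stored.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Constructed proxy format: timestamp client verb url user-agent...
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>\S+) (?P<url>\S+) (?P<ua>.*)$")


class Beacon(NamedTuple):
    ts: str
    client: str
    bot_id: str
    method: str
    user_agent: str


# Constructed sample: one benign Telegram Web session, one host talking to
# the Bot API with a scripting user agent, one unrelated request.
SAMPLE_LOG = """\
2025-04-03T10:01:02Z 10.20.1.7 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0)
2025-04-03T10:02:11Z 10.20.1.44 POST https://api.telegram.org/bot123456789:AAexample-token-not-real_001/sendMessage python-requests/2.31.0
2025-04-03T10:02:40Z 10.20.1.44 GET https://api.telegram.org/bot123456789:AAexample-token-not-real_001/getUpdates python-requests/2.31.0
2025-04-03T10:03:05Z 10.20.1.9 GET https://example.com/ Mozilla/5.0 (Windows NT 10.0)
"""


def find_beacons(log_text: str, allowed_clients: Iterable[str] = ()) -> List[Beacon]:
    """Return one Beacon per Bot API request from a client not on the allowlist.

    Hosts that legitimately run Telegram bot automation go in
    allowed_clients; everything else calling api.telegram.org/bot... from
    inside the network is reported, whatever user agent it sends.
    """
    allowed = set(allowed_clients)
    beacons: List[Beacon] = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue          # skip lines in an unexpected format
        hit = BOT_API_RE.search(line["url"])
        if not hit or line["client"] in allowed:
            continue
        beacons.append(Beacon(line["ts"], line["client"], hit["bot_id"],
                              hit["method"], line["ua"]))
    return beacons


def summarize(beacons: Iterable[Beacon]) -> Dict[Tuple[str, str], List[str]]:
    """Group findings by (client, bot id) with the sorted set of methods seen.

    The malware described on this page only needs sendMessage to report the
    victim's address; a host that also issues getUpdates is polling the bot
    for input, which is a broader pattern than the page's sample shows.
    """
    grouped: Dict[Tuple[str, str], Set[str]] = {}
    for b in beacons:
        grouped.setdefault((b.client, b.bot_id), set()).add(b.method)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for (client, bot_id), methods in summarize(found).items():
        print(f"{client} -> bot {bot_id}: {', '.join(methods)}")
```

The ordinary Telegram Web session is left alone because it never touches the Bot API path, while both requests from the scripted host are grouped under one bot id. Keying the allowlist on client address rather than user agent is deliberate: an implant can send any user agent it likes, but it cannot choose which internal host the proxy sees it coming from.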