A new malware campaign is targeting cryptocurrency enthusiasts on Reddit by distributing fake “cracked” versions of the TradingView platform. The attackers are leveraging two types of malicious data stealers: AMOS for macOS and Lumma Stealer for Windows. These malware variants are shared through seemingly helpful posts on cryptocurrency trading subreddits, offering free lifetime access to premium TradingView features. The malicious links lead to a compromised website masquerading as a legitimate source, not a common file-sharing platform.
The threat actors are using social engineering tactics to trick users.
They engage with the Reddit community by responding to questions and offering advice to bypass security warnings. To avoid detection, the malware is distributed in password-protected zip files with the password “github,” a tactic intended to bypass security scanners. Once downloaded, the files unleash malware on the victim’s system, stealing sensitive data and credentials, and compromising cryptocurrency wallets.
The macOS version of the malware, AMOS (Atomic Stealer), features anti-VM detection capabilities, making it harder to analyze.
It detects virtual machine environments and can exit the process if such environments are found. For Windows users, the malware is distributed as an obfuscated batch file, which runs an AutoIt script to install Lumma Stealer. The Lumma variant communicates with a recently registered domain attributed to Russia, making it harder to trace and shut down.
Victims of these attacks have reported emptying cryptocurrency wallets and subsequent account takeovers. Attackers impersonate victims to spread phishing links to their contacts, resulting in a chain of further compromises. Researchers warn cryptocurrency traders to be highly cautious when downloading trading tools from unofficial sources or when offered free premium software, especially if security measures are advised to be bypassed.