Phishing campaign impersonates Eternl Desktop
A polished phishing campaign is actively targeting Cardano users by distributing a fake Eternl Desktop installer from a newly registered look-alike domain. Threat hunter Anurag found the malicious package hosted at download.eternldesktop.network; the lure claims to deliver the official wallet software together with staking rewards in NIGHT and ATMA tokens through the Diffusion Staking Basket program.
How the scam gains trust
The emails use professional language, flawless grammar, and ecosystem-specific messaging about governance and staking to appear legitimate. They mimic official Eternl announcements, referencing hardware wallet compatibility, local key control, and advanced delegation features to convince recipients to download the installer.
Technical analysis: malicious MSI and remote access tool
Analysis shows the download is a 23.3 MB file named Eternl.msi. The MSI drops an executable, unattended-updater.exe, under the Program Files directory, where it establishes persistence. The installer also writes several configuration files (unattended.json, logger.json, mandatory.json and pc.json); unattended.json is configured for unattended access, meaning the operator can connect and control the machine without any prompt or consent from the user.
LogMeIn / GoTo Resolve abused as RAT
Researchers found that the bundled component is built on LogMeIn Resolve (GoTo Resolve) infrastructure. The agent enrolls with the remote management servers using hardcoded API credentials and reports system event data in JSON. Once enrolled, the attacker has a fully featured remote access tool: long-term persistence, remote command execution, credential harvesting, and the ability to exfiltrate wallet data and private keys. Because the component is a legitimate, vendor-signed remote management agent rather than custom malware, antivirus and application-control products will typically not flag it on their own; detection depends on context, such as the unexpected installer, the unattended-access configuration, and outbound connections to the vendor's infrastructure from machines that have no business making them.

Supply-chain abuse and security implications
Security teams classify this behavior as critical. By packaging a commercial remote management tool inside what looks like a trusted wallet installer, the attackers get the reach of a supply-chain attack without compromising anything upstream: the analysis describes a look-alike domain and a counterfeit installer, not a compromise of Eternl's own release channel. Cardano holders who install software from unverified sources risk exposing private keys and losing custody of their funds.
Indicators and technical details
- Malicious domain: download.eternldesktop.network (newly registered)
- File: Eternl.msi (23.3 MB)
- Dropped executable: unattended-updater.exe
- Configuration files: unattended.json, logger.json, mandatory.json, pc.json
- Remote management: LogMeIn Resolve / GoTo Resolve
Mitigation: how Cardano users and developers should respond
Users should download wallet software only from official channels: the project website, verified GitHub releases, or trusted app stores. Verify the code-signing signature on the installer and compare its hash with the one published alongside the release, and be suspicious of any installer hosted on a recently created domain. Hardware wallets and local key management remain the safest way to protect private keys. If you received a suspicious email, do not click its links or run the downloaded installer; instead, verify the announcement through the official Eternl channels and report the message to your security team.
Final recommendations
Given the campaign's social-engineering hook, the promise of NIGHT and ATMA token rewards, Cardano community members should treat unsolicited staking or governance offers with skepticism. Organizations should inventory the remote management tools they have actually authorized, alert on connections to GoTo Resolve infrastructure from endpoints that are not part of that inventory, look for the dropped files listed above, and educate users on phishing and supply-chain attack vectors.
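The following script is an added example, not code from the article or from Eternl, showing how a SOC could turn the indicators listed above and the monitoring advice in this section into a small triage check. It scans constructed proxy-log lines and a constructed file listing for the reported domain, the dropped artifacts, and connections to remote-management infrastructure from hosts that are not on an allow-list. The key=value log format and the GoTo/LogMeIn hostname suffixes are assumptions for illustration; confirm the vendor's real endpoint list before relying on them.

```python
"""Triage check for the fake Eternl Desktop installer campaign (added example).

Matches proxy-log lines and file paths against the indicators reported in the
article, and flags remote-management (RMM) traffic from unexpected hosts.
"""
import os
import re
from collections import Counter

# Indicators reported in the article.
MALICIOUS_DOMAINS = {"download.eternldesktop.network"}
DROPPED_NAMES = {
    "unattended-updater.exe",
    "unattended.json", "logger.json", "mandatory.json", "pc.json",
}
INSTALLER_NAME = "eternl.msi"

# ASSUMPTION: hostname suffixes for GoTo Resolve / LogMeIn infrastructure.
# Replace with the vendor's published endpoint list before deploying.
RMM_SUFFIXES = (".goto.com", ".logmein.com")

# ASSUMPTION: a simple key=value proxy-log format used only for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")


def classify_destination(dst):
    """Label a destination hostname: 'malicious-domain', 'rmm', or None."""
    d = dst.lower().rstrip(".")
    if d in MALICIOUS_DOMAINS:
        return "malicious-domain"
    if d.endswith(RMM_SUFFIXES):
        return "rmm"
    return None


def scan_proxy_log(lines, authorized_rmm_sources=frozenset()):
    """Return findings for malicious domains and RMM traffic from unexpected hosts.

    RMM connections from hosts in authorized_rmm_sources (e.g. help-desk
    machines that legitimately run GoTo Resolve) are not reported.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        label = classify_destination(m["dst"])
        if label == "rmm":
            if m["host"] in authorized_rmm_sources:
                continue
            label = "unexpected-rmm"
        if label:
            findings.append({"ts": m["ts"], "host": m["host"],
                             "dst": m["dst"], "label": label})
    return findings


def scan_paths(paths):
    """Flag file paths whose basename matches a dropped artifact or the installer."""
    findings = []
    for p in paths:
        name = os.path.basename(p.replace("\\", "/")).lower()
        if name in DROPPED_NAMES:
            findings.append({"path": p, "label": "dropped-artifact",
                             "program_files": "program files" in p.lower()})
        elif name == INSTALLER_NAME:
            findings.append({"path": p, "label": "installer-name-match",
                             "program_files": False})
    return findings


def triage(log_lines, paths, authorized_rmm_sources=frozenset()):
    """Combine network and disk findings into a report with an overall severity."""
    net = scan_proxy_log(log_lines, authorized_rmm_sources)
    disk = scan_paths(paths)
    confirmed = (any(f["label"] == "malicious-domain" for f in net)
                 or any(f["label"] == "dropped-artifact" for f in disk))
    severity = "critical" if confirmed else ("high" if (net or disk) else "none")
    return {"network": net, "disk": disk,
            "hosts_by_findings": dict(Counter(f["host"] for f in net)),
            "severity": severity}


# Constructed sample data for illustration only (not real logs).
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z host=WS-17 dst=download.eternldesktop.network",
    "2024-05-02T09:16:40Z host=WS-17 dst=app.goto.com",        # assumed RMM host
    "2024-05-02T09:20:11Z host=WS-22 dst=github.com",
    "2024-05-02T09:21:55Z host=HELPDESK-01 dst=app.goto.com",  # authorized source
    "garbage line",
]
SAMPLE_PATHS = [
    r"C:\Program Files\Eternl\unattended-updater.exe",
    r"C:\Program Files\Eternl\unattended.json",
    r"C:\Users\alice\Downloads\Eternl.msi",
    r"C:\Users\alice\Downloads\notes.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_PATHS, frozenset({"HELPDESK-01"}))
    print("severity:", report["severity"])
    for f in report["network"] + report["disk"]:
        print(f)
```

Feed real proxy or DNS logs and an endpoint file inventory (for example from an EDR query) in place of the constructed samples, and populate the authorized-source set from your RMM inventory so that legitimate help-desk use of GoTo Resolve does not drown the alert.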
Source: crypto