A threat actor known as Markopolo has been identified as the mastermind behind a large-scale cross-platform Crypto Scam that utilizes information-stealing malware to target digital currency users on social media and steal cryptocurrency.

You might be interested in: What to do when you get a phishing email?

According to research published this week by Recorded Future’s Insikt Group, the attack chains use Vortax (and 23 other apps) as a conduit to distribute Rhadamanthys, StealC, and Atomic macOS Stealer (AMOS).

“This campaign, primarily targeting cryptocurrency users for Crypto Scam, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications,” the cybersecurity company observed, describing Markopolo as “agile, adaptable, and versatile.”

Evidence links the Vortax effort to previous activities that used phishing techniques to target macOS and Windows users with Web3 gaming lures.

A key component of the operation is the actors’ attempt to legitimize Vortax on social media and the internet, including a dedicated Medium site filled with suspected AI-generated content and a verified account on X (formerly Twitter) bearing a gold checkmark.

To download the booby-trapped application, victims of this Crypto Scam must submit a RoomID, a unique identifier for a meeting invitation distributed via Vortax account replies, direct messages, and cryptocurrency-related Discord and Telegram channels.

When a user inputs the required RoomID on the Vortax website, they are routed to a Dropbox link or an external website that launches an installer for the software, resulting in the deployment of the stealer malware.

“The threat actor that operates this campaign, identified as Markopolo, leverages shared hosting and C2 infrastructure for all the builds,” stated Recorded Future.

“This suggests that the threat actor relies on convenience to enable an agile campaign, quickly abandoning Crypto Scam once they are detected or producing diminishing returns, and pivoting to new lures.”

The findings demonstrate that the persistent threat of infostealer malware should not be underestimated, particularly in light of the recent effort targeting Snowflake.

This news comes after Enea uncovered SMS fraudsters’ use of cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage to deceive consumers into clicking on fake links that lead to phishing landing pages that steal client information.

“Cybercriminals have now found a way to exploit the facility provided by cloud storage to host static websites (typically .HTML files) containing embedded spam URLs in their source code,” stated Manoj Kumar, a security researcher.

“The URL linking to the cloud storage is sent via text messages that appear authentic and hence can circumvent firewall limitations. When mobile users click on these links, which include well-known cloud platform names, they are taken to the static webpage stored in the storage bucket.”

In the final stage, the website automatically leads viewers to embedded spam URLs or dynamically produced URLs using JavaScript, tricking them into disclosing personal and financial information.

“Since the main domain of the URL contains, for example, the genuine Google Cloud Storage URL/domain, it is challenging to catch it through normal URL scanning,” Kumar stated. “Detecting and blocking URLs of this nature presents an ongoing challenge due to their association with legitimate domains belonging to reputable or prominent companies.”