New Web3 Phishing Scam Uses Fake AI Platforms to Steal Credentials
gbhackers
The threat actor group LARVA-208, notorious for phishing attacks and social engineering against English-speaking IT staff, has pivoted to targeting Web3 developers.
Employing spearphishing links (T1566.002), the group lures victims with fabricated job offers or portfolio review requests, directing them to counterfeit AI workspace platforms.
These deceptive sites, such as the domain norlax.ai (T1583.001), mimic legitimate services like Teampilot.ai to build credibility.

Phishing Targets Web3 Developers
Once engaged, victims receive unique invitation codes and emails, leading to simulated meeting environments where audio issues prompt the download of malware disguised as a Realtek HD Audio Driver (T1036.005).
Execution of this malicious file triggers an embedded PowerShell command (T1059.001) that connects to command-and-control (C2) servers (T1583.004), retrieving and deploying the Fickle infostealer.
This malware systematically exfiltrates sensitive data, including device names, hardware specifications, OS versions, geolocation via IP ...
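The chain described above (a file posing as a Realtek HD Audio Driver that launches PowerShell) can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from any vendor. It assumes events shaped like Sysmon Event ID 1 records; the file name, paths, GUIDs and command lines are constructed samples, and the path heuristic is an assumption to tune per environment.

```python
import ntpath

# Field names follow Sysmon Event ID 1 (process creation); all values are constructed samples.
SAMPLE_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe",
     "Description": "Realtek HD Audio Manager", "CommandLine": "RAVCpl64.exe -s"},
    {"ProcessGuid": "{B2}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Users\dev\Downloads\RealtekHDAudioDriver.exe",
     "Description": "Realtek HD Audio Driver", "CommandLine": "RealtekHDAudioDriver.exe"},
    {"ProcessGuid": "{B3}", "ParentProcessGuid": "{B2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Description": "Windows PowerShell", "CommandLine": "powershell.exe -Command <constructed>"},
    {"ProcessGuid": "{C4}", "ParentProcessGuid": "{E0}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Description": "Windows PowerShell", "CommandLine": "powershell.exe"},
]

# Assumption: vendor audio software runs from Program Files or the Windows directory,
# so a "Realtek audio" binary under these paths is treated as masquerading (T1036.005).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def claims_realtek_audio(ev):
    """True when the file name or version-info description presents as Realtek audio."""
    text = (ntpath.basename(ev["Image"]) + " " + ev.get("Description", "")).lower()
    return "realtek" in text and "audio" in text

def is_masquerade(ev):
    """A Realtek-audio claim combined with a user-writable launch path."""
    path = ev["Image"].lower()
    return claims_realtek_audio(ev) and any(m in path for m in USER_WRITABLE)

def find_masquerade_chains(events):
    """Correlate by ProcessGuid: flag PowerShell whose parent is a masquerading binary."""
    suspects = {ev["ProcessGuid"]: ev for ev in events if is_masquerade(ev)}
    alerts = []
    for ev in events:
        parent = suspects.get(ev["ParentProcessGuid"])
        if parent and ntpath.basename(ev["Image"]).lower() in POWERSHELL:
            alerts.append({"parent": parent["Image"], "child": ev["Image"],
                           "command_line": ev["CommandLine"]})
    return alerts

if __name__ == "__main__":
    for alert in find_masquerade_chains(SAMPLE_EVENTS):
        print(alert)
```

Only the PowerShell instance spawned by the binary in the Downloads folder is flagged; the vendor-path process and the PowerShell session with an unrelated parent are not.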
Copyright of this story solely belongs to gbhackers.