Threat actors used AI to create fake companies and websites to distribute the Realst info stealer malware disguised as video conferencing software, targeting Web3 workers and stealing cryptocurrency and personal data.
Cado Security Labs identified a sophisticated scam campaign active for approximately four months that uses AI-generated content to create fake companies and websites distributing the Realst info stealer malware. The threat actors created fake companies under various names including Meetio, Clusee, Cuesee, Meeten, Meetone, and others, using AI to generate website content, blogs, and social media accounts to appear legitimate. The scammers targeted Web3 workers by impersonating known contacts on Telegram and directing victims to download malicious video conferencing software from fake company websites. The malware has both macOS and Windows variants and steals sensitive information including Telegram credentials, banking card details, browser data, and cryptocurrency wallet information from Ledger, Trezor, Phantom, and Binance wallets. The websites also contain JavaScript that steals cryptocurrency stored in web browsers before any malware installation. Once installed, the malware creates folders to store stolen data, compresses it into zip files, and exfiltrates the information to remote servers at IP addresses 139.162.179.170:8080 and 172.104.133.212. The campaign demonstrates how AI enables threat actors to quickly create realistic content that adds legitimacy to scams and makes suspicious websites more difficult to detect.
Domain classification, causal taxonomy, severity scores, and national security assessments were LLM-classified and may contain errors.
Using AI systems to gain a personal advantage over others such as through cheating, fraud, scams, blackmail or targeted manipulation of beliefs or behavior. Examples include AI-facilitated plagiarism for research or education, impersonating a trusted or fake individual for illegitimate financial benefit, or creating humiliating or sexual imagery.
Human: Due to a decision or action made by humans
Intentional: Due to an expected outcome from pursuing a goal
Post-deployment: Occurring after the AI model has been trained and deployed