A phishing campaign targeting Cardano (ADA) users has been circulating since late December, distributing malware disguised as the Eternl wallet's desktop application.
Security researchers identified the attack after analyzing professionally crafted emails titled "Eternl Desktop Is Live - Secure Execution for Atrium & Diffusion Participants."
The fraudulent messages reference legitimate Cardano ecosystem terms including NIGHT and ATMA token rewards through the Diffusion Staking Basket program.
Attackers use the unverified domain download.eternldesktop.network to distribute the malicious installer.
What Happened
Independent threat hunter Anurag analyzed the 23.3-megabyte Eternl.msi file and discovered it contains LogMeIn GoTo Resolve remote management software.
The installer drops an executable called unattended-updater.exe that creates configuration files enabling remote access without user interaction.
The malware establishes connections to legitimate GoTo Resolve infrastructure, allowing attackers to execute commands and monitor victim systems.
Network analysis showed the software sends information to attackers in JSON format through remote servers.
The emails contain no spelling errors and use polished professional language, making them difficult to distinguish from legitimate communications.
No digital signature or checksum verification accompanies the installer, preventing users from validating authenticity before installation.
Read also: Crypto Phishing Losses Fall 83% To $84 Million In 2025 Despite Active Drainer Ecosystem
Why It Matters
The campaign represents a supply chain abuse attempt aimed at establishing persistent unauthorized access to Cardano users' systems.
Remote management tools allow attackers to drain cryptocurrency wallets and steal credentials once installed on victim machines.
The attack demonstrates how threat actors exploit legitimate administrative software to bypass antivirus detection.
Security researchers emphasized that users should only download wallet applications from official Eternl communication channels.
The newly registered domain and lack of official announcements from Eternl served as key warning signs that went unnoticed by some users.
Similar phishing campaigns have previously targeted cryptocurrency users through fake software updates and fraudulent wallet applications.
Read also: Bitcoin Dips Below $90K As Trump Claims Maduro Captured In Venezuela Strike
