[{"data":1,"prerenderedAt":134},["ShallowReactive",2],{"article-slug-needle-stealer-malware-distributed-via-fake-trading-tool-website":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":41,"mitre_techniques":42,"mitre_mitigations":59,"d3fend_countermeasures":83,"iocs":89,"cyber_observables":105,"tags":121,"extract_datetime":124,"article_type":125,"impact_scope":126,"pub_date":34,"reading_time_minutes":133,"createdAt":124,"updatedAt":124},"f684a582-0d2d-45e8-89d7-4e1fae386392","needle-stealer-malware-distributed-via-fake-trading-tool-website","Fake 'TradingClaw' Website Spreads 'Needle Stealer' Malware","Fake 'TradingClaw' AI Trading Tool Website Used as Lure to Distribute 'Needle Stealer' Malware","A malware campaign is using a sophisticated lure—a fake website for an AI trading tool called 'TradingClaw'—to distribute 'Needle Stealer,' a potent info-stealing malware. The malware aims to harvest sensitive data from victims, including browser data, login sessions, and cryptocurrency wallets. The campaign uses DLL hijacking for evasion and a C2 panel with features planned for more advanced phishing, indicating an evolving threat to users in the financial trading and crypto spaces.","## Executive Summary\n\nResearchers from **[Malwarebytes](https://www.malwarebytes.com/)** have identified a malware campaign distributing an info-stealer known as **Needle Stealer**. The campaign uses a fake website, `tradingclaw[.]pro`, which promotes a non-existent AI-powered trading tool called \"TradingClaw.\" Victims interested in financial trading tools are lured into downloading a ZIP file that contains the malware. **Needle Stealer** is designed to exfiltrate a wide range of sensitive information, with a focus on browser data, active login sessions, and cryptocurrency wallets. The campaign employs techniques like DLL hijacking to evade detection and appears to be part of a broader operation, with the same stealer being distributed by other malware loaders like **Amadey** and **GCleaner**.\n\n## Threat Overview\n\nThe campaign targets individuals interested in cryptocurrency and financial trading, a demographic likely to have valuable digital assets. The `tradingclaw[.]pro` website acts as the initial lure, using social engineering to convince users to download and execute the malicious payload. The website exhibits evasive behavior, sometimes redirecting users to different sites to avoid analysis.\n\nOnce executed, **Needle Stealer** begins harvesting data from the infected device. Its primary targets are:\n\n*   **Browser Data**: Cookies, saved passwords, and browsing history from popular web browsers.\n*   **Login Sessions**: Hijacking active sessions to gain access to online accounts without needing credentials.\n*   **Cryptocurrency Wallets**: Searching for wallet files and browser extensions related to cryptocurrency.\n\nThe stolen data is exfiltrated to a command-and-control (C2) server. The C2 panel includes functionality to generate fake login pages, suggesting the attackers plan to use the stolen data for further, more targeted phishing attacks.\n\n## Technical Analysis\n\nThe infection chain demonstrates several evasion techniques:\n\n1.  **Social Engineering Lure**: A professionally designed website promoting a fake but plausible tool ([`T1204.001 - Malicious Link`](https://attack.mitre.org/techniques/T1204/001/)).\n2.  **Payload Delivery**: The malware is delivered as a ZIP file, a common method to bypass email gateways.\n3.  **DLL Hijacking**: The initial executable uses DLL hijacking ([`T1574.001 - DLL Search Order Hijacking`](https://attack.mitre.org/techniques/T1574/001/)) to load the malicious payload. This involves placing a malicious DLL in a location where a legitimate, trusted application will load and execute it, making the activity appear benign.\n4.  **Credential Theft**: The core functionality of the malware is to steal credentials from various sources, particularly web browsers and crypto wallets, mapping to [`T1555 - Credentials from Password Stores`](https://attack.mitre.org/techniques/T1555/) and [`T1552.001 - Credentials In Files`](https://attack.mitre.org/techniques/T1552/001/).\n5.  **Exfiltration**: Stolen data is sent to attacker-controlled C2 servers like `chrocustumapp[.]com` and `google-services[.]cc`.\n\n## Impact Assessment\n\nVictims of **Needle Stealer** face a high risk of significant financial loss and privacy invasion.\n\n*   **Financial Theft**: The theft of cryptocurrency wallet data can lead to the immediate and irreversible loss of funds.\n*   **Account Takeover**: Stolen browser sessions and saved passwords can allow attackers to take over email, social media, and financial accounts.\n*   **Identity Theft**: The combination of stolen data can be used to commit identity fraud.\n*   **Further Attacks**: The victim's compromised accounts can be used to launch attacks against their contacts.\n\n## IOCs — Directly from Articles\n\n| Type | Value | Description |\n| :--- | :--- | :--- |\n| Domain | `tradingclaw[.]pro` | Malicious website used as a lure. |\n| Domain | `chrocustumapp[.]com` | C2 domain. |\n| Domain | `chrocustomreversal[.]com` | C2 domain. |\n| Domain | `google-services[.]cc` | C2 domain. |\n| Domain | `coretest[.]digital` | C2 domain. |\n| Domain | `reisen[.]work` | C2 domain. |\n\n## Cyber Observables — Hunting Hints\n\nSecurity teams can hunt for signs of info-stealer activity:\n\n| Type | Value | Description |\n| :--- | :--- | :--- |\n| Network Traffic Pattern | Outbound connections to known malicious domains/IPs from the IOC list. | Blocking these at the firewall/proxy is a key defense. |\n| Process Activity | An unsigned process making network connections and reading files in browser profile directories. | Stealers need to access local files where browsers store data. |\n| File Monitoring | Creation of temporary ZIP or log files in `C:\\Users\\\u003Cuser>\\AppData\\Local\\Temp`. | Stealers often stage stolen data in a temporary archive before exfiltration. |\n\n## Detection & Response\n\n*   **Detection**: Use endpoint security solutions with behavioral detection to identify processes accessing sensitive browser files. Network monitoring with DNS filtering and web proxy logs can block and detect connections to known malicious C2 domains. D3FEND's [`D3-UA - URL Analysis`](https://d3fend.mitre.org/technique/d3f:URLAnalysis) can be used to block the initial lure website.\n*   **Response**: If an infection is detected, immediately isolate the machine from the network. The user must assume all credentials stored on or entered from that machine are compromised. All passwords should be changed from a clean device, and all active sessions for online accounts should be terminated. If cryptocurrency wallets were present, any remaining funds should be moved to a new, secure wallet immediately.\n\n## Mitigation\n\n1.  **User Education**: Train users to be skeptical of software advertised on social media or untrusted websites. Emphasize the danger of downloading and running executables from unknown sources.\n2.  **Endpoint Security**: Use a reputable endpoint security solution that can detect and block known malware and suspicious behaviors.\n3.  **Attack Surface Reduction**: Use browser settings or extensions to block malicious scripts and ads. Configure Windows to show file extensions by default, so users can distinguish a `.exe` file from a document.\n4.  **Credential Management**: Encourage the use of password managers, which can help mitigate the impact of stolen browser credentials. Use hardware wallets for storing significant amounts of cryptocurrency, as they are not vulnerable to this type of stealer malware.","A fake AI trading tool website, 'TradingClaw', is a trap! 🎣 It's distributing 'Needle Stealer' malware to swipe browser data, login sessions, and crypto wallets. #Malware #InfoStealer #Crypto #CyberSecurity","A malicious website for a fake AI trading tool called 'TradingClaw' is being used to distribute 'Needle Stealer,' an info-stealing malware targeting browser data and cryptocurrency wallets.",[13,14,15],"Malware","Phishing","Data Breach","medium",[18,21,23,25],{"name":19,"type":20},"Needle Stealer","malware",{"name":22,"type":20},"Amadey",{"name":24,"type":20},"GCleaner",{"name":26,"type":27,"url":28},"Malwarebytes","security_organization","https://www.malwarebytes.com/",[],[31,36],{"url":32,"title":33,"date":34,"friendly_name":26,"website":35},"https://www.malwarebytes.com/blog/threat-intelligence/2026/04/malicious-trading-website-drops-malware-that-hands-your-browser-to-attackers","Malicious trading website drops malware that hands your browser to attackers","2026-04-22","malwarebytes.com",{"url":37,"title":38,"date":34,"friendly_name":39,"website":40},"https://www.bleepingcomputer.com/news/security/fake-tradingclaw-site-pushes-needle-stealer-malware/","Fake TradingClaw site pushes Needle Stealer malware to swipe crypto wallets","BleepingComputer","bleepingcomputer.com",[],[43,47,51,55],{"id":44,"name":45,"tactic":46},"T1204.001","Malicious Link","Initial Access",{"id":48,"name":49,"tactic":50},"T1574.001","DLL Search Order Hijacking","Persistence",{"id":52,"name":53,"tactic":54},"T1555","Credentials from Password Stores","Credential Access",{"id":56,"name":57,"tactic":58},"T1041","Exfiltration Over C2 Channel","Exfiltration",[60,65,74],{"id":61,"name":62,"description":63,"domain":64},"M1017","User Training","Educate users about the risks of downloading software from untrusted websites and social media promotions.","enterprise",{"id":66,"name":67,"d3fend_techniques":68,"description":73,"domain":64},"M1049","Antivirus/Antimalware",[69],{"id":70,"name":71,"url":72},"D3-FCR","File Content Rules","https://d3fend.mitre.org/technique/d3f:FileContentRules","Use a modern endpoint security solution that can detect and block known info-stealers and their behaviors.",{"id":75,"name":76,"d3fend_techniques":77,"description":82,"domain":64},"M1037","Filter Network Traffic",[78],{"id":79,"name":80,"url":81},"D3-DNSDL","DNS Denylisting","https://d3fend.mitre.org/technique/d3f:DNSDenylisting","Use DNS filtering or a web proxy to block access to known malicious domains, including the C2 servers used by Needle Stealer.",[84,87],{"technique_id":79,"technique_name":80,"url":81,"recommendation":85,"mitre_mitigation_id":86},"A highly effective and scalable defense against campaigns like the one distributing Needle Stealer is DNS Denylisting, often implemented as DNS filtering. Security teams should subscribe to reputable threat intelligence feeds and ingest the list of known malicious domains (like `tradingclaw[.]pro` and the various C2 domains) into their DNS resolver or web proxy. When a user clicks the malicious link or the malware attempts to contact its C2 server, the DNS request is blocked at the network level, preventing the initial download or the subsequent data exfiltration. This network-based control protects all devices on the network without requiring software on each endpoint and is crucial for breaking the attack chain early.","M1021",{"technique_id":70,"technique_name":71,"url":72,"recommendation":88,"mitre_mitigation_id":66},"To detect the Needle Stealer payload itself, organizations should leverage endpoint security solutions capable of analyzing file content. This goes beyond simple hash-based detection. Security teams can create YARA rules that look for specific strings or code patterns characteristic of Needle Stealer and other info-stealers. For example, a rule could search for the combination of strings related to accessing Chrome's 'Login Data' database, functions for decrypting AES-encrypted credentials, and code for accessing cryptocurrency wallet browser extensions. When a file is downloaded or created, the endpoint agent scans it against these rules. A match would trigger a high-confidence alert and quarantine the file, preventing execution and stopping the threat before any data is stolen.",[90,94,97,99,101,103],{"type":91,"value":92,"description":93},"domain","tradingclaw[.]pro","Lure website",{"type":91,"value":95,"description":96},"chrocustumapp[.]com","C2 server",{"type":91,"value":98,"description":96},"chrocustomreversal[.]com",{"type":91,"value":100,"description":96},"google-services[.]cc",{"type":91,"value":102,"description":96},"coretest[.]digital",{"type":91,"value":104,"description":96},"reisen[.]work",[106,112,116],{"type":107,"value":108,"description":109,"context":110,"confidence":111},"file_path","%APPDATA%\\..\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","Path to Chrome's credential database. Unauthorized process access to this file is a strong indicator of an info-stealer.","File Integrity Monitoring (FIM), EDR","high",{"type":107,"value":113,"description":114,"context":115,"confidence":16},"%APPDATA%\\..\\Local\\Temp","Stealer malware often stages stolen data as a ZIP file in the user's temporary directory before exfiltration.","EDR, File monitoring",{"type":117,"value":118,"description":119,"context":120,"confidence":16},"network_traffic_pattern","HTTP POST requests with ZIP file data","An outbound HTTP POST request containing a file upload, especially from an unrecognized or unsigned process, can be a sign of data exfiltration.","Network proxy logs, DLP systems",[13,122,19,123,14,26],"InfoStealer","Cryptocurrency","2026-04-22T15:00:00.000Z","NewsArticle",{"geographic_scope":127,"industries_affected":128,"other_affected":130},"global",[129],"Finance",[131,132],"Cryptocurrency users","Financial traders",5,1776923402327]