Cardano users are being targeted in a new wallet phishing campaign that poses growing risks across the ecosystem.
Security researchers warn that attackers are exploiting interest in the new Eternal Desktop application to spread malware.
The campaign relies on convincing emails that closely resemble official wallet announcements. These messages encourage users to download malicious software from unverified sources.
Hackers exploit the Eternal Desktop launch
The phishing emails promote a supposed Eternal Desktop wallet for Cardano staking and governance. They promise rewards tied to NIGHT and ATMA tokens to attract attention.
Attackers copied the language and structure of a legitimate Eternal announcement. The message highlights hardware wallet support, local key storage, and advanced delegation tools.
Researchers note the emails contain no obvious spelling or grammar errors. This professional appearance increases the chance that recipients trust the message.
Victims are directed to a newly registered domain that hosts a malicious installer. The site distributes the file without proper verification or digital signatures.
Once installed, the software infects the system and enables unauthorized access. Users often remain unaware that malware is running in the background.
Malware enables persistent remote access
An independent malware analyst identified the installer as a modified MSI package. The file size is 23.3 megabytes and carries a known hash.
The installer drops an executable disguised as an unattended updater. This file matches the name of a legitimate GoTo Resolve component.
During execution, the malware creates folders inside the Program Files directory. It writes configuration files that control logging and remote access behavior.
One configuration enables unattended access without user approval. This feature allows attackers to connect to infected systems at any time.
Network analysis shows the malware contacts infrastructure linked to GoTo Resolve services. These connections establish command channels for monitoring and execution.
Broader pattern of crypto-themed phishing
Researchers say the Cardano phishing campaign reflects a wider trend. Criminals increasingly use trusted crypto brands to distribute malware.
Remote management tools are especially dangerous when abused. They allow attackers to steal credentials and move laterally across systems.
Experts urge users to download wallet software only from official sources. Newly registered domains should be treated with caution.
The campaign mirrors past phishing efforts that targeted Meta advertisers. In those cases, users received emails claiming policy violations.
Those messages redirected victims to fake support pages. Users were pressured to act quickly and enter their login details.
The Cardano campaign shows similar psychological tactics. Urgency, rewards, and familiar branding are used to lower skepticism.
Security teams advise users to verify announcements through official channels. Caution remains essential as phishing methods continue to evolve.
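The advice to install wallet software only from official sources can be checked before an installer is ever run. The PowerShell script below is an added example, not part of the original report or of any wallet project's tooling; the expected hash and publisher name are parameters the user must take from the wallet's official site, and no values from this campaign are embedded.

```powershell
# Added example: pre-install check for a downloaded wallet installer (MSI or EXE).
# ExpectedSha256 and ExpectedPublisher are supplied by the user from the wallet
# project's official site or release notes, never from the email or download page.
param(
    [Parameter(Mandatory)] [string] $Path,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [Parameter(Mandatory)] [string] $ExpectedPublisher
)

$problems = @()

# 1. Hash pinning: the file must match the value the publisher announced.
#    String comparison with -ne is case-insensitive, so hex case does not matter.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.Trim()) {
    $problems += "SHA-256 mismatch: got $actual"
}

# 2. Authenticode: an unsigned or modified installer reports a status other than Valid.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
if ($sig.Status -ne 'Valid') {
    $problems += "Signature status is $($sig.Status)"
}
else {
    # A valid signature alone is not enough: the signer must be the wallet's
    # publisher, not some other vendor whose signed software was repackaged.
    $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($signer -ne $ExpectedPublisher) {
        $problems += "Signed by unexpected publisher: $signer"
    }
}

# 3. Mark of the Web: show the download origin recorded by the browser so it can
#    be compared with the official domain. Absent if the stream was stripped.
$zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    $zone | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' } | Write-Output
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error "Do not install $Path"
    exit 1
}
Write-Output "Hash and signature checks passed for $Path"
```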

