{
	"id": "f98082d5-ed57-45d4-9300-576e64ed3a9b",
	"created_at": "2026-04-06T01:29:00.626949Z",
	"updated_at": "2026-04-10T13:12:18.871452Z",
	"deleted_at": null,
	"sha1_hash": "52e62ec5bc97a9724f24343602474a8c5b5e4fff",
	"title": "CoinLurker: The Stealer Powering the Next Generation of Fake Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2508693,
	"plain_text": "CoinLurker: The Stealer Powering the Next Generation of Fake Updates\r\nBy Nadav Lorber\r\nArchived: 2026-04-06 00:54:17 UTC\r\nThe evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks.\r\nIntroduction\r\nBuilding on the deceptive strategies of SocGholish, ClearFake, ClickFix and FakeCAPTCHA, attackers now combine highly convincing fake update prompts with stealthy payloads like CoinLurker. These campaigns leverage innovative methods, such as EtherHiding and in-memory execution, to bypass traditional security defenses and obscure the malware’s origin.\r\nIn this blog, we examine the evolution of fake update campaigns, the techniques enabling CoinLurker’s success, and actionable strategies for defending against this next-generation threat.\r\nDelivery Tactics and Techniques\r\nFake update campaigns initiate infections through various deceptive entry points that exploit user trust in common actions like:\r\nFake Software Update Notifications\r\nMalicious websites prompt users to download fake updates, disguised as essential software patches. This vector is often observed on compromised WordPress sites, where attackers exploit vulnerabilities to deliver fake update prompts.\r\nMalvertising Redirects\r\nCompromised ads on legitimate sites redirect users to malicious pages, prompting fake updates or CAPTCHA verifications.\r\nPhishing Emails\r\nEmails link to spoofed update or CAPTCHA pages, tricking users into downloading malware disguised as security updates.
\r\nFake CAPTCHA Prompts\r\nhttps://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates\r\nPage 1 of 15\n\nFakeCAPTCHA introduces malicious CAPTCHA prompts that deliver malware instead of verifying users.\r\nDirect Downloads from Fake or Compromised Sites\r\nMalicious actors host fake updates on compromised or deceptive download sites, luring users into installing malware.\r\nSocial Media and Messaging Links\r\nLinks shared on social platforms lead to malicious sites disguised as update or verification pages.\r\nEach of these vectors effectively disguises malware as routine actions, initiating the infection chain with minimal user suspicion.\r\nLeveraging Microsoft Edge Webview2 as a Stager\r\nMicrosoft Edge Webview2 is utilized by the stager to execute the malware, presenting a GUI that mimics legitimate browser update tools. Any interaction with the GUI—clicking buttons or even closing the window—triggers the payload execution.\r\nFigure 1: Fake Browser Update Webview2 GUI\r\nFigure 2: Chrome fake update Webview2 GUI\r\nWebview2’s dependency on pre-installed components and user interaction complicates dynamic and sandbox analysis. Sandboxes often lack Webview2 or fail to replicate user actions, allowing the malware to evade automated detection.\r\nFigure 3: Screenshot of Webview2 installation within Sandbox\r\nThe Obfuscation Chain: Smart Contracts to Trusted Platforms\r\nBinance Smart Contract → Actor-controlled C2 → Bitbucket Repository\r\nFake update campaigns like those deploying CoinLurker have adopted advanced techniques to evade detection, including EtherHiding, which leverages Web3 infrastructure to conceal malicious payloads. This campaign employs a multi-stage chain to deliver its payload seamlessly while remaining under the radar.
\r\n1. Binance Smart Contract:\r\nThis process begins with encoded data embedded within a Binance Smart Contract. By leveraging the decentralized and immutable properties of blockchain, attackers store payload instructions that are resistant to tampering or removal.\r\n2. Actor-controlled Command-and-Control (C2) Server:\r\nThe encoded data directs the malware to an actor-controlled C2 server, which serves as a pivot point in the chain. Here, the server dynamically fetches further instructions or payload links, ensuring the malware does not carry any static indicators that could trigger detection.\r\n3. Bitbucket Repository:\r\nThe final stage involves a Bitbucket repository that initially hosts a benign executable. Once downloaded and deemed safe by security scans, this executable is later replaced by a malicious version. This tactic capitalizes on Bitbucket’s reputation as a trusted platform while reducing the chances of immediate detection. The use of a clean file in the initial stage ensures the campaign avoids raising alarms during early stages of distribution.\r\nFigure 4: Screenshot of repositories used by the actor with high download counts\r\nTimeline of Filenames (August to October 2024)\r\nCoinLurker’s evolution includes a notable timeline of filenames used in the Bitbucket repository, often masquerading as legitimate tools to enhance deception. From August to October 2024, the filenames observed include:\r\nBrowserUpdateTool.exe, BrowserTool.exe, BrowserUpdater.exe\r\nUpdateNow.exe, UpdateMe.exe, Updater.exe\r\nUpdaterSetup.exe, Updating.exe, SecurityPatch.exe\r\nEach filename aligns with the fake update theme, designed to appear as genuine system utilities or browser update tools.
Additionally, those executables are signed with a legitimate Extended Validation (EV) certificate, adding another layer of credibility. While the origin of the certificate cannot be confirmed, it is likely stolen, enabling the attackers to bypass security warnings and enhance the perceived legitimacy of the malicious files.\r\nFigure 5: EV Certificate parsed in VirusTotal\r\nLayered Injection Tactics to Evade Detection\r\nCoinLurker utilizes a sophisticated multi-layered injector to stealthily deploy malicious payloads into multiple instances of legitimate msedge.exe processes. This approach ensures that the malware evades detection, blends seamlessly into legitimate system activity, and bypasses network security rules that rely on process behavior for filtering. Below are the key obfuscation techniques observed during analysis.\r\nInfection Validation Through Registry Checks\r\nCoinLurker employs a heavily obfuscated function to determine if the system has already been infected. This method dynamically constructs a unique registry key, such as SOFTWARE\\\u003cGUID\u003e-\u003cID\u003e, using system-specific data like the machine’s GUID and custom input strings.\r\nThe malware then attempts to access the key using the Windows OpenKey API. If the key exists and contains the expected values, CoinLurker identifies the system as already infected and terminates its execution. If the key is missing or does not match the expected values, the malware proceeds with its infection routine.\r\nWhile this technique serves as a mutex to prevent multiple infections, the obfuscation within the function—such as dynamic API resolution and a layered execution flow—makes it challenging for analysts to reverse-engineer the logic or identify the key construction process.
\r\nFigure 6: .gif – Runtime Validation Obfuscated Function\r\nRuntime String Decoding and Injection\r\nCoinLurker employs a sophisticated injection process that relies on dynamic string decoding and obfuscation to conceal its activities. The malware targets msedge.exe, launching each instance with unique, obfuscated command-line arguments. Examples include:\r\nWSCOGJJEZZWL\r\nNTOCBJPKZPNT\r\nXXEZGQVPKJGS\r\nPEQDTHUEORHX\r\nRLZXCUVFFESG\r\nThese arguments are dynamically generated and transformed at runtime, passing through layered transformations like Base64 decoding, UTF-16 conversion, and dynamic resource mapping. The final values only emerge during execution, leaving minimal static traces. The payload itself is decrypted in memory using obfuscated routines, ensuring traditional detection methods are bypassed.\r\nFigure 7: Main Loader Function\r\nThe injection logic incorporates heavily obfuscated control flow, including nested state machines and conditional checks that obscure the actual execution path. Redundant resource assignments and iterative memory manipulations further complicate analysis, keeping critical data hidden until runtime.\r\nSocket-Based Communication for C2 Operations\r\nCoinLurker communicates with its C2 servers using a socket-based framework. It employs functions like GetAddrInfoW for DNS resolution, WSASocketW for socket creation, and ConnectEx for establishing connections. Data exchange is handled via WSASend and WSARecv, with asynchronous operations using CreateIoCompletionPort to enhance efficiency.
\r\nDomains dynamically resolved by CoinLurker include:\r\nzovik[.]info\r\nanalfucker[.]lol\r\npaveldurov[.]sbs\r\nFile Enumeration Targeting Cryptocurrency Wallets\r\nCoinLurker demonstrates a highly targeted approach to data collection, focusing on directories associated with cryptocurrency wallets and financial applications. Through systematic enumeration, it attempts to access a variety of locations that are commonly used for storing sensitive user data.\r\nKey targets include:\r\nMajor Cryptocurrency Wallets:\r\nBitcoin\\wallets\r\nEthereum\\keystore\r\nLedger Live\\Local Storage\\leveldb\r\nExodus\\exodus.wallet\r\nAlternative Cryptocurrencies and Lesser-Known Wallets:\r\nExamples include BBQCoin, Lucky7Coin, MemoryCoin, and many others, showcasing its effort to cover a wide range of cryptocurrencies.\r\nRelated Applications:\r\nDirectories such as Telegram Desktop\\tdata, Discord\\Local Storage\\leveldb, and FileZilla.\r\nThis comprehensive scanning underscores CoinLurker’s primary goal of harvesting valuable cryptocurrency-related data and user credentials. Its targeting of both mainstream and obscure wallets demonstrates its versatility and adaptability, making it a significant threat to users in the cryptocurrency ecosystem.\r\nHow Morphisec Can Help\r\nMorphisec’s pioneering Automated Moving Target Defense (AMTD) technology stops sophisticated attacks at the earliest stage without relying on outdated signature or behavioral-based detection methods. By preemptively blocking memory and application-based attacks, Morphisec eliminates threats before they can take hold and become business impacting.
\r\nSchedule a demo today to see how Morphisec stops fake update campaigns like CoinLurker and other new and emerging threats.\r\nIOCs\r\nFake Installers SHA256\r\nStager URLs\r\nC2 Domains\r\npaveldurov[.]sbs\r\nzovik[.]info\r\nanalfucker[.]lol\r\nSensitive Data Discovery Paths
\r\nAbout the author\r\nNadav Lorber\r\nSecurity Research Tech Lead\r\nNadav Lorber is a leader on Morphisec’s cutting-edge threat research team. He began his career in threat intelligence in 2013, where he was a SOC Specialist for the Israeli government’s military intelligence department. Since joining Morphisec, Nadav has helped uncover key insights on topics like Jupyter Infostealer, Log4j, and the Snip3 crypter.\r\nSource: https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generation-of-fake-updates"
	],
	"report_names": [
		"coinlurker-the-stealer-powering-the-next-generation-of-fake-updates"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c1ac2a5e-0225-47a4-8ac5-5fa898c96bde",
			"created_at": "2023-01-06T13:46:38.472883Z",
			"updated_at": "2026-04-10T02:00:02.989134Z",
			"deleted_at": null,
			"main_name": "ProjectSauron",
			"aliases": [
				"Sauron",
				"Project Sauron",
				"G0041"
			],
			"source_name": "MISPGALAXY:ProjectSauron",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438940,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52e62ec5bc97a9724f24343602474a8c5b5e4fff.pdf",
		"text": "https://archive.orkl.eu/52e62ec5bc97a9724f24343602474a8c5b5e4fff.txt",
		"img": "https://archive.orkl.eu/52e62ec5bc97a9724f24343602474a8c5b5e4fff.jpg"
	}
}