{
	"id": "72191a1c-17f6-42d0-b322-20193898c1c7",
	"created_at": "2026-04-06T00:15:29.139676Z",
	"updated_at": "2026-04-10T13:13:09.853421Z",
	"deleted_at": null,
	"sha1_hash": "64dbadc11ad09f69cfda9acdaf942f414885245c",
	"title": "LARVA-208’s New Campaign Targets Web3 Developers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2409161,
	"plain_text": "LARVA-208’s New Campaign Targets Web3 Developers\r\nArchived: 2026-04-05 23:44:31 UTC\r\nExecutive Summary\r\n, known for its phishing attacks and social engineering tactics targeting English-speaking IT staff through phone\r\ncalls, has adopted a new technique in its operations. In recent months,\r\nused multiple domains to contact IT employees, gather their VPN credentials, and subsequently harvest usernames\r\nand passwords from victims. The group is now applying a similar method to Web3 developers by sending them\r\njob offers (\r\n) or requests for portfolio reviews, directing them to fake AI Company/Workspace applications. When victims\r\nclick on meeting links within these deceptive AI Workspace projects and access the platform using unique\r\ninvitation codes and emails, they encounter an error message falsely claiming their audio drivers are outdated or\r\nmissing. Clicking the link prompts victims to download and execute malicious software disguised as a genuine\r\nRealtek HD Audio Driver. This malware executes an embedded\r\ncommand (\r\n) to retrieve and execute the\r\nstealer from LARVA-208's Command and Control (C2) servers (\r\n). The stealer collects extensive information about the infected machine, including the device name, hardware\r\ndetails, operating system version and architecture, language settings, and geolocation data (such as IP address,\r\ncountry, and city). It also captures the username, lists installed programs, and details running processes,\r\ntransmitting all collected data back to the attacker's C2 server.\r\n acquires its C2 and phishing domains through 's bulletproof hosting (BPH) service. These domains are\r\npurchased alongside others that members also use. 
Consequently, the community directly attributes the\r\nmajority of these varied phishing attacks carried out by to the group.\r\nhttps://catalyst.prodaft.com/public/report/larva-208s-new-campaign-targets-web3-developers/overview#heading-1000\r\nPage 1 of 7\n\nNew Campaign\r\nIn the new campaign,\r\nhas expanded its targeting to Web3 developers by leveraging a sophisticated phishing scheme centered on a fake\r\nservice called \"Norlax AI,\" hosted on the domain\r\n(\r\n). This domain closely mirrors the legitimate AI workspace platform \"Teampilot\" (teampilot.ai), creating a\r\nconvincing replica of the service to deceive victims.\r\nBased on the observed attack scenarios, two distinct cases have been identified that lead to the victim’s infection.\r\nCase 1 – The threat actor shares meeting links belonging to the fake Norlax AI service with developers\r\nwho actively follow Web3 and blockchain-related content on social media platforms like X (ex-Twitter)\r\nand . These links are framed as part of a job interview or portfolio discussion.\r\nCase 2 – The threat actor sends meeting links to individuals who previously applied for Crypto Analyst\r\npositions posted by the actor on the remote job platform Remote3 (remote3.co). However, unlike what\r\nmight be expected, the link is not shared directly through the platform. Since Remote3 warns job seekers to\r\nonly click on legitimate Google Meet or Zoom links and avoid downloading any files, based on previous\r\nsocial engineering incidents, adjusts its tactics. 
During an initial conversation via Google Meet, the actor\r\ntells the applicant that the interview will continue on the Norlax AI platform and then shares the malicious\r\nmeeting link in the chat.\r\nWhen a victim clicks the meeting link, they don’t land directly on a call. Instead, they’re asked to enter an email\r\nand invitation code (victim's username), both generated by the attacker specifically for that person. In some cases,\r\nturns on their microphone to make it look like a real job interview. Even though the victim joins the call through\r\nthe Norlax AI platform, their microphone doesn't work. A few seconds later, a fake warning pops up saying their\r\naudio drivers are missing or outdated. If the victim clicks this message, their browser connects to the attacker's\r\nserver (\r\n→ /getfile.php ) and downloads a malicious Realtek HD Audio Driver (\r\n). When the victim runs the file, a fake installer window appears. In the background, it runs a\r\ncommand hidden in setup.dll (\r\n), which connects to the attacker's C2 server (\r\n) to download and execute the\r\nmalware (\r\n).\r\nThe threat actor, who recently developed this new execution method, previously used a different technique in\r\nearlier interviews. In those cases, they tricked victims into downloading a .LNK file. This shortcut appeared to\r\ncall manage-bde.wsf (a legitimate Windows Script File used for managing BitLocker), but in reality, it used the\r\nampersand (\u0026) operator to append and execute a hidden\r\ncommand. That command connected to the actor’s C2 server and downloaded the\r\nmalware, then ran it on the victim’s machine. 
The use of a seemingly legitimate file path helped the attacker avoid\r\nsuspicion while executing malicious code.\r\nInstead, these files are now being uploaded to\r\n, a file upload service (\r\n), so they can keep their own records. At the same time, as seen in the code, the actor still sends key details about\r\nthe victim (OS, username, IP address, country, region, city, and antivirus info) to a notify.php file on its C2\r\nserver (\r\n).\r\nIn most cases, however, the information collected from victim devices is uploaded directly to the C2 servers used\r\nby the actor, which they have named SilentPrism, allowing the actor to monitor the victim data.\r\nConclusion\r\nLARVA-208 has executed a highly targeted campaign against Web3 developers, exploiting their trust in AI\r\ndevelopment tools and meeting platforms. The threat actors distribute infostealers like Fickle through fake AI\r\napplications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data.\r\nThis attack demonstrates how cybercriminals now weaponize emerging technology trends to bypass traditional\r\nsecurity measures. Web3 developers face unique risks due to their high-value digital assets and development\r\nenvironments. Notably, the threat actors’ arsenal has remained largely unchanged, continuing to rely on\r\nestablished toolkits such as Fickle. 
While the group’s primary motivation in the last campaign was ransomware\r\ndeployment, this latest operation suggests a shift toward alternative monetization strategies, including the\r\nexfiltration of valuable data and credentials for potential resale or exploitation in illicit markets.\r\nSource: https://catalyst.prodaft.com/public/report/larva-208s-new-campaign-targets-web3-developers/overview#heading-1000",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://catalyst.prodaft.com/public/report/larva-208s-new-campaign-targets-web3-developers/overview#heading-1000"
	],
	"report_names": [
		"overview#heading-1000"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "af10aec6-36a8-4bdb-ba47-8f75b6a4aa4b",
			"created_at": "2025-03-07T02:00:03.797427Z",
			"updated_at": "2026-04-10T02:00:03.821929Z",
			"deleted_at": null,
			"main_name": "Larva-208",
			"aliases": [
				"EncryptHub"
			],
			"source_name": "MISPGALAXY:Larva-208",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434529,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64dbadc11ad09f69cfda9acdaf942f414885245c.pdf",
		"text": "https://archive.orkl.eu/64dbadc11ad09f69cfda9acdaf942f414885245c.txt",
		"img": "https://archive.orkl.eu/64dbadc11ad09f69cfda9acdaf942f414885245c.jpg"
	}
}