{
	"id": "c43c46a0-0e65-47bc-96bc-afde253237fa",
	"created_at": "2026-04-06T00:09:14.296638Z",
	"updated_at": "2026-04-10T03:28:15.75822Z",
	"deleted_at": null,
	"sha1_hash": "7e69db280e9f30b1f37b2663d43b3f249c8bcb2a",
	"title": "'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1666085,
	"plain_text": "'Vortax' Meeting Software Builds Elaborate Branding, Spreads Infostealers\r\nBy Elizabeth Montalbano\r\nPublished: 2024-06-20 · Archived: 2026-04-05 16:19:37 UTC\r\nSource: Klaus Ohlenschlaeger via Alamy Stock Photo\r\nA widespread campaign aimed at stealing cryptocurrency is spreading a wave of infostealers through fake virtual meeting software for both macOS and Windows platforms, particularly targeting the former with the dangerous Atomic stealer.\r\nDiscovered by Recorded Future's Insikt Group, the campaign, attributed to a threat actor dubbed \"Markopolo,\" is responsible for an elaborate Web and social media presence for a fake app called Vortax, according to a report (PDF) published this week.\r\nVortax is purported to be virtual meeting software for various platforms but actually is a delivery mechanism for three infostealers: Rhadamanthys, Stealc, and Atomic, the researchers found. Attackers target cryptocurrency users in the campaign through social media and Telegram channels for the purpose of stealing credentials, so they can in turn steal crypto from them, according to Insikt.\r\nThe campaign is connected to a previously reported attack by Markopolo, identified then only as a Russian-speaking threat group, that targeted the Web3 gaming community. The group is known for using shared hosting and command-and-control (C2) infrastructure so that it can pivot agilely to new scams when detected, according to Insikt.\r\nhttps://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers\r\nPage 1 of 3\r\n\"The campaign indicates a widespread credential-harvesting operation, potentially positioning Markopolo as an initial access broker or 'log vendor' on Dark Web shops like Russian Market or 2easy Shop,\" Insikt Group wrote in a blog post associated with the report.\r\nThe activity also demonstrates an uptick in infostealers that target macOS, which traditionally have been less prevalent than their Windows counterparts, Insikt Group noted in its report. Reports of Atomic stealer in particular have been on the rise, based on recent research.\r\n\"The high volume of [Atomic] activity observed in this campaign builds on previous Insikt Group reporting, which found that mentions of macOS malware and exploit kits increased by 79% year-on-year from 2022 to 2023,\" according to the report. This \"may indicate\" a link between the overall number of references to macOS malware and the increased frequency of Atomic stealer campaigns observed in the wild, the researchers noted.\r\nVortax: Threats Hiding Behind a Convincing Brand\r\nThe foundation of the campaign is Vortax, a fake, \"self-proclaimed\" virtual meeting application marketed as cross-platform and AI-enhanced, for which the attackers built a convincing online brand. All major search engines index Vortax, which has a presence (@VortaxSpace) on social media platforms and even maintains a Medium blog using what are likely AI-generated articles.\r\nThe company behind the software claims to operate out of an address in Toronto that is actually an apartment building, and even boasts online about bogus awards from respected publications such as Forbes. However, closer inspection revealed that Vortax is a fraud, shown most clearly by its related website domains, vortax.io and vortax.space (the latter of which has since been suspended), which are rife with spelling and grammatical errors, according to Insikt.\r\nVortax advertises applications for Windows, Linux, macOS, iOS, and Android on its sites, though users cannot actually download the applications without a \"Room ID,\" which functions as a meeting invitation.\r\nAccounts associated with Vortax have four primary methods for sharing Room IDs, the most common of which are R12307012, R39264552, R87103129, and R71231209. These methods include: replies to the Vortax account on social media; direct messages on social media; posting in cryptocurrency-related Telegram channels; and posting in cryptocurrency-themed Discord channels.\r\nThese IDs ultimately lead to an installer for downloading Vortax, which, as described, is just a front for delivering infostealing malware. On Windows platforms, the fake software delivers Rhadamanthys and Stealc, while it loads the Atomic stealer on macOS platforms.\r\nTo the user, it appears that Vortax is never actually installed, with the installation process \"claiming that it encounters critical errors that impede it from running,\" while the software is actually \"running many malicious processes\" in the background, according to the report.\r\nMitigation Against Malware-Hiding Software\r\nInsikt made a number of suggestions for mitigating the campaign, particularly across the macOS platform, which increasingly is being targeted and thus demands new vigilance and \"robust defense strategies,\" according to the report.\r\nIndeed, the distribution of Atomic stealer, previously distributed via fake software updates, demonstrates a pivot by infostealing threat actors to macOS. One mitigation for the campaign, then, is to ensure that detection systems for the Atomic infostealer are regularly updated to prevent infections, according to Insikt.\r\nOrganizations also should educate users on the risks of downloading unapproved software, especially from social media or search engines, and implement strict security controls to prevent employees from doing so. They also should encourage corporate network users to report suspicious activities encountered on social media and other platforms.\r\nAccording to Insikt Group, using intelligence and monitoring platforms that scan for malicious domains and IP addresses associated with Atomic stealer and other macOS malware also can help prevent infection.\r\nAbout the Author\r\nContributing Writer\r\nElizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.\r\nSource: https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.darkreading.com/remote-workforce/vortax-meeting-software-branding-spreads-infostealers"
	],
	"report_names": [
		"vortax-meeting-software-branding-spreads-infostealers"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4fad0171-9089-4bc8-83c5-727ee455f6fe",
			"created_at": "2024-06-25T02:00:05.035985Z",
			"updated_at": "2026-04-10T02:00:03.657798Z",
			"deleted_at": null,
			"main_name": "Markopolo",
			"aliases": [],
			"source_name": "MISPGALAXY:Markopolo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434154,
	"ts_updated_at": 1775791695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7e69db280e9f30b1f37b2663d43b3f249c8bcb2a.pdf",
		"text": "https://archive.orkl.eu/7e69db280e9f30b1f37b2663d43b3f249c8bcb2a.txt",
		"img": "https://archive.orkl.eu/7e69db280e9f30b1f37b2663d43b3f249c8bcb2a.jpg"
	}
}