{
	"id": "d71432d8-92c9-4cea-9afb-13ea2158a5b0",
	"created_at": "2026-04-06T00:18:18.424095Z",
	"updated_at": "2026-04-10T03:37:09.211058Z",
	"deleted_at": null,
	"sha1_hash": "8f46e752a91b5d81ac11ae51f217987a7fed5d87",
	"title": "Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1534773,
	"plain_text": "Enigma Stealer Targets Cryptocurrency Industry with Fake Jobs\r\nBy Aliakbar Zahravi, Peter Girnus\r\nPublished: 2023-02-09 · Archived: 2026-04-05 23:10:05 UTC\r\nWe recently found an active campaign that uses a fake employment pretext targeting Eastern Europeans in the\r\ncryptocurrency industry to install an information stealer. In this campaign, the suspected Russian threat actors use\r\nseveral highly obfuscated and under-development custom loaders to infect those involved in the cryptocurrency\r\nindustry with the Enigma Stealer (detected as TrojanSpy.MSIL.ENIGMASTEALER.YXDBC), a modified version\r\nof the Stealerium information stealer. In addition to these loaders, the attacker also exploits CVE-2015-2291, an\r\nIntel driver vulnerability, to load a malicious driver designed to reduce the token integrity of Microsoft Defender.\r\nStealerium, the original information stealer which serves as the base for Enigma Stealer, is an open-source project\r\nwritten in C# and markets itself as a stealer, clipper, and keylogger with logging capabilities using the Telegram\r\nAPI. Security teams and individual users are advised to continuously update the security solutions of their systems\r\nand remain vigilant against threat actors who perform social engineering via job opportunity or salary increase-related lures.\r\nAttack Chain\r\nUsing fake cryptocurrency interviews to lure victims\r\nThe infection chain starts with a malicious RAR archive — in this instance, contract.rar (SHA256:\r\n658725fb5e75ebbcb03bc46d44f048a0f145367eff66c8a1a9dc84eef777a9cc) — which is distributed to victims via\r\nphishing attempts or through social media. The archive contains two files, Interview questions.txt and Interview\r\nconditions.word.exe.\r\nThese files set up the pretext for a fake cryptocurrency role or job opening. 
One file, Interview questions.txt\r\n(SHA256: 3a1eb6fabf45d18869de4ffd773ae82949ef80f89105e5f96505de810653ed73) contains sample interview\r\nquestions written in Cyrillic. This serves to further legitimize the package in the eyes of the victim and draw\r\nattention away from the malicious binary.\r\nThe other file, Interview conditions.word.exe (SHA256:\r\n03b9d7296b01e8f3fb3d12c4d80fe8a1bb0ab2fd76f33c5ce11b40729b75fb23), contains the first-stage Enigma\r\nloader. This file, which also masquerades as a legitimate Word document, is designed to lure unsuspecting victims\r\ninto executing the loader. Once executed, the Enigma loader begins the registration and downloading of the\r\nsecond-stage payload.\r\nAnalysis of the Enigma infrastructure\r\nEnigma uses two servers in its operation. The first utilizes Telegram for delivering payloads, sending commands,\r\nand receiving the payload heartbeat. The second server, 193[.]56[.]146[.]29, is used for DevOps and logging\r\npurposes. At each stage the payload sends its execution log to the logging server. Since this malware is under\r\nhttps://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html\r\nPage 1 of 17\n\ncontinuous development, the attacker potentially uses the logging server to improve malware performance. We\r\nhave also identified the Amadey C2 panel on 193[.]56[.]146[.]29, which has only one sample\r\n(95b4de74daadf79f0e0eef7735ce80bc) communicating with it.\r\nAmadey is a popular botnet that is sold on Russian-speaking forums, but its source code has been leaked online.\r\nAmadey offers threat actors polling and reconnaissance services.\r\nFigure 5. The exposed info.php page of the threat actors’ command-and-control (C\u0026C)\r\ninfrastructure\r\nThis server has a unique Linux distribution only referenced in Russian Linux forums.\r\nThe default time zone on this server is set to Europe/Moscow. 
This server registers a newly infected host when\r\nInterview conditions.word.exe is executed by the victim.\r\nStage 1: EnigmaDownloader_s001\r\nMD5 1693D0A858B8FF3B83852C185880E459\r\nSHA-1 5F1536F573D9BFEF21A4E15273B5A9852D3D81F1\r\nSHA-256 03B9D7296B01E8F3FB3D12C4D80FE8A1BB0AB2FD76F33C5CE11B40729B75FB23\r\nFile size 367.00 KB (375808 bytes)\r\nThe initial stage of Enigma, Interview conditions.word.exe, is a downloader written in C++. Its primary objective\r\nis to download, deobfuscate, decompress, and launch the second-stage payload. The malware incorporates\r\nmultiple tactics to avoid detection and complicate reverse engineering, such as API hashing, string encryption, and\r\nirrelevant code.\r\nBefore delving into the analysis of \"EnigmaDownloader_s001,\" let's first examine how the malware decrypts\r\nstrings and resolves hashed Windows APIs. By understanding this, we can implement an automated system to help\r\nus retrieve encrypted data and streamline the analysis process. Please be advised that to enhance code legibility,\r\nwe have substituted all hashes with the corresponding function names.\r\nAPI hashing is a technique employed by malware to conceal the utilization of potentially suspicious APIs\r\n(functions) from static detection. This technique helps the malware disguise its activities and evade detection.\r\nIt involves replacing the human-readable names of functions (such as \"CreateMutexW\") with a hash value, such\r\nas 0x0FD43765A. The hash value is then used in the code to call the corresponding API function, rather than\r\nusing the human-readable name. 
The purpose of this technique is to make the process of understanding the code\r\nmore time-consuming and difficult.\r\nFor API hashing, EnigmaDownloader_s001 uses the following custom MurmurHash:\r\nThe malware employs dynamic API resolving to conceal its API imports and make static analysis more difficult.\r\nThis technique involves storing the names or hashes of the APIs needed, then importing them dynamically at\r\nruntime.\r\nThe Windows API offers LoadLibrary and GetProcAddress functions to facilitate this. LoadLibrary accepts the\r\nname of a DLL and returns a handle, which is then passed to GetProcAddress along with a function name to\r\nobtain a pointer to that function. To further evade detection, the malware author even implemented their own\r\ncustom version of GetProcAddress to retrieve the address of functions such as LoadLibrary and others. The use of\r\nstandard methods like GetProcAddress and LoadLibrary might raise a red flag, so the custom implementation\r\nhelps to avoid detection.\r\nThe following is a list of API hash values along with the names of functions that have been used in this sample\r\n(Please note that the hash value might be different in other variants since the malware author changed some of the\r\nconstant values in the hash generator function).\r\n0xE04A219 : kernel32_HeapCreate\r\n0xA1ADA36 : kernel32_lstrcpyA\r\n0x5097BB4 : kernel32_RegOpenKeyExA\r\n0x750EFAB : kernel32_GetLastError\r\n0x4CB039A : kernel32_RegQueryValueExA\r\n0xAAF4498 : kernel32_RegCloseKey\r\n0xFAD2A34 : kernel32_lstrcmpiA\r\n0x11A198F : combase_CoCreateGuid\r\n0xE94A809 : kernel32_RtlZeroMemory\r\n0x6A6A154 : kernel32_lstrcatA\r\n0x8150471 : ntdll_RtlAllocateHeap\r\n0x4CF4539 : user32_wvsprintfW\r\n0x663555F : kernel32_WideCharToMultiByte\r\n0x59CADCE : ntdll_RtlFreeHeap\r\n0x1CE543C : cabinet_CloseDecompressor\r\n0x11CF0A2 : wininet_InternetGetConnectedState\r\n0x675C7B2 : kernel32_Sleep\r\n0xDC75FF2 : wininet_InternetCheckConnectionA\r\n0x5CC35B1 : wininet_InternetSetOptionA\r\n0xF9E8859 : wininet_InternetOpenA\r\n0x6F05A9E : wininet_InternetConnectA\r\n0xBAEECD9 : wininet_HttpOpenRequestA\r\n0xAD9A77C : wininet_HttpSendRequestA\r\n0x835FA71 : wininet_HttpQueryInfoA\r\n0xBFA9532 : wininet_InternetReadFile\r\n0x99D029C : wininet_InternetCloseHandle\r\n0x8DABD38 : kernel32_GetFileAttributesW\r\n0x44E1C18 : kernel32_DeleteFileW\r\n0xAB69596 : kernel32_CreateFileW\r\n0x2CF38A1 : kernel32_WriteFile\r\n0x1CE43DE : kernel32_CloseHandle\r\n0x548C5A4 : Rpcrt4_RpcStringBindingComposeW\r\n0x7B0F79F : Rpcrt4_RpcBindingFromStringBindingW\r\n0x69A2B62 : Rpcrt4_RpcStringFreeW\r\n0xD2CD112 : advapi32_CreateWellKnownSid\r\n0xEFBC2E9 : kernel32_LocalFree\r\n0x60EDB01 : Rpcrt4_RpcBindingFree\r\n0x7A7DAA0 : Rpcrt4_RpcAsyncInitializeHandle\r\n0xB3F16FA : kernel32_CreateEventW\r\n0x1C23B4F : Rpcrt4_NdrAsyncClientCall\r\n0x8C1F37 : kernel32_WaitForSingleObject\r\n0x7831640 : Rpcrt4_RpcRaiseException\r\n0xF2FCCFE : Rpcrt4_RpcAsyncCompleteCall\r\n0x816F545 : kernel32_SetLastError\r\n0xFBE2D99 : oleaut32_SysAllocString\r\n0x393ACB : oleaut32_SysFreeString\r\n0xC9FEF5F : kernel32_ExpandEnvironmentStringsW\r\n0x74D51D3 : kernel32_CreateProcessW\r\n0xCDE9EC27 : wininet_HttpWebSocketClose\r\n0x80C8449 : kernel32_TerminateProcess\r\n0x418B4E7E : wininet_AppCacheCheckManifest\r\n0x44E65EB : kernel32_WaitForDebugEvent\r\n0x81C3F46 : kernel32_ContinueDebugEvent\r\n0x1FB9EB2 : kernel32_LoadLibraryW\r\n0x1071970 : kernel32_GetProcAddress\r\n0xDAE6C9B : combase_CoInitializeEx\r\n0xFD43765 : kernel32_CreateMutexW\r\n0x73861029 : kernel32_BasepSetFileEncryptionCompression\r\n0xA3FE987 : advapi32_RegDeleteKeyW\r\n0x1CA6703 : advapi32_RegCreateKeyA\r\n0x24EBD39 : kernel32_lstrlenA\r\n0x69F38C6 : kernel32_RegSetValueExA\r\n0xC2D33DC : ntdll_RtlGetVersion\r\n0xBD5D03A : kernel32_GetNativeSystemInfo\r\n0x10BEDD60 : wininet_CreateMD5SSOHash\r\nTo resolve the API hash, the malware first passes two arguments to the \"mw_resolveAPI\" function. The first\r\nargument is the specific library name index number (in this case 0xA = Kernel32.dll), while the second argument\r\nis the export function name hashed value (which, in this example, is 0xFD43765A).\r\nThe mw_resolveAPI function first finds the specific index, jumps to it, and decrypts the corresponding library\r\nname value as shown in the bottom image of Figure 9.\r\nThe following is the list of decrypted library names:\r\nWinInet.dll\r\nuserenv.dll\r\npsapi.dll\r\nnetapi32.dll\r\nmpr.dll\r\nwtsapi32.dll\r\napi-ms-win-core-processthreads-l1-1-0.dll\r\nntoskrnl.exe\r\nRpcrt4.dll\r\nUser32.dll\r\napi-ms-win-core-com-l1-1-0.dll\r\nCabinet.dll\r\nshell32.dll\r\nOleAut32.dll\r\nOle32.dll\r\nntdll.dll\r\nmscoree.dll\r\nkernel32.dll\r\nadvapi32.dll\r\nThe library name and the export function name hashed value are then passed to GetExportAddressByHash, which is\r\nresponsible for opening the handle to the library, creating a hash for each export function name, and comparing it\r\nwith the passed argument. Once the match is found, the malware returns the function address and calls it.\r\nThe code snippet in Figure 11 demonstrates how mw_GetExportAddressByHash resolves the given API hash and\r\nretrieves the address of an exported function. 
The techniques used to decrypt strings and resolve API hashes in\r\nboth the stage 1 and stage 2 payloads are identical.\r\nWith an understanding of this process, we can then proceed with our analysis.\r\nUpon execution, the malware creates the mutual exclusion object (mutex) to mark its presence in the system and\r\nretrieves the MachineGuid of the infected system from the SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\r\nregistry key, which it uses as a unique identifier to register the system with its C\u0026C server and track its infection.\r\nFigure 12. Constructing a unique system identifier and creating a mutex\r\nIt then deletes the HKCU\\SOFTWARE\\Intel registry key and recreates it with two values, HWID and ID, as shown\r\nin Figure 13.\r\nIt then collects information about the .NET Framework Setup on the infected system and sends it to its C\u0026C\r\nserver as shown in Figure 14.\r\nThere are two C\u0026C servers that were used in this attack chain. The first one, 193[.]56[.]146[.]29, is the destination\r\nfor program execution DEBUG messages, while Telegram is used to deliver payloads and send commands.\r\nTo download the next stage payload, the malware first sends a request to the attacker-controlled Telegram channel\r\nhttps://api[.]telegram[.]org/bot{token}/getFile to obtain the file_path. This approach allows the attacker to\r\ncontinuously update the payload and eliminates reliance on fixed file names.\r\nNote that in this case, the next stage payload was file_17.pack. However, this file and other stage names were\r\nchanged multiple times during our investigation.\r\nUpon obtaining the file_path, the malware then sends a request to download the next stage binary file (shown in\r\nFigure 17).\r\nFigure 18. The code responsible for decrypting the next stage payload file_id and Telegram token\r\nIf the file's download, deobfuscation, and decompression are successful, the malware sends the message \"bot\r\ngetted\" to the debug server.\r\nTo decompress the payload, the malware uses Microsoft Cabinet's Compressapi with the compression algorithm\r\n(\"COMPRESS_RAW | COMPRESS_ALGORITHM_LZMS\"). The code snippet in Figure 20 demonstrates how\r\nthe malware downloads, deobfuscates, and decompresses file_17.pack (UpdateTask.dll).\r\nFigure 20. Code responsible for downloading, deobfuscating, decompressing, and renaming the\r\ndownloaded payload\r\nBefore executing the payload, the malware attempts to elevate its privileges by executing the mw_UAC_bypass\r\nfunction, which is part of an open-source project. This technique, Calling Local Windows RPC Servers from .NET\r\n(which was unveiled in 2019 by Project Zero), allows a user to bypass user account control (UAC) using only two\r\nremote procedure call (RPC) requests instead of DLL hijacking.\r\nThe malware requires elevated privileges for the subsequent stage payload, which involves loading the malicious\r\ndriver by exploiting CVE-2015-2291.\r\nFinally, the malware executes an export function called \"Entry\" from UpdateTask.dll via rundll32.exe as shown in\r\nFigure 23. 
\r\nStage 2: EnigmaDownloader_s002\r\nMD5 377f617ccd4aa09287d5221d5d8e1228\r\nSHA-1 288358deaa053b30596100c9841a7d6d1616908d\r\nSHA-256 f1623c2f7c00affa3985cf7b9cdf25e39320700fa9d69f9f9426f03054b4b712\r\nFile size 497.50 KB (509440 bytes)\r\nThe second stage payload, UpdateTask.dll, is a dynamic-link library (DLL) written in C++ that comprises two\r\nexport functions (DllEntryPoint and Entry). The malicious code is executed in the Entry export function, which is\r\ntriggered by the first stage routine. The primary objective of this malware is to disable Microsoft Defender by\r\ndeploying a malicious kernel mode driver (“bring your own vulnerable driver” or BYOVD method) via exploiting\r\na vulnerable Intel driver (CVE-2015-2291) and then downloading and executing the third-stage payload.\r\nPlease note that the first, second, and third-stage payloads all obtain the infected system's MachineGuid at the start\r\nand use it to identify the machine in debug message network traffic, enabling the adversary to track the infected\r\nsystem's malware execution state.\r\nUpon execution, the malware creates the mutex to mark its presence on the system and retrieves the MachineGuid\r\nof the infected system from the \"SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\" registry key.\r\nFigure 24. Constructing a unique system identifier and creating a mutex\r\nNext, the malware will determine if it is running as an account with administrator privileges or simply as a regular\r\nuser using the GetTokenInformation API. If the malware fails to obtain elevated privileges, it will skip disabling\r\nWindows Defender and proceed to download and execute the next stage of its attack.\r\nIf the process successfully obtains elevated privileges, it proceeds to drop the files shown in Figure 26. 
\r\nName iQVW64.SYS (CVE-2015-2291)\r\nDescription Vulnerable Intel driver, used for kernel exploitation\r\nMD5 1898ceda3247213c084f43637ef163b3\r\nSHA-1 d04e5db5b6c848a29732bfd52029001f23c3da75\r\nSHA-256 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b\r\nName Driver.SYS\r\nDescription Malicious driver that reduces the token integrity of Microsoft Defender (MsMpEng.exe)\r\nMD5 28ca7a21de60671f3b528a9e08a44e1c\r\nSHA-1 21F1CFD310633863BABAAFE7E5E892AE311B42F6\r\nSHA-256 D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442\r\nThe malware uses an open-source project called KDMapper to manually map non-signed/self-signed drivers in\r\nmemory by exploiting the iqvw64e.sys Intel driver. Testing on this has reportedly been conducted on Windows 10\r\nversion 1607 to Windows 11 version 22449.1. The functions intel_driver::Load() and kdmapper::MapDriver() are\r\nboth responsible for achieving this task.\r\nThe following snippet demonstrates the debug message related to driver loading and installation:\r\nFigure 27. Debug message for loading the driver and providing execution status\r\nThe malware then establishes persistence on the targeted system by creating scheduled tasks.\r\nFigure 28. Malware persistence is achieved via scheduled tasks\r\nFinally, the EnigmaDownloader_s002 downloads and executes the next-stage payload on the infected system. 
To\r\nachieve this task, it employs similar techniques as those used in the first stage — the only difference, in this case,\r\nis that the malware is executing a .NET Assembly from C++ in memory using the CLR (Common Language\r\nRuntime) hosting technique.\r\nStage 2.1: Enigma Driver analysis\r\nName Driver.SYS\r\nMD5 28CA7A21DE60671F3B528A9E08A44E1C\r\nSHA-1 21F1CFD310633863BABAAFE7E5E892AE311B42F6\r\nSHA-256 D5B4C2C95D9610623E681301869B1643E4E2BF0ADCA42EAC5D4D773B024FA442\r\nThe driver's sole purpose is to patch the integrity level of Microsoft Defender (MsMpEng.exe) and forcibly\r\nreduce it from system to untrusted integrity. Reducing the integrity level to untrusted impedes Microsoft Defender's\r\nability to access secure resources on the victim's system, silently disabling it without terminating the\r\nprocess.\r\nFigure 30. Microsoft Defender token integrity modification before and after executing Enigma\r\nDriver\r\nThe code snippets in Figure 31 demonstrate how the malware performs these operations.\r\nFigure 33. Details of the certificate of the vulnerable driver (top) and Enigma Driver (bottom)\r\nStage 3: EnigmaDownloader_s003\r\nThe following table shows the details of Enigma.Bot.Net.exe.\r\nMD5 50949ad2b39796411a4c7a88df0696c8\r\nSHA-1 67a502395fc4193721c2cfc39e31be11e124e02c\r\nSHA-256 8dc192914e55cf9f90841098ab0349dbe31825996de99237f35a1aab6d7905bb\r\nFile size 10.50 KB (10752 bytes)\r\nEnigmaDownloader_s003 is a third-stage downloader written in C#. It is responsible for downloading,\r\ndecompressing, and executing the final stealer payload on an infected system. 
The malware also accepts\r\ncommands from a Telegram channel, though these commands may vary between variants:\r\nstop\r\nalive\r\nrunassembly\r\nUpon launch, the malware sends a \"Bot started\" message to both the Debug server and the Telegram channel,\r\nindicating its successful execution.\r\nIt then sends a GET request to https://api[.]telegram[.]org/bot{token}/getUpdates to retrieve the command. Upon\r\nreceiving the runassembly command, the malware downloads the next part of the final stage payload\r\n(file_19.pack), decompresses it using the GZipStream API, and executes it.\r\nFigure 36. An example of network communication between EnigmaDownloader_s003 and the\r\nattacker’s Telegram channel.\r\nStage 4: Enigma Stealer\r\nMD5 4DC2D57D9DB430235B21D7FB735ADF36\r\nSHA-1 98BF3080A85743AB933511D402E94D1BCEE0C545\r\nSHA-256 4D2FB518C9E23C5C70E70095BA3B63580CAFC4B03F7E6DCE2931C54895F13B2C\r\nFile size 2954.75 KB (2954752 bytes)\r\nThe final stage is the Enigma Stealer which, as we previously mentioned, is a modified version of an open-source\r\ninformation stealer project called Stealerium.\r\nUpon execution, the malware initializes configuration and sets up its working directory.\r\nThe malware configuration is as follows:\r\npublic static string Version = \"0.05.01\";\r\npublic static string DebugMode = \"0\";\r\npublic static string Mutex = \"6C0560CE-2E75-4BB4-A26E-F08592A1D56D\";\r\npublic static string AntiAnalysis = \"0\";\r\npublic static string Autorun = \"1\";\r\npublic static string StartDelay = \"0\";\r\npublic static string WebcamScreenshot = \"1\";\r\npublic static string KeyloggerModule = \"0\";\r\npublic static string ClipperModule = \"0\";\r\npublic static string GrabberModule = \"0\";\r\npublic static string TelegramToken = \"5894962737:AAHAFZnz2AkLAyHC0G-7S2je9JMWWLJHGsU\";\r\npublic static string TelegramChatID = \"5661436914\";\r\nIt then starts to collect system information and steals user information, tokens, and passwords from various web\r\nbrowsers and applications such as Google Chrome, Microsoft Edge, Microsoft Outlook, Telegram, Signal,\r\nOpenVPN and others. It captures screenshots and extracts clipboard content and VPN configurations.\r\nThe collected information is then compressed and exfiltrated to the attacker via Telegram.\r\nFigure 41 illustrates a sample of the network traffic generated by the malware.\r\nFigure 41. Network traffic of data upload to the attacker's Telegram channel\r\nIt's worth mentioning that some strings, such as web browser paths and Geolocation API services URLs, are\r\nencrypted with the AES algorithm in cipher-block chaining (CBC) mode.\r\nList of decrypted strings:\r\n\\Chromium\\User Data\\\r\n\\Google\\Chrome\\User Data\\\r\n\\Google(x86)\\Chrome\\User Data\\\r\n\\Opera Software\\\r\n\\MapleStudio\\ChromePlus\\User Data\\\r\n\\Iridium\\User Data\\\r\n7Star\\7Star\\User Data\r\n//CentBrowser\\User Data\r\n//Chedot\\User Data\r\nVivaldi\\User Data\r\nKometa\\User Data\r\nElements Browser\\User Data\r\nEpic Privacy Browser\\User Data\r\nuCozMedia\\Uran\\User Data\r\nFenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\r\nCatalinaGroup\\Citrio\\User Data\r\nCoowon\\Coowon\\User Data\r\nliebao\\User Data\r\nQIP Surf\\User Data\r\nOrbitum\\User Data\r\nComodo\\Dragon\\User Data\r\nAmigo\\User\\User Data\r\nTorch\\User Data\r\nYandex\\YandexBrowser\\User Data\r\nComodo\\User Data\r\n360Browser\\Browser\\User Data\r\nMaxthon3\\User Data\r\nK-Melon\\User Data\r\nCocCoc\\Browser\\User Data\r\nBraveSoftware\\Brave-Browser\\User Data\r\nMicrosoft\\Edge\\User Data\r\nhttp://ip-api.com/line/?fields=hosting\r\nhttps://api.mylnikov.org/geolocation/wifi?v=1.1\u0026bssid=\r\nhttps://discordapp.com/api/v6/users/@me\r\nConclusion\r\nSimilar to previous campaigns involving groups such as Lazarus,\r\nthis campaign demonstrates a persistent and lucrative attack vector for various advanced persistent threat (APT)\r\ngroups and threat actors. Through the use of employment lures, these actors can target individuals and\r\norganizations across the cryptocurrency and Web 3 sphere. Furthermore, this case highlights the evolving nature\r\nof modular malware that employs highly obfuscated and evasive techniques along with the utilization of\r\ncontinuous integration and continuous delivery (CI/CD) principles for continuous malware development.\r\nOrganizations can protect themselves by remaining vigilant against phishing attacks. Furthermore, individuals are\r\nadvised to remain cautious of social media posts or phishing attempts that offer job opportunities unless they are\r\nsure of their legitimacy. Due to current economic conditions, threat actors can be expected to continue to heavily\r\ndeploy employment lures to target those seeking employment.\r\nMeanwhile, organizations should also consider cutting-edge multilayered defensive strategies and\r\ncomprehensive security solutions such as Trend Micro™ XDR that can detect, scan, and block malicious\r\nURLs across the modern threat landscape.\r\nIndicators of Compromise (IOCs)\r\nThe indicators of compromise for this entry can be found here:\r\n/content/dam/trendmicro/global/en/research/23/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs/iocs-enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs-tm.txt\r\nSource: https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/b/enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html"
	],
	"report_names": [
		"enigma-stealer-targets-cryptocurrency-industry-with-fake-jobs.html"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434698,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f46e752a91b5d81ac11ae51f217987a7fed5d87.pdf",
		"text": "https://archive.orkl.eu/8f46e752a91b5d81ac11ae51f217987a7fed5d87.txt",
		"img": "https://archive.orkl.eu/8f46e752a91b5d81ac11ae51f217987a7fed5d87.jpg"
	}
}