{
	"id": "835b6b11-539a-4652-bafe-8adf60a60423",
	"created_at": "2026-04-06T00:09:55.277732Z",
	"updated_at": "2026-04-10T03:30:33.719079Z",
	"deleted_at": null,
	"sha1_hash": "ba4f4605fbc8586acae415d9218974d9ac47a7d2",
	"title": "Cyble - Fake Atomic Wallet Website Distributing Mars Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1021450,
	"plain_text": "Cyble - Fake Atomic Wallet Website Distributing Mars Stealer\r\nPublished: 2022-08-02 · Archived: 2026-04-05 16:29:33 UTC\r\nCyble analyzes a fake Atomic Wallet website that is being used to distribute Mars Stealer to cryptocurrency users.\r\nInfo Stealer Targeting Browsers and Crypto Wallets\r\nThe popularity of Cryptocurrency has increased exponentially over the recent years as dealing with crypto has become relatively hassle-free and more accessible. The financial returns of crypto investments have attracted many investors to invest in crypto markets.\r\nAs the demand for crypto investment has increased over the years, we can also see a corresponding rise in the number of crypto wallets. Some popular crypto wallets such as Binance, Atomic, Exodus, Coinbase, Metamask, and Trust are the most commonly used platforms to manage and transact Cryptocurrency.\r\nDespite gaining popularity worldwide, Cryptocurrency also has its downsides. It opens the door for various malicious activities like phishing, scams, hacking, delivering malware, etc.\r\nCyble Research Labs has constantly been tracking malicious activities targeting Cryptocurrency wallets. During a routine threat-hunting exercise, we came across a Twitter post where a researcher mentioned a fake Atomic wallet site distributing Mars Stealer.\r\nThe phishing site “hxxp://atomic-wallet[.]net” uses the icon and name of the Atomic wallet. Additionally, the Threat Actor is trying to copy the UI of the genuine website to trick the user, as shown in the below image.\r\nhttps://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/\r\nPage 1 of 7\n\nFigure 1 – Phishing site impersonating Atomic Wallet website\r\nUpon investigating the phishing site, we observed that the TA has invested time in developing a well-designed phishing site to trick victims into downloading the malware.\r\nThe phishing site appears to be genuine as the TA provided some attractive content such as Trusted Reviews, Cashback, FAQ, Partners, Contact Us page, Support, and Update History.\r\nFigure 2 – Content on Phishing site to appear legitimate\r\nWhen the user interacts with the “Download” button, the phishing site redirects to the download options page, where the user can download Atomic wallet for Windows, iOS, and Android, as shown in the below image.\r\nFigure 3 – Download options for the user\r\nThe App Store button is inactive, while the Google Play button redirects the user to the genuine Atomic Wallet Play Store link.\r\nWhen the user clicks on the “Download for Windows” button, it connects to the shortened URL “hxxps://bit[.]ly/3PRDyH8” and downloads a Zip file named “Atomic Wallet.zip”.\r\nAfter a detailed investigation, the downloaded file was identified as a Mars Stealer sample. Mars Stealer was discovered in June 2021 and was available for sale on a few underground cybercrime forums. Mars Stealer primarily targets browser extensions, crypto extensions and wallets, and 2FA plugins.\r\nTechnical Analysis\r\nThe downloaded Zip file contains the “AtomicWallet-Setup.bat” file containing malicious code, as shown in the below image.\r\nFigure 4 – Downloaded Zip file content\r\nUpon execution, the .bat file invokes a PowerShell command that requests administrative elevation for its execution.\r\nFigure 5 – Executing PowerShell command for admin privileges\r\nThe .bat file then copies powershell.exe into the current directory, renames it as AtomicWallet_Setup.bat.exe, and then hides it using the attrib command.\r\nFigure 6 – Hiding the .exe file using the attrib command\r\nThen, the .bat file executes PowerShell content using AtomicWallet_Setup.bat.exe, which decodes the base64-encoded content and decrypts it using AES, producing a GZip-compressed stream that is held in memory.\r\nThe below figure shows the code used by the malware to perform AES decryption and GZip decompression.\r\nFigure 7 – Code for AES Decryption and GZip Decompression\r\nFinally, the malware decompresses the GZip content and loads the final PowerShell code that downloads Mars Stealer from the Discord server to the victim’s %LOCALAPPDATA% location.\r\nFigure 8 – Downloading Mars Stealer from the Discord server\r\nThe below figure shows the infection chain of Mars Stealer. After downloading Mars Stealer, the .bat file deletes the “AtomicWallet_Setup.bat.exe” from the victim’s machine.\r\nFigure 9 – Infection chain\r\nAfter successful installation, Mars Stealer steals sensitive information from the victim’s device and exfiltrates the stolen data to the C\u0026C server.\r\nFigure 10 – Malware sending stolen data to the C\u0026C server\r\nConclusion\r\nAccording to our research, the TAs behind Mars Stealer are adopting sophisticated phishing attacks to distribute Mars Stealer and gather user credentials, system information, and other sensitive data.\r\nThe criminals may use compromised credentials to carry out attacks while staying under the radar, avoiding the security monitoring rules that would otherwise alert victims to the attempted compromise.\r\nOur Recommendations\r\nAvoid downloading pirated software from unverified sites.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nKeep updating your passwords after certain intervals.\r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1566 Phishing\r\nExecution T1204 User Execution\r\nDefense Evasion T1564 Hidden Files and Directory\r\nDefense Evasion T1027 Obfuscated Files or Information\r\nCredential Access T1555 Credentials from Password Stores\r\nCredential Access T1539 Steal Web Session Cookies\r\nCredential Access T1552 Unsecured Credentials\r\nCredential Access T1528 Steal Application Access Token\r\nDiscovery T1082 System Information Discovery\r\nExfiltration T1041 Exfiltration Over C\u0026C Channel\r\nIndicators Of Compromise (IOCs)\r\nIndicator Type Description\r\n33d0d9fe89f0dba2b89347a0e2e6deb22542476d98676187f8c1eb529cb3997f SHA256 Hash of the analyzed bat file\r\ndfdbb09661ee90ad4e88e7b0510653c93485a4b2 SHA1 Hash of the analyzed bat file\r\n3004914cdfa67357410e6f0c9a091655 MD5 Hash of the analyzed bat file\r\n10afe233525aaf99064e4e444f11a8fc01f8b9f508e4f123fd76b314a6d360f9 SHA256 Hash of the analyzed Mars Stealer exe file\r\n0f6e3442c67d6688fae5f51b4f60b78cd05f30df SHA1 Hash of the analyzed Mars Stealer exe file\r\n10f0d3a64949a6e15a9c389059a8f379 MD5 Hash of the analyzed Mars Stealer exe file\r\nhxxps://atomic-wallet[.]net URL Malware distribution site/C\u0026C server\r\nSource: https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/08/02/fake-atomic-wallet-website-distributing-mars-stealer/"
	],
	"report_names": [
		"fake-atomic-wallet-website-distributing-mars-stealer"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434195,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba4f4605fbc8586acae415d9218974d9ac47a7d2.pdf",
		"text": "https://archive.orkl.eu/ba4f4605fbc8586acae415d9218974d9ac47a7d2.txt",
		"img": "https://archive.orkl.eu/ba4f4605fbc8586acae415d9218974d9ac47a7d2.jpg"
	}
}