{
	"id": "1f40ef1b-b100-446f-9601-732ccca48f93",
	"created_at": "2026-04-06T00:13:34.775682Z",
	"updated_at": "2026-04-10T03:30:32.851408Z",
	"deleted_at": null,
	"sha1_hash": "d3e4ec319ede578b7d3b936b2d2401d1aeabd19e",
	"title": "To the moon and hack: Fake SafeMoon app drops malware to spy on you",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554703,
	"plain_text": "To the moon and hack: Fake SafeMoon app drops malware to spy on you\r\nBy Martina López and Tomáš Foltýn\r\nArchived: 2026-04-05 22:36:51 UTC\r\nScams\r\nCryptocurrencies rise and fall, but one thing stays the same – cybercriminals attempt to cash in on the craze\r\n06 Oct 2021 • 3 min. read\r\nCybercriminals are trying to capitalize on “the next big thing” in the turbulent cryptocurrency space in an attempt to take remote control of people’s computers and then steal their passwords and money. A campaign spotted recently impersonates the SafeMoon cryptocurrency app and uses a fake update to lure Discord users to a website that distributes a well-known remote access tool (RAT).\r\nSafeMoon is one of the latest altcoins to, well, shoot for the moon. Ever since its inception six months ago, SafeMoon has been highly popular (and duly volatile), with the craze propelled by influencers and numerous enthusiasts on social media. The buzz hasn’t escaped the notice of scammers, as swindles targeting cryptocurrency users – including fraud that namedrops celebrities to give it some extra allure – have been running rampant for years.\r\nHouston, we have a problem\r\nhttps://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/\r\nPage 1 of 5\r\nThe ruse exploiting SafeMoon’s sudden popularity begins with a message (Figure 1) that scammers have sent to a number of users on Discord. Posing as the official SafeMoon account, the fraudsters promote a new version of the app.\r\nFigure 1. The message impersonating SafeMoon\r\nIf you were to click on the URL in the message, you would land on a website (Figure 2) that is apparently designed to look the part of SafeMoon's official site – its old version, to be exact. First reported by a Reddit user in August 2021, the domain name also mimics its legitimate counterpart, except that it adds an extra letter at the end in the hope that the difference will go unnoticed by most people in their haste to obtain the required “update”. As of the time of writing, the malicious site is still up and running.\r\nFigure 2. The fake (L) versus the legitimate (R) SafeMoon website, August 2021 (source: web.archive.org)\r\nFigure 3. The official SafeMoon website, early October 2021\r\nAll external links on the site are legitimate, except for the arguably most important one – the link that prompts you to download the “official” SafeMoon app from the Google Play Store. Instead of the SafeMoon app for Android devices, it downloads a payload that includes rather common, off-the-shelf Windows software that can be used both for legitimate and nefarious ends.\r\nFigure 4. The development section of the obfuscated malicious app\r\nUpon execution, the installer (Safemoon-App-v2.0.6.exe) will drop several files on the system, including a RAT called Remcos. While touted as a legitimate tool, this RAT is also being peddled for sale in underground forums, which also earned it an official alert from US authorities shortly after the tool was released. If used for evil ends, a RAT is often understood to stand for a “remote access trojan” instead.\r\nRemcos has since been deployed in a number of campaigns, both by cybercrime and cyberespionage groups. Indeed, just a few months ago ESET researchers spotted Remcos in what they nicknamed “Operation Spalax”, where threat actors took aim at a slew of organizations in Colombia.\r\nAs is customary with RATs, Remcos gives the attacker a backdoor into the victim’s computer and is used to gather sensitive data from the victim. It is operated via a command and control (C\u0026C) server whose IP address is injected into the downloaded files. Remcos’s capabilities include theft of login credentials from various web browsers, logging keystrokes, hijacking the webcam, capturing audio from the victim's microphone, downloading and executing additional malware on the machine ... the whole nine yards, really.\r\nA cursory look at the RAT's configuration file (Figure 5) provides an idea of its extensive functionality.\r\nFigure 5. Part of the Remcos configuration file binary showing some of what the RAT is after\r\nStrap yourself in\r\nA few basic precautions will go a long way towards staying safe from these scams:\r\nBe wary of any out-of-the-blue communications, be it via email, social media, texts or other channels\r\nDon’t click on links in such messages, especially when they come from an unverified source\r\nBe alert to irregularities in URLs – you’re better off typing the address in yourself\r\nUse strong and unique passwords or passphrases and, wherever available, two-factor authentication (2FA)\r\nUse comprehensive security software\r\nWhen it comes to investing in cryptocurrencies, you need to proceed with caution, and not just because the market is rife with investment fraud, fake giveaways and other scams. But surely you know the drill by now.\r\nIndicators of Compromise (IoCs)\r\nSHA-256 hash | ESET detection name\r\n035041983ADCFB47BBA63E81D2B98FA928FB7E022F51ED4A897366542D784E5B | A Variant of MSIL/Injector.VQB\r\nThe files downloaded later as part of the Remcos “package” are detected by ESET products as Win32/Rescoms.B.\r\nSource: https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/"
	],
	"report_names": [
		"moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy"
	],
	"threat_actors": [
		{
			"id": "64d750e4-67db-4461-bae2-6e75bfced852",
			"created_at": "2022-10-25T16:07:24.01415Z",
			"updated_at": "2026-04-10T02:00:04.839502Z",
			"deleted_at": null,
			"main_name": "Operation Spalax",
			"aliases": [],
			"source_name": "ETDA:Operation Spalax",
			"tools": [
				"AsyncRAT",
				"Bladabindi",
				"Jorik",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434414,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3e4ec319ede578b7d3b936b2d2401d1aeabd19e.pdf",
		"text": "https://archive.orkl.eu/d3e4ec319ede578b7d3b936b2d2401d1aeabd19e.txt",
		"img": "https://archive.orkl.eu/d3e4ec319ede578b7d3b936b2d2401d1aeabd19e.jpg"
	}
}