
According to the report, researchers from Moonlock Lab have uncovered at least four concurrent operations in which threat actors are weaponizing fake versions of Ledger Live, using advanced phishing mechanisms to deceive users and extract wallet credentials and recovery seed phrases.
Malicious Ledger Live Clones
The current threat landscape represents a dramatic escalation in attackers’ capabilities.
Initially, campaigns distributed malicious clones of Ledger Live that harvested data such as passwords, notes, and wallet details.
However, technical limitations had prevented the theft of actual funds. Since late 2024, attackers have refined their malware, engineering phishing interfaces designed to coax seed phrases directly from victims through highly convincing pop-ups or fake error dialogs.
Once a user submits their seed phrase, attackers gain full control over wallet assets, effectively bypassing Ledger Live’s hardware-enforced security.
A significant vector in these attacks involves social engineering: victims are lured by realistic threat warnings purportedly regarding suspicious activity or critical errors displayed by the trojanized Ledger Live app.
These interfaces mirror the look and feel of the legitimate app, often demanding a 24-word seed phrase “to restore access” or resolve “security issues.”
The harvested phrases are instantly transmitted to attacker-controlled command-and-control (C2) servers, giving criminals all the information required to drain the wallets in real time.
Technical Distinction Across Threat Actors
Researchers have tracked notable actors orchestrating these campaigns:
- Odyssey Stealer: This malware retrieves user identification data from local system paths and launches sophisticated phishing pages that request the user’s wallet seed phrase. The data is exfiltrated to hardcoded C2 endpoints using dedicated URL structures.
- Mentalpositive Stealer: While recent dark web chatter touts an “anti-Ledger” feature, technical analysis shows only basic data-theft capabilities (browser credentials and exfiltration of local files), with upgrades to target Ledger Live more directly expected imminently. The malware’s evolution is observable through string obfuscation and C2 infrastructure changes.
- Jamf-Identified Campaign: This operation leverages DMG payloads that went undetected on VirusTotal, delivering Mach-O binaries packed with PyInstaller for stealth. Attackers deploy layered data collection techniques, combining AppleScript and Python to extract system passwords, key documents, and browser data before displaying phishing interfaces inside HTML iframes.
- AMOS (Atomic macOS Stealer): The AMOS campaign deploys obfuscated DMG installers leveraging terminal aliases to bypass Gatekeeper. After establishing persistence and harvesting browser and local file data, AMOS replaces the legitimate Ledger Live app with a counterfeit version, terminating the authentic process and misleading users into surrendering their seed phrases through a staged restoration process.
All observed campaigns emphasize anti-analysis features, such as VM detection routines and modular code, to evade research and automated defenses.
The surge in targeted attacks against Ledger Live on macOS highlights an evolution in both malware sophistication and the operational acumen of cybercriminals.
The technical barriers to compromising cold wallets are being systematically dismantled by social engineering, clone app deployment, and fast-evolving malware.
Threat researchers warn that dark web forums are abuzz with innovation, and subsequent campaign waves are imminent.
Users are urged to exercise heightened security hygiene:
- Never input a seed phrase into any dialog, pop-up, or website, even if it mimics official branding.
- Download Ledger Live only from official sources.
- Monitor threat intelligence feeds for fresh indicators of compromise (IoCs), and remain alert to suspicious activity on your devices.
Indicators of Compromise (IoCs)
| Type | Value | Description |
|---|---|---|
| Hash (SHA-256) | 0dba9a31da4248a64df6488fe11f289efcbf95b1b69784d878cb96be5fd5adbb | Odyssey Mach-O binary |
| Hash (SHA-256) | 4bb8f7f241eb8f47ecfb8a10d455b1e64b1153ff118945a789d8e6141a0a5aab | Odyssey Mach-O binary |
| URL | hxxp://185.147.124[.]212/ledger-seed/<USER>/<SEED> | Odyssey C2 (seed exfiltration path) |
| URL | hxxp://185.147.124[.]212/ledger-seed/ | Odyssey C2 server |
| Hash (SHA-256) | e539b6b53cf7009e86d0ddb279dec9b84a099aa8c8b2ecd18d65ee17538d772a | Mentalpositive sample (“JENYA” string) |
| Hash (SHA-256) | a95c414686b78296910ba7ecbc684e22eaccd508ad48bf279dcb110e66985a66 | Mentalpositive sample (updated C2) |
| URL | hxxp://gq8ruzk1h3a8[.]cfd | Mentalpositive C2 server |
| URL | hxxps://lagkill[.]cc/ | Mentalpositive C2 server |
| Hash (SHA-256) | 3992d69d17a2cd460c99f98f9dd1e61bc56ce362be1bab3d3a574c414a7b6ad2 | Malicious DMG (Jamf campaign) |
| URL | hxxp://138.68.93.230/Ledger-Live.dmg | Malicious DMG download (Jamf campaign) |
| URL | hxxp://138.68.93.230/ledgeras | HTML phishing interface |
| Hash (SHA-256) | a5255d7a4f7fb67a0682d1827cfba80c3e296b23b4ef450beea832c1292e12d8 | AMOS JandiInstaller.dmg |
| Hash (SHA-256) | 451fb16f40687fb34ef5fa639fd3ac884b2cdef28c284f04c217e285294a82b5 | AMOS JandiInstaller.lor |
| Hash (SHA-256) | 09c68e48fcaabad74626be5f3a15b9e1f3e6f45919737aa8475f74a3a353d778 | AMOS Mach-O binary |
| Hash (SHA-256) | 86ff1cebe2fa691bc9142a1645461051eb347854d093eef506a1acf1665d0bb9 | AMOS trojanized Ledger Live app |
| Hash (SHA-256) | b6887f35cd87b20664ac5757f47296c394eda96da5e8edd23c1579b0d2c83672 | AMOS fake Ledger Live app (phishing welcome screen) |
| URL | hxxp://45.94.47.102/contact | AMOS C2 server (data exfiltration) |
| URL | hxxps://gknkargo.com/zxc/app.zip | AMOS fake app download |
| URL | hxxps://aimplyhired.com/receive.php | AMOS C2 server (seed exfiltration) |
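The table above is only useful if it is actually checked against telemetry. The following script is an added example, not tooling from Moonlock Lab or Cyber Security News: it parses a subset of the IoC table exactly as published (defanged `hxxp` / `[.]` values), re-fangs the URL indicators into host and path-prefix pairs (the `<USER>/<SEED>` placeholders in the Odyssey exfiltration path become a prefix match, since the real path varies per victim), and then scans constructed proxy log lines and a constructed file-hash inventory for matches. The log format (`timestamp client method url`) and the sample lines are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Rows copied from the article's IoC table (defanged exactly as published).
IOC_TABLE = """\
| Type | Value | Description |
|---|---|---|
| Hash (SHA-256) | 0dba9a31da4248a64df6488fe11f289efcbf95b1b69784d878cb96be5fd5adbb | Odyssey Mach-O binary |
| URL | hxxp://185.147.124[.]212/ledger-seed/<USER>/<SEED> | Odyssey C2 (seed exfiltration path) |
| URL | hxxp://185.147.124[.]212/ledger-seed/ | Odyssey C2 server |
| URL | hxxp://138.68.93.230/Ledger-Live.dmg | Malicious DMG download (Jamf campaign) |
| URL | hxxps://aimplyhired.com/receive.php | AMOS C2 server (seed exfiltration) |
"""

# Constructed proxy log lines (assumed format: timestamp client method url); not real traffic.
SAMPLE_PROXY_LOG = [
    "2025-05-22T10:14:03Z 10.0.0.21 GET http://138.68.93.230/Ledger-Live.dmg",
    "2025-05-22T10:21:47Z 10.0.0.21 POST http://185.147.124.212/ledger-seed/jdoe/REDACTED-SEED",
    "2025-05-22T10:22:01Z 10.0.0.21 GET http://185.147.124.212/favicon.ico",
    "2025-05-22T10:30:00Z 10.0.0.22 GET https://www.ledger.com/ledger-live",
]


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:]) back into a parseable URL."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_ioc_table(text: str):
    """Parse the markdown table into a set of lowercase SHA-256 hashes and a
    list of (host, path_prefix, description) tuples for URL indicators."""
    hashes, url_iocs = set(), []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] in ("Type", "---"):
            continue  # header row, separator row, or malformed line
        kind, value, desc = cells
        if kind.startswith("Hash"):
            hashes.add(value.lower())
        elif kind == "URL":
            parsed = urlparse(refang(value))
            # <USER>/<SEED> placeholders vary per victim: keep only the fixed prefix.
            path_prefix = re.split(r"<[^>]*>", parsed.path)[0]
            url_iocs.append((parsed.hostname, path_prefix, desc))
    return hashes, url_iocs


def scan_proxy_log(lines, url_iocs):
    """One hit per matching line: 'high' when host and path prefix both match,
    'medium' when only the host matches (any contact with a C2 address is notable)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        req = urlparse(parts[3])
        hit = None
        for host, prefix, desc in url_iocs:
            if req.hostname == host and req.path.startswith(prefix):
                hit = {"line": line, "severity": "high", "desc": desc}
                break
        if hit is None:
            for host, prefix, desc in url_iocs:
                if req.hostname == host:
                    hit = {"line": line, "severity": "medium",
                           "desc": f"contact with host listed for: {desc}"}
                    break
        if hit:
            hits.append(hit)
    return hits


def match_hash_iocs(observed, hashes):
    """observed: {file_path: sha256_hex}. Returns the entries that are on the IoC list."""
    return {path: digest for path, digest in observed.items() if digest.lower() in hashes}


if __name__ == "__main__":
    known_hashes, known_urls = parse_ioc_table(IOC_TABLE)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, known_urls):
        print(hit["severity"], hit["desc"], "<-", hit["line"])
```

Matching the seed-exfiltration path as a prefix rather than as a literal string is the point of the placeholder handling: a literal match on `/ledger-seed/<USER>/<SEED>` would never fire, while the prefix catches the real per-victim request. The host-only tier is deliberately lower severity; it flags any traffic to a listed C2 address, including benign-looking requests, so that an analyst can triage rather than miss the contact entirely.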
The post Cybercriminals Target macOS Users with Fake Ledger Apps to Deploy Malware appeared first on Cyber Security News.
