A fake Phantom security update scam has been sent in the form of phishing NFTs to Solana cryptocurrency owners. The NFTs were airdropped into users' crypto wallets, claiming to be from the developers of Phantom, with names such as ‘PHANTOMUPDATE.COM’ or ‘UPDATEPHANTOM.COM’ and descriptions giving instructions on how to apply this fake update. The included text urges victims to click the link or visit the website listed to download the ‘update’, adding urgency by threatening users with the potential “loss of funds due to hackers exploiting the Solana network” if the fake update is not applied.
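The lure above has three recognisable traits: a collection name that is really a domain, a link to a host the wallet vendor does not control, and update instructions wrapped in urgency language. The following triage routine is an added example, not code from the page or from Phantom; the airdrop metadata is constructed to mirror the description above, and the `TRUSTED_HOSTS` allowlist and the `unsolicited` flag are assumptions about how a wallet or marketplace front end might expose that information.

```python
import re
from typing import Dict, List

# Constructed airdrop metadata modelled on the lure described above; these are
# not real on-chain records.
SAMPLE_AIRDROPS = [
    {
        "name": "PHANTOMUPDATE.COM",
        "description": ("Phantom security update required. Visit the link or the "
                        "website listed to download the update immediately. Failure to "
                        "update may result in loss of funds due to hackers exploiting "
                        "the Solana network. https://phantomupdate.example/"),
        "unsolicited": True,   # arrived as an airdrop, not a purchase or mint the user made
    },
    {
        "name": "Pixel Cat #17",
        "description": "One of 5,000 generative cats. https://pixelcats.example/17",
        "unsolicited": False,
    },
]

# Hypothetical allowlist of hosts a wallet vendor would legitimately link to.
TRUSTED_HOSTS = {"phantom.app"}
BRAND = "phantom"

DOMAIN_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|now|loss of funds|hackers?)\b", re.I)
UPDATE = re.compile(r"\b(update|download|install)\b", re.I)


def triage_airdrop(nft: Dict) -> List[str]:
    """Return the reasons an airdropped NFT looks like a phishing lure (empty if none)."""
    reasons: List[str] = []
    name = nft.get("name", "").strip()
    desc = nft.get("description", "")
    text = f"{name} {desc}".lower()

    # A collection "name" that is really a domain exists to advertise a site, not art.
    if DOMAIN_NAME.match(name):
        reasons.append(f"name is a bare domain: {name}")

    # Brand name present, but the links go to hosts the vendor does not control.
    hosts = [h.lower() for h in URL_HOST.findall(desc)]
    untrusted = [h for h in hosts if h not in TRUSTED_HOSTS]
    if BRAND in text and untrusted:
        reasons.append(f"mentions {BRAND} but links to {', '.join(untrusted)}")

    # Software-update instructions combined with urgency or threat language.
    if UPDATE.search(desc) and URGENCY.search(desc):
        reasons.append("update instructions with urgency/threat language")

    # Legitimate wallet updates never arrive as tokens pushed into the wallet.
    if nft.get("unsolicited") and reasons:
        reasons.append("arrived as an unsolicited airdrop")
    return reasons


if __name__ == "__main__":
    for nft in SAMPLE_AIRDROPS:
        print(nft["name"], "->", triage_airdrop(nft) or "no findings")
```

The checks are deliberately independent so that a single one (for example the brand-plus-untrusted-host test) can be fed from a wallet's own allowlist while the others stay as written; the only hard signal a wallet can act on automatically is that no vendor ships software updates as airdropped tokens.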
As soon as the victim accesses the phishing site from either a computer or mobile device, a Windows batch file, Phantom_Update_2022-10-08.bat, is automatically downloaded from Dropbox. When launched, this file requests permission to run with administrator privileges through a Windows UAC prompt. If this is accepted, a PowerShell script is triggered that decrypts further Windows executables, resulting in the download of windll32.exe, which is executed from the C:\Users\<username>\AppData\Local folder. This .exe file has been flagged by threat analysts on VirusTotal and identified as a password-stealing trojan, which searches the browser for information such as history, cookies, passwords, and SSH keys.
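The execution chain above (a batch file from the Downloads folder running elevated, PowerShell spawned from it, and an executable started directly from the AppData\Local folder) leaves a distinctive trail in process-creation telemetry. The detector below is an added example written for this page, not the page's own code or a Phantom artefact; the events are constructed in a Sysmon-like shape to follow the chain described above, and the command lines and the user name `alice` are assumptions, since the page does not give the actual PowerShell invocation.

```python
import re
from typing import Dict, List

# Constructed process-creation events in a Sysmon-like shape (Event ID 1 fields).
# They are modelled on the chain described above, not captured telemetry.
SAMPLE_EVENTS = [
    {   # stage 1: the downloaded batch file, launched after the UAC prompt was accepted
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\Phantom_Update_2022-10-08.bat"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "IntegrityLevel": "High",
    },
    {   # stage 2: PowerShell spawned by the batch file (command line assumed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "IntegrityLevel": "High",
    },
    {   # stage 3: the dropped stealer run from the AppData\Local folder
        "Image": r"C:\Users\alice\AppData\Local\windll32.exe",
        "CommandLine": "windll32.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "IntegrityLevel": "High",
    },
    {   # benign: an ordinary elevated installer from Program Files
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "CommandLine": "setup.exe /quiet",
        "ParentImage": r"C:\Windows\explorer.exe",
        "IntegrityLevel": "High",
    },
]

# Folders an unprivileged user can write to, where browser downloads land.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)
# An .exe sitting directly in AppData\Local rather than in a vendor subfolder.
LOCALAPPDATA_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\[^\\]+\.exe$", re.I)
# Path of a .bat/.cmd file anywhere in a command line.
BAT_IN_CMDLINE = re.compile(r'"?([a-z]:\\[^"]+?\.(bat|cmd))"?', re.I)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per event that matches a rule, in event order."""
    alerts: List[str] = []
    for i, ev in enumerate(events):
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = basename(ev.get("ParentImage", ""))
        elevated = ev.get("IntegrityLevel") == "High"

        # Rule 1: a batch script from a user-writable folder running elevated,
        # i.e. the user clicked through the UAC prompt for a downloaded file.
        m = BAT_IN_CMDLINE.search(cmd)
        if m and elevated and USER_WRITABLE.match(m.group(1)):
            alerts.append(f"event {i}: elevated batch file from user folder: {m.group(1)}")

        # Rule 2: an executable dropped into the AppData\Local root and started by a
        # script host, which is how the stealer stage is described above.
        if LOCALAPPDATA_ROOT_EXE.match(image) and parent in SCRIPT_HOSTS:
            alerts.append(f"event {i}: {basename(image)} launched from AppData\\Local by {parent}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Rule 1 fires on the first stage and rule 2 on the third, while the PowerShell stage and the Program Files installer produce nothing; in a real deployment the two rules are more useful correlated on the same host within a short window than as standalone alerts, since elevated scripts from Downloads do occur in ordinary software installs.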
Although this trojan is currently unidentified, it resembles a previous malware campaign known as MarsStealer. Identified in 2020, MarsStealer has been known to steal browser data, including from two-factor authentication (2FA) plugins, as well as cryptocurrency extensions and wallets. Victims who have downloaded this fake Phantom update should immediately scan their devices for malware to remove all malicious files and prevent further access to their devices. Victims can also mitigate the risk of loss by transferring all crypto funds to a new Phantom wallet and changing their passwords on all related sites. Passwords should always be complex and unique, so that a data leak on one platform cannot affect any other accounts held, especially those related to finance.