Cybersecurity experts have identified a sophisticated scam campaign using counterfeit video conferencing applications to distribute the Realst information stealer, specifically targeting Web3 professionals. The operation, dubbed “Meeten,” creates convincing fake companies using AI to enhance legitimacy.
The attack methodology involves:
– Initial contact through Telegram discussing investment opportunities
– Directing targets to fraudulent meeting platforms (Clusee, Cuesee, Meeten, Meetone, Meetio)
– Prompting downloads for Windows or macOS versions
On macOS systems, the malware:
– Claims compatibility issues requiring system password entry
– Uses the osascript technique common to various macOS stealer families
– Targets sensitive data including cryptocurrency wallets, Telegram credentials, banking information, and browser data
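The following added example (not from the original report) shows one way to hunt for the osascript password prompt in process telemetry. It assumes the prompt is raised with AppleScript's `display dialog ... with hidden answer`, the usual way osascript shows a masked input field; the event field names, paths and sample command lines are constructed for illustration.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed process-creation events (not from the report). Field names and
# paths are assumptions modelled on typical macOS endpoint telemetry.
SAMPLE_EVENTS = [
    {"pid": 411, "parent": "/Applications/Example.app/Contents/MacOS/Example",
     "cmdline": "osascript -e 'display dialog \"Enter your password to continue\" "
                "default answer \"\" with hidden answer'"},
    {"pid": 412, "parent": "/bin/zsh",
     "cmdline": "/usr/bin/osascript -e 'tell application \"Finder\" to activate'"},
    {"pid": 413, "parent": "/usr/local/bin/backup-helper",
     "cmdline": "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"},
    # AppleScript is case-insensitive, so the match must be too.
    {"pid": 414, "parent": "/Users/a/Downloads/setup",
     "cmdline": "/usr/bin/osascript -e 'Display  Dialog \"Password:\" "
                "default answer \"\" With Hidden Answer'"},
    # Truncated telemetry with an unbalanced quote.
    {"pid": 415, "parent": "/Users/a/Downloads/setup",
     "cmdline": "osascript -e 'display dialog \"Password:\" default answer \"\" with hidden answer"},
]

DIALOG = re.compile(r"display\s+dialog", re.I)
HIDDEN = re.compile(r"with\s+hidden\s+answer", re.I)

def is_osascript(cmdline):
    """True when the executable (argv[0]) is osascript, with or without a path."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    return bool(argv) and PurePosixPath(argv[0]).name == "osascript"

def flag_hidden_prompts(events):
    """Return events where osascript raises a dialog with a masked input field."""
    return [ev for ev in events
            if is_osascript(ev["cmdline"])
            and DIALOG.search(ev["cmdline"])
            and HIDDEN.search(ev["cmdline"])]

if __name__ == "__main__":
    for ev in flag_hidden_prompts(SAMPLE_EVENTS):
        print(ev["pid"], ev["parent"], ev["cmdline"], sep=" | ")
```

This only sees scripts passed on the command line; a script fed to osascript from a file or standard input needs file or script-content telemetry instead.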
The Windows version features:
– A signed NSIS file using stolen Brys Software Ltd. credentials
– An Electron application that downloads a Rust-based stealer executable
The malware can extract data from multiple browsers including Chrome, Edge, Opera, Brave, Arc, and Vivaldi. This campaign follows similar attacks like meethub[.]gg and markopolo, which targeted cryptocurrency users with various stealer malware.
The trend coincides with the emergence of new stealer families (Fickle, Wish, Hexon, Celestial) and increased targeting of users seeking pirated software and AI tools through RedLine and Poseidon Stealers.