Elusive Comet Targets Crypto Users with Social Eng Tactics


Researchers at the Open Security Alliance are tracking a malicious campaign led by a group called Elusive Comet, which has been targeting cryptocurrency users through sophisticated social engineering tactics. The group’s primary goal is to convince victims to install malware, allowing the attackers to steal their cryptocurrency after gaining access to the infected devices.

At present, Elusive Comet is responsible for millions of dollars in stolen funds, presenting a significant threat to users due to its carefully crafted backstory and deceptive methods. According to the researchers, the group’s approach involves creating an air of legitimacy to gain the trust of potential victims.

Building Trust with Deception

Elusive Comet has worked hard to create a strong online presence to facilitate its deception. It runs legitimate-looking websites and active social media profiles, including those of Aureon Capital, which masquerades as a legitimate venture capital firm. The group also operates Aureon Press and The OnChain Podcast, which it uses to engage with potential victims.

Victims are typically contacted through X direct messages or emails, with some even being invited to appear as a guest on the podcast. If the offer is accepted, the group schedules a Zoom call, often withholding meeting details until the last minute to create a sense of urgency.

Once the victim joins the call, they are asked to share their screen and present their work. At this point, Elusive Comet uses the Zoom session to request control over the victim’s computer. With control, the attackers can install malware such as an infostealer or remote access Trojan (RAT), giving them the ability to exfiltrate sensitive information from the victim’s device either immediately or at a later time.

Real-Life Example of Targeting

In one notable case, cybersecurity research firm Trail of Bits detailed how its own CEO was targeted by this campaign. After receiving an invitation to appear on a podcast called “Bloomberg Crypto,” the CEO quickly recognized the signs of a social engineering attack. What seemed like a legitimate media opportunity was in fact a ploy by Elusive Comet to install malware and steal valuable data.

Recommendations for Protection

To protect against Elusive Comet’s sophisticated tactics, researchers from the Open Security Alliance advise users to remain cautious when receiving media offers or requests from unknown individuals. Additionally, when using Zoom for video calls, users should be vigilant and avoid granting remote control of their device to others unless they are entirely certain of the legitimacy of the situation.
