{"id":9627,"date":"2026-01-03T10:03:35","date_gmt":"2026-01-03T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/03\/potential-wallet-phishing-campaign-targets-cardano-users-via-eternl-desktop-announcement\/"},"modified":"2026-01-03T10:03:35","modified_gmt":"2026-01-03T10:03:35","slug":"potential-wallet-phishing-campaign-targets-cardano-users-via-eternl-desktop-announcement","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/03\/potential-wallet-phishing-campaign-targets-cardano-users-via-eternl-desktop-announcement\/","title":{"rendered":"Potential Wallet Phishing Campaign Targets Cardano Users via \u2018Eternl Desktop\u2019 Announcement"},"content":{"rendered":"<p>    Potential Wallet Phishing Campaign Targets Cardano Users via \u2018Eternl Desktop\u2019 Announcement<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A sophisticated phishing campaign is currently circulating within the Cardano community, posing significant risks to users seeking to download the newly announced Eternl Desktop application. <\/p>\n<p>The attack leverages a professionally crafted <a href=\"https:\/\/cybersecuritynews.com\/beware-of-fake-meta-emails-from-hackers\/\" target=\"_blank\" rel=\"noreferrer noopener\">email<\/a> claiming to promote a legitimate wallet solution designed for secure Cardano token staking and governance participation. <\/p>\n<p>The fraudulent announcement references ecosystem-specific incentives, including NIGHT and ATMA token rewards through the Diffusion Staking Basket program, to establish credibility and drive user engagement.<\/p>\n<p>The attackers have created a nearly identical replica of the official Eternl Desktop announcement, complete with messaging about hardware wallet compatibility, local key management, and advanced delegation controls. <\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh_Va7hh_vCFb0QWk2vz_GMU1XDFeUVk5dTlJGDuTKeqwgwILJwf-52ZyiObf568NmuCmUcvFwOgGpTkDvsuyduT-KfGSYvicFVJKIAZiThXQslVq-ARFu6q0-7VAwhFkvWG7W8Az8DhvNJ9AR1HQa3H2ijTgDwpsMV4jctfnd1vY9QToWRh0bH3rzAOek\/s16000\/New%2520infrastructure%2520%2B%2520wallet%2520software%2520%2B%2520MSI%2520installer%2520is%2520a%2520high-risk%2520combination%2520%28Source%2520-%2520Malwr-analysis.com%29.webp?ssl=1\" alt=\"New infrastructure + wallet software + MSI installer is a high-risk combination (Source - Malwr-analysis.com)\"><\/figure>\n<p>The email maintains a polished, professional tone with proper grammar and no visible spelling errors, making it particularly effective at deceiving community members. <\/p>\n<p>The campaign uses a newly registered domain, download.eternldesktop.network, to distribute a malicious installer package without any official verification or digital signature validation.<\/p>\n<p>Independent threat hunter and malware analyst Anurag <a href=\"https:\/\/malwr-analysis.com\/2025\/12\/31\/rmm-abuse-in-a-crypto-wallet-distribution-campaign\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> the malicious installer through detailed technical examination, revealing that the seemingly legitimate Eternl.msi file contains a hidden LogMeIn Resolve remote management tool bundled within its installation package. <\/p>\n<p>This discovery exposed a significant supply-chain abuse attempt aimed at establishing persistent unauthorized access on victim systems.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-malicious-msi-installer\"><strong>Malicious MSI installer<\/strong><\/h2>\n<p>The malicious MSI installer, measuring 23.3 megabytes with hash 8fa4844e40669c1cb417d7cf923bf3e0, actually drops an executable called unattended-updater.exe bearing the original filename GoToResolveUnattendedUpdater.exe. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhNpLK-D9lvgmz2zybxzLRTf5xq2TYbi-hnW9UvLI3JWDXuOcqfkVwiDQflt7vetsNFII64xkJ4nDMPGr273LNZBFwX6FyjYIgzhh8RZ86ThsOkgHqhkFrVNlI6GuAQnz4p0-1JvghlTT2by5ub-lUnFj3YjUVINFEnoHDijCJ5qyAOpGBylZNzZPgBM-8\/s16000\/Domain%2520Information%2520%28Source%2520-%2520Malwr-analysis.com%29.webp?ssl=1\" alt=\"Domain Information (Source - Malwr-analysis.com)\"><figcaption class=\"wp-element-caption\">Domain Information (Source \u2013 Malwr-analysis.com)<\/figcaption><\/figure>\n<\/div>\n<p>During runtime analysis, this executable creates a uniquely identified folder structure under the system\u2019s Program Files directory and writes multiple configuration files including unattended.json, logger.json, mandatory.json, and pc.json. <\/p>\n<p>The unattended.json configuration file enables remote access functionality without requiring user interaction or awareness.<\/p>\n<p>The dropped executable attempts to establish connections to infrastructure associated with legitimate GoTo Resolve services, including devices-iot.console.gotoresolve.com and dumpster.console.gotoresolve.com. <\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/analyzing-malwares-network-traffic\/\" target=\"_blank\" rel=\"noreferrer noopener\">Network analysis<\/a> reveals the malware transmits system event information in JSON format to remote servers using hardcoded API credentials, establishing a communication channel for command execution and system monitoring. <\/p>\n<p>Security researchers classify this behavior as critical because remote management tools provide threat actors with capabilities for long-term persistence, remote command execution, and credential harvesting once installed on victim systems.<\/p>\n<p>This campaign demonstrates how <a href=\"https:\/\/cybersecuritynews.com\/preventing-phishing-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">cryptocurrency<\/a> governance narratives and legitimacy-lending ecosystem references are weaponized to distribute covert access tools. <\/p>\n<p>Users should verify software authenticity through official channels only and avoid downloading wallet applications from unverified sources or newly registered domains, regardless of how polished the distribution emails appear.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 90%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in\u00a0<a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google<\/a>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/potential-wallet-phishing-campaign-targets-cardano-users\/\">Potential Wallet Phishing Campaign Targets Cardano Users via \u2018Eternl Desktop\u2019 Announcement<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/potential-wallet-phishing-campaign-targets-cardano-users\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Potential Wallet Phishing Campaign Targets Cardano Users via \u2018Eternl Desktop\u2019 Announcement A sophisticated phishing campaign is currently circulating within the Cardano community, posing significant risks to users seeking to download the newly announced Eternl Desktop application. The attack leverages a professionally crafted email claiming to promote a legitimate wallet solution designed for secure Cardano token [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-9627","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9627"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9627"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9627\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}