Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware

Needle is a modular Malware-as-a-Service platform that steals cryptocurrency through two delivery vectors: a browser-extension spoofer that impersonates MetaMask, Phantom and Trust Wallet, and a Rust-based desktop agent that impersonates the Exodus, Trezor and Ledger applications.

The campaign compromised 1,932 victims: 111 browser-extension users and 1,821 desktop sessions.

The Rust agent embedded its C2 API key in the binary without any protection. Because every infected machine shared that one credential, anyone who extracted it could enumerate all victims and read the withdrawal configurations across six blockchains. The panel's React single-page application performed authentication entirely client-side, so the same credential the agents used could in principle also be used to redirect future auto-withdrawals.

The operator's EVM hot wallet moved approximately $148 in ETH to cold storage.

Infrastructure is hosted on ASN 202412, a known bulletproof hosting provider in Amsterdam.
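The weakness that exposed this operation, a credential baked into the agent binary, is the kind of thing a practitioner checks for with a strings-plus-entropy scan. The script below is an added example, not code from the Needle report or from the malware; the sample blob, the endpoint, the header name and the token value are all constructed for the demonstration and are not indicators from this pulse. It extracts token-like runs from raw bytes, keeps those whose Shannon entropy looks like a random key, and records whether a credential hint (such as an API-key header name) sits just before the run.

```python
"""Entropy-plus-context scan for credentials embedded in a binary.

Added example, not code from the Needle report or its authors. The sample
blob, the C2 URL, the header name and the token are constructed for this
demonstration and are not indicators from the pulse.
"""
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the read-only data of a stripped Rust binary.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 24
    + b"Content-Type: application/json\x00"
    + b"https://api.c2.invalid/v1/victims\x00"        # assumed C2 endpoint (made up)
    + b"x-api-key\x00"                                 # header name next to the key
    + b"q7Vf3ZpL9mXw2KtR8sNb4HyJ6cGdE1Ua\x00"         # constructed 32-char token
    + b"called `Option::unwrap()` on a `None` value\x00"  # typical Rust panic text
    + b"a" * 40 + b"\x00"                              # long but low-entropy padding
)

# Strings that commonly sit next to a hardcoded credential in a binary.
CREDENTIAL_HINTS = (b"api_key", b"apikey", b"x-api-key", b"authorization",
                    b"bearer", b"token", b"secret")

# Base64/base62-style runs of at least 20 characters. URLs and prose break
# on ':', '.', spaces and quotes, so they rarely match as a whole.
TOKEN_RE = re.compile(rb"[A-Za-z0-9_\-+/=]{20,}")


@dataclass
class Candidate:
    offset: int
    value: str
    entropy: float
    hint: Optional[str]   # credential hint found just before the run, if any


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the run; random base62 tokens sit above ~4.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def nearby_hint(blob: bytes, offset: int, window: int = 64) -> Optional[str]:
    """Return the first credential hint in the bytes just before `offset`."""
    context = blob[max(0, offset - window):offset].lower()
    for hint in CREDENTIAL_HINTS:
        if hint in context:
            return hint.decode()
    return None


def find_embedded_secrets(blob: bytes, entropy_threshold: float = 3.5) -> list:
    """Flag token-like runs whose entropy looks like key material.

    Low-entropy runs (padding, repeated characters) are dropped even when a
    hint is nearby; high-entropy runs are kept even without a hint, since the
    hint only raises confidence that the run is a credential.
    """
    found = []
    for m in TOKEN_RE.finditer(blob):
        run = m.group()
        ent = shannon_entropy(run)
        if ent < entropy_threshold:
            continue
        found.append(Candidate(m.start(), run.decode(), round(ent, 3),
                               nearby_hint(blob, m.start())))
    return found


if __name__ == "__main__":
    for c in find_embedded_secrets(SAMPLE_BINARY):
        print(f"0x{c.offset:06x} entropy={c.entropy:.2f} hint={c.hint!r} {c.value}")
```

Against the constructed blob only the 32-character token survives: the URL and the panic message are split by punctuation before they reach 20 characters, and the 40-byte padding run fails the entropy test. On a real sample, run it over each section of the unpacked binary and treat a high-entropy run with an adjacent hint as the first thing to rotate or revoke.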

Pulse ID: 6a0198399994be750fe044cd
Pulse Link: https://otx.alienvault.com/pulse/6a0198399994be750fe044cd
Pulse Author: AlienVault
Created: 2026-05-11 08:50:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BlockChain #Browser #CyberSecurity #Edge #InfoSec #Mac #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Rust #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange
