According to a recent report published by Dutch mobile security firm ThreatFabric, there is a new advanced piece of malware called "RatOn" posing a threat to cryptocurrency wallets.

This is a sophisticated new type of RAT (Remote Access Trojan), which makes it possible for attackers to take over an infected device remotely.

RatOn combines attack techniques from several malware families, which makes it more dangerous than run-of-the-mill banking trojans.

How it works

The new malware was first seen in June 2025, and it became increasingly active throughout August.

It supports multiple languages on top of English, including Czech and Slovak.

What makes RatOn increasingly dangerous is that this sort of malware is not widely detected by antivirus engines.

Are crypto holders at risk?

Notably, RatOn is specifically targeting popular cryptocurrency wallets, such as MetaMask, Trust Wallet, Phantom and Blockchain.com.

The new malware automates the steps that are needed for hijacking a new cryptocurrency wallet.

It launches the wallet app on the victim's phone and uses stolen PINs that were captured earlier with keylogging or overlays.

The malware then helps the attacker to automatically navigate the interface of the app and reveal the secret recovery phrase.