In wallets
Once the malicious package is installed, it scans the device for installed cryptocurrency wallets, Atomic and Exodus in particular. If it finds one, the malware extracts the application files to a temporary folder, injects malicious code into them, and repackages them so that they appear intact and unmodified.
Replacing addresses and transferring funds to attackers
The danger of this attack lies in its modification of the wallet code that handles sending operations: the recipient's address is replaced with an address controlled by the attacker, and the substituted address is stored base64-encoded to conceal it within the code.
The transaction appears normal in the wallet interface, while the funds go to a malicious address without the user's knowledge.
No visible indicators of compromise
One of the most concerning aspects is that the user does not notice any changes in the user interface or during the transaction execution. There are no warning messages or signs indicating manipulation.
The problem is only discovered when the transaction details are reviewed on the blockchain, which reveals that the funds were sent to an unknown address.
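Because the wallet interface shows nothing unusual, the two practical defences are checking the integrity of the wallet's application files against known-good digests and looking for the tell-tale pattern the article describes: a recipient address hidden as a base64 string literal inside the sending code. The following is an added example written for this page (it is not code from the article, from Atomic, or from Exodus). It assumes the wallet's sending logic is plain JavaScript text that can be read from disk; the bundle snippets, the address and the digests are all constructed for the demo.

```python
"""Defender-side checks for a tampered wallet bundle (added example, constructed data).

1. find_hidden_addresses(): flag quoted base64 literals that decode to a
   cryptocurrency address, the concealment pattern the article describes.
2. check_integrity(): compare a file's SHA-256 against a known-good digest.
"""
import base64
import binascii
import hashlib
import hmac
import re

# Quoted base64-looking literals of 20+ characters. A base58 address is at
# least 26 characters, so its base64 form is at least 36; 20 keeps the net
# wide enough for shorter address formats on other chains.
BASE64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')

# Address shapes for common chains; matched against the DECODED text only.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def decode_if_address(literal: str):
    """Return (chain, decoded_text) if the base64 literal decodes to an address, else None."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain, text
    return None


def find_hidden_addresses(source: str):
    """Scan JavaScript source text and report base64 literals hiding an address."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in BASE64_LITERAL.finditer(line):
            hit = decode_if_address(match.group(1))
            if hit:
                findings.append(
                    {"line": lineno, "chain": hit[0], "address": hit[1], "literal": match.group(1)}
                )
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if the file's digest matches the known-good digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


# --- Constructed sample data (not real wallet code, not a real address) ---
CONSTRUCTED_ADDRESS = "1DemoConstructedAddrNotRea1xyz7kQ"  # base58-shaped, constructed for the demo
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_ADDRESS.encode()).decode()

CLEAN_BUNDLE = "function send(to, amount) { return broadcast({to: to, amount: amount}); }"
TAMPERED_BUNDLE = (
    "function send(to, amount) {\n"
    f'  var t = atob("{CONSTRUCTED_B64}");\n'  # recipient silently swapped for a hidden address
    "  return broadcast({to: t, amount: amount});\n"
    "}"
)
KNOWN_GOOD_DIGEST = sha256_hex(CLEAN_BUNDLE.encode())  # stands in for a vendor-published digest


if __name__ == "__main__":
    for name, bundle in (("clean", CLEAN_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        ok = check_integrity(bundle.encode(), KNOWN_GOOD_DIGEST)
        print(f"{name}: integrity {'OK' if ok else 'MISMATCH'}")
        for f in find_hidden_addresses(bundle):
            print(f"  line {f['line']}: base64 literal decodes to {f['chain']} address {f['address']}")
```

The integrity check is the stronger control, since it catches any modification of the file; the literal scan is a cheap triage step that explains what changed when the digest does not match. In practice the known-good digest must come from the wallet vendor or from a copy taken before the package was installed, not from the files currently on disk.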