
Cryptocurrency companies are being targeted in a new campaign that delivers a remote access trojan called Parallax RAT. The malware uses advanced injection techniques to hide within legitimate processes, making it difficult to detect. Once it has been successfully injected, attackers can interact with their victim via Windows Notepad, which serves as a communication channel.

According to a report by cybersecurity firm Uptycs, Parallax RAT grants attackers remote access to victim machines. It comes with features to upload and download files, record keystrokes, and capture screenshots. The RAT has been in use since early 2020 and was previously delivered via COVID-19-themed lures.

In February 2022, cybersecurity firm Proofpoint detailed an activity cluster dubbed TA2541, which targeted aviation, aerospace, transportation, manufacturing, and defense industries using different RATs, including Parallax RAT. The first payload is a Visual C++ malware that employs the process hollowing technique to inject Parallax RAT into a legitimate Windows component called pipanel.exe.

Parallax RAT, besides gathering system metadata, is also capable of accessing data stored in the clipboard and even remotely rebooting or shutting down the compromised machine.

One notable aspect of the attacks is the use of the Notepad utility to initiate conversations with the victims and instruct them to connect to an actor-controlled Telegram channel.
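The two behaviours described above, hollowing into pipanel.exe and the Notepad conversation window, can be turned into a simple hunting heuristic over process-creation telemetry. The following is an added example, not code from the Uptycs report: field names follow Sysmon process-creation events, and the sample events, the file paths, and the assumption that Notepad is launched by the injected process are constructed for illustration.

```python
# Added example: triage of process-creation events (Sysmon Event ID 1 style fields).
# All sample events and paths below are constructed for illustration.
import ntpath

# Directories a phishing-delivered loader typically runs from (heuristic, tune per estate).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def basename(path):
    return ntpath.basename(path).lower()

def triage(events):
    """Return (pid, reason) findings for events matching the described behaviour."""
    findings = []
    for ev in events:
        image = basename(ev.get("Image", ""))
        parent = ev.get("ParentImage", "").lower()
        # Process hollowing starts the host process from the loader itself,
        # so the loader appears as the parent of pipanel.exe.
        if image == "pipanel.exe" and any(d in parent for d in USER_WRITABLE):
            findings.append((ev["ProcessId"], "pipanel.exe started from user-writable path"))
        # Assumption: the Notepad window is started by the injected process.
        if image == "notepad.exe" and basename(parent) == "pipanel.exe":
            findings.append((ev["ProcessId"], "notepad.exe spawned by pipanel.exe"))
    return findings

SAMPLE_EVENTS = [  # constructed
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\pipanel.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"ProcessId": 4388, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\System32\pipanel.exe"},
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(pid, reason)
```

Parent/child lineage alone can be spoofed, so findings from a rule like this are leads to confirm with memory or module inspection of the flagged process.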

Uptycs’ analysis of the Telegram chat reveals that the threat actor has an interest in crypto companies such as investment firms, exchanges, and wallet service providers. The attackers search public sources such as DNSdumpster to identify mail servers belonging to the targeted companies via their mail exchanger (MX) records, then send phishing emails bearing the Parallax RAT malware.

The development comes as Telegram is increasingly becoming a hub for criminal activities, enabling threat actors to organize their operations, distribute malware, and facilitate the sale of stolen data and other illegal goods. One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption and the ability to create channels and large private groups, making it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform.

In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations. As a result, Telegram has become a popular platform for cybercriminals to carry out their nefarious activities.

Given the increasing use of cryptocurrencies and the rising value of digital assets, it is not surprising that crypto companies are being targeted by cybercriminals. These companies often hold large amounts of digital assets and may have less robust cybersecurity measures in place than traditional financial institutions.

As a result, it is crucial for these companies to implement robust cybersecurity measures to protect their assets and their customers’ data. This includes implementing multi-factor authentication, conducting regular security assessments, and ensuring that all employees receive regular security training.

In conclusion, the Parallax RAT campaign targeting cryptocurrency companies is yet another reminder of the evolving threat landscape facing businesses and individuals today. Cybercriminals are becoming increasingly sophisticated in their attacks, and it is crucial for organizations to remain vigilant and take proactive measures to protect their assets and data.

CryptoArmor is a cybersecurity company based in Austin, Texas. CryptoArmor offers advanced cybersecurity protection for Digital Asset Firms, Crypto Mining Companies, and Financial Institutions. Protection Against Tomorrow’s Attacks. Today.
