Threat Actors Leveraging Reddit Posts To Actively Spread AMOS and Lumma Stealers

A sophisticated malware campaign is currently targeting cryptocurrency enthusiasts on Reddit, offering fake “cracked” versions of the popular trading platform TradingView.

The malicious actors are distributing two dangerous data stealers—AMOS for macOS users and Lumma Stealer for Windows users—through seemingly helpful posts on cryptocurrency trading subreddits.

The threat actors create legitimate-looking Reddit posts claiming to provide free lifetime access to premium TradingView features.


These posts include download links for both Windows and macOS, directing users to a compromised website belonging to a Dubai cleaning company rather than common file-sharing platforms.

The scammers employ social engineering tactics by actively engaging with the Reddit community, responding to user questions and offering “helpful” advice when victims encounter security warnings, encouraging them to bypass these critical safeguards.

Malwarebytes researchers noted that both malware variants are distributed in password-protected zip files, a common tactic used to evade security scanners.

The password for unpacking these archives is consistently provided as “github” to appear legitimate while tricking security systems.
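The password-protected archive is the part of the delivery chain a scanner actually meets first, so it is worth seeing what it can and cannot learn from one. The following Python is an added example written for this page, not code from Malwarebytes or from the article; the archive it builds is constructed (a zip written with the standard library whose "encrypted" flag bit is then set by hand, so no real password exists), and the member name "TradingView.exe" and the extension shortlist are assumptions for the demonstration. The point it shows is that zip encryption protects only member data: the central directory still exposes every file name, size and the encryption flag, so a scanner that cannot open the contents can still flag an executable hiding inside a "protected" archive.

```python
import io
import os
import struct
import zipfile

# Extensions worth flagging when they appear inside an archive a scanner
# cannot open (hypothetical shortlist for this example).
SUSPICIOUS_EXTENSIONS = {".exe", ".bat", ".cmd", ".scr", ".vbs", ".js", ".dmg", ".pkg"}


def build_sample_archive(member_name: str = "TradingView.exe",
                         mark_encrypted: bool = True) -> bytes:
    """Constructed sample: write an ordinary zip with the stdlib, then set the
    'encrypted' bit (bit 0 of the general-purpose flag) in both the local file
    header and the central directory entry. No real cipher is applied; the
    archive merely presents itself as password-protected, which is all a
    scanner sees before it gives up on the contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 30)  # placeholder bytes, not a real PE
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header: signature(4) + version needed(2) -> flags at offset 6.
        assert data[:4] == b"PK\x03\x04"
        flags = struct.unpack_from("<H", data, 6)[0] | 0x0001
        struct.pack_into("<H", data, 6, flags)
        # Central directory entry: signature(4) + version made by(2)
        # + version needed(2) -> flags at offset 8.
        cd = data.rfind(b"PK\x01\x02")
        flags = struct.unpack_from("<H", data, cd + 8)[0] | 0x0001
        struct.pack_into("<H", data, cd + 8, flags)
    return bytes(data)


def triage_archive(data: bytes) -> dict:
    """What a scanner can still learn from a password-protected zip: entry
    names, sizes and the encryption flag live in the clear in the central
    directory even when the member data does not."""
    report = {"encrypted_entries": [], "cleartext_entries": [], "executable_names": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            bucket = "encrypted_entries" if info.flag_bits & 0x0001 else "cleartext_entries"
            report[bucket].append(info.filename)
            if os.path.splitext(info.filename)[1].lower() in SUSPICIOUS_EXTENSIONS:
                report["executable_names"].append(info.filename)
    report["contents_scannable"] = not report["encrypted_entries"]
    return report


def content_is_readable(data: bytes, name: str) -> bool:
    """True if the member can be read without a password, i.e. a content
    scanner could actually inspect it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(name)
            return True
        except RuntimeError:  # zipfile: "File ... is encrypted, password required"
            return False


if __name__ == "__main__":
    sample = build_sample_archive()
    print(triage_archive(sample))
    print("readable without password:", content_is_readable(sample, "TradingView.exe"))
```

A mail or download gateway that applies this rule ("encrypted archive whose listing contains an executable") catches the delivery pattern described above without needing the password at all; the trade-off is that legitimate encrypted archives carrying installers will also be held for review.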

Spreading AMOS and Lumma Stealers

The researchers discovered that the macOS version delivers AMOS (Atomic Stealer), which contains anti-VM detection capabilities to evade analysis.

The malware checks for virtual machine environments with code like:

    osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\"
    if memData contains \"QEMU\" or memData contains \"VMware\" then
        do shell script \"exit 42\"
    else
        do shell script \"exit 0\"
    end if"

The script reads the memory hardware description reported by system_profiler and looks for a hypervisor vendor name in it; an exit status of 42 signals that one was found, so the stealer can stop before it runs inside an analysis sandbox, while 0 lets it continue on a real host.

AMOS stealer script (Source – MalwareBytes)

This script shows the VM detection logic and data exfiltration functionality.

For Windows users, the payload is distributed via an obfuscated batch file named “Costs.tiff.bat” that executes a malicious AutoIt script.

This Lumma Stealer variant communicates with a command and control server at cousidporke[.]icu, a domain registered approximately one week ago with Russian attribution.

Windows payload (Source – MalwareBytes)

The Windows payload screenshot shows the obfuscated batch file's execution path.
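Both halves of the campaign leave behaviour that is easy to match in endpoint and DNS telemetry: the macOS side runs osascript against system_profiler SPMemoryDataType and compares the result with hypervisor names, and the Windows side drops a double-extension batch file ("Costs.tiff.bat") and resolves the command-and-control domain cousidporke[.]icu. The following Python is an added example for this page, not code from Malwarebytes or the article. The indicators are the ones named above; the JSON-lines events it sweeps are constructed samples with assumed field names (host, type, cmdline, path, query), not real telemetry, and the list of document-looking extensions in the double-extension rule is a hypothetical shortlist.

```python
import json
import re

# Indicators from the article. The C2 domain is stored defanged and refanged
# once for matching, so the defanged form is what appears in this source file.
C2_DOMAIN = "cousidporke[.]icu".replace("[.]", ".")
HYPERVISOR_MARKERS = ("qemu", "vmware")
# A document/image-looking name that really ends in a script extension,
# e.g. "Costs.tiff.bat" (hypothetical extension shortlist).
DOUBLE_EXT = re.compile(
    r"\.(?:tiff?|jpe?g|png|gif|pdf|docx?|xlsx?)\.(?:bat|cmd|vbs|js|ps1|scr|exe)$", re.I)


def is_amos_vm_check(cmdline: str) -> bool:
    """AMOS-style VM probe: osascript runs system_profiler SPMemoryDataType and
    compares the memory vendor text against hypervisor names."""
    c = cmdline.lower()
    return ("osascript" in c and "spmemorydatatype" in c
            and any(m in c for m in HYPERVISOR_MARKERS))


def is_double_extension_script(path: str) -> bool:
    """True for a basename such as 'Costs.tiff.bat'; a plain 'Costs.tiff' is fine."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return DOUBLE_EXT.search(name) is not None


def is_c2_lookup(qname: str) -> bool:
    """Exact match or subdomain of the campaign's C2 domain."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


# rule name, event field the rule reads, predicate
RULES = {
    "process": [("amos_vm_check", "cmdline", is_amos_vm_check)],
    "file":    [("double_extension_script", "path", is_double_extension_script)],
    "dns":     [("c2_dns_lookup", "query", is_c2_lookup)],
}


def sweep(jsonl: str) -> list:
    """Return sorted, de-duplicated (host, rule) pairs for events that trip a rule."""
    hits = set()
    for raw in jsonl.strip().splitlines():
        ev = json.loads(raw)
        for rule, field, check in RULES.get(ev.get("type"), []):
            if check(ev.get(field, "")):
                hits.add((ev["host"], rule))
    return sorted(hits)


# Constructed sample telemetry (not real logs). The first cmdline is the
# article's AppleScript one-liner; the others are benign look-alikes.
SAMPLE_LOG = r"""
{"host": "mac-01", "type": "process", "cmdline": "osascript -e \"set memData to do shell script \\\"system_profiler SPMemoryDataType\\\" if memData contains \\\"QEMU\\\" or memData contains \\\"VMware\\\" then do shell script \\\"exit 42\\\" else do shell script \\\"exit 0\\\" end if\""}
{"host": "mac-02", "type": "process", "cmdline": "osascript -e 'display notification \"Build finished\"'"}
{"host": "win-07", "type": "file", "path": "C:\\Users\\trader\\Downloads\\Costs.tiff.bat"}
{"host": "win-07", "type": "dns", "query": "cousidporke.icu"}
{"host": "win-08", "type": "file", "path": "C:\\Users\\analyst\\Pictures\\Costs.tiff"}
{"host": "win-08", "type": "dns", "query": "www.tradingview.com"}
"""

if __name__ == "__main__":
    for host, rule in sweep(SAMPLE_LOG):
        print(f"{host}: {rule}")
```

The process rule keys on the combination (osascript plus SPMemoryDataType plus a hypervisor name) rather than on osascript alone, which is why the benign notification script on mac-02 is not reported; the domain rule is the only one tied to this specific campaign, and a newly registered domain like this one is the indicator most likely to change between waves.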

Victims of these attacks have reported emptied cryptocurrency wallets, followed by account takeovers where attackers impersonate them to spread phishing links to their contacts, creating a chain of compromises.

The researchers warn users to be suspicious of offers for free premium software, especially when instructed to disable security software or when files are password-protected.

Cryptocurrency traders should exercise particular caution when downloading trading tools from unofficial sources.


Tushar Subhra Dutta