Phishing Scam Using TRUMP Coins Leads to Remote Takeover via ConnectWise RAT

Listen to this Post

In a recent phishing campaign targeting unsuspecting cryptocurrency users, hackers have exploited a counterfeit Binance offer of “free TRUMP Coins” to infect victims with a remote access tool (RAT), namely ConnectWise, which allows the attackers to hijack the victim’s computer. The attack, as detailed in a Flash Alert by Cofense Intelligence, uses cleverly crafted emails with Binance’s branding to convince users to download malicious software, ultimately leading to the installation of the RAT and the hijacking of the system.

the Attack

The phishing email purports to be from Binance, the popular cryptocurrency exchange, and offers recipients up to 2000 TRUMP Coins upon completion of a series of “special trading tasks.” The email contains several trust-building elements, such as an offer to prevent phishing and warnings about the volatility of cryptocurrency markets. These features are designed to make the email appear legitimate and authentic.

The email urges recipients to download tasks, which could earn them 500 TRUMP Coins. Clicking the download button leads them to a fake Binance page where they are encouraged to download what seems to be a Binance Windows client. Instead, it’s actually the ConnectWise Remote Access Tool (RAT) disguised as the client, and it is sourced from the attackers’ Command and Control (C2) server.

Once the RAT is installed, the attacker gains remote control over the victim’s system within minutes. The URLs in the phishing campaign include variations of “binance-web3.com.ru,” making the scam appear more legitimate, especially the “binance-web3” part, even though the “.ru” domain could raise suspicions, particularly in NATO countries or the U.S.

What Undercode Says:

This phishing scheme highlights the dangerous blend of social engineering and technical deception that cybercriminals continue to use in targeting cryptocurrency enthusiasts. By leveraging the popularity of meme coins like TRUMP Coins, which are associated with a high-profile name (Donald Trump) and marketed as valuable despite their lack of utility, attackers are able to exploit both curiosity and greed. The cryptocurrency market’s volatility and the public’s eagerness for easy profits make it a fertile ground for these types of scams.

Binance, as a prominent exchange, is often used in phishing attacks because it is a well-known brand within the crypto space. However, the tactics employed in this attack, such as the fake tasks and the offer of up to 2000 TRUMP Coins, reflect how attackers exploit the psychology of their targets. The high reward promises lure victims in, making them more likely to ignore red flags.

What is particularly concerning here is the use of ConnectWise RAT. While ConnectWise itself is legitimate software designed for managed service providers (MSPs), it has been exploited by malicious actors in the past to remotely access victims’ systems. Once installed, the RAT allows attackers to steal sensitive data, monitor user activities, and potentially use the compromised machine for further attacks, such as ransomware deployment or as part of a botnet for launching DDoS attacks.

The deceptive URL trickery – the inclusion of “binance-web3.com.ru” – shows how subtle variations in domain names are used to mask the true nature of phishing websites. While the “.com” may appear familiar and secure, the “.ru” domain immediately suggests it could be based in Russia, which should raise suspicion for many users. In regions like the U.S. or NATO countries, these kinds of domains are often associated with malicious or suspicious activities.

The attackers’ manipulation of users’ trust is another striking feature of this campaign. By mimicking Binance’s official communications and even including warnings about phishing and the volatility of cryptocurrencies, the scam preys on users’ desire to avoid scams and make informed decisions in the cryptocurrency space. These trust-building tactics make the phishing attempt seem like a genuine offer, increasing the likelihood of success.

The TRUMP Coin aspect is an interesting inclusion because it plays into the meme coin phenomenon, where coins like Dogecoin or Shiba Inu have garnered significant attention and value through their association with internet culture and high-profile figures. By offering these coins as a reward, the attackers are tapping into this trend, which further lowers the skepticism of victims.

Fact Checker Results:

  1. The TRUMP Coin is indeed a meme coin, launched in January 2025 on the Solana blockchain, with no real utility beyond the meme culture associated with Donald Trump.
  2. Binance is a real and widely used cryptocurrency exchange, but the phishing email in question is not from Binance.
  3. ConnectWise is a legitimate software service used by MSPs, but it has been exploited in the past by cybercriminals for remote control attacks.

References:

Reported By: https://www.securityweek.com/trump-coins-used-as-lure-in-malware-campaign/
Extra Source Hub:
https://www.quora.com/topic/Technology
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp
💬 TelegramFeatured Image