Mars Stealer malware spread through fake Atomic Wallet site

MarsStealer Malware Fake Atomic Wallet Social Media Malvertising SEO Poisoning Fraud Prevention Cryptocurrency

Threat actors have been spotted operating a fake website that impersonates Atomic Wallet’s official portal to spread the Mars Stealer infostealer malware toward their targeted victims.

Being one of the most popular decentralised wallets and cryptocurrency exchange portals, Atomic Wallet became a new target of threat actors to abuse and clone, aiming to spread malware. The researchers’ observations show that the fake website has used official logos, marketing photos, themes, and website structure of the real Atomic Wallet portal.

The analysts added that if the targeted victims are unfamiliar with the legitimate Atomic Wallet site, they could be easily tricked. Social media malvertising, direct messages, SEO poisoning, or email spamming are some ways that analysts see how the hackers target their victims.

Inside the fake Atomic Wallet portal, the visitors will be presented with three download buttons they can choose from, including Windows, Android, and iOS versions. However, only the button for Windows would download the malware onto the computer since the two buttons would redirect the visitors to authentic download locations.


This situation implies that only users attempting to download the Atomic Wallet app on their computers would be infected with Mars Stealer.


A ZIP file named ‘Atomic Wallet[.]zip’ will be downloaded on the victim’s computer upon clicking the Windows button on the malicious site.

During the analysis of the ZIP file, the experts explained that it contains a batch file named ‘AtomicWallet-Setup[.]bat,’ which triggers a PowerShell command that elevates the malware’s privileges on the compromised system. It will copy the PowerShell executable in the computer’s directory, rename it, and hide it, which will then be used in executing a base64-encoded PowerShell content.

Few other critical steps will be performed to install the malicious payload on the compromised device, including downloading a Mars Stealer copy from a Discord server to be dropped on the computer’s local app data folder.

Once launched, it will begin its activities, including stealing account credentials from several web browsers, crypto assets, and 2FA plugins.

Since more and more individuals are drawn to investing in cryptocurrency platforms, cybersecurity experts stress the importance of downloading wallet applications only from official portals and websites.

About the author

Leave a Reply