Meeten Malware Exploits Meeting Apps To Target Crypto Wallets

A new malware campaign dubbed “Meeten” is targeting Web3 professionals using a fake meeting application to steal sensitive data and cryptocurrency.

In a Rush? Here are the Quick Facts!

  • Meeten malware targets Web3 workers, stealing cryptocurrency and sensitive data.
  • Threat actors use AI-generated content to create fake, convincing corporate websites.
  • The malware has both macOS and Windows variants for cross-platform attacks.

Discovered by Cado Security Labs, the malware operates across macOS and Windows platforms and is part of a sophisticated phishing scam designed to appear legitimate through the use of AI-generated content.

The attackers behind Meeten pose as representatives of a fake company, “Meetio,” which has operated under multiple aliases, including Clusee and Meeten.gg.

To lure victims, the scammers create professional-looking websites, complete with AI-generated blogs and social media profiles, to establish credibility.

Victims are typically approached via Telegram, often by someone impersonating a known contact, and are invited to discuss business opportunities through a video call.

The victim is directed to download the “Meeten” meeting application from the fake company’s website. However, instead of a legitimate conferencing tool, the application is an information stealer.

The malware is designed to exfiltrate cryptocurrency, browser credentials, and sensitive personal information.

In some instances, the scammers demonstrate extensive planning by sending victims investment presentations from the victims’ own companies, further convincing them that the approach is legitimate.

Victims report losing cryptocurrency and other financial assets after downloading the application.

Notably, the Meeten websites also embed JavaScript capable of stealing cryptocurrency stored in browsers, even if the malware itself is not installed. This demonstrates the layered nature of the attack, where victims’ assets can be compromised at multiple stages.

The macOS variant of Meeten disguises itself as a 64-bit Rust binary called “fastquery.” Once executed, it requests the user’s password via a pop-up under the guise of a connection error.

The malware then searches for sensitive information, including browser cookies, autofill credentials, and wallet data from popular crypto wallets such as Ledger and Trezor. The stolen data is packaged into a zip file and sent to a remote server.
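The collect, archive and send sequence described above can be hunted for in endpoint telemetry. The sketch below is an added example, not code from Cado Security Labs or from this article. The event schema, the path patterns, the 300-second window and the sample events are all assumptions constructed for illustration.

```python
import re
# Path patterns and the window are illustrative assumptions, not IoCs from the article.
STORES = {
    "browser": re.compile(r"/(Cookies|Login Data|Web Data)$"),
    "wallet": re.compile(r"/(Ledger Live|@trezor)/", re.I),
}
WINDOW = 300  # seconds allowed between the oldest stage and the upload


def classify(event):
    """Map one telemetry event to a stage of the collect -> zip -> send chain."""
    action, target = event["action"], event["target"]
    if action == "file_read":
        return next((n for n, rx in STORES.items() if rx.search(target)), None)
    if action == "file_write" and target.lower().endswith(".zip"):
        return "archive"
    return "upload" if action == "net_connect" else None


def find_stealer_chains(events):
    """Return (pid, proc) keys that read browser AND wallet stores, then wrote
    a zip, then opened a network connection, all within WINDOW seconds."""
    seen, hits = {}, []  # seen: (pid, proc) -> {stage: latest timestamp}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        key = (ev["pid"], ev["proc"])
        stages = seen.setdefault(key, {})
        if stage == "upload":
            recent = "archive" in stages and ev["ts"] - min(stages.values()) <= WINDOW
            if recent and key not in hits:
                hits.append(key)
            continue
        if stage == "archive" and not {"browser", "wallet"} <= set(stages):
            continue  # a zip written before both stores were read is not this chain
        stages[stage] = ev["ts"]
    return hits


# Constructed sample telemetry (ts, pid, proc, action, target); not real logs.
HOME = "/Users/a/Library/Application Support"
SAMPLE = [dict(zip(("ts", "pid", "proc", "action", "target"), row)) for row in [
    (10, 4242, "fastquery", "file_read", HOME + "/Google/Chrome/Default/Cookies"),
    (12, 4242, "fastquery", "file_read", HOME + "/Ledger Live/app.json"),
    (20, 4242, "fastquery", "file_write", "/tmp/out.zip"),
    (25, 4242, "fastquery", "net_connect", "203.0.113.10:443"),
    (11, 100, "Google Chrome", "file_read", HOME + "/Google/Chrome/Default/Cookies"),
    (13, 100, "Google Chrome", "net_connect", "198.51.100.7:443"),
]]
```

Calling `find_stealer_chains(SAMPLE)` flags only the process that touched both store types before archiving and connecting out; the browser reading its own cookie file does not match.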

The Windows version of Meeten uses an Electron-based application structure to target data from browsers, Telegram credentials, and crypto wallets. It also employs advanced techniques like compiling JavaScript into bytecode to evade detection.

The use of AI in this campaign highlights the increasing sophistication of cyber threats.

AI-generated content adds a veneer of legitimacy, making it harder for users to detect fraudulent websites. This represents a growing trend where AI is used not just for malware development but also to craft convincing social engineering campaigns.

One reported scam involved a victim being contacted by a Telegram account mimicking an acquaintance, complete with a seemingly genuine investment presentation. Once trust was established, the victim was directed to the Meeten website, which hosted the malware.

To avoid falling victim, users are urged to verify the authenticity of business contacts. Always cross-check website URLs, avoid downloading software from unverified sources, and maintain strict cybersecurity practices.
