Interestingly, this Trojan is being distributed through pirated disk images and masquerades as an activator. Once it is executed, it prompts the user to copy the application data to the Applications folder and then, after the user clicks the PATCH button, asks for the system password.
To deceive users further, the fake activator installs a Python 3.9.6 package. Once deployed, the Trojan discreetly downloads an encrypted script that gives the attacker control.
As part of this sinister strategy, the scammer replaces the icon of a legitimate cryptocurrency wallet with that of a counterfeit one. Unsuspecting victims are duped into launching the fraudulent application and unknowingly providing their wallet credentials, resulting in the theft of their cryptocurrency holdings.
To avoid falling victim to such attacks, Kaspersky Lab advises users to exclusively download applications from official stores, use robust and unique passwords, and regularly update them. The company has also raised concerns about the growing number of asset thefts from cryptocurrency investors in Russia.
