{"id":48700,"date":"2026-04-22T09:35:28","date_gmt":"2026-04-22T09:35:28","guid":{"rendered":"http:\/\/localhost\/?p=48700"},"modified":"2026-04-22T09:35:28","modified_gmt":"2026-04-22T09:35:28","slug":"malicious-trading-website-drops-malware-that-hands-your-browser-to-attackers","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=48700","title":{"rendered":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-22T14:07:11&#8243;,&#8221;description&#8221;:&#8221;During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: **Needle Stealer**, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets.\\n\\nIn this case, attackers used a website promoting a tool called **TradingClaw** (`tradingclaw[.]pro`), which claims to be an AI-powered assistant for TradingView.\\n\\nTradingView is a legitimate platform used by traders to analyze financial markets, but this fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup `tradingclaw[.]chat`. Instead, it\u2019s being used here as a lure to trick people into downloading malware.\\n\\n## What is Needle Stealer?\\n\\nNeedle is a modular infostealer written in Golang. 
In simple terms, that means it\u2019s built in pieces, so attackers can turn features on or off depending on what they want to steal.\\n\\nAccording to its control panel, Needle includes:\\n\\n  * **Needle Core**: The main component, with features like form grabbing (capturing data you enter into websites) and clipboard hijacking\\n  * **Extension module**: Controls browsers, redirects traffic, injects scripts, and replaces downloads\\n  * **Desktop wallet spoofer**: Targets cryptocurrency wallet apps like Ledger, Trezor, and Exodus\\n  * **Browser wallet spoofer**: Targets browser-based wallets like MetaMask and Coinbase, including attempts to extract seed phrases\\n\\nThe panel also shows a \u201ccoming soon\u201d feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.\\n\\n![Needle Stealer panel](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-Needle-Panel.png)_Needle Stealer panel_\\n\\nIn this article, we analyze the distribution of the stealer through a fake website related to an AI service called **TradingClaw**. We have also seen the same stealer distributed by other malware, such as Amadey and GCleaner.\\n\\n## Analysis of the TradingClaw campaign\\n\\nIn this campaign, the malware is distributed through a fake website advertising TradingClaw as an AI trading tool.\\n\\n![Malicious TradingClaw website](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-1.jpeg)_Malicious TradingClaw website_\\n\\nThe site itself behaves selectively. In some cases, visitors are shown the fake TradingClaw page, while in others they are redirected to a different site (`studypages[.]com`). This kind of filtering is commonly used by attackers to avoid detection and only show the malicious content to intended targets. 
Search engines, for example, see the Studypages version:\\n\\n![Studypages fake page](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-studypages.png?w=1024)_Google results show the Studypages fake page_\\n\\nIf a user proceeds, they are prompted to download a ZIP file. This file contains the first stage of the infection chain.\\n\\nAs in the previous campaign, the attack relies on a technique called DLL hijacking. In simple terms, this means the malware disguises itself as a legitimate file that a trusted program will load automatically. When the program runs, it unknowingly executes the malicious code instead.\\n\\nIn this case, the DLL loader (named `iviewers.dll`) is executed first. It then loads a second-stage DLL, which ultimately injects the Needle Stealer into a legitimate Windows process (`RegAsm.exe`) using a technique known as process hollowing.\\n\\n![Needle Stealer injected in RegAsm.exe process](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-RegAsmprocess.png?w=1024)_Needle Stealer injected in RegAsm.exe process_\\n\\nThe stealer is developed in Golang, and most of the functions are implemented in the \u201cext\u201d package. 
\\n\\n![Part of the \u201cexe\u201d package](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-exepackage.png)_Part of the \u201cexe\u201d package_\\n\\n## What the malware does\\n\\nOnce installed, the Needle core module can:\\n\\n  * Take screenshots of the infected system\\n  * Steal browser data, including history, cookies, and saved information\\n  * Extract data from apps like Telegram and FTP clients\\n  * Collect files such as .txt documents and wallet data\\n  * Steal cryptocurrency wallet information\\n\\nOne of the more concerning features is its ability to install malicious browser extensions.\\n\\n## Malicious browser extensions\\n\\nThe stealer also supports the distribution of malicious browser extensions, giving attackers a powerful way to take control of the victim\u2019s browser.\\n\\nWe identified multiple variations of these extensions, each with slightly different file structures and components. Behind the scenes, the malware uses built-in Golang features to unpack a hidden ZIP archive (often named `base.zip` or `meta.zip`) that contains the extension files, along with a configuration file (`cfg.json`). 
\\n\\nPartial `cfg.json` config file:\\n    \\n    \\n    {\\n      \\&#8221;extension_host\\&#8221;: {},\\n      \\&#8221;api_key\\&#8221;: \\&#8221;\u2026\\n      \\&#8221;server_url\\&#8221;: \\&#8221;https:\/\/C2\/api\/v2\\&#8221;,\\n      \\&#8221;self_destruct\\&#8221;: true,\\n      \\&#8221;base_extension\\&#8221;: true,\\n      \\&#8221;ext_manifest\\&#8221;: {\\n        \\&#8221;account_extension_type\\&#8221;: 0,\\n        \\&#8221;active_permissions\\&#8221;: {\\n          \\&#8221;api\\&#8221;: [\\n            \\&#8221;history\\&#8221;,\\n            \\&#8221;notifications\\&#8221;,\\n            \\&#8221;storage\\&#8221;,\\n            \\&#8221;tabs\\&#8221;,\\n            \\&#8221;webNavigation\\&#8221;,\\n            \\&#8221;declarativeNetRequest\\&#8221;,\\n            \\&#8221;scripting\\&#8221;,\\n            \\&#8221;declarativeNetRequestWithHostAccess\\&#8221;,\\n            \\&#8221;sidePanel\\&#8221;\\n          ],\\n          \\&#8221;explicit_host\\&#8221;: [\\n            \\&#8221;\\u003call_urls\\u003e\\&#8221;\\n          ],\\n          \\&#8221;manifest_permissions\\&#8221;: [],\\n          \\&#8221;scriptable_host\\&#8221;: [\\n            \\&#8221;\\u003call_urls\\u003e\\&#8221;\\n          ]\\n        },\\n        \\&#8221;commands\\&#8221;: {\\n          \\&#8221;_execute_action\\&#8221;: {\\n            \\&#8221;was_assigned\\&#8221;: true\\n          }\\n        }, \\n    \u2026\\n\\nThis configuration file is key. It tells the malware where to send stolen data (the command-and-control server), which malicious extension to install, and which features to enable.\\n\\nThe stealer extension is dropped in a random folder in the path `%LOCALAPPDATA%\\\\Packages\\\\Extensions`. The folder contains three main files `popup.js`, `content.js`, and `background.js`. 
\\n\\n![The malicious extension dropped](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-extension.png)_The malicious extension dropped_\\n\\nThe extensions analyzed have Google-related names.\\n\\n![The fake malicious extension on Edge Browser](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/trading-claw-GO-translate.png)_The fake malicious extension on Edge Browser_\\n\\n## What the malicious extensions can do\\n\\nThe extension gives attackers near-full control over the browser, with capabilities that go far beyond typical malware.\\n\\nIt can:\\n\\n  * **Connect to a remote server** using a built-in API key and regularly check in for instructions. It can also switch to backup domains if the main server goes offline.\\n  * **Generate a unique ID** to track the infected user over time.\\n  * **Collect full browsing history** and send it to a remote server (`\/upload`).\\n  * **Monitor what you\u2019re doing in real time**, including which sites you visit, and apply attacker-controlled redirect rules. This allows it to silently send you to different websites or alter what you see on a page, including injecting or hiding content.\\n  * **Intercept downloads**, cancel legitimate files, and replace them with malicious ones from attacker-controlled servers.\\n  * **Inject scripts directly into web pages**, enabling further data theft or manipulation.\\n  * **Display fake browser notifications** with attacker-controlled text and images.\\n\\n* * *\\n\\n## How it communicates with attackers\\n\\nThe stealer and its extension communicate with command-and-control (C2) servers using several API endpoints. 
These are essentially different \u201cchannels\u201d used for specific tasks:\\n\\n  * `\/backup-domains\/active`\u2014retrieves backup servers to stay connected if the main one is blocked\\n  * `\/upload`\u2014sends stolen data back to the attackers\\n  * `\/extension`\u2014receives instructions for redirects, downloads, and notifications\\n  * `\/scripts`\u2014downloads malicious code to inject into web pages\\n\\n## How to stay safe\\n\\nScammers are increasingly using AI-themed tools to make fake websites look legitimate. In this case, a supposed \u201cAI trading assistant\u201d was used to trick people into installing malware.\\n\\nTo reduce your risk:\\n\\n  * **Download software only from official websites**. If a tool claims to work with a well-known platform, check the platform\u2019s official site to confirm it\u2019s real.\\n  * **Check who created the file before running it**. Look at the publisher name and avoid anything that looks unfamiliar or inconsistent.\\n  * **Review your browser extensions regularly**. Remove anything you don\u2019t recognize, especially extensions you didn\u2019t knowingly install.\\n\\n## What to do if you think you&#8217;ve been affected\\n\\nIf you think you may have downloaded this infostealer:\\n\\n  * Check EDR and firewall logs for communications with the C2s listed in the IOCs section below.\\n  * From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Change all passwords and enable 2FA for accounts you have accessed from this machine.\\n  * Check the folder `%LOCALAPPDATA%\\\\Packages\\\\Extensions` for dropped extension files, and review your browser for extensions you do not recognize.\\n  * If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. 
This is what these operators monetize first.\\n  * Run a full scan with Malwarebytes.\\n\\n## Indicators of Compromise (IOCs)\\n\\n**Hashes**\\n\\n`95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed`\\n\\n`0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0`\\n\\n**Domains**\\n\\n`Tradingclaw[.]pro`: fake website\\n\\n`Chrocustumapp[.]com`: related to malicious extension\\n\\n`Chrocustomreversal[.]com`: related to malicious extension\\n\\n`google-services[.]cc`: related to malicious extension\\n\\n`Coretest[.]digital`: C2 panel\\n\\n`Reisen[.]work`: C2 panel\\n\\n**IPs**\\n\\n`178[.]16[.]55[.]234`: C2 panel\\n\\n`185[.]11[.]61[.]149`: C2 panel\\n\\n`37[.]221[.]66[.]27`: C2 panel\\n\\n`2[.]56[.]179[.]16`: C2 panel\\n\\n`178[.]16[.]54[.]109`: C2 panel\\n\\n`209[.]17[.]118[.]17`: C2 panel\\n\\n`162[.]216[.]5[.]130`: C2 panel\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. 
Keep threats off your devices by downloading Malwarebytes today.&#8221;,&#8221;published&#8221;:&#8221;2026-04-22T12:30:02&#8243;,&#8221;modified&#8221;:&#8221;2026-04-22T12:30:02&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Malicious trading website drops malware that hands your browser to attackers&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2
026\/04\/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-22T14:07:11&#8243;,&#8221;description&#8221;:&#8221;During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: **Needle Stealer** ,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-48700","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=48700\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malicious trading website drops malware that hands your browser to 
attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2026-04-22T14:07:11&#8243;,&#8221;description&#8221;:&#8221;During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: **Needle Stealer** ,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=48700\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-22T09:35:28+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Malicious trading website drops malware that hands your browser to 
attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C\",\"datePublished\":\"2026-04-22T09:35:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700\"},\"wordCount\":1740,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=48700#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700\",\"name\":\"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-04-22T09:35:28+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=48700\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=48700#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=48700","og_locale":"en_US","og_type":"article","og_title":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2026-04-22T14:07:11&#8243;,&#8221;description&#8221;:&#8221;During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: **Needle Stealer** ,...","og_url":"https:\/\/zero.redgem.net\/?p=48700","og_site_name":"zero redgem","article_published_time":"2026-04-22T09:35:28+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=48700#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=48700"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C","datePublished":"2026-04-22T09:35:28+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=48700"},"wordCount":1740,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=48700#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=48700","url":"https:\/\/zero.redgem.net\/?p=48700","name":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-04-22T09:35:28+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=48700#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=48700"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=48700#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Malicious trading website drops malware that hands your browser to attackers_MALWAREBYTES:C78A1F2057588AA9FA075A59848F5A4C"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero 
redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/48700","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48700"}],"version-history":[{"count":0,"href":"htt
ps:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/48700\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}