Cardano Users Hit by Fake Eternl Wallet Phishing Scam
Attackers distribute a malicious Eternl.msi installer with GoTo Resolve malware, allowing remote access and credential theft.
Phishing emails mimic official Eternl announcements, exploiting staking and governance references to appear legitimate.
Users must download wallets only from verified Eternl channels to prevent persistent unauthorized access and malware infection.
A sophisticated phishing campaign is targeting Cardano (ADA) users through fraudulent emails promoting a fake Eternl Desktop wallet. The campaign references legitimate ecosystem terms like NIGHT and ATMA token rewards. Security experts warn users to download wallet software only from verified channels to avoid malware and unauthorized access.
Malware Installer Disguised as Wallet Software
Threat hunter Anurag identified the malicious installer distributed via the unverified domain download.eternldesktop.network. The 23.3-megabyte Eternl.msi file carries a hidden LogMeIn GoTo Resolve remote management tool.
During installation, it drops an executable called unattended-updater.exe, which creates configuration files under Program Files to enable remote access without user interaction. The malware connects to GoTo Resolve infrastructure, transmitting system event data in JSON format using hardcoded API credentials.
Security researchers classified the activity as critical, noting that remote management tools allow long-term persistence, remote commands, and credential theft once installed.
Campaign Uses Professional Phishing Techniques
The phishing emails maintain professional language with no spelling errors, closely mimicking official Eternl Desktop announcements. The messages promote features like hardware wallet compatibility, local key management, and advanced delegation controls.
Attackers exploit governance narratives and ecosystem-specific references, creating false legitimacy around Diffusion Staking Basket rewards. Experts warn that the campaign targets users seeking to participate in staking or governance activities.
The fraudulent installer lacks digital signatures or verification, preventing users from confirming authenticity before installation. Analysts emphasize that newly registered domains and unofficial download links are key warning signs.
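A triage sketch for the indicators described above, added here as an example and not taken from the article, the researcher's analysis, or Eternl: it reports the Authenticode status of a downloaded installer and searches Program Files for unattended-updater.exe. The default installer path is an assumption.

```powershell
# Added triage example; not code from the article, the researcher, or Eternl.
# Indicators are the article's: an unsigned Eternl.msi and unattended-updater.exe under Program Files.
param(
    # Assumption: where a downloaded installer was saved.
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\Eternl.msi"
)

function Get-SignatureSummary {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Find-UnattendedUpdater {
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    Get-ChildItem -Path $roots -Filter 'unattended-updater.exe' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # The article says configuration files are created under Program Files but
            # does not name them, so list the files next to the executable for review.
            $siblings = Get-ChildItem -LiteralPath $file.DirectoryName -File -ErrorAction SilentlyContinue
            Get-SignatureSummary -Path $file.FullName |
                Add-Member -NotePropertyName CreatedUtc -NotePropertyValue $file.CreationTimeUtc -PassThru |
                Add-Member -NotePropertyName SiblingFiles -NotePropertyValue ($siblings.Name -join ', ') -PassThru
        }
}

if (Test-Path -LiteralPath $InstallerPath -PathType Leaf) {
    $installer = Get-SignatureSummary -Path $InstallerPath
    $installer | Format-List
    # A valid signature only shows who signed the file; compare Signer with the expected publisher.
    if ($installer.Status -ne 'Valid') {
        Write-Warning "No valid Authenticode signature ($($installer.Status)); do not run this installer."
    }
}

$hits = @(Find-UnattendedUpdater)
if ($hits.Count -gt 0) {
    $hits | Format-List
    # GoTo Resolve is a remote management product, so a hit asks "was it expected here?", not proof of compromise.
    Write-Warning "$($hits.Count) unattended-updater.exe file(s) found; confirm remote management software is expected."
} else {
    Write-Output 'No unattended-updater.exe found under Program Files.'
}
```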
Risk of Persistent Unauthorized Access
Anurag’s analysis pointed to supply chain abuse intended to give attackers persistent access to victim systems. Once installed, the malware compromises wallet security and private key access. Security researchers advise downloading wallet applications exclusively from official Eternl channels.
Users are urged to remain cautious and avoid installing software from unverified sources. The campaign highlights ongoing threats in the cryptocurrency ecosystem, demonstrating how attackers exploit trusted-looking updates to gain control over users’ devices.