Cardano users beware: Eternl wallet phishing attack escalates, malware can remotely control devices and private keys

A carefully crafted phishing attack is spreading within the Cardano ecosystem. The attacker forges professional emails claiming to offer NIGHT and ATMA token rewards, enticing users to download a fraudulent version of the Eternl Desktop wallet. Once installed, the malicious program launches a remote management tool in the background, allowing the attacker to maintain long-term control over the victim’s device, including access to wallet private keys. This has been assessed by security researchers as a high-severity threat.

Attack Methods: Looks Like a Professional Social Engineering Trap

The “Perfect” Design of Forged Emails

The phishing emails are highly professional. The tone is formal, with rigorous grammar and almost no spelling or formatting errors, greatly increasing their deceiving effectiveness. The emails claim that users can earn NIGHT and ATMA tokens through the “Diffusion Staking Basket” program, leveraging the real staking rewards narrative within the Cardano ecosystem to enhance credibility. This combination of real project background with social engineering makes it harder to detect than simple spam.

Concealed Malware Deployment

Security researcher Anurag’s analysis shows that the fake domain download.eternldesktop.network distributes an Eternl.msi installer approximately 23.3 MB in size, bundled with a hidden remote management tool LogMeIn Resolve. After installation, the malicious program releases an executable named unattended-updater.exe and creates a complete file structure within the system’s Program Files directory, writing multiple configuration files. Among them, unattended.json directly enables remote access without user confirmation.

This means users unknowingly open a backdoor on their device for the attacker.

Ongoing Remote Control Capabilities

The malicious program connects to the GoTo Resolve infrastructure, continuously transmitting system event information to a remote server via hardcoded API credentials in JSON format. Once compromised, the attacker can maintain long-term control over the device, including remote command execution, credential theft, and wallet private key access. This is not a one-time data theft but a persistent control channel.

Why This Attack Is Especially Dangerous

How Users Should Protect Themselves

Immediate Actions

• If you have downloaded Eternl Desktop, verify the source and domain immediately
• If downloaded from download.eternldesktop.network, uninstall immediately and scan your system
• If the device stores ADA or other crypto assets, consider transferring assets to a secure device

Verify Official Channels

• All wallet applications must be downloaded from official websites or app stores
• The correct domain for the official Eternl wallet is eternl.io; be cautious of any other domains
• Check the digital signature validity as a technical standard for verifying software authenticity

Recognize Phishing Signals

• Any “wallet update” from unofficial channels should be considered a potential threat
• Executable files in email attachments (.exe, .msi, etc.) require special caution
• Newly registered domains, shortened links, and download links from unofficial social media accounts are high-risk signals

Deeper Issues Reflected

This incident exposes the ongoing challenges within the crypto wallet ecosystem: users have high trust in wallet applications but limited ability to verify authenticity. Attackers exploit this information asymmetry through meticulously designed social engineering tactics to breach defenses.

Eternl, as a well-known wallet in the Cardano ecosystem, ironically becomes a tool for attackers due to its high visibility. This demonstrates that even mature projects cannot fully prevent impersonation.

Summary

The danger of this phishing attack lies in the combination of three aspects: professional social engineering design, covert malware implantation, and persistent control over user devices. For Cardano users, the most urgent task is to verify wallet sources immediately and ensure no fraudulent versions are installed. In the long term, this also highlights the need for the entire crypto ecosystem to establish more effective software authenticity verification mechanisms, rather than relying solely on user vigilance. Before downloading any wallet application, spending an extra 30 seconds to verify the official channel could save you millions in assets.