During a recent threat hunting exercise, researchers uncovered a sophisticated malware campaign leveraging a previously identified loader to deploy a new payload: Needle Stealer. This modular infostealer is engineered to silently extract sensitive data from compromised systems, including browser credentials, session tokens, and cryptocurrency wallet information.

The Lure: Fake AI Trading Assistant
The attack begins with a deceptive website, tradingclaw[.]pro, which promotes a tool called TradingClaw, marketed as an AI-powered assistant for traders. While it appears to integrate with TradingView—a legitimate financial analysis platform—the site is entirely fraudulent and unrelated to any official service.
To evade detection, the site employs selective content delivery. Some users see the malicious page, while others—such as search engine crawlers—are redirected to benign domains like studypages[.]com. This filtering technique helps attackers remain under the radar while targeting real victims.
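The selective content delivery described above can be checked from the defender's side by fetching the same URL under different client profiles and comparing where each one lands. The script below is an added example written for this article, not code from the report or the researchers; the User-Agent profiles, the two heuristics (different final host, large body-size gap) and the placeholder hostnames are assumptions.

```python
"""Cloaking check: fetch a URL under several client profiles and compare where each lands."""
from urllib.parse import urlparse
import urllib.request

# Constructed User-Agent profiles: a desktop browser and a search-engine crawler (assumed).
PROFILES = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def fetch_with_ua(url, user_agent, timeout=10):
    """Live fetch helper: returns (final_url_after_redirects, body_text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def compare_profiles(url, fetch=fetch_with_ua, profiles=PROFILES):
    """Fetch `url` once per profile and record the final host and body size.

    `fetch` is injectable so the comparison can run against recorded responses.
    """
    results = {}
    for name, ua in profiles.items():
        final_url, body = fetch(url, ua)
        results[name] = {"host": (urlparse(final_url).hostname or "").lower(),
                         "length": len(body)}
    return results


def cloaking_indicators(results, size_ratio=0.5):
    """Return the reasons a site looks cloaked, or an empty list.

    Two heuristics (assumptions, not from the report):
      * different profiles end up on different hosts (redirect-based cloaking);
      * the same URL serves bodies whose sizes differ by more than `size_ratio`
        between profiles (content-based cloaking).
    """
    reasons = []
    hosts = {r["host"] for r in results.values()}
    if len(hosts) > 1:
        reasons.append("final host differs by client profile: " + ", ".join(sorted(hosts)))
    lengths = [r["length"] for r in results.values()]
    if lengths and max(lengths) > 0:
        if (max(lengths) - min(lengths)) / max(lengths) > size_ratio:
            reasons.append("body size differs by more than %d%% between profiles"
                           % (size_ratio * 100))
    return reasons


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass the URL under investigation as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://lure.example/"
    for reason in cloaking_indicators(compare_profiles(target)) or ["no cloaking indicators"]:
        print(reason)
```

Run it from a network position that is not already known to the operators (a disposable VPS or sandbox egress), and compare several profiles, not just two: cloaking kits often key on Referer, Accept-Language and client IP reputation as well as User-Agent, so a single pair of fetches proves little when it comes back clean.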
Infection Chain: From ZIP Download to Process Injection
Victims are prompted to download a ZIP archive containing the initial infection stage. The attack chain uses DLL hijacking, where a malicious DLL masquerades as a legitimate dependency. When executed, it loads a second-stage payload that injects Needle Stealer into a trusted Windows process (RegAsm.exe) using process hollowing.

This approach allows the malware to operate stealthily under the guise of legitimate system activity, making detection significantly harder.
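Process hollowing into RegAsm.exe leaves two kinds of telemetry a hunter can pivot on: the process-creation event for RegAsm.exe itself, and the handle the injector opens to it. The triage script below is an added example for this article, not tooling from the report; it assumes Sysmon-style event dictionaries (Event ID 1 process creation, Event ID 10 process access), an assumed allow-list of normal RegAsm.exe parents, and constructed sample events rather than real campaign telemetry.

```python
"""Triage Sysmon-style process events for suspicious RegAsm.exe launches and handle access."""
import re

# Parents from which a legitimate RegAsm.exe launch is expected (assumed; tune per environment).
EXPECTED_PARENTS = ("devenv.exe", "msbuild.exe", "cmd.exe", "powershell.exe", "installutil.exe")
# Paths a user can write to, where a freshly extracted ZIP would typically run from (assumed).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|Desktop|AppData)|Temp|ProgramData)\\", re.I)

# Windows process access rights needed to write code into another process and run it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_process_create(ev):
    """Sysmon Event ID 1: return the reasons a RegAsm.exe launch looks like hollowing."""
    if _basename(ev.get("Image", "")) != "regasm.exe":
        return []
    reasons = []
    parent = ev.get("ParentImage", "")
    if _basename(parent) not in EXPECTED_PARENTS:
        reasons.append("unexpected parent %s" % parent)
    if USER_WRITABLE.search(parent):
        reasons.append("parent runs from a user-writable path")
    args = ev.get("CommandLine", "").strip().strip('"').lower()
    if args.endswith("regasm.exe"):  # no assembly path given: nothing to register
        reasons.append("RegAsm.exe started without arguments")
    return reasons


def classify_process_access(ev):
    """Sysmon Event ID 10: flag a handle to RegAsm.exe that carries write and thread rights."""
    if _basename(ev.get("TargetImage", "")) != "regasm.exe":
        return []
    try:
        granted = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return []
    need = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE
    if granted & need == need:
        return ["%s opened RegAsm.exe with VM_WRITE|CREATE_THREAD (0x%X)"
                % (ev.get("SourceImage", "?"), granted)]
    return []


def triage(events):
    """Return (event, reasons) for every event that tripped a heuristic."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            reasons = classify_process_create(ev)
        elif eid == 10:
            reasons = classify_process_access(ev)
        else:
            reasons = []
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase MyLib.dll'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\victim\Downloads\TradingClaw\TradingClaw.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\Downloads\TradingClaw\TradingClaw.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print("EventID", ev.get("EventID"), "|", "; ".join(reasons))
```

The argument-less launch is the strongest of the three process-creation signals: RegAsm.exe exists to register an assembly, so a run with no assembly path is a process that was created only to be hollowed. Pair these heuristics with the network telemetry for the same process; a RegAsm.exe making outbound HTTPS connections is not something a build tool does.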
Understanding Needle Stealer
Needle Stealer is written in Golang and designed with modular components, allowing attackers to customize its functionality. Its control panel reveals several key modules:
- Core Module: Handles form grabbing and clipboard hijacking
- Extension Module: Manipulates browsers, injects scripts, and redirects traffic
- Desktop Wallet Spoofer: Targets crypto wallets like Ledger and Exodus
- Browser Wallet Spoofer: Extracts seed phrases from wallets such as MetaMask
Notably, the malware is evolving, with planned features for generating phishing pages mimicking trusted services like Google or Cloudflare.
Capabilities: What Makes It Dangerous
Once active, Needle Stealer can:
- Capture screenshots
- Extract browser data (cookies, history, saved credentials)
- Harvest files such as .txt documents and wallet data
- Access messaging apps like Telegram and FTP clients
- Steal cryptocurrency wallet credentials
One of its most powerful features is the deployment of malicious browser extensions.
Malicious Extensions: Full Browser Takeover
The malware drops extensions into %LOCALAPPDATA%\Packages\Extensions, using hidden ZIP archives and configuration files to control behavior. These extensions request extensive permissions, including access to all URLs and browser APIs.
With these capabilities, attackers can:
- Monitor browsing activity in real time
- Redirect users to malicious sites
- Inject or alter web content
- Replace legitimate downloads with infected files
- Display fake notifications
- Execute scripts within web pages
This effectively gives attackers near-total control over the victim’s browsing environment.
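Auditing what is actually installed is the practical counterpart to the list above: an unpacked extension's manifest.json states exactly which permissions it asked for, and its on-disk location tells you whether it came from a store or from the drop path named earlier. The audit script below is an added example for this article, not code from the report; the set of permissions treated as high-risk, the constructed manifests and the path comparison are assumptions.

```python
"""Audit unpacked browser extensions: flag broad permissions and the drop path from the report."""
import json
import os

# Permissions that together let an extension observe, redirect and rewrite all browsing (assumed set).
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "downloads", "notifications", "cookies",
}
# Drop directory named in the report, relative to %LOCALAPPDATA%.
DROP_SUBDIR = "\\Packages\\Extensions\\"


def _norm(path):
    """Compare Windows paths case-insensitively with a single separator style."""
    return path.replace("/", "\\").lower()


def under_drop_path(manifest_path, local_appdata):
    root = _norm(local_appdata.rstrip("\\/") + DROP_SUBDIR)
    return _norm(manifest_path).startswith(root)


def assess_manifest(manifest, manifest_path, local_appdata):
    """Return {"name", "path", "findings", "flagged"} for one parsed manifest.json."""
    findings = []
    requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(requested & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    for cs in manifest.get("content_scripts", []):
        if any(m in ("<all_urls>", "*://*/*") for m in cs.get("matches", [])):
            findings.append("content script injected into every page")
            break
    if under_drop_path(manifest_path, local_appdata):
        findings.append("loaded from %%LOCALAPPDATA%%%s (path used by Needle Stealer)" % DROP_SUBDIR)
    return {"name": manifest.get("name", "?"), "path": manifest_path,
            "findings": findings, "flagged": bool(findings)}


def scan_directory(root, local_appdata=None):
    """Walk `root` for manifest.json files and assess each one; unreadable files are reported."""
    local_appdata = local_appdata or os.environ.get("LOCALAPPDATA", "")
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError) as exc:
            results.append({"name": "?", "path": path,
                            "findings": ["unreadable manifest: %s" % exc], "flagged": True})
            continue
        results.append(assess_manifest(manifest, path, local_appdata))
    return results


if __name__ == "__main__":
    import sys
    # Default scan root is the report's drop directory; pass another root as the first argument.
    lad = os.environ.get("LOCALAPPDATA", "")
    root = sys.argv[1] if len(sys.argv) > 1 else lad + DROP_SUBDIR
    for r in scan_directory(root, lad):
        if r["flagged"]:
            print(r["name"], "|", r["path"], "|", "; ".join(r["findings"]))
```

A store-installed extension can legitimately request `<all_urls>` (ad blockers do), so the permission finding alone is a prompt to review, while an extension sitting under `%LOCALAPPDATA%\Packages\Extensions` is a finding in its own right: store installs do not land there. Since a browser can only load an unpacked extension that is explicitly pointed at, check the browser's launch command line and enterprise policy keys for a path into that directory as the follow-up.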
Command-and-Control Communication
Needle communicates with its operators through structured API endpoints:
- /upload – sends stolen data
- /extension – receives commands
- /scripts – fetches malicious code
- /backup-domains/active – ensures resilience via fallback servers
These mechanisms ensure continuous control even if primary servers are blocked.
Indicators of Compromise (IOCs)
Domains
tradingclaw[.]pro: fake website
chrocustumapp[.]com: related to malicious extension
chrocustomreversal[.]com: related to malicious extension
google-services[.]cc: related to malicious extension
coretest[.]digital: C2 panel
reisen[.]work: C2 panel
IPs
178[.]16[.]55[.]234: C2 panel
185[.]11[.]61[.]149: C2 panel
37[.]221[.]66[.]27: C2 panel
2[.]56[.]179[.]16: C2 panel
178[.]16[.]54[.]109: C2 panel
209[.]17[.]118[.]17: C2 panel
162[.]216[.]5[.]130: C2 panel
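The IOC list and the C2 endpoint paths above are most useful together: a hit on a known domain or IP is high confidence, while a path such as /upload on its own is only a weak signal that needs the destination to confirm it. The script below is an added example for this article, not tooling from the report; it takes the defanged IOCs exactly as listed, refangs them, and matches them against a constructed proxy log format that is an assumption to adapt to whatever your proxy actually writes.

```python
"""Match web-proxy log lines against the report's IOCs and Needle Stealer's C2 endpoint paths."""
import re
from urllib.parse import urlparse

# IOCs exactly as listed in the report (defanged); refanged at load time.
DEFANGED_DOMAINS = [
    "tradingclaw[.]pro", "chrocustumapp[.]com", "chrocustomreversal[.]com",
    "google-services[.]cc", "coretest[.]digital", "reisen[.]work",
]
DEFANGED_IPS = [
    "178[.]16[.]55[.]234", "185[.]11[.]61[.]149", "37[.]221[.]66[.]27", "2[.]56[.]179[.]16",
    "178[.]16[.]54[.]109", "209[.]17[.]118[.]17", "162[.]216[.]5[.]130",
]
# C2 endpoint paths from the report; on their own they are only a weak signal.
C2_PATHS = ("/upload", "/extension", "/scripts", "/backup-domains/active")


def refang(ioc):
    """Turn a defanged indicator back into a matchable host string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_HOSTS = {refang(x) for x in DEFANGED_DOMAINS + DEFANGED_IPS}

# Constructed log format: "<ts> <client_ip> <method> <url> <status>" (assumed; adjust to your proxy).
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def match_line(line):
    """Return (severity, reasons) for one proxy log line.

    severity is "high" when the destination is a listed IOC (optionally also a C2 path),
    "low" when only the path matches a C2 endpoint, and None when nothing matched or the
    line did not parse.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None, []
    url = urlparse(m.group("url"))
    host = (url.hostname or "").lower()
    path = url.path.rstrip("/") or "/"
    reasons = []
    if host in IOC_HOSTS or any(host.endswith("." + d) for d in IOC_HOSTS):
        reasons.append("destination %s is a Needle Stealer IOC" % host)
    if any(path == p or path.startswith(p + "/") for p in C2_PATHS):
        reasons.append("path %s matches a Needle C2 endpoint" % path)
    if not reasons:
        return None, []
    severity = "high" if reasons[0].startswith("destination") else "low"
    return severity, reasons


def scan(lines):
    """Run match_line over an iterable of lines; return hits as (line, severity, reasons)."""
    hits = []
    for ln in lines:
        severity, reasons = match_line(ln)
        if severity:
            hits.append((ln, severity, reasons))
    return hits


# Constructed sample log lines (not real traffic from the campaign).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 GET https://www.tradingview.com/chart/ 200",
    "2024-05-01T10:00:05Z 10.0.0.12 POST https://coretest.digital/upload 200",
    "2024-05-01T10:00:09Z 10.0.0.12 GET http://37.221.66.27/backup-domains/active 200",
    "2024-05-01T10:00:12Z 10.0.0.12 POST https://files.example.org/upload 201",
]

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for line, severity, reasons in scan(source):
        print(severity.upper(), "|", line.strip(), "|", "; ".join(reasons))
```

Because the malware fetches fallback servers from /backup-domains/active, a confirmed hit should be followed by a search for any other destination the same client contacted on the same paths during the following minutes; those are candidates for the backup domains that the published list does not yet contain.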
Mitigation and Response
To reduce risk:
- Only download software from verified sources
- Validate publishers before executing files
- Audit browser extensions regularly
If compromised:
- Revoke active sessions and reset credentials
- Enable multi-factor authentication
- Move crypto assets immediately
- Scan systems using trusted security tools
Our Opinion on This Campaign
This campaign highlights a growing trend: attackers are increasingly exploiting the hype around AI tools to build convincing lures. By branding malware as an “AI trading assistant,” threat actors tap into both curiosity and financial motivation—two powerful psychological triggers.
What stands out is the multi-layered sophistication of this attack. From selective content delivery to advanced browser manipulation, the campaign demonstrates a clear evolution beyond traditional infostealers. The use of malicious extensions is particularly concerning, as it shifts persistence and control into the browser—arguably the most critical interface for modern users.
Another key takeaway is the modular design of Needle Stealer. This flexibility allows attackers to rapidly adapt, enabling new capabilities without redeploying entirely new malware. It reflects a broader industrialization of cybercrime, where tools are built for scalability and reuse.
In our view, defense strategies must evolve accordingly. Traditional antivirus solutions are no longer sufficient on their own. Organizations and individuals alike need layered security approaches, including behavioral detection, browser monitoring, and user education.
