Cybersecurity researchers have uncovered a highly sophisticated cyber campaign targeting both macOS and Windows users through fake websites that mimic popular AI tools, VPN services, and cryptocurrency platforms.
The threat group, identified as “Dark Partner,” is using advanced social engineering tactics to take advantage of the growing public interest in artificial intelligence and crypto technologies. Their goal is to trick users into downloading malware disguised as legitimate software.
These fraudulent websites are carefully designed to look like official services, offering fake alternatives to well-known ChatGPT apps, VPN clients, and crypto wallets. Many appear in search engine results or are promoted through social media ads. They often feature professional designs, customer reviews, and feature lists that closely match those of real companies.
Researchers say the attackers have gone to great lengths to make these sites appear genuine. Many include valid SSL certificates and responsive layouts that work smoothly across different devices and browsers.
According to an analyst known as g0njxa, the malware is spread through a multi-stage infection process designed to bypass traditional security tools. The downloaded installer appears legitimate but contains hidden malicious code that begins the attack.
The malware is capable of running on both macOS and Windows, with tailored versions for each system. This suggests that the operation is well-funded and managed by teams familiar with both platforms.
The attack poses a risk not only to individual users but also to businesses. Many of the applications being mimicked are used in corporate environments, and researchers have found the malware attempting to steal login credentials, cryptocurrency wallet data, and sensitive documents.
A major concern is the theft of authentication tokens and API keys, which can give attackers long-term access to cloud services and financial platforms.
The campaign has a global reach, with victims reported across North America, Europe, and parts of Asia—regions where AI tools and cryptocurrency adoption are particularly high. The attackers are adjusting their strategies based on regional tech trends and user behavior.
Infection Mechanism and Payload Delivery
The attack starts when a user downloads what appears to be a normal software installer from one of the fake websites. The file, typically 15–25 MB, includes both real and malicious components to avoid suspicion.
Once opened, the installer checks the system’s architecture and OS version. On Windows, it uses a method called process hollowing: launching a normal app in a suspended state and then replacing its code with the malware. On macOS, it hides inside .app bundles, disguising its malicious components.
To remain active, the malware creates persistence mechanisms, such as LaunchAgents on macOS, and modifies system settings to run on reboot. It communicates with command-and-control servers through encrypted channels and uses domain generation algorithms (DGAs) to stay connected even if its main servers are shut down.
This advanced setup shows that the attackers are focused on long-term access and stealth, using techniques that are difficult for traditional security tools to detect.
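A defender-side check for the LaunchAgents persistence described above, written as an added example for this article (it is not code from the researchers or from the campaign analysis): it parses a constructed sample LaunchAgent plist and flags entries that auto-start a binary located outside trusted system paths or with a hidden file name. The trusted-path list, the sample plist and the `com.example.updater` label are assumptions for illustration.

```python
"""Audit macOS LaunchAgent plists for suspicious persistence entries (added example)."""
import plistlib
from pathlib import Path

# Constructed sample plist: the kind of entry a persistence audit should flag.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Caches/.helper</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Assumed allow-list of locations where a legitimate agent binary normally lives.
TRUSTED_PREFIXES = ("/System/", "/usr/bin/", "/usr/libexec/", "/Applications/", "/Library/Apple/")


def audit_launch_agent(data: bytes) -> dict:
    """Return label, program path and the reasons (if any) an agent looks suspicious."""
    plist = plistlib.loads(data)
    program = plist.get("Program") or (plist.get("ProgramArguments") or [""])[0]
    reasons = []
    if plist.get("RunAtLoad") or plist.get("KeepAlive"):
        reasons.append("auto-start")  # launched at login and/or kept alive by launchd
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"binary outside trusted paths: {program}")
    if Path(program).name.startswith("."):
        reasons.append("hidden executable name")
    return {"label": plist.get("Label", "?"), "program": program, "reasons": reasons}


def audit_directory(directory: str) -> list:
    """Audit every .plist in a LaunchAgents folder; only entries with reasons are returned."""
    findings = []
    for path in Path(directory).glob("*.plist"):
        try:
            result = audit_launch_agent(path.read_bytes())
        except Exception as exc:  # malformed plist files are themselves worth a look
            result = {"label": path.name, "program": "", "reasons": [f"unparseable: {exc}"]}
        if result["reasons"]:
            result["file"] = str(path)
            findings.append(result)
    return findings


if __name__ == "__main__":
    print(audit_launch_agent(SAMPLE_PLIST))
    for finding in audit_directory(str(Path.home() / "Library" / "LaunchAgents")):
        print(finding)
```

Run it on a Mac to list the current user's LaunchAgents that match; system-wide agents live under /Library/LaunchAgents and /Library/LaunchDaemons and can be passed to `audit_directory` the same way.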