Sunday, January 18, 2026

Cybersecurity Alert – AI-Driven Web3 Scam Targets Users with Fake Platforms to Harvest Credentials

A sophisticated cybercriminal group known as LARVA-208 has launched a new campaign targeting Web3 developers through an elaborate phishing scheme involving fake AI workspace platforms.

The operation represents a significant evolution in the group’s tactics, shifting from targeting traditional IT staff to exploiting the growing Web3 developer community.

The threat actors have created a convincing replica of the legitimate AI workspace platform “Teampilot” under the domain “norlax.ai,” branded as “Norlax AI.”

This fake service serves as the centerpiece of a multi-stage attack designed to harvest valuable cryptocurrency wallets, development credentials, and sensitive project data from unsuspecting victims.

Dual-Vector Attack Strategy

LARVA-208 employs two distinct approaches to lure victims into their trap. The first involves directly targeting developers who actively engage with Web3 and blockchain content on social media platforms like X (formerly Twitter) and Telegram.

Attackers approach these individuals with meeting links disguised as job interview opportunities or portfolio review sessions.

The second vector targets individuals who previously applied for Crypto Analyst positions on the remote job platform Remote3. Recognizing that the platform warns users against downloading suspicious files, LARVA-208 has adapted its approach.

[Figure: Homepage of the Norlax AI service, created by impersonating the Teampilot service.]

The attackers initiate legitimate Google Meet conversations before transitioning victims to their malicious Norlax AI platform, sharing the harmful links through chat during what appears to be a genuine interview process.

Technical Execution and Malware Deployment

Once victims access the fake meeting platform using attacker-supplied email addresses and invitation codes, they encounter a technical deception.

The platform displays a false error message claiming their audio drivers are outdated or missing, prompting them to download what appears to be a legitimate Realtek HD Audio Driver from “audiorealtek.com.”

The installer bundles a setup.dll containing embedded PowerShell commands, which establish communication with the group’s command and control server at “cjhsbam.com.”

The attack deploys the Fickle stealer malware, which systematically harvests comprehensive system information including device specifications, installed programs, running processes, and geolocation data.
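The three domains named above (the lure platform, the fake driver download host and the C2) are the concrete indicators a defender can act on today. The following Python script is an added example, not code from the report or from any vendor: it sweeps a proxy log for those domains, matching subdomains on a dot boundary so look-alike names such as "notnorlax.ai" do not fire, and then flags any source that touched lure, dropper host and C2 in that order. The log format and every log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory above; only domains were published, no IPs or hashes.
IOC_DOMAINS = {
    "norlax.ai",         # fake "Norlax AI" meeting platform (lure)
    "audiorealtek.com",  # fake Realtek HD Audio Driver download (dropper)
    "cjhsbam.com",       # Fickle stealer command and control
}

# Expected order of contact for a full infection chain, per the advisory: lure -> dropper -> C2.
STAGES = ["norlax.ai", "audiorealtek.com", "cjhsbam.com"]

# Constructed sample log in a simplified "timestamp src_ip METHOD url status" layout.
# Hosts, paths and addresses are illustrative and do not come from any real incident.
SAMPLE_PROXY_LOG = """\
2026-01-18T09:12:03Z 10.0.4.21 GET https://meet.google.com/abc-defg-hij 200
2026-01-18T09:31:47Z 10.0.4.21 GET https://norlax.ai/meeting/join 200
2026-01-18T09:33:10Z 10.0.4.21 GET https://cdn.audiorealtek.com/RealtekHDAudioDriver.exe 200
2026-01-18T09:35:58Z 10.0.4.21 POST https://cjhsbam.com:443/api/upload 200
2026-01-18T09:36:02Z 10.0.4.22 GET https://www.realtek.com/en/downloads 200
2026-01-18T09:40:00Z 10.0.4.23 GET https://notnorlax.ai/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def normalize_host(url_or_host):
    """Return the lower-cased hostname from a URL or bare host, dropping scheme, port, path and trailing dot."""
    if "://" not in url_or_host:
        url_or_host = "//" + url_or_host  # let urlsplit treat a bare host as the netloc
    host = urlsplit(url_or_host).hostname or ""
    return host.lower().rstrip(".")


def matches_ioc(host, iocs=IOC_DOMAINS):
    """Return the IoC domain that host equals or is a subdomain of, else None.

    The suffix test is anchored on a dot so 'notnorlax.ai' does not match 'norlax.ai'.
    """
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_proxy_log(text, iocs=IOC_DOMAINS):
    """Return (timestamp, src_ip, host, matched_ioc) for every line whose host matches an IoC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole sweep
        host = normalize_host(m.group("url"))
        ioc = matches_ioc(host, iocs)
        if ioc:
            hits.append((m.group("ts"), m.group("src"), host, ioc))
    return hits


def hosts_with_full_chain(hits, stages=STAGES):
    """Return source IPs whose first contacts with the IoCs occurred in exactly the lure -> dropper -> C2 order."""
    per_src = {}
    for _ts, src, _host, ioc in hits:
        order = per_src.setdefault(src, [])
        if ioc not in order:  # keep first-occurrence order only
            order.append(ioc)
    return [src for src, order in per_src.items() if order == stages]


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for ts, src, host, ioc in found:
        print(f"{ts} {src} contacted {host} (IoC: {ioc})")
    print("full chain observed from:", hosts_with_full_chain(found))
```

Run against real proxy, DNS or EDR network telemetry, the same suffix rule applies; a source that shows the dropper download or the C2 contact without the lure is still worth triaging, which is why scan_proxy_log reports every individual hit and hosts_with_full_chain is only a prioritisation layer on top of it.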

Infrastructure and Attribution

The stolen data is uploaded to servers branded as “SilentPrism,” allowing LARVA-208 to monitor victim information in real-time.

The group acquires its malicious domains through FFv2’s bulletproof hosting services, with intelligence suggesting connections to the broader Luminous Mantis cybercriminal community.

This campaign represents a notable shift in LARVA-208’s operational focus, moving from their traditional ransomware deployment model toward data exfiltration and credential harvesting for potential resale in illicit markets.

The sophisticated social engineering tactics, combined with the exploitation of emerging AI platform trends, highlight the evolving threat landscape facing Web3 developers and their high-value digital assets.

Security experts recommend enhanced verification procedures for meeting invitations and extreme caution when downloading software during virtual meetings, particularly in the rapidly expanding Web3 development sector.
