
A joint advisory from the FBI, NSA, CISA and the UK's NCSC revealed that Infamous Chisel, a newly documented Russian malware family for Android, is being used to target cryptocurrency wallet and exchange applications, among other data.
The malware is attributed to Sandworm, a hacking unit within Russia's GRU military intelligence agency that has been targeting the Ukrainian military since Russia's invasion of Ukraine. Infamous Chisel is designed to maintain persistent access to a compromised Android device over the Tor network and to periodically collect and exfiltrate data from the device.
To exfiltrate data, the malware searches for specific application directories on the device, including those belonging to the Brave browser (which has built-in web3 features), the Binance and Coinbase exchange apps, the Trust crypto wallet, and the messaging platforms Telegram and Discord. It also targets the Android Keystore, the system facility in which apps store their private keys, and every file found in the targeted directories is exfiltrated.
According to the report, the components used by Infamous Chisel are of low to medium sophistication and were developed with little regard for concealing the malicious activity. Although they lack basic obfuscation or stealth techniques, the actor may have judged these unnecessary, since many Android devices have no host-based detection in place.
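The collection behaviour described above, reading other apps' private data directories and the Keystore files, is exactly what a simple host-based check could flag, since on Android each app's private data is normally touched only by that app's own uid and Keystore files only by the keystore daemon. The following is an added example, not code from the advisory, this article, or any vendor: a minimal detector run over constructed file-access audit lines. The Android package names of the targeted apps, the Keystore path `/data/misc/keystore`, the trusted daemon name `keystore2`, the per-app uids and the audit-line format are all assumptions made for the example, not facts from the page.

```python
"""Toy host-based check for the file-collection behaviour attributed to
Infamous Chisel: flag reads of targeted app data directories by a foreign
uid, and reads of Android Keystore files by anything but the keystore daemon.

Added example, not from the advisory. Package names, the Keystore path, the
daemon name, the uids and the log format below are assumptions.
"""
import re
from dataclasses import dataclass

# Data directories the article says the malware enumerates.
# Package names are assumptions (not given on the page).
TARGETED_PACKAGES = {
    "com.brave.browser": "Brave",
    "com.binance.dev": "Binance",
    "com.coinbase.android": "Coinbase",
    "com.wallet.crypto.trustapp": "Trust Wallet",
    "org.telegram.messenger": "Telegram",
    "com.discord": "Discord",
}
KEYSTORE_DIR = "/data/misc/keystore"          # assumed location of Keystore files
TRUSTED_KEYSTORE_COMMS = frozenset({"keystore2"})  # assumed daemon name

# Hypothetical audit-line format, constructed for this example:
#   uid=<n> pid=<n> comm=<process name> op=<read|open> path=<absolute path>
LINE_RE = re.compile(
    r"uid=(?P<uid>\d+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) op=(?P<op>\S+) path=(?P<path>\S+)"
)
# App private data lives under /data/data/<pkg>/ or /data/user/<n>/<pkg>/.
OWNER_RE = re.compile(r"/data/(?:data|user/\d+)/([^/]+)/")


@dataclass(frozen=True)
class Finding:
    uid: int
    comm: str
    path: str
    reason: str


def owner_package(path):
    """Package whose private data directory contains `path`, or None."""
    m = OWNER_RE.match(path)
    return m.group(1) if m else None


def classify(uid, comm, path, app_uids, trusted_comms=TRUSTED_KEYSTORE_COMMS):
    """Return a reason string if the access is suspicious, else None.

    app_uids maps package name -> the uid assigned to that app at install.
    """
    if path.startswith(KEYSTORE_DIR + "/"):
        if comm not in trusted_comms:
            return "non-keystore process reading Android Keystore files"
        return None
    pkg = owner_package(path)
    if pkg in TARGETED_PACKAGES and app_uids.get(pkg) != uid:
        return f"{TARGETED_PACKAGES[pkg]} private data read by foreign uid {uid}"
    return None


def scan(lines, app_uids, trusted_comms=TRUSTED_KEYSTORE_COMMS):
    """Parse audit lines and return the list of suspicious accesses."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        uid = int(m["uid"])
        reason = classify(uid, m["comm"], m["path"], app_uids, trusted_comms)
        if reason:
            findings.append(Finding(uid, m["comm"], m["path"], reason))
    return findings


# Constructed sample data: assumed per-app uids and six made-up audit lines.
SAMPLE_APP_UIDS = {
    "com.binance.dev": 10123,
    "org.telegram.messenger": 10087,
    "com.example.notes": 10042,
}
SAMPLE_LOG = [
    # Binance reading its own data: benign.
    "uid=10123 pid=4321 comm=com.binance.dev op=read path=/data/data/com.binance.dev/shared_prefs/settings.xml",
    # Root shell reading Binance's private data: suspicious.
    "uid=0 pid=712 comm=sh op=read path=/data/data/com.binance.dev/shared_prefs/settings.xml",
    # Root shell reading a Keystore file: suspicious.
    "uid=0 pid=712 comm=sh op=read path=/data/misc/keystore/user_0/10123_USRPKEY_wallet",
    # The keystore daemon reading the same file: benign.
    "uid=1000 pid=1201 comm=keystore2 op=read path=/data/misc/keystore/user_0/10123_USRPKEY_wallet",
    # An untargeted app reading its own data: benign.
    "uid=10042 pid=5000 comm=com.example.notes op=read path=/data/data/com.example.notes/files/notes.db",
    # Root shell reading Telegram data via the /data/user/<n>/ path form: suspicious.
    "uid=0 pid=712 comm=sh op=read path=/data/user/0/org.telegram.messenger/files/cache4.db",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, SAMPLE_APP_UIDS):
        print(f"uid={f.uid} comm={f.comm} path={f.path}: {f.reason}")
```

Run against the constructed log, the check reports three of the six lines: the two foreign-uid reads of Binance and Telegram data and the root shell reading a Keystore file. A real deployment would feed it from an audit or file-integrity source rather than a list, and would need an allowlist for legitimate system tooling (backup agents, for instance), but the point stands: the behaviour the advisory describes is noisy on a host that bothers to look.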
With digital assets becoming increasingly valuable, cybercriminals continue to devise new ways to steal them. Last month, security researchers warned of malware aimed at stealing Apple users' crypto assets through fake blockchain games.