
Marko Polo campaign infects thousands in gaming, crypto sectors


A large-scale malware operation run by the cybercriminal group Marko Polo spans 30 campaigns aimed at the gaming, cryptocurrency, and software development sectors. The operation involves more than 50 malware strains, including AMOS, Stealc, and Rhadamanthys, and has affected tens of thousands of devices globally, raising concerns that the resulting financial losses could run to millions.

The Marko Polo group has employed an aggressive, varied strategy to infect victims, combining malvertising, spear-phishing, and brand impersonation.

According to researchers, the threat actor targets these sectors because their users are more likely to handle sensitive data. The group frequently spear-phishes targets over social media, luring them into downloading malicious software under the guise of job offers or collaborative projects.

“Based on the widespread nature of the Marko Polo campaign, Insikt Group suspects that likely tens of thousands of devices have been compromised globally — exposing sensitive personal and corporate data,” researchers said.

MarkoPolo attack chain explained. | Source: Recorded Future

Prominent brands such as Fortnite, RuneScape, and Zoom have been impersonated in these campaigns, with victims unknowingly interacting with fake websites or services that distribute malware. The group has also created entirely fabricated brands, such as Vixcall and SpectraRoom, which it uses for further deception.

Marko Polo’s attacks span both Windows and macOS. On Windows, the group uses HijackLoader to deliver malware such as Stealc, which steals information from browsers and cryptocurrency wallets, and Rhadamanthys, an advanced stealer that targets a wide range of applications and data types.

Vixcall mimics Vortax and Vorion’s interface. | Source: Recorded Future

According to BleepingComputer, a recent Rhadamanthys update adds a cryptocurrency clipper, which swaps wallet addresses copied to the clipboard for attacker-controlled ones, and the ability to evade Windows Defender, making it particularly dangerous.

For macOS victims, Marko Polo deploys the AMOS (Atomic) infostealer. AMOS is rented out for around $1,000 per month and is designed to extract data from web browsers, Apple Keychain passwords and MetaMask wallets, among other targets.
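The behaviour described above (one process harvesting browser credential stores, the login Keychain and a MetaMask extension directory in quick succession) is what an endpoint detection would key on. The following is an added example, not code from Recorded Future, this article or any AMOS sample: a toy Python detector that runs over constructed file-access events of the kind an EDR or macOS endpoint sensor emits, and flags a non-browser process touching two or more credential-store categories within a minute. The store paths, the allow-list of legitimate readers, the 60-second window and the tab-separated event format are all assumptions to adapt to a real sensor.

```python
"""Toy detector: one process reading several credential stores in a short window.

Added illustration only; constructed events, assumed paths and allow-list.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Conventional macOS locations of the data the article says AMOS targets.
# Assumed, not taken from any report; match on the path suffix so any home
# directory works.
CREDENTIAL_STORES: Dict[str, Tuple[str, ...]] = {
    "browser": (
        "/Library/Application Support/Google/Chrome/Default/Login Data",
        "/Library/Application Support/Google/Chrome/Default/Cookies",
        "/Library/Application Support/Firefox/Profiles/",
    ),
    "keychain": ("/Library/Keychains/login.keychain-db",),
    "wallet": (
        # nkbihfbeogaeaoehlefnkodbefgpgknn is the MetaMask Chrome extension ID.
        "/Library/Application Support/Google/Chrome/Default/"
        "Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn",
    ),
}

# Processes expected to read their own stores (assumed allow-list).
ALLOWED_READERS = {"Google Chrome", "firefox", "securityd", "Keychain Access"}
WINDOW_SECONDS = 60.0


@dataclass
class FileEvent:
    ts: float
    pid: int
    proc: str
    path: str


def classify(path: str) -> Optional[str]:
    """Return the credential-store category a path belongs to, or None."""
    for category, stems in CREDENTIAL_STORES.items():
        if any(stem in path for stem in stems):
            return category
    return None


def parse_line(line: str) -> FileEvent:
    """Constructed event format: "<unix_ts>\\t<pid>\\t<process>\\t<path>"."""
    ts, pid, proc, path = line.rstrip("\n").split("\t", 3)
    return FileEvent(float(ts), int(pid), proc, path)


def detect(lines) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Alert once per pid whose process reads >=2 store categories within WINDOW_SECONDS."""
    by_pid = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        category = classify(ev.path)
        if category is None:  # ordinary file access, ignore
            continue
        by_pid[ev.pid].append((ev.ts, ev.proc, category))

    alerts = []
    for pid, events in by_pid.items():
        events.sort()  # by timestamp
        proc = events[0][1]
        if proc in ALLOWED_READERS:
            continue
        for i, (t0, _, _) in enumerate(events):
            # Sliding window starting at each store access by this process.
            cats = {c for t, _, c in events[i:] if t - t0 <= WINDOW_SECONDS}
            if len(cats) >= 2:
                alerts.append((pid, proc, tuple(sorted(cats))))
                break
    return alerts


# Constructed sample events. "Vixcall" is the fabricated brand the article
# mentions, used here as the name of a hypothetical malicious process.
SAMPLE_EVENTS = """\
1700000000.0\t501\tGoogle Chrome\t/Users/victim/Library/Application Support/Google/Chrome/Default/Login Data
1700000001.0\t88\tsecurityd\t/Users/victim/Library/Keychains/login.keychain-db
1700000002.0\t3030\tbackupd\t/Users/victim/Library/Application Support/Google/Chrome/Default/Cookies
1700000010.0\t4242\tVixcall\t/Users/victim/Library/Application Support/Google/Chrome/Default/Login Data
1700000011.0\t4242\tVixcall\t/Users/victim/Library/Application Support/Google/Chrome/Default/Cookies
1700000012.5\t4242\tVixcall\t/Users/victim/Library/Keychains/login.keychain-db
1700000013.0\t4242\tVixcall\t/Users/victim/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003.log
1700000014.0\t4242\tVixcall\t/Users/victim/Documents/notes.txt
"""

if __name__ == "__main__":
    for pid, proc, cats in detect(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={pid} proc={proc!r} touched stores: {', '.join(cats)}")
```

Only the Vixcall process is flagged: Chrome and securityd are allow-listed, and backupd reads a single category, which on its own is normal. The single-window, multi-category rule is the point; a production rule would also consider parent process, code signature and whether the reader subsequently opens a network connection.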

Researchers have also observed Marko Polo using zero-day vulnerabilities, fake VPN software, and fraudulent answers on sites such as GitHub and Stack Overflow, showing the lengths to which threat actors will go to infiltrate corporate networks and steal sensitive data.

Experts urge individuals and organisations to download software only from reputable app stores or vendors’ official websites. Installing antivirus software on devices can also help detect Marko Polo’s malware.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
