Tag: Crypto phishing campaign

Yoroi Wallet Phishing Abuses GoTo Resolve and ScreenConnect for Device Takeover

Anurag Gawande1 Comment

Overview

I recently came across a phishing campaign impersonating the Yoroi Desktop Wallet, targeting cryptocurrency users with what looked like a legitimate upgrade.

The email itself was clean and well-written. It talked about improved security, hardware wallet support, and even AI-based scam detection. Nothing immediately stood out as suspicious. The landing page looked polished too, with proper branding and a familiar layout.

The Setup

The phishing email redirects users to a domain:

hxxps://download[.]v1desktop-yoroiwallet[.]com/

the domain was recently registered (Feb 2026), yet it was already indexed on Google, meaning users could also land on it via search results, not just email.

The Download That Isn’t a Wallet

The site promotes a “Yoroi Desktop” download, but instead of hosting anything legitimate, it redirects to a file-sharing service and delivers an MSI file:

hxxps://store-na-phx-1.gofile.io/download/direct/900a7e14-a15a-41f6-94fb-c88603d09463/YoroiDesktop-installer.msi

hxxps://cold8[.]gofile[.]io/download/direct/900a7e14-a15a-41f6-94fb-c88603d09463/YoroiDesktop-installer.msi

hxxps://store-na-phx-5[.]gofile[.]io/download/direct/87c6015b-8a47-4cde-9e31-aaacd3f4193c/YoroiDesktop-installer.msi

Running the installer doesn’t give you a wallet. It installs GoTo Resolve (LogMeIn) in unattended mode.

Silent Remote Access via GoTo Resolve

File name: YoroiDesktop-installer.msi
File hash: 8634AD3C6488D6A27719C5341E91EEB9
File name: unattended-updater.exe
File hash: 2A2D9B03AA6185F434568F5F4C42BF49

Once executed, the system is quietly enrolled into a remote access setup. There’s no obvious warning, no suspicious pop-ups, just a legitimate tool being used in the wrong way.

Looking at the configuration reveals what’s happening behind the scenes:

CompanyId: 5504330483880245799
Namespace: syn-prd-ava-unattended
FleetTemplateName: syn-prd-ava-unattended

This isn’t random. It shows the machine is being registered into a pre-configured remote access fleet, controlled by whoever owns that GoTo Resolve tenant.

At this point, the attacker doesn’t need to trick the user anymore. They already have what they need, persistent access to the device.

A Second Variant: ScreenConnect

File hash: e79a47fc85955123f0821223a4cf2595
File name: yoroi-wallet.msi

While pivoting on this activity through URLScan, I came across another domain following the same theme:

yoroi-wallet[.]org

This one doesn’t use GoTo Resolve. Instead, it delivers a payload based on ConnectWise ScreenConnect, another legitimate remote access tool.

Inside the dropped configuration file, the intent becomes clear:

The important part here is the relay server:

instance-p1b26i-relay[.]screenconnect[.]com

This tells the client exactly where to connect. Once installed, the system reaches out to that server and establishes a remote session.

Again, no exploit, no malware in the traditional sense, just legitimate software used to gain control.

A Familiar Pattern

This isn’t the first time I’ve seen something like this.

It closely resembles a campaign I previously analyzed where RMM tools were abused in a crypto wallet distribution flow:

RMM Abuse in a Crypto Wallet Distribution Campaign

One thing that stands out across both campaigns is how the payload is delivered.

In all cases, the final MSI files are not hosted directly on the phishing domains. Instead, the sites redirect users to gofile[.]io, a legitimate file-sharing service, to download the installer.

This adds another layer of evasion. Hosting the MSI on a legitimate service like gofile makes it harder to block and also reduces suspicion from users, since the download doesn’t come directly from the phishing domain.

While digging further into this, I also noticed that the MSI files are hosted across multiple gofile storage endpoints such as:

store-na-phx-[1/4/5].gofile.io/download/direct/

Changing the server index (for example, 1, 4, or 5) reveals similar download paths hosting MSI files that follow the same theme, crypto wallet installers that actually deploy RMM tools.

Combined with the use of legitimate tools like GoTo Resolve (LogMeIn) and delivery through trusted file-sharing services, the overall chain appears clean on the surface but ultimately leads to full remote access.

Indicators

URLs

v1desktop-yoroiwallet[.]com
yoroi-wallet[.]org
instance-p1b26i-relay[.]screenconnect[.]com
YoroiDesktop-installer.msi
yoroi-wallet.msi
CompanyId: 5504330483880245799
Namespace: syn-prd-ava-unattended

File Hash

8634ad3c6488d6a27719c5341e91eeb9
2a2d9b03aa6185f434568f5f4c42bf49
e79a47fc85955123f0821223a4cf2595
be8c2d03333cbd13dab654260c60b025

RMM Abuse in a Crypto Wallet Distribution Campaign

Anurag Gawande9 Comments

Analysis of a Suspicious “Eternl Desktop” MSI Installer Dropping LogMeIn Resolve

Overview

A professionally written announcement email titled “Eternl Desktop Is Live — Secure Execution for Atrium & Diffusion Participants” is currently circulating within the Cardano community.

At first glance, the email appears legitimate and well aligned with Cardano’s governance narrative promoting security, decentralization, and staking incentives. However, deeper inspection of the download mechanism and installer behavior raises significant red flags.

Email Social Engineering Highlights

The email leverages high trust messaging and ecosystem specific incentives.

The email strategically references Atrium and the Diffusion Staking Basket to establish legitimacy within the Cardano ecosystem, while also making enticing claims of NIGHT and ATMA token rewards to drive user interest. It reinforces trust by emphasizing “local-first, non-browser signing,” positioning the application as a more secure alternative to browser based wallets. The overall messaging maintains a polished, professional tone with no visible spelling or grammatical issues, lending credibility to the communication. This is capped with a strong, authoritative call to action “Eternl Desktop is where Cardano decisions are finalized.” designed to create urgency and frame the software as an essential tool for serious Cardano participants.

Download Infrastructure Red Flags

The provided download URL, hxxps://download[.]eternldesktop[.]network, raises immediate concerns, as the domain appears to be newly created and lacks any established historical reputation. There is no independent verification or announcement from official, well known Eternl communication channels to validate its legitimacy. Additionally, the software is distributed as a direct MSI installer without publicly available checksums, digital signature transparency, or formal release notes, preventing users from independently verifying the integrity and authenticity of the installer before execution.

New infrastructure + wallet software + MSI installer is a high-risk combination.

Domain Information

MSI Installer Analysis

File Name: Eternl.msi
File Size: 23.3MB
File Type: Windows Intaller (MSI)
Hash: 8fa4844e40669c1cb417d7cf923bf3e0
Title: LogMeIn Resolve Unattended
Comments: LogMeIn Resolve Unattended v1.30.0.636

Using CFF Explorer, I identified an embedded executable within the MSI file. I then used LessMSI to extract the executable for further analysis.

Extracted Executable File

File Name: unattended-updater.exe
File Type: PE32
File Size: 23.35MB
Original File Name: GoToResolveUnattendedUpdater.exe
File Hash: 3f317e17741122cd4ea30123ba241cd0
File Description: LogMeIn Resolve

During dynamic analysis, the sample was observed writing log files and JSON artifacts to disk.

It also tried to connect to below domains.

  • hxxt://ip.zscaler.com
  • hxxt://zerotrust.services.gotoresolve.com
  • hxxt://dumpster.console.gotoresolve.com/api/live
  • hxxt://sessions.console.gotoresolve.com
  • hxxt://devices-iot.console.gotoresolve.com/
  • hxxps://devices.console.gotoresolve.com/properties
  • hxxps://applet.console.gotoresolve.com
  • hxxps://custombranding.console.gotoresolve.com

The executable is placed within a uniquely identified folder created under “C:\Program Files (x86)\GoTo Resolve Unattended“. All executables, along with JSON configuration files related to the RMM setup, are stored in this directory.

The unattended.json configuration file enables unattended access, allowing a technician to connect to the remote system without the end user being physically present.

The application attempts to connect to hxxps://dumpster.console[.]gotoresolve[.]com/api/sendEventsV2 to transmit event information in JSON format. The connection fails, and the application retries the request multiple times.

Why This Is Concerning

This behavior is concerning because Remote Monitoring and Management (RMM) tools inherently provide powerful capabilities such as remote command execution, system monitoring, persistent access, and unattended control. While legitimate in enterprise environments, these features are frequently abused by threat actors during initial access operations, particularly in crypto themed malware campaigns and fake wallet or airdrop lures, where RMM software is leveraged to establish long-term post exploitation persistence on compromised systems.

While LogMeIn Resolve itself is a legitimate product, its silent delivery inside a wallet installer is not legitimate behavior.

Detection Summary

  • Flagged as PUA / Riskware
  • Behavioral indicators consistent with remote management agents
  • Not a known component of any official Eternl wallet release

Threat Assessment

IndicatorRisk
Newly registered download domainHigh
MSI installer for wallet softwareHigh
Drops RMM toolCritical
PUA classificationConfirmed

HIGHLY SUSPICIOUS – DO NOT INSTALL

This campaign exhibits multiple overlapping indicators consistent with supply-chain abuse and trojanized wallet distribution, combined with pre positioning techniques that leverage RMM tools to establish persistent access. Together, these behaviors suggest preparation for potential follow on activity, including future credential harvesting or cryptocurrency wallet compromise.

Indicators of Compromise (IOCs)

Domains:

  • download[.]eternldesktop[.]network

Files

  • etrnl.msi
  • unattended-updater.exe

Product Identifiers

  • LogMeIn Resolve
  • GoTo Resolve

Hash

  • 8fa4844e40669c1cb417d7cf923bf3e0
  • 3f317e17741122cd4ea30123ba241cd0

This campaign demonstrates how crypto governance narratives are increasingly weaponized to distribute covert access tooling under the guise of professional software.