Cybersecurity experts have uncovered a new malware campaign by a hacker group known as Dark Partner. The attackers are targeting both macOS and Windows users through fake websites that mimic popular AI tools, VPN services, and cryptocurrency platforms.
The hackers are using advanced social engineering techniques to trick users into downloading malicious software. By exploiting the growing interest in AI and crypto, they lure victims with professional-looking websites that appear safe and reliable.
Fake Websites That Look Real
These fake websites copy the look and feel of legitimate services. They offer fake versions of ChatGPT-like tools, VPN clients, and crypto wallets. Many appear in search engine results and social media ads.
The sites include features like:
- Valid SSL certificates
- Responsive design for mobile and desktop
- Customer testimonials and product descriptions
Security analysts say the sites are designed to build trust and are difficult to distinguish from the real ones.
Cross-Platform Malware and Multi-Stage Attacks
Researcher g0njxa reports that the malware campaign uses a multi-stage infection process. It starts with a fake installer that appears legitimate but hides malicious code.
This malware can target both Windows and macOS systems, showing that the attackers have teams skilled in multiple operating systems.
The campaign affects not only personal users but also businesses, especially those using AI tools and crypto platforms. The malware has attempted to steal:
- Login credentials
- Crypto wallet data
- API keys and business documents
Victims have been found across North America, Europe, and parts of Asia—regions with high usage of AI and cryptocurrency services. Attack themes often change to reflect regional trends and preferences.
How the Infection Works
The fake installers range from 15 to 25 MB. They contain real application files along with hidden malware to avoid suspicion. Once opened, the malware checks the system type and begins its attack based on the operating system.
Windows Systems
On Windows, the malware uses a technique called process hollowing. It creates a normal-looking app process, then replaces its memory with malicious code. Here is a simplified version of the code used (the snippet is incomplete and shows only the first steps):
import subprocess
import ctypes
from ctypes import wintypes

def hollow_process(target_path, payload):
    # Start the legitimate-looking target application in a suspended state
    process = subprocess.Popen(target_path, creationflags=0x00000004)
    kernel32 = ctypes.windll.kernel32
    # Reserve writable, executable memory inside the suspended process
    allocated_mem = kernel32.VirtualAllocEx(
        process.handle, None, len(payload), 0x3000, 0x40)
    # Copy the malicious payload into that memory region
    kernel32.WriteProcessMemory(
        process.handle, allocated_mem, payload, len(payload), None)
macOS Systems
On macOS, the malware hides inside app bundles. It places files where users won’t see them and creates persistence using LaunchAgents. It also changes system preferences to ensure it runs after each restart.
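A defender-side check for the LaunchAgents persistence described above, added here as an example that is not code from the campaign or from the researcher's report: it parses LaunchAgent plists and flags entries that launchd auto-starts from hidden or temporary locations. The trusted-path list and the two sample plists are constructed assumptions, not real campaign artefacts.

```python
"""Audit macOS LaunchAgent plists for persistence entries that auto-start a program
from a location where a user would not normally look. Heuristic triage only."""
import plistlib
from pathlib import Path

# Locations a legitimately installed agent normally runs from (assumption; tune per fleet).
TRUSTED_PREFIXES = ("/Applications/", "/System/", "/usr/", "/Library/Apple/", "/opt/homebrew/")
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/")


def program_of(agent: dict) -> str:
    """Executable the agent launches: Program takes precedence over ProgramArguments[0]."""
    if agent.get("Program"):
        return str(agent["Program"])
    args = agent.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def suspicious_reasons(agent: dict) -> list:
    """Reasons an agent deserves a closer look; an empty list means nothing stood out."""
    prog = program_of(agent)
    if not prog:
        return ["no Program or ProgramArguments"]
    reasons = []
    # Hidden directory anywhere in the path (dot-prefixed component, root excluded).
    if any(part.startswith(".") for part in Path(prog).parts[1:]):
        reasons.append("hidden path component")
    if prog.startswith(TEMP_PREFIXES):
        reasons.append("runs from temp directory")
    # RunAtLoad / KeepAlive make launchd start (and restart) the program at every login.
    autostart = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    if autostart and not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("auto-starts from untrusted location")
    return reasons


def audit_plist(data: bytes) -> dict:
    """Parse one plist (XML or binary) and summarise it for triage."""
    agent = plistlib.loads(data)
    return {"label": agent.get("Label", "?"), "program": program_of(agent),
            "reasons": suspicious_reasons(agent)}


def audit_directory(directory: Path) -> list:
    """Audit every *.plist in a LaunchAgents directory, e.g. ~/Library/LaunchAgents."""
    return [audit_plist(p.read_bytes()) for p in sorted(directory.glob("*.plist"))]


# Constructed sample plists: one benign, one mimicking the hidden-path pattern.
BENIGN = plistlib.dumps({"Label": "com.example.helper", "RunAtLoad": True,
                         "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]})
SUSPICIOUS = plistlib.dumps({"Label": "com.apple.updater", "RunAtLoad": True, "KeepAlive": True,
                             "ProgramArguments": ["/Users/alice/Library/.update/agent", "--quiet"]})

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        print(audit_plist(sample))
```

Legitimate third-party agents often live under the user's Library, so treat a hit as a triage lead to check against the signing identity and install source, not as a verdict.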
Stealth and Communication
The malware uses encrypted connections to contact its command-and-control servers. It also uses domain generation algorithms (DGA) to keep finding a live server, even if its main servers are taken offline.
This method helps the hackers keep long-term access to infected systems and makes it harder for traditional security tools to detect the threat.
Conclusion
The Dark Partner campaign shows how cybercriminals are evolving to take advantage of popular technology trends. By faking trusted tools and platforms, they are successfully targeting users worldwide. Experts urge people to download software only from verified sources and remain cautious of online ads and unfamiliar websites.