Satacom’ stealer secretly syphons… uh, Bitcoins

Jun 07 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that keeps its story straight. Unlike Prince Harry.

Today’s hottest cyber security stories:

  • Sneaky ‘Satacom’ stealer secretly syphons… uh, Bitcoins. Damn.

  • New ‘PowerDrop’ targets U.S aerospace. For updates, watch this space

  • LinkedIn spam, sorry scams hit UK, US, & Canada. HARD


There’s a new stealer in town by the name of Satacom stealer and, bad news crypto-heads, it’s coming for your Bitcoins.

It’s a stealthy bit of malware that targets victims via a rogue extension for Chromium-based browsers.

Which browsers are Chromium-based? A lot of them. Namely, Google Chrome (duh), Microsoft Edge (boomers beware), Vivaldi (not a football player), Brave (for those scared of snooping), Opera (not the talk show host), and a bunch of others.

Once it’s fooled the innocent party into downloading this so-called rogue extension, usually by clicking a DOWNLOAD button triggering the .exe file, it gets to work. Slow at first. Watching, waiting. In the shadows. Anyone remember The Rasmus?

And once it gets a whiff of a cryptocurrency exchange being visited, it leaps into silent action, syphoning away precious bitcoins. But don’t just take our word for it, here’s what the experts have to say.

"The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky researchers Haim Zigel and Oleg Kupreev said.

So, who’s at risk? Anyone, potentially. But so far, targets of the campaign include the crypto exchanges:

  • Coinbase

  • Bybit

  • KuCoin

  • Huobi

  • Binance

Targeted users are primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico.

So, how do you get it? Either a totally malicious website or a sneaky rogue ‘download’ button on an otherwise legit ad.

"Various types of websites are used to spread the malware," the researchers explained. "Some of them are malicious websites with a hardcoded download link, while others have the 'Download' button injected through a legitimate ad plugin."

Doesn't seem to be an issue in the west just yet which is something, but remain vigilant.

Remember, cybercrime doesn’t take a day off!


PowerDrop gets 3…2…1… LIFT-OFF! Introducing a new one, folks. Just launched. Geddit? This one’s a bit creepy. So, an unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop.

Creepy thing is the malware was already implanted. Just sitting there, listening. According to the experts the malicious part of the malware wasn’t particularly sophisticated but, once again, it’s the strain’s ability to avoid detection that impressed/worried the researchers.

"PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption," according to Adlumin, which found the malware implanted in an unnamed domestic aerospace defence contractor in May 2023.

Nerdy stuff

"The name is derived from the tool, Windows PowerShell, used to concoct the script, and 'Drop' from the DROP (DRP) string used in the code for padding."

PowerDrop is also a post-exploitation tool, meaning it's designed to gather information from victim networks after obtaining initial access through other means.

As mentioned, it was the threat's ability to hide which was its strongest suit…

"While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defences smacks of more sophisticated threat actors," Mark Sangster, vice president of strategy at Adlumin, said.

Sneaky, sneaky.


LinkedIn has apparently gone from spamming our inboxes 24/7 to facilitating the execution of scams to the tune of more than half of all users in the UK, U.S., and Canada.

Annoying as it may be at times, LinkedIn always seemed to us a bit of an oasis from the blatant phishing attempts on other social networks such as Facebook and Twitter. Apparently not, folks.

Indeed, LinkedIn scams targeting businesses have surged dramatically in Canada, the UK and US, but a Middle East cybersecurity expert warns that the region could be next, urging users to be more careful on the platform.

They’re coming for the Saudis! Lord knows there’s plenty of money in that region. So, whether you’re in the west or the middle east, keep your eyes peeled. But what should we be looking out for?

More social-engineering

“Like in every social media platform, attackers and scammers seek information and money to ruin reputations,” said NordLayer cybersecurity expert, Carlos Salas, in a statement last week.

“We know that employees are considered to be the weakest link in the cybersecurity chain, and LinkedIn has millions of professional accounts, making it an even more appealing target for scammers. So no one should let their guard down, no matter how professional a message might look.”

So, if a new connection suddenly offers you the job of your dreams if you’ll only provide a few personal details… Go for it, you only live once. Ha, just kidding, maybe do a bit of P.I. work before you spill any major cyber-beans.

Stay safe, true believers!

So long and thanks for reading all the phish!

Recent articles