"a paired device. The PrivateKeyVerifyScreen remains unused – it is designed to handle a private key rather than a mnemonic, specifically the key generated by the wallet based on the entered seed phrase. Since Ledger Live doesn't give users direct access to private keys or suppo…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1071.001 Web Protocols
77%
"…vvcbzf hxxps://mziyytm5ytk.ahroar[.]com/kan2pieaarifb8yc hxxps://ngy2yjq0otlj.ahroar[.]com/epcxmkdmx1roygj hxxps://ngy2yjq0otlj.ahroar[.]com/17piwjfr9dbixyrsb C2 addresses hxxps://kkkhhhnnn[.]com/api/open/postbytokenpocket hxxps://…"
T1027 Obfuscated Files or Information
71%
"…crypted using RSA with the PKCS#1 scheme. - The encrypted data is then encoded into Base64. - Finally, the encoded string – along with metadata like the malicious module type, the app name, and a unique identification code – is sent to the attackers' server. In this specific…"
T1204.002 Malicious File
68%
", the Trojan encrypts the captured mnemonics and sends the resulting value to the C2 server. The data is encrypted using the same algorithm described earlier (RSA encryption followed by Base64 encoding). If the app is closed or minimized, the Trojan checks the status of the pre…"
T1566.002 Spearphishing Link
64%
"…f296d1 fd0dc5d4bba740c7b4cc78c4b19a5840 7b4c61ff418f6fe80cf8adb474278311 8cbd34393d1d54a90be3c2b53d8fc17a d138a63436b4dd8c5a55d184e025ef99 5bdae6cb778d002c806bb7ed130985f3 Malicious React Native application hash 84c81a5e49291fe60eb9f5c1e2ac184b Phishing HTML for infected Ledger…"
T1566.002 Spearphishing Link
61%
"own, with mnemonics handled exclusively by the FakeWallet modules. We suspect SparkKitty might be present for one of two reasons: either the authors of both malicious campaigns are linked and forgot to remove it, or it was embedded by different attackers and is currently inactiv…"
T1657 Financial Theft
49%
"function and the mnemonic validation method within the original WalletCore class. These are followed by two wrapper functions designed to: - resolve symbols datainit or processx0parameter from the malicious library - hand over control to these newly discovered functions - execut…"
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
47%
"a paired device. The PrivateKeyVerifyScreen remains unused – it is designed to handle a private key rather than a mnemonic, specifically the key generated by the wallet based on the entered seed phrase. Since Ledger Live doesn't give users direct access to private keys or suppo…"
T1204.002 Malicious File
45%
"…f296d1 fd0dc5d4bba740c7b4cc78c4b19a5840 7b4c61ff418f6fe80cf8adb474278311 8cbd34393d1d54a90be3c2b53d8fc17a d138a63436b4dd8c5a55d184e025ef99 5bdae6cb778d002c806bb7ed130985f3 Malicious React Native application hash 84c81a5e49291fe60eb9f5c1e2ac184b Phishing HTML for infected Ledger…"
T1566.002 Spearphishing Link
45%
"frequently use log messages in Chinese. - Both campaigns distribute infected apps via phishing pages that mimic the official App Store. - Both campaigns specifically target victims' cryptocurrency assets. Conclusion Our research shows that the FakeWallet campaign is gaining mome…"
T1566.002 Spearphishing Link
44%
"our investigation, we identified 26 phishing apps in the App Store mimicking the following major wallets: - MetaMask - Ledger - Trust Wallet - Coinbase - TokenPocket - imToken - Bitpie We've reported all of these findings to Apple, and several of the malicious apps have alread…"
T1055.001 Dynamic-link Library Injection
43%
"…crypted using RSA with the PKCS#1 scheme. - The encrypted data is then encoded into Base64. - Finally, the encoded string – along with metadata like the malicious module type, the app name, and a unique identification code – is sent to the attackers' server. In this specific…"
T1574.006 Dynamic Linker Hijacking
37%
"- school phishing. We found two versions of the Ledger implant, one using a malicious library injection and another where the app's source code itself was tampered with. In the library version, the malware sneaks in through standard entry points: two Objective-C initializati…"
Summary
In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets.