Cybercriminals Exploit TRUMP Coin to Spread Phishing Campaign
By MBN Staff | MBN staff - Fri, 03/14/2025 - 10:30

A group of cybercriminals used the popularity of the cryptocurrency associated with US President Donald Trump and Binance’s name to carry out a sophisticated phishing campaign. The attackers distributed a Remote Access Trojan (RAT) via fake emails pretending to be from Binance, promising victims the opportunity to purchase the TRUMP coin.

"If victims follow the instructions and download 'Binance Desktop' to get TRUMP coins, they instead install ConnectWise RAT. The threat actors behind this campaign are eagerly monitoring infections and can connect to infected computers in less than two minutes," says Max Gannon, Threat Researcher, Cofense, which identified the campaign. This tactic reflects how cybercriminals take advantage of high-profile events to increase the credibility of their scams.

The TRUMP coin, launched in late January, has generated significant interest in the cryptocurrency ecosystem, especially given Trump's public endorsement of digital assets. Over his term, Trump has promoted multiple initiatives related to cryptocurrencies, such as the creation of a strategic digital asset pool and the organization of meetings with industry executives. However, these actions have also attracted the attention of malicious actors seeking to exploit the popularity of cryptocurrencies for fraudulent purposes.

Binance, one of the world's largest cryptocurrency exchanges, is frequently used as a lure in phishing campaigns due to its global recognition. Cybercriminals have perfected spoofing techniques to trick users, combining authentic images and convincing messages that mimic official communications from the platform.

Campaign Details

The phishing campaign was conducted via emails pretending to be from Binance, offering users the opportunity to purchase the TRUMP coin. The messages included detailed instructions, such as installing a supposed Binance desktop tool and making deposits into an account on the exchange. However, the download link provided actually installed ConnectWise RAT, malicious software that allows attackers to take remote control of infected systems.

Once installed, the RAT connected to a command and control (C2) server operated by the cybercriminals, who actively monitored the infections. Unlike other similar campaigns, in this case the attackers interacted with the compromised systems in a matter of minutes, searching for passwords stored in browsers such as Microsoft Edge. This speed and aggressiveness highlight the sophistication of the operation.

Jason Soroko, Principal Researcher, Sectigo, tells Security Boulevard that current events are fertile ground for social engineering, arguing that phishing messages aligned with trending news stories increase credibility and evoke emotional reactions, leading to hasty actions by victims. This approach allows attackers to exploit the urgency and interest generated by popular topics, such as the TRUMP coin.

Stephen Kowski, CTO, SlashNext Email Security+, stresses the importance of implementing advanced security solutions to combat these threats. "Phishing techniques, including legitimate-looking emails and convincing websites, underscore the need for real-time security analytics with AI-based detection capabilities," he says.

Kowski recommends adopting a multi-layered approach that combines email content analysis, link verification and educating users about the risks of downloading apps from unofficial sources.
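As an illustration of the content-analysis and link-verification layers applied to the lure described above, the following is an added example, not code from the article, Cofense, or any vendor quoted here. The brand allow-list, the finding labels, and the sample message are assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: defender-maintained allow-list of each brand's legitimate domains.
BRAND_DOMAINS = {"binance": {"binance.com"}}
INSTALLER_EXT = (".exe", ".msi", ".zip", ".iso")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def in_domain(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def triage(raw):
    """Return findings for one RFC 5322 message (no transfer-decoding done)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand not in text:
            continue  # message does not invoke this brand at all
        # Layer 1: brand named in the message, but sender is outside its domains.
        if not in_domain(sender_host, allowed):
            findings.append(f"sender-mismatch:{brand}:{sender_host}")
        # Layer 2: every link is checked against the brand's own domains.
        for url in URL_RE.findall(body):
            parsed = urlparse(url)
            if in_domain(parsed.hostname, allowed):
                continue
            is_installer = parsed.path.lower().endswith(INSTALLER_EXT)
            kind = "installer-link" if is_installer else "offbrand-link"
            findings.append(f"{kind}:{brand}:{parsed.hostname}")
    return findings

# Constructed sample message; all hosts use reserved example domains.
SAMPLE = """From: Binance <support@binance-rewards.example>
To: user@example.org
Subject: Get TRUMP coins with Binance Desktop

Download Binance Desktop: https://downloads.example.net/BinanceDesktop.exe
Then deposit at https://www.binance.com/en/my/wallet
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The genuine binance.com link in the sample is not flagged, which mirrors how such lures mix authentic elements with the one malicious download link.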
