
Backdoored cryptocurrency software found serving AZORult malware

Hackers have compromised the GitHub account of the Denarius cryptocurrency project lead and have backdoored the Windows client with the AZORult infostealer malware.

The compromised Denarius cryptocurrency client –which node operators run on their servers to support the Denarius blockchain– was spotted earlier today by a security researcher named Misterch0c, who alerted ZDNet.

ZDNet independently confirmed the researcher’s findings with the help of RiskIQ threat researcher Yonathan Klijnsma.

Carsen Klock, the top dev behind the Denarius cryptocurrency, said the incident occurred because he reused an older password to secure his GitHub account.

This allowed a hacker to silently access his GitHub account and upload a backdoored version of the Denarius Windows client (version 3.3.6, released on January 22).
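A release published from a compromised maintainer account looks like any other release, so a node operator's only defence at install time is to compare what they downloaded against a checksum obtained from a channel the attacker does not also control (a signed release note, a project mailing list, a second maintainer's key). The checker below is an added example, not code from the article or from the Denarius project; the file name, the manifest and the "good" and "tampered" builds are constructed sample data.

```python
"""Verify downloaded release assets against a SHA-256 manifest obtained out-of-band."""
import hashlib
import hmac
from typing import Dict


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into {filename: digest}."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        pins[name] = digest.lower()
    return pins


def verify_assets(assets: Dict[str, bytes], pins: Dict[str, str]) -> Dict[str, str]:
    """Return one verdict per downloaded asset: 'ok', 'mismatch' or 'unlisted'.

    'unlisted' matters as much as 'mismatch': an attacker who controls the
    account can add a brand-new asset that no pinned checksum covers.
    """
    verdicts = {}
    for name, data in assets.items():
        actual = hashlib.sha256(data).hexdigest()
        expected = pins.get(name)
        if expected is None:
            verdicts[name] = "unlisted"
        elif hmac.compare_digest(actual, expected):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Constructed sample data: an original build and a tampered re-upload under the same name.
GOOD_BUILD = b"denarius windows client 3.3.6 (constructed sample build)"
TAMPERED_BUILD = GOOD_BUILD + b"\x00extra stage appended by attacker (constructed)"
ASSET_NAME = "denarius-3.3.6-windows.exe"  # constructed file name, not the real release asset
MANIFEST = (
    "# checksums distributed with the signed release announcement (constructed)\n"
    f"{hashlib.sha256(GOOD_BUILD).hexdigest()}  {ASSET_NAME}\n"
)


def check_release(assets: Dict[str, bytes]) -> Dict[str, str]:
    """Check a set of downloaded assets against the out-of-band manifest."""
    return verify_assets(assets, parse_manifest(MANIFEST))
```

The manifest has to be pinned somewhere the compromised account cannot rewrite; a checksum file committed next to the binary in the same repository proves nothing once the account is in the attacker's hands.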

According to Misterch0c and Klijnsma, this file (VirusTotal link) was a modified Denarius client installer that installed a version of the AZORult malware.

“The .bat file is started, which will start the other bins in sequence, with the smaller one being AZORult,” Klijnsma said after analyzing the backdoored Denarius installer.

AZORult malware inside the Denarius client installer
Image: Yonathan Klijnsma

Once installed on a user’s computer, AZORult can steal a vast array of user data, such as browser passwords, browser cookies, passwords for FTP clients, chat histories, and most importantly, wallet database files from popular cryptocurrency clients.

Misterch0c told ZDNet that all the data collected from infected users would then be sent to a command and control (C&C) located at

After looking up the IP address in RiskIQ’s huge database of historical threat intelligence data, Klijnsma told ZDNet that the address had hosted an AZORult control panel since July 2018.

AZORult control panel
Image: Yonathan Klijnsma

According to Misterch0c, this IP address was also linked to other malware samples, all of which appeared to be backdoored cryptocurrency software, and all of which communicated with this same domain.

Wow… I think this is bigger than I thought. Look at all these shitcoins wallets that were compromised… pic.twitter.com/gim2mkeXYU – Misterch0c (@MisterCh0c), February 5, 2019

This appears to be a very well-organized hacking spree that targeted cryptocurrency aficionados by backdooring cryptocurrency node clients and wallet apps.

One of the cryptocurrencies included in Misterch0c’s list is New York Coin (NYC), which admitted two weeks ago that a 51% attack carried out in October was most likely caused by malware that was slipped into its wallets before the attack.

The New York Coin 51% attack resulted in hackers taking control of more than half of all NYC blockchain nodes and using this superior position to issue and immediately confirm illicit transactions that siphoned NYC coins from the wallets of the Trade Satoshi cryptocurrency exchange. Trade Satoshi later delisted New York Coin from its index following this attack.

After being contacted by ZDNet and Misterch0c, Klock, the main Denarius dev, removed the backdoored Windows client from the currency’s official GitHub account before this article’s publication. At the time of writing, there have not been any 51% attacks against the Denarius blockchain.

Nonetheless, because AZORult is such an intrusive threat, able to collect all sorts of data such as passwords, cookies, and wallet files, the hacker group behind this spree did not necessarily follow up every compromised cryptocurrency client in the same way.

In many cases, they might have been satisfied with emptying out the wallets of users who installed any of the other backdoored clients, rather than taking over an entire blockchain to defraud cryptocurrency exchanges.
