Malicious trading website drops malware that hands your browser to attackers
<p>The post <a href="https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers">Malicious trading website drops malware that hands your browser to attackers</a> appeared first on <a href="https://www.malwarebytes.com/">Malwarebytes</a>.</p><p>During our threat hunting, we found a campaign using the same malware loader from <a href="https://www.malwarebytes.com/blog/threat-intel/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere" rel="noreferrer noopener">our previous research</a> to deliver a different threat: <strong>Needle Stealer</strong>, a data-stealing malware family designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets.</p><p>In this case, attackers used a website promoting a tool called <strong>TradingClaw</strong> (<code>tradingclaw[.]pro</code>), which claims to be an AI-powered assistant for TradingView.</p><p>TradingView is a legitimate platform used by traders to analyze financial markets, but this fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup <code>tradingclaw[.]chat</code>. Instead, it is being used here as a lure to trick people into downloading malware.</p><h2 class="wp-block-heading" id="h-what-is-needle-stealer">What is Needle Stealer?</h2><p>Needle is a modular infostealer written in Golang. 
In simple terms, that means it’s built in pieces, so attackers can turn features on or off depending on what they want to steal.</p><p>According to its control panel, Needle includes:</p><ul class="wp-block-list"> <li><strong>Needle Core</strong>: The main component, with features like form grabbing (capturing data you enter into websites) and clipboard hijacking</li> <li><strong>Extension module</strong>: Controls browsers, redirects traffic, injects scripts, and replaces downloads</li> <li><strong>Desktop wallet spoofer</strong>: Targets cryptocurrency wallet apps like Ledger, Trezor, and Exodus</li> <li><strong>Browser wallet spoofer</strong>: Targets browser-based wallets like MetaMask and Coinbase, including attempts to extract seed phrases</li> </ul><p>The panel also shows a “coming soon” feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="778" height="488" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-Needle-Panel.png" alt="Needle Stealer panel" class="wp-image-402735"><figcaption class="wp-element-caption"><em>Needle Stealer panel</em></figcaption></figure><p id="h-in-this-blog-post-we-analyze-the-distribution-of-the-stealer-through-a-fake-website-related-to-an-ai-service-called-tradingclaw-we-have-detected-that-the-same-stealer-is-also-distributed-by-other-malware-such-as-amadey-and-gcleaner">In this article, we analyze the distribution of the stealer through a fake website related to an AI service called <strong>TradingClaw</strong>. We have detected that the same stealer is also distributed by other malware such as Amadey and GCleaner. 
</p><h2 class="wp-block-heading" id="h-analysis-of-the-tradingclaw-campaign">Analysis of the TradingClaw campaign</h2><p>In this campaign, the malware is distributed through a fake website advertising TradingClaw as an AI trading tool.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="972" height="522" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-1.jpeg" alt="Malicious TradingClaw website" class="wp-image-402739"><figcaption class="wp-element-caption"><em>Malicious TradingClaw website</em></figcaption></figure><p>The site itself behaves selectively. Some visitors are shown the fake TradingClaw page, while others are redirected to a different site (<code>studypages[.]com</code>). This kind of cloaking is commonly used by attackers to keep the malicious content away from crawlers and researchers and show it only to intended targets. Search engines, for example, see the Studypages version:</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="205" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-studypages.png?w=1024" alt="Studypages fake page" class="wp-image-402741"><figcaption class="wp-element-caption"><em>Google results show the Studypages fake page</em></figcaption></figure><p>If a user proceeds, they are prompted to download a ZIP file. This file contains the first stage of the infection chain.</p><p>As in the previous campaign, the attack relies on a technique called DLL hijacking. In simple terms, the malware disguises itself as a library that a trusted program loads automatically. When the program runs, it unknowingly executes the malicious code instead.</p><p>In this case, the DLL loader (named <code>iviewers.dll</code>) is executed first. 
It then loads a second-stage DLL, which ultimately injects the Needle Stealer into a legitimate Windows process (<code>RegAsm.exe</code>) using a technique known as process hollowing.</p><figure class="wp-block-image aligncenter size-large"><img decoding="async" loading="lazy" height="308" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-RegAsmprocess.png?w=1024" alt="Needle Stealer injected in RegAsm.exe process" class="wp-image-402746"><figcaption class="wp-element-caption"><em>Needle Stealer injected in RegAsm.exe process</em></figcaption></figure><p>The stealer is developed in Golang, and most of the functions are implemented in the “ext” package. </p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="345" height="533" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-exepackage.png" alt="Part of the “exe” package" class="wp-image-402747"><figcaption class="wp-element-caption"><em>Part of the “exe” package</em></figcaption></figure><h2 class="wp-block-heading">What the malware does</h2><p>Once installed, the Needle core module can:</p><ul class="wp-block-list"> <li>Take screenshots of the infected system</li> <li>Steal browser data, including history, cookies, and saved information</li> <li>Extract data from apps like Telegram and FTP clients</li> <li>Collect files such as .txt documents and wallet data</li> <li>Steal cryptocurrency wallet information</li> </ul><p>One of the more concerning features is its ability to install malicious browser extensions.</p><h2 class="wp-block-heading">Malicious browser extensions</h2><p>The stealer also supports the distribution of malicious browser extensions, giving attackers a powerful way to take control of the victim’s browser.</p><p>We identified multiple variations of these extensions, each with slightly different file structures and components. 
Behind the scenes, the malware uses built-in Golang features to unpack an embedded ZIP archive (often named <code>base.zip</code> or <code>meta.zip</code>) that contains the extension files, along with a configuration file (<code>cfg.json</code>).</p><p>Partial <code>cfg.json</code> config file:</p><pre class="wp-block-code"><code>{
  "extension_host": {},
  "api_key": "…",
  "server_url": "https://C2/api/v2",
  "self_destruct": true,
  "base_extension": true,
  "ext_manifest": {
    "account_extension_type": 0,
    "active_permissions": {
      "api": [
        "history",
        "notifications",
        "storage",
        "tabs",
        "webNavigation",
        "declarativeNetRequest",
        "scripting",
        "declarativeNetRequestWithHostAccess",
        "sidePanel"
      ],
      "explicit_host": [ "<all_urls>" ],
      "manifest_permissions": [],
      "scriptable_host": [ "<all_urls>" ]
    },
    "commands": {
      "_execute_action": { "was_assigned": true }
    },
    …</code></pre><p>This configuration file is key. It tells the malware where to send stolen data (the command-and-control server), which malicious extension to install, and which features to enable. The <code>active_permissions</code> block is also what gives the extension its reach: <code>&lt;all_urls&gt;</code> host access combined with <code>history</code>, <code>scripting</code>, and <code>declarativeNetRequest</code> lets it read browsing history, inject scripts into any page, and rewrite or redirect requests.</p><p>The stealer extension is dropped into a randomly named folder under <code>%LOCALAPPDATA%\Packages\Extensions</code>. The folder contains three main files: <code>popup.js</code>, <code>content.js</code>, and <code>background.js</code>. 
</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="990" height="355" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-extension.png" alt="The malicious extension dropped" class="wp-image-402758"><figcaption class="wp-element-caption"><em>The malicious extension dropped</em></figcaption></figure><p>The extensions analyzed have Google-related names.</p><figure class="wp-block-image aligncenter size-full"><img decoding="async" loading="lazy" width="895" height="736" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/04/trading-claw-GO-translate.png" alt="The fake malicious extension on Edge Browser" class="wp-image-402759"><figcaption class="wp-element-caption"><em>The fake malicious extension on Edge Browser</em></figcaption></figure><h2 class="wp-block-heading" id="h-what-the-malicious-extensions-can-do">What the malicious extensions can do</h2><p>The extension gives attackers near-full control over the browser, with capabilities that go far beyond the data collection a typical infostealer performs.</p><p>It can:</p><ul class="wp-block-list"> <li><strong>Connect to a remote server</strong> using a built-in API key and regularly check in for instructions. It can also switch to backup domains if the main server goes offline.</li> <li><strong>Generate a unique ID</strong> to track the infected user over time.</li> <li><strong>Collect full browsing history</strong> and send it to a remote server (<code>/upload</code>).</li> <li><strong>Monitor what you’re doing in real time</strong>, including which sites you visit, and apply attacker-controlled redirect rules. 
This allows it to silently send you to different websites or alter what you see on a page, including injecting or hiding content.</li> <li><strong>Intercept downloads</strong>, cancel legitimate files, and replace them with malicious ones from attacker-controlled servers.</li> <li><strong>Inject scripts directly into web pages</strong>, enabling further data theft or manipulation.</li> <li><strong>Display fake browser notifications</strong> with attacker-controlled text and images.</li> </ul><hr class="wp-block-separator has-alpha-channel-opacity"><h2 class="wp-block-heading">How it communicates with attackers</h2><p>The stealer and its extension communicate with command-and-control (C2) servers using several API endpoints. These are essentially different “channels” used for specific tasks:</p><ul class="wp-block-list"> <li><code>/backup-domains/active</code>—retrieves backup servers to stay connected if the main one is blocked</li> <li><code>/upload</code>—sends stolen data back to the attackers</li> <li><code>/extension</code>—receives instructions for redirects, downloads, and notifications</li> <li><code>/scripts</code>—downloads malicious code to inject into web pages</li> </ul><h2 class="wp-block-heading">How to stay safe</h2><p>Scammers are increasingly using AI-themed tools to make fake websites look legitimate. In this case, a supposed “AI trading assistant” was used to trick people into installing malware.</p><p>To reduce your risk:</p><ul class="wp-block-list"> <li><strong>Download software only from official websites</strong>. If a tool claims to work with a well-known platform, check the platform’s official site to confirm it’s real.</li> <li><strong>Check who created the file before running it</strong>. Look at the publisher name and avoid anything that looks unfamiliar or inconsistent.</li> <li><strong>Review your browser extensions regularly</strong>. 
Remove anything you don’t recognize, especially extensions you didn’t knowingly install.</li> </ul><h2 class="wp-block-heading" id="h-what-to-do-if-you-think-you-ve-been-affected">What to do if you think you’ve been affected</h2><p>If you think you may have downloaded this infostealer:</p><ul class="wp-block-list"> <li>Check EDR and firewall logs for communications with the C2 domains and IPs listed in the IOCs section below.</li> <li>From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Change all passwords and enable 2FA for accounts you have accessed from this machine.</li> <li>Check <code>%LOCALAPPDATA%\Packages\Extensions</code> for dropped extension files, and review the extensions installed in each browser for anything you did not add yourself.</li> <li>If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.</li> <li><a href="https://www.malwarebytes.com/solutions/virus-scanner" rel="noreferrer noopener">Run a full scan with Malwarebytes</a>.</li> </ul><h2 class="wp-block-heading" id="h-indicators-of-compromise-iocs">Indicators of Compromise (IOCs)</h2><p><strong>Hashes (SHA-256)</strong></p><p><code>95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed</code></p><p><code>0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0</code></p><p><strong>Domains</strong></p><p><code>tradingclaw[.]pro</code>: fake website</p><p><code>chrocustumapp[.]com</code>: related to malicious extension</p><p><code>chrocustomreversal[.]com</code>: related to malicious extension</p><p><code>google-services[.]cc</code>: related to malicious extension</p><p><code>coretest[.]digital</code>: C2 panel</p><p><code>reisen[.]work</code>: C2 panel</p><p><strong>IPs</strong></p><p><code>178[.]16[.]55[.]234</code>: C2 panel</p><p><code>185[.]11[.]61[.]149</code>: C2 panel</p><p><code>37[.]221[.]66[.]27</code>: C2 
panel</p><p><code>2[.]56[.]179[.]16</code>: C2 panel</p><p><code>178[.]16[.]54[.]109</code>: C2 panel</p><p><code>209[.]17[.]118[.]17</code>: C2 panel</p><p><code>162[.]216[.]5[.]130</code>: C2 panel</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.malwarebytes.com/">Malwarebytes</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Malwarebytes">Malwarebytes</a>. Read the original post at: <a href="https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers">https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers</a> </p>
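<p>As an added example (not code from the Malwarebytes post, and not the malware's own code): a hunting script for the browser-side indicators described above. It reads the <code>extensions.settings</code> map from a Chromium-family <code>Secure Preferences</code> file and flags any extension that is loaded from <code>%LOCALAPPDATA%\Packages\Extensions</code> as an unpacked extension, has <code>&lt;all_urls&gt;</code> host access, and carries the history/scripting/declarativeNetRequest API set shown in the <code>cfg.json</code> excerpt. The sample preferences, extension IDs and paths are constructed for the demonstration, and the <code>LOCATION_UNPACKED</code> value is an assumption taken from Chromium's manifest-location enum rather than something the article states.</p>

```python
"""Flag sideloaded browser extensions with the stealer's permission profile.

Added example, not code from the original post. Input shape follows the
'extensions.settings' map of a Chromium 'Secure Preferences' file (Chrome,
Edge): one entry per extension ID with 'path', 'location' and
'active_permissions'. Sample entries below are constructed.
"""
from __future__ import annotations

import json
import os
from pathlib import PureWindowsPath

# API permissions from the cfg.json 'ext_manifest' in the article.
STEALER_APIS = {
    "history", "tabs", "webNavigation", "scripting", "notifications",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
}
# Redirect rules + script injection + history theft need at least these three.
CORE_TRIAD = {"declarativeNetRequest", "scripting", "history"}

# Drop directory named in the article (user name is a placeholder).
DROP_DIR = PureWindowsPath(r"C:\Users\victim\AppData\Local\Packages\Extensions")

# Assumption: Chromium ManifestLocation value for an unpacked extension.
# Treat a match as a hint to investigate, not as proof on its own.
LOCATION_UNPACKED = 4

# Default Secure Preferences locations for Chrome and Edge on Windows.
PREF_FILES = [
    r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences",
    r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Secure Preferences",
]


def is_under(path: str, parent: PureWindowsPath) -> bool:
    """True when 'path' is an absolute Windows path inside 'parent'.

    Web Store installs record a profile-relative path such as '<id>\\1.2_0',
    so only an absolute path can point at the stealer's drop folder.
    """
    p = PureWindowsPath(path)
    if not p.is_absolute():
        return False
    try:
        p.relative_to(parent)
    except ValueError:
        return False
    return True


def audit_extension(entry: dict) -> list[str]:
    """Return the reasons one settings entry matches the stealer pattern."""
    reasons: list[str] = []
    perms = entry.get("active_permissions", {})
    apis = set(perms.get("api", []))
    hosts = set(perms.get("explicit_host", [])) | set(perms.get("scriptable_host", []))

    if is_under(entry.get("path", ""), DROP_DIR):
        reasons.append("installed from %LOCALAPPDATA%\\Packages\\Extensions")
    if entry.get("location") == LOCATION_UNPACKED:
        reasons.append("loaded as an unpacked extension")
    if "<all_urls>" in hosts:
        reasons.append("has <all_urls> host access")
    if CORE_TRIAD <= apis:
        reasons.append("redirect/inject/history APIs: " + ", ".join(sorted(apis & STEALER_APIS)))
    return reasons


def audit_preferences(prefs: dict) -> dict[str, list[str]]:
    """Map extension ID -> reasons for every flagged extension in a prefs dict."""
    settings = prefs.get("extensions", {}).get("settings", {})
    flagged: dict[str, list[str]] = {}
    for ext_id, entry in settings.items():
        reasons = audit_extension(entry)
        if reasons:
            flagged[ext_id] = reasons
    return flagged


def audit_file(path: str) -> dict[str, list[str]]:
    """Load a Secure Preferences JSON file (env vars expanded) and audit it."""
    with open(os.path.expandvars(path), encoding="utf-8") as fh:
        return audit_preferences(json.load(fh))


# Constructed sample: one ordinary Web Store extension, one entry shaped like
# the article's cfg.json. IDs and the random folder name are made up.
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaabbbbccccddddeeeeffffgggghhhh": {
        "path": "aaaabbbbccccddddeeeeffffgggghhhh\\1.4.2_0",
        "location": 1,
        "active_permissions": {"api": ["storage"], "explicit_host": [], "scriptable_host": []},
    },
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
        "path": "C:\\Users\\victim\\AppData\\Local\\Packages\\Extensions\\k3j9x2",
        "location": 4,
        "active_permissions": {
            "api": ["history", "notifications", "storage", "tabs", "webNavigation",
                    "declarativeNetRequest", "scripting",
                    "declarativeNetRequestWithHostAccess", "sidePanel"],
            "explicit_host": ["<all_urls>"],
            "manifest_permissions": [],
            "scriptable_host": ["<all_urls>"],
        },
    },
}}}

if __name__ == "__main__":
    for ext_id, reasons in audit_preferences(SAMPLE_PREFS).items():
        print("sample:", ext_id, "->", "; ".join(reasons))
    for pref in PREF_FILES:  # live check, only where the browser profile exists
        if os.path.exists(os.path.expandvars(pref)):
            for ext_id, reasons in audit_file(pref).items():
                print(pref, ext_id, "->", "; ".join(reasons))
```

<p>Run it on the affected Windows host (or point <code>audit_file</code> at a copied <code>Secure Preferences</code> file from a forensic image). An extension that trips all four checks is worth pulling for analysis, and its folder under <code>%LOCALAPPDATA%\Packages\Extensions</code> is the place to look for the <code>background.js</code>, <code>content.js</code> and <code>popup.js</code> described above. Web Store extensions that legitimately request broad permissions will trip the host and API checks but not the path or unpacked-location checks, which is why the script reports reasons rather than a single verdict.</p>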