Introduction
Meowsterio is a traffer group specialised in cryptocurrency theft. It recruits workers to spread infostealers, using custom-built fake online projects as lures to phish people.
The Meowsterio gang has been active since at least 2023. It was a former affiliate of the infamous, now defunct Marko Polo traffer team, and it resurfaced in April 2025. From its earlier Marko Polo period, the team claims a profit turnover of 5 million USD.
You can get an insight into the old Marko Polo operations here: https://go.recordedfuture.com/hubfs/reports/cta-2024-0917.pdf


The team is now administered by the user “nicefolr”; “killiastrius” is the technical manager of the team's projects and everything related to malware, and the user “etozhezhe” handles worker support.



Victimization
Since returning to public traffer work, Meowsterio has suffered from a loss of trust and from a lack of people actively working for the team compared with its earlier days, which is why its registered activity may be lower than that of other traffer teams.
For an unknown reason, logs are periodically deleted from the team channels, so complete tracking was not possible.
At the time of writing, Meowsterio has registered 650 infections worldwide:

As for actual profits, an estimated 80 thousand USD has been stolen from victims, as announced publicly on the worker channels.
The biggest single profit was generated recently: allegedly around 62 thousand dollars stolen from a Spanish macOS user.
See: https://x.com/g0njxa/status/1932139035943653473


Landing Pages
Please note that all websites under the control of Meowsterio are hosted at 185.9.145.249, a bulletproof host provided by the company ServHost (serv.host).
Meowsterio currently offers four fake projects to workers, plus an extra Zoom impersonation site that is not listed in the work bot.

Velora
This project describes itself as a browser-based, multi-chain creature-collection MMO-lite.

In fact, it is a faithful copy of the project “Legends of Venari”, down to the smallest detail; references to the original website have not even been removed.


The Meowsterio administration has also created an NFT collection on OpenSea and Magic Eden for the landing page and listed the project on DappRadar.



This website can issue a direct download of a signed .exe build if the victim was referred to the site with a worker-generated code for which this option was enabled (macOS users are issued a direct download of an AMOS build); otherwise the victim can register (or skip the login as a guest) to interact with the ClickOnce application deployed on the site.


Victims are then presented with an error prompt, followed by a malicious ClickOnce application disguised as a required Microsoft WebDriver update:

The log format generated by visitor activity on this site can be seen below:

Drakthos
This project describes itself as a derailed, action-packed, top-down isometric roguelite.

In fact, it is an exact copy of the project “Degenheim”, with every detail included.

The Meowsterio team has also launched an NFT collection on OpenSea and Magic Eden for this project.


The only website functionality that has been implemented is a direct download of a signed .exe build if the victim was referred to the site with a worker-generated code for which this option was enabled (macOS users are issued a direct download of an AMOS build), or interaction with the ClickOnce application deployed on the site.
The log format generated by visitor activity on this site can be seen below:

Vidorium
This project describes itself as a decentralized real-time communication application.

In fact, this landing page was built using content from another project named “dTelecom”.

This project has been listed on DappRadar by the Meowsterio administration.

To obtain a download, users are required to enter an email address (valid or not). A download button then appears on the website that delivers a signed .exe build if the victim was referred to the site with a worker-generated code for which this option was enabled (macOS users are issued a direct download of an AMOS build), or that initiates the interaction with the ClickOnce application deployed on the site.


An email containing a link to the main page is sent to the address the user entered on the website. For an unknown reason, all users are greeted with a “Welcome” in Russian.
Email route:
[vidoriumapp.io (185.9.145.249)] PHPMailer 6.9.3
▼
[panel.serv.host (Exim 4.98.2)]
▼
[Haraka/3.0.5 (internal)]
▼
[Delivered to user]

The log format generated by visitor activity on this site can be seen below:

AIDesolation
This project describes itself as a cyberpunk-styled autobattler and deckbuilding PvP game with AI add-ons that offers intense 1v1 strategic battles.

In fact, this is a detailed copy of another project named “Aipocalypto”.

The Meowsterio administration created an NFT collection listed on both Magic Eden and OpenSea, and also listed this project on DappRadar.



The only functionality the website has to offer is a download button that issues a signed .exe build if the victim was referred to the site with a worker-generated code for which this option was enabled (macOS users are issued a direct download of an AMOS build), or the interaction with the ClickOnce application deployed on the site.
The log format generated by visitor activity on this site can be seen below:

Zoom impersonation
Although it is not listed (and is probably still in development or reserved for private use), a Zoom impersonation landing page was found hosted on the same host, delivering the same signed Windows builds as the previous websites.

Entering any ID of 8 or more digits on this website triggers a download of a signed Windows binary. At the time of writing, no download functionality for macOS users has been implemented on the site.
Download Functionality
Unlike the traffer landing pages of other groups, a download code is not required to obtain a download from the website; in fact, anyone can download the Meowsterio launchers freely from the websites. To attribute a victim's download to the worker who drove that victim to the build, workers can generate their own codes through the team bot and modify the website's behaviour towards the victim.
Codes are submitted to the websites in the following format:
https://website.com/?v=<code>

With a coded link, workers from the team can:
- Switch between a direct download of a signed build (.exe) and making the victim interact with the ClickOnce application (the default behaviour for links without a code, tracked in the bot as “Edge Browser”)
- Disable / enable downloads and interaction for Windows users
- Disable / enable downloads for macOS users
Let’s dive into the builds delivered from the Meowsterio websites:
Analysing Meowsterio Launcher Builds
Windows
On the Windows side, the Meowsterio threat actors weaponize ClickOnce applications to bypass SmartScreen and deliver malware through launchers that this technology installs on the victim's computer.
ClickOnce Applications
A ClickOnce application is a deployment technology developed by Microsoft that allows Windows desktop applications to be installed and run with minimal user interaction, often directly from a web page or network share. It’s designed to simplify deployment and updating of Windows applications.

After opening the application, users are prompted with a warning like the one in the image below. After clicking the install button, the application is installed on the victim's computer and executed automatically.

Bypassing SmartScreen
The most common approach to bypassing SmartScreen on the traffer side is to sign the builds delivered to victims with an EV certificate, commonly purchased from specialised EV certificate resale services. Meowsterio relies on this method (see the Code Signing Certificate Abuse section of this post), but they also use another way to bypass SmartScreen: weaponising ClickOnce applications.
This is achieved by abusing DLL manifest redirection to load a custom executable that was previously configured in the deployment manifest of the ClickOnce application. The build specified in the entry point of the dependent assembly is downloaded without the MoTW (Mark of the Web), and, thanks to a self-signed certificate, it is executed without triggering SmartScreen, loading the further steps of the infection chain.
Let’s see this with a real example. Refer to this detonation: https://app.any.run/tasks/17666af1-4d2a-4e49-b21f-e95392dccaae
This example can be extrapolated to all four ClickOnce applications present on the Meowsterio landing pages.
DLL manifest redirection
The deployment manifests of the Meowsterio ClickOnce applications create a chain of trust and dependency between two components: the assembly declared in the application manifest, “Vidorium.exe”, and another assembly declared in the DLL manifest “Vidorium.dll.manifest”:
Vidorium.application
<dependency>
  <dependentAssembly dependencyType="install" codebase="Application Files\Vidorium_1_0_0_68\Vidorium.dll.manifest" size="207889">
    <assemblyIdentity name="Vidorium.exe" version="1.0.0.68" publicKeyToken="dfa98fa0cfed49a3" language="neutral" processorArchitecture="msil" type="win32" />
    <hash>
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="XML-Signature Syntax and Processing" />
      <dsig:DigestValue>MkgiwkjPChgTq4rWAy1wt6atXVIp5Am+nDzm4/1yjV0=</dsig:DigestValue>
    </hash>
  </dependentAssembly>
</dependency>
In the DLL manifest, an entry point is defined that points to another assembly declared in the same manifest; this is the actual executable that the ClickOnce application runs first:
Vidorium.dll.manifest
<entryPoint>
  <assemblyIdentity name="Launcher" version="8.0.0.0" language="neutral" processorArchitecture="msil" />
  <commandLine file="Launcher.exe" parameters="" />
</entryPoint>
[…]
<dependency>
  <dependentAssembly dependencyType="install" allowDelayedBinding="true" codebase="Launcher.exe" size="17424">
    <assemblyIdentity name="Launcher" version="8.0.0.0" language="neutral" processorArchitecture="msil" />
    <hash>
      <dsig:Transforms>
        <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
      </dsig:Transforms>
      <dsig:DigestMethod Algorithm="XML-Signature Syntax and Processing" />
      <dsig:DigestValue>YotjL3hxoX2hdneHv7rRN7nswMExE+MuQ5Det1HoLdk=</dsig:DigestValue>
    </hash>
  </dependentAssembly>
</dependency>
When the user accepts the installation of the application:
- All the files declared in the ClickOnce deployment manifest are downloaded via the Distributed File System service. Launcher.exe and Vidorium.exe share the same self-signed certificate; Vidorium.exe is marked with the MoTW (ZoneId=3) while Launcher.exe bypasses this check.
- The entry point is read from the manifest and Launcher.exe is executed.
- Vidorium.exe is executed concurrently by Launcher.exe.
- Vidorium.exe renders the custom Microsoft Edge WebView2 view from the landing page (the main download page), downloads the further malware builds (infostealers) from Dropbox and executes them.
From observation, it seems that SmartScreen fails to verify trust on the properties of Vidorium.exe, even though it carries a self-signed certificate and a MoTW that would normally be considered untrusted. This is probably because Launcher.exe is executed first and bypasses the MoTW verification (being treated as a trusted file); since its signature is shared with Vidorium.exe, Vidorium.exe inherits that trust from SmartScreen and is not considered unsafe. This way, the threat actors bypass SmartScreen without using an EV certificate.
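As an added triage example (not code from this post or from the Meowsterio launchers), the Python script below parses a ClickOnce deployment manifest and the application manifest it points to, and flags the redirection described above: the assembly the deployment advertises (Vidorium.exe) is not the file that the entry point actually executes (Launcher.exe). The two embedded manifests are constructed samples modelled on the excerpts above, with the hash and signature blocks left out.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the Vidorium.application / Vidorium.dll.manifest
# excerpts above (not the real files); hash and signature blocks are left out.
DEPLOYMENT_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v2">
  <dependency><dependentAssembly dependencyType="install"
      codebase="Application Files\\Vidorium_1_0_0_68\\Vidorium.dll.manifest" size="207889">
    <assemblyIdentity name="Vidorium.exe" version="1.0.0.68" type="win32" />
  </dependentAssembly></dependency>
</assembly>"""

APPLICATION_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v2">
  <entryPoint>
    <assemblyIdentity name="Launcher" version="8.0.0.0" />
    <commandLine file="Launcher.exe" parameters="" />
  </entryPoint>
  <dependency><dependentAssembly dependencyType="install" allowDelayedBinding="true"
      codebase="Launcher.exe" size="17424">
    <assemblyIdentity name="Launcher" version="8.0.0.0" />
  </dependentAssembly></dependency>
</assembly>"""

def _local(tag):
    """Strip the XML namespace: ClickOnce mixes asm.v1/asm.v2 prefixes, so match local names."""
    return tag.rsplit("}", 1)[-1]

def _find(root, *path):
    """Descend through direct children by local tag name; None if any step is missing."""
    node = root
    for want in path:
        node = next((c for c in node if _local(c.tag) == want), None)
        if node is None:
            return None
    return node

def declared_application(deployment_xml):
    """Assembly the .application manifest advertises in its first dependency (here Vidorium.exe)."""
    ident = _find(ET.fromstring(deployment_xml), "dependency", "dependentAssembly", "assemblyIdentity")
    return ident.get("name") if ident is not None else None

def entry_point_file(application_xml):
    """Binary ClickOnce really runs first, taken from <entryPoint><commandLine file=...>."""
    cmd = _find(ET.fromstring(application_xml), "entryPoint", "commandLine")
    return cmd.get("file") if cmd is not None else None

def triage(deployment_xml, application_xml):
    """Report a redirected deployment: advertised assembly and executed entry point differ."""
    declared = declared_application(deployment_xml)
    entry = entry_point_file(application_xml)
    return {"declared": declared, "entry_point": entry, "redirected": declared != entry}
```

Run `triage(DEPLOYMENT_MANIFEST, APPLICATION_MANIFEST)` to get the verdict for the sample pair; on a real deployment, feed it the downloaded .application file and the .manifest named in its codebase attribute.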
Infostealers
No further malware analysis has been done on the malware builds deployed by Meowsterio through their launchers.
Based on observation and detonations, Meowsterio relies on infostealers such as StealC and Rhadamanthys to steal victim computer information and cryptocurrency wallet data.
Logs are shown in their channels:

Persistence
Persistence on the machine is achieved using a malware build detected as XWorm. Traffers need persistence to deploy further malware in cases where, for example, a cold wallet such as Ledger or Trezor is found, or to deploy keyloggers where a password-protected wallet is found.
See the IOCs section for more information on the malware C2.
macOS
On the macOS side, a direct download from the AMOS dropper domain is issued for each landing page:
(a macOS User-Agent is required)
Drakthos - https://spalaestacada.com/macshare.php?call=odrak
Vidorium - https://spalaestacada.com/macshare.php?call=ovid
Velora - https://spalaestacada.com/macshare.php?call=ovel
Aidesolation - https://spalaestacada.com/macshare.php?call=osai
The Atomic Stealer for macOS .dmg launchers look like this:




Code Signing Certificate Abuse
Although the Meowsterio threat actors rely on other techniques, they have also been observed abusing code signing certificates. All the certificates listed here were reported and revoked.
The first time the Meowsterio builds were observed in public, they were signed with an SSL.com EV Code Signing Intermediate CA RSA R3 certificate issued to “Jianhe Network Technology (Shanghai) Co., Ltd.” (sn: 01 A1 46 B1 23 74 DE 73 D9 B4 17 6F 83 70 99 C1).
Some time later, they were observed again issuing builds signed with a GlobalSign GCC R45 EV CodeSigning CA 2020 certificate issued to “HIGHNOR INDIA PRIVATE LIMITED” (sn: 41 50 6B E5 E8 5C 24 7D 61 CC CE 7E).
These certificates were likely purchased from specialised EV certificate resale services, and they demonstrate the continued code signing certificate abuse by the traffer community.
IOCs
Landing pages domains
Malware
MacOS
spalaestacada.com
Windows
~Rhadamanthys
https://185.39.206.236/gateway/aoaowmat.s0srx
185.39.206.236:443
~RAT
178.250.188.57:38493
File Hashes
Windows
b62f8fbb039021d7da59c6ca0b6d2df79f83b2044bef9fa0460f9548567304f1
5eebfeb00446941d5ee43ae13664136d661df35c56a882fa798c493477e2a085
1dd46810ab879a7b38bb8d4b467267a6930ddded0e3a3f8aeb5e7bdfd94e62f3
8d8b40e87d3011de5b33103df2ed4ec81458b2a2f8807fbb7ffdbc351c7c7b5e
End
Expect more content, if possible
My best wishes for you.
2025 ~ @g0njxa
Article Link: Meowsterio: Weaponizing ClickOnce in 2025 | by g0njxa | Jun, 2025 | Medium