Research has uncovered a new malware campaign that exploits a fake Ross Ulbricht account for attacks. The attackers employ a strategy named "Click-Fix," posing as a verification system to lure victims into clicking links that infect their devices. The attackers impersonate Ulbricht on the social platform X, guiding users to a Telegram channel through a fraudulent verification process, and asking them to run PowerShell scripts to infect their devices. This campaign capitalizes on the news hype following Ulbricht's pardon by President Trump.

<p>Ross Ulbricht, the controversial creator of the Silk Road, has long been at the heart of debates about the intersection of technology and criminal activity. Following a full pardon from US President Donald Trump, a new wave of cybercrime has emerged, leveraging news of Ulbricht’s case to deliver malware to unsuspecting targets.</p><p>Exploiting the news surrounding him, threat actors on X are redirecting users to a Telegram channel where they are duped into running PowerShell scripts that infect their devices with malware.</p><h2>Ross Ulbricht Malware Campaign</h2><p>According to vx-underground researchers’ latest update, the attack uses a new variation of the popular “Click-Fix” tactic, but with a twist. Rather than disguising itself as a common error fix, this version pretends to be a captcha or verification process required to join the channel.</p><p>In this case, cybercriminals are impersonating Ulbricht using fake but verified accounts on X to lure users to Telegram channels falsely claimed to be official. Once on Telegram, users encounter a fraudulent “Safeguard” identity verification process, which leads them to a mini app that generates a fake verification dialog and automatically copies a PowerShell command to their clipboard.</p><p>Users are then instructed to run the command via the Windows Run dialog. As such, executing the command triggers a chain of events. Initially, it downloads a PowerShell script, which retrieves a ZIP file from http://openline[.]cyou. The ZIP file contains several files, including identity-helper.exe, suspected to be a Cobalt Strike loader – a tool frequently used by attackers for remote access and launching ransomware or data theft campaigns.</p><p>The entire process is carefully worded to avoid detection.</p><h2>Ross Ulbricht Released</h2><p>This development comes after Ulbricht was pardoned and released this week after being imprisoned since 2013 for founding and operating the infamous dark web marketplace Silk Road.</p><p>Silk Road was an online marketplace on the Tor network that allowed people to trade illegal items, such as narcotics. Ulbricht operated the site using the pseudonym “Dread Pirate Roberts.” The FBI arrested him in October 2013 and took the site offline.</p><p>In 2015, Ulbricht was found guilty of charges including drug distribution and money laundering. He received a life sentence without parole, and his appeals in 2017 and 2018 were denied.</p>

New Malware Activity Impersonating Ross Ulbricht Accounts