Pulse: FakeWallet crypto stealer spreading in the App Store
TLP: WHITE | Author: AlienVault | Created: 2026-04-20 | Modified: 2026-04-20
In March 2026, over twenty phishing applications were discovered in the Apple App Store masquerading as popular cryptocurrency wallets. These malicious apps redirect users to browser pages that distribute trojanized versions of legitimate wallets designed to steal recovery phrases and private keys. The campaign primarily targets users in China, exploiting regional restrictions that prevent official crypto wallet apps from being available in the Chinese App Store. Attackers use typosquatting and fake promotional materials to deceive users. The infected applications leverage iOS enterprise provisioning profiles for distribution and employ various techniques including malicious library injection and source code modification. The campaign has been active since at least fall 2025 and targets major wallets including MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie. Some infected apps also contained SparkKitty modules, suggesting potential links between threat actors.
Indicators of Compromise (73)