Pulse Detail — Threat Intelligence

PULSE NAME

Crypto Drainers as a Converging Threat: Insights into Emerging Hybrid Attack Ecosystems

WHITE AlienVault 2026-04-23 Modified: 2026-04-24

IOCs

MEDIUM VOLUME

Cybercriminals are merging traditional malware operations with cryptocurrency-focused attacks, creating hybrid threat ecosystems. Modern crypto drainers have evolved into automated systems capable of extracting assets across multiple blockchains with minimal user interaction, supported by well-developed underground marketplaces offering drainer-as-a-service kits. Two case studies exemplify this convergence: StepDrainer operates as a multichain drainer-as-a-service platform that abuses Web3Modal and smart contract methods across over 20 blockchain networks, using AI-themed lures and polished interfaces to deceive victims into connecting wallets. EtherRAT represents a hybrid Windows implant delivered through trojanized TFTP installers, combining traditional RAT capabilities with blockchain-aware functionality including Ethereum RPC endpoints and embedded wallet addresses. Both threats demonstrate how cryptocurrency theft infrastructure now intersects with mainstream attack surfaces affecting enterprise envir...

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1059.007 T1573.001 T1082 T1218.007 T1140 T1036 T1505.003 T1083 T1497 T1102 T1204 T1059.001 T1547.001 T1566 T1027 T1132 T1070.004 T1071.001 T1564.001

MALWARE FAMILIES

StepDrainer EtherRAT MioLab SUPERNOVA - S0578

Indicators of Compromise (36)

All URL domain hostname FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://corsproxy.io/?hXXps://api.mainnet-beta.solana.com	—	2026-04-23
URL	http://mainnet.helius-rpc.com/	—	2026-04-23
domain	8kwfaa30jtlnwi.com	—	2026-04-23
domain	scanclaw.live	—	2026-04-23
domain	wpuadmin.shop	—	2026-04-23
hostname	mainnet.helius-rpc.com	—	2026-04-23
hostname	solana-mainnet.rpc.extrnode.com	—	2026-04-23
hostname	solana.publicnode.com	—	2026-04-23
FileHash-MD5	96c2ff1601099c21c598c24e6f43c7c4	MD5 of 7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91	2026-04-24
FileHash-SHA1	d78fa2e81b7b5ccf287c793c5a9985caaa0f6162	SHA1 of 7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91	2026-04-24
FileHash-SHA256	3188313f38e2114f5a9524bf812efaa7f70a89cd8ef2907b962cb1466251df70	—	2026-04-24
FileHash-SHA256	35e01440b9c63f17eb9e70096d2ec01d18309106a0d644db1110950d2d438e59	—	2026-04-24
FileHash-SHA256	53d232e7a2670a6f010c23ebd60ca8f881d0433eaf28883a79b41ddd09e47d88	—	2026-04-24
FileHash-SHA256	6c958397294c279dcbe806c1403c229fdb5ca3ffe030d4d8ce1533e9e7810af4	—	2026-04-24
FileHash-SHA256	73b1d65c05da79b43f5dbddf4736d37b722a8fa6ea649d0ed5089b2bdb2c9e67	—	2026-04-24
FileHash-SHA256	7fd19c564761e2c8c9b583cf30db810e313417c7d3572f637f8cedf4d2cc1e91	—	2026-04-24
FileHash-SHA256	b3e28c6a4fec257f4cdc63d93c84596c4c0ee67b839c0711e06d771dd5410b96	—	2026-04-24
FileHash-SHA256	ba3512ed46270b9cb037bdc3d0b398fad2d3017d1b866645afb7445b089211fa	—	2026-04-24
FileHash-SHA256	c44d5c888647e78947fc93006d92e5521795ef31f7b0cae1ec829fec60d4bd7a	—	2026-04-24
URL	http://moonscan.live/7w2NU3Z-.php	—	2026-04-24
URL	http://rpc.flashbots.net/fast	—	2026-04-24
URL	http://scanclaw.live/KjYQnKB-.php	—	2026-04-24
domain	8kwfaa30jtlnwi.com	—	2026-04-24
domain	aahdjjsivunugynqjvyfbhqnjekniyfboma.com	—	2026-04-24
domain	aodefevrgdkhqltdnwgzbyjoywrlbntbhfwq.com	—	2026-04-24
domain	moonscan.live	—	2026-04-24
domain	scanclaw.live	—	2026-04-24
domain	wpuadmin.shop	—	2026-04-24
hostname	eth-mainnet.public.blastapi.io	—	2026-04-24
hostname	eth.drpc.org	—	2026-04-24
hostname	eth.merkle.io	—	2026-04-24
hostname	ethereum-rpc.publicnode.com	—	2026-04-24
hostname	mainnet.gateway.tenderly.co	—	2026-04-24
hostname	rpc.flashbots.net	—	2026-04-24
hostname	rpc.mevblocker.io	—	2026-04-24
hostname	rpc.payload.de	—	2026-04-24

References (1)

↗ https://www.levelblue.com/blogs/spiderlabs-blog/crypto-drainers-as-a-converging-threat-insights-into-emerging-hybrid-attack-ecosystems