Russian Hackers Use Malicious ‘GrassCall’ Meeting App to Drain Crypto Wallets: Report

Reports find that a new crypto malware has targeted hundreds of web3 job seekers through a malicious “GrassCall” meeting app.

Per Bleeping Computer, Russian team of hackers known as “Crazy Evil,” carried out a social engineering campaign that lured job seekers with fake interviews. The attackers used a malicious meeting app “that installs information-stealing malware to steal cryptocurrency wallets.”

The attack was initially flagged by several impacted users on Telegram, helping affected users to navigate through the loss. The malware is designed to infect both Mac and Windows devices.

GrassCall’s Social Engineering Tactics

Choy Kwok, a web3 professional, posted on X early this week, warning followers about the scam. He cautioned users not to download any meeting app that was asked by recruiters pretending to be from Chain Seeker.

Another Monday, another scam

This time it is @ChainSeeker_io

Setting up time to speak with them will take you to @GrassCall

Do not download anything! https://t.co/Tl8CtkKzA5 pic.twitter.com/4nDXRvDRjk

— Choy (@choykwok) February 24, 2025

Crypto Jobs List, a web3 job portal, carried several job listings for a blockchain-based platform ‘ChainSeeker.io’. However, little did the applicants know that perpetrators were behind the job scam. The jobs were also listed on LinkedIn and X, from legitimate-looking fake profiles.

“Setting up time to speak with them will take you to GrassCall. Do not download anything,” Kwok wrote.

Aspirants who applied for jobs via the portal, were reportedly asked to reach out to the company’s Chief Marketing Officer via Telegram to coordinate the meeting.

They were then asked to download a video meeting software GrassCall, with a website link and call code. The website “grasscall[.]net” led to a download link that described GrassCall as a “revolutionary AI solution in the field of communications.”

Atomic Stealer Malware Drains Cryptos From Victim Wallets

According to a cybersecurity researcher g0njxa, GrassCall website is a clone of a “Gatherum” website, which was used by the same Russian group in previous campaigns.

The GrassCall app prompts to enter a code shared by the fake CMO, and installs remote access trojans (RATs). The RAT then installs the Atomic (AMOS) Stealer malware on Macs.

“The rat is used to create persistence in the machine, add a keylogger for password too and deploying seed phishing for the hard wallets,” G0njxa told Bleeping Computer.

Once the malware takes control of the computer, it attempts to steal files based on keywords, cryptocurrency wallets, and passwords.

If a crypto wallet is found with the extracted password, the assets in the wallet are drained, he explained.

This comes parallelly with the recent widespread malware campaign targeting users on GitHub, flagged by cybersecurity firm Kaspersky.