Cardano Wallet Security Alert: Eternl Desktop Phishing Attack Exposed, Private Keys at Risk of Remote Control

Recently, a phishing attack targeting Cardano users has been spreading. Multiple security researchers have discovered that attackers are using carefully forged emails to lure users into downloading a fraudulent wallet application called Eternl Desktop, thereby stealing device control and jeopardizing the security of crypto assets. This incident is considered one of the more serious wallet security risks currently present in the Cardano ecosystem.

The malicious email is highly professional: formal in tone and grammatically rigorous, almost free of spelling or formatting errors. To build credibility, it claims that users can earn NIGHT and ATMA token rewards through the Diffusion Staking Basket program, and it directs them to click a download link. In reality, the link points to a newly registered domain, download.eternldesktop.network, not an official channel.

Security researcher Anurag found that the Eternl.msi installer distributed via this domain is approximately 23.3 MB in size and bundles a hidden remote management tool, LogMeIn Resolve. After installation, the malicious program drops an executable named unattended-updater.exe and creates a complete file structure within the system’s Program Files directory, while also writing multiple configuration files such as unattended.json, logger.json, mandatory.json, and pc.json. Notably, unattended.json enables remote access directly, without any user confirmation.

Further network analysis shows that the malicious program connects to GoTo Resolve infrastructure and continuously transmits system event information to a remote server in JSON format, authenticating with hardcoded API credentials. This means that once the installer has run, the attacker can maintain long-term control over the victim’s device, including remote command execution, credential theft, and potential access to wallet private keys. The security risk is assessed as high.
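For defenders, the artifacts named above (the installer, the dropped executable, the Resolve configuration files and the lure domain) can be hunted for in endpoint file-creation and DNS telemetry. The following triage function is an added example, not code from the report or from the researchers cited; the sample events, the `EternlDesktop` folder name and the `assess_host` scoring are constructed assumptions, and the `approved_rmm` flag exists because LogMeIn Resolve is a legitimate product that may be sanctioned on some hosts.

```python
import re

# Indicator names are taken from the report above; everything else is constructed.
DROPPED_EXE = "unattended-updater.exe"
RESOLVE_CONFIGS = {"unattended.json", "logger.json", "mandatory.json", "pc.json"}
INSTALLER = "eternl.msi"
PHISH_DOMAIN = "download.eternldesktop.network"


def _basename(path):
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def assess_host(events, approved_rmm=False):
    """Score one host's telemetry (list of dicts) against the report's indicators.

    file events: {"type": "file", "path": ...}; dns events: {"type": "dns", "query": ...}.
    approved_rmm=True means LogMeIn Resolve is sanctioned on this host, so its
    artefacts alone are not evidence; the Eternl lure artefacts still are.
    Returns (verdict, sorted list of matched indicators).
    """
    hits, configs = set(), set()
    for ev in events:
        if ev["type"] == "file":
            name = _basename(ev["path"])
            in_program_files = "program files" in ev["path"].lower()
            if name == INSTALLER:
                hits.add("installer:" + INSTALLER)
            elif name == DROPPED_EXE and in_program_files and not approved_rmm:
                hits.add("dropped:" + DROPPED_EXE)
            elif name in RESOLVE_CONFIGS and in_program_files:
                configs.add(name)
        elif ev["type"] == "dns" and ev["query"].lower().rstrip(".") == PHISH_DOMAIN:
            hits.add("dns:" + PHISH_DOMAIN)
    if configs and not approved_rmm:
        hits.add("rmm-config:" + ",".join(sorted(configs)))
    lure = any(h.startswith(("installer:", "dns:")) for h in hits)
    rmm = any(h.startswith(("dropped:", "rmm-config:")) for h in hits)
    # Lure plus RMM artefacts is the full chain the report describes.
    verdict = "high" if lure and rmm else "medium" if lure or rmm else "clean"
    return verdict, sorted(hits)


SAMPLE_EVENTS = [  # constructed telemetry for one host, not from the report
    {"type": "dns", "query": "download.eternldesktop.network"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\Eternl.msi"},
    {"type": "file", "path": r"C:\Program Files\EternlDesktop\unattended-updater.exe"},
    {"type": "file", "path": r"C:\Program Files\EternlDesktop\unattended.json"},
    {"type": "file", "path": r"C:\Program Files\EternlDesktop\pc.json"},
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS))  # ('high', [...four indicators...])
```

A host with only Resolve configuration files and no approved RMM deployment scores "medium", which is the case worth a manual check rather than an automatic alert.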

It is also important to note that the fraudulent version of Eternl Desktop nearly perfectly copies the official version in interface and feature descriptions, including hardware wallet compatibility, local key management, and advanced staking delegation, making it highly deceptive. The attackers clearly exploit narratives around Cardano governance, staking rewards, and ecosystem incentives to conduct social engineering attacks.

Security experts warn that all Cardano users should verify the software source through official channels before downloading wallet applications or participating in staking activities, and confirm the validity of digital signatures. Any “wallet updates” coming from newly registered domains, email attachments, or non-official links should be regarded as potential threats. This incident once again highlights the real challenges posed by crypto wallet phishing attacks and supply chain abuse to the security of the Cardano ecosystem.
