Malicious Trading Site Drops “Needle Stealer” to Harvest Browser Data
Researchers have uncovered a new attack campaign that reuses a previously documented malware loader to deliver a different payload: Needle Stealer, a data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets. This time, the attackers use a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView, a legitimate platform used by traders to analyze financial markets. The fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup tradingclaw[.]chat. Instead, it is being used as a lure to trick people into downloading malware.
More details can be found here: https://www.malwarebytes.com/blog/threat-intel/2026/04/malicious-trading-website-drop-malware-that-hands-over-your-browser-to-attackers
Ensar Seker, CISO at SOCRadar, commented:
“This campaign reflects a growing shift where threat actors weaponize trust in legitimate platforms like TradingView by building highly convincing AI-themed lures around them. The use of ‘AI trading assistants’ is particularly effective because it targets both curiosity and financial motivation, lowering user skepticism. What stands out here is the reuse of a known loader to deploy a different payload, which shows how modular and scalable modern malware operations have become.
More importantly, the focus on harvesting browser sessions and crypto wallets signals that attackers are prioritizing immediate monetization over persistence. Once session tokens are stolen, MFA becomes irrelevant, and accounts can be hijacked in real time. Organizations and individuals need to treat any third-party tool claiming integration with financial platforms as high risk unless it is directly verified.
This is not just malware delivery, it is identity compromise at scale disguised as innovation.”
This is worrying, because it shows how far threat actors can now reach. You need to be hyper-aware of threats, as they can come from anywhere and surface in the most unexpected places, including a polished add-on for a platform you already trust.
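One practical check that follows from the quoted point about browser stores and wallets, as an added example that is not from the Malwarebytes write-up or from SOCRadar: a small Python hunt that flags any non-browser process reading browser credential stores or wallet files, run over constructed file-access events. The event schema (the `process` and `target` fields), the executable names and the log lines are assumptions made for this example, and the file-name and directory lists are illustrative rather than an inventory of what Needle Stealer touches.

```python
"""
Hunt for infostealer-style reads of browser credential stores and crypto
wallet files. All events below are constructed for this example; the
field names (ts, process, target) are assumed and only loosely resemble a
file-access record from Sysmon or an EDR, whose real schemas differ.
"""
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Files inside a browser profile that stealers typically copy (illustrative list).
BROWSER_STORE_FILES = {
    "login data", "cookies", "web data", "local state",   # Chromium family
    "key4.db", "logins.json", "cookies.sqlite",          # Firefox
}

# Wallet directories under %APPDATA% (two well-known desktop wallets, as examples).
WALLET_DIR_RE = re.compile(r"\\(Exodus|Electrum)\\", re.IGNORECASE)
WALLET_OWNERS = {"exodus.exe", "electrum.exe"}

# Browser executables that are expected to open their own profile files...
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe", "vivaldi.exe"}
# ...but only when they run from an install location. A stealer dropped as
# %TEMP%\chrome.exe must not pass on its file name alone. (Per-user browser
# installs under AppData are out of scope for this simplified allowlist.)
TRUSTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify_target(target: str) -> Optional[str]:
    """Return 'browser_store', 'wallet' or None for a target file path."""
    name = PureWindowsPath(target).name.lower()
    if name in BROWSER_STORE_FILES:
        return "browser_store"
    if WALLET_DIR_RE.search(target):
        return "wallet"
    return None


def is_suspicious(event: dict) -> bool:
    """True when a process that does not own the data reads a store or wallet file."""
    kind = classify_target(event["target"])
    if kind is None:
        return False
    image = PureWindowsPath(event["process"])
    name = image.name.lower()
    from_install_dir = str(image).lower().startswith(TRUSTED_INSTALL_PREFIXES)
    if kind == "browser_store" and name in BROWSER_IMAGES and from_install_dir:
        return False  # a real browser opening its own profile is normal
    if kind == "wallet" and name in WALLET_OWNERS:
        return False  # the wallet application opening its own wallet is normal
    return True


def hunt(lines):
    """Parse JSON lines and return (process, target, kind) tuples worth triaging."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            hits.append((ev["process"], ev["target"], classify_target(ev["target"])))
    return hits


# Constructed telemetry: one benign Chrome read, one stealer read from a
# hypothetical "ai_assistant_setup.exe", two reads by a renamed binary in
# %TEMP% (one browser store, one wallet), one unrelated file, one benign Firefox read.
SAMPLE_EVENTS = r"""
{"ts": "2026-04-22T13:36:01Z", "process": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target": "C:\\Users\\trader\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts": "2026-04-22T13:36:05Z", "process": "C:\\Users\\trader\\Downloads\\ai_assistant_setup.exe", "target": "C:\\Users\\trader\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"}
{"ts": "2026-04-22T13:36:06Z", "process": "C:\\Users\\trader\\AppData\\Local\\Temp\\chrome.exe", "target": "C:\\Users\\trader\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"}
{"ts": "2026-04-22T13:36:07Z", "process": "C:\\Users\\trader\\AppData\\Local\\Temp\\chrome.exe", "target": "C:\\Users\\trader\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"}
{"ts": "2026-04-22T13:36:09Z", "process": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\trader\\Documents\\notes.txt"}
{"ts": "2026-04-22T13:36:11Z", "process": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "C:\\Users\\trader\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\key4.db"}
"""

if __name__ == "__main__":
    for process, target, kind in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"[{kind}] {process} -> {target}")
```

Run against the constructed events, the hunt reports three reads: the downloaded installer touching Chrome's Cookies file, and the renamed `chrome.exe` in `%TEMP%` touching both Local State and an Electrum wallet. The two browsers running from Program Files are not reported. The point of the path check is the edge case stealers exploit: matching on image name alone would have let the `%TEMP%` copy through.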
This entry was posted on April 22, 2026 at 1:36 pm and is filed under Commentary with tags SOCRadar.