Electrum is a threat actor that has been implicated in numerous cyber attacks, including those against Ukraine on February 1, 2022. These attacks were Bitcoin-themed and involved Electrum Bitcoin wallets, with similarities observed in later attacks conducted in April of the same year. The delivery method involved PDF documents that referenced Electrum Bitcoin wallets, and an initial loader Trojan executable downloaded by JavaScript within these documents. This executable was signed using a certificate bearing the name "Electrum Technologies GmbH", further connecting the threat actor to the attacks.
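The delivery chain described above (PDF reader, embedded JavaScript, a dropped loader executable signed in a wallet vendor's name) gives defenders two observable signals in process-creation telemetry. The following is an added detection sketch, not code from the page or from any vendor: it runs over constructed Sysmon-style events, and the reader-process names, drop paths and wallet-brand list are assumptions chosen for illustration.

```python
"""Detection sketch for the PDF -> JavaScript -> signed loader chain.

Constructed Sysmon-style process-creation events (not real telemetry) are scanned for
two signals: an executable launched by a PDF reader from a user-writable path, and a
code-signing subject that carries a wallet brand name. Reader names, drop paths and
the brand list are assumptions for illustration."""
from typing import Dict, List

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}          # assumed reader names
WALLET_BRANDS = {"electrum", "coinbase", "metamask", "binance", "atomic"}  # brands named on the page
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\")              # assumed drop paths

# Constructed sample events; field names mirror Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Users\u\AppData\Local\Temp\electrum-setup.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "Signed": "true", "Signature": "Electrum Technologies GmbH"},
    {"Image": r"C:\Program Files\Electrum\electrum.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Signed": "true", "Signature": "Electrum Technologies GmbH"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of the rules an event trips (empty list if none)."""
    hits: List[str] = []
    image = ev.get("Image", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    signer = ev.get("Signature", "").lower()
    if parent in PDF_READERS and any(p in image for p in USER_WRITABLE):
        hits.append("pdf_reader_spawned_dropped_exe")
    if ev.get("Signed") == "true" and any(b in signer for b in WALLET_BRANDS):
        hits.append("wallet_brand_in_signer")
    return hits

def triage(events: List[Dict[str, str]]):
    """Keep only events that trip both rules: a wallet-branded signature alone is
    expected for a legitimately installed wallet, but combined with the document
    reader -> dropped executable chain it matches the loader behaviour."""
    return [(ev["Image"], score_event(ev)) for ev in events if len(score_event(ev)) == 2]

if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(rules)}")
```

The second sample event shows why the signer check alone is not an alert: a wallet installed under Program Files and started from the shell carries the same subject name, so the process lineage is what separates the loader from ordinary use.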
The malware used by Electrum showed a strong focus on harvesting financial data, particularly from cryptocurrency wallets such as Coinbase, MetaMask, Wasabi, Binance, Daedalus, Electrum, Atomic, Harmony, Enjin, Hoo, Dapper, Coinomi, Trust, Blockchain, and XDeFI. Cyble's team also reported that Atomic Stealer, another malware variant, can target crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi. This focus on crypto wallets indicates a high risk of substantial financial loss for victims whose wallet information is compromised.
Electrum has been linked to power grid outages in Ukraine and other incidents, often working in conjunction with other threat groups such as Kamacite. Kamacite appears to specialize in gaining initial access before handing off to Electrum, which functions as an "ICS effects team". Increased activity from mature threat groups like ELECTRUM has been noted during periods of geopolitical tension, such as the Ukraine-Russia conflict and tensions between China and Taiwan. The new Atomic Stealer malware also uses several routines to steal browser data and assets from cryptocurrency wallets, including Atomic, Exodus, Coinomi, and Electrum.
Description last updated: 2024-09-03T16:16:35.612Z