Trump Coins Used in ConnectWise RAT Malware Campaign via Fake Binance Emails

Written by: Lore Apostol, Cybersecurity & Streaming Writer

An alarming new phishing campaign is targeting cryptocurrency enthusiasts, leveraging the popularity of Trump Coins as bait in fake emails that impersonate leading cryptocurrency exchange Binance to deliver the ConnectWise Remote Access Trojan (RAT).

The scheme exploits Binance's credibility to infect crypto fans with the ConnectWise RAT, which enables attackers to take control of victims' systems, according to a recent Flash Alert issued by Cofense Intelligence.

The phishing emails, designed to appear as official Binance communications, offer recipients up to 2,000 free Trump Coins for completing “special trading tasks.” These emails include tactics to build trust, such as warnings about cryptocurrency volatility and claims of helping users avoid phishing. 

Email spoofing Binance to deliver ConnectWise RAT | Source: Cofense Intelligence

Clicking the provided "download" button leads unsuspecting users to a fake but highly convincing Binance webpage, urging them to download what is purportedly a Binance Windows client but is instead ConnectWise RAT.

The links used in this campaign mimic Binance's branding to appear legitimate, featuring domains like binance-web3[.]com[.]ru, which are designed to seem familiar to users but contain subtle discrepancies like the Russian “.ru” top-level domain. 

Web page hosting ConnectWise RAT installer download | Source: Cofense Intelligence

The real Binance domain for U.S. users is “binance.us.” The fake domains may raise suspicion among savvy individuals but could easily fool less discerning users.
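A defensive check for the lookalike pattern described above, as an added example (not code from Cofense or from this article): it refangs a link, extracts the hostname, and flags hosts that carry the brand name without sitting under an allowlisted domain. The allowlist contents, the function names and every sample URL other than the article's own domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the mail gateway treats as genuinely Binance.
# binance.us is the one the article names; binance.com is the global site.
LEGIT_DOMAINS = {"binance.us", "binance.com"}
BRAND = "binance"


def refang(indicator: str) -> str:
    """Undo common defanging so the value parses as a normal URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def hostname(url: str) -> str:
    """Return the lower-cased hostname of a (possibly defanged) URL."""
    url = refang(url.strip())
    if "://" not in url:
        url = "http://" + url  # bare hosts need a scheme for urlsplit
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_legit(host: str) -> bool:
    """True only for an allowlisted domain or a subdomain of one.

    Matching on the right-hand side with a leading dot means a host that
    merely starts with or contains a trusted name is not accepted.
    """
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(url: str) -> str:
    host = hostname(url)
    if is_legit(host):
        return "legitimate"
    if BRAND in host:
        return "lookalike"  # brand name present, wrong parent domain
    return "unrelated"


def flag_links(urls):
    """Return the hostnames of links that should be quarantined."""
    return [hostname(u) for u in urls if classify(u) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample links; only the second host comes from the article.
    sample = ["https://www.binance.us/download",
              "hxxps://binance-web3[.]com[.]ru/download",
              "https://binance.us.example.net/", "https://example.org/"]
    for link in sample:
        print(f"{classify(link):<11} {hostname(link)}")
```
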

Trump Coins, a highly volatile meme cryptocurrency launched by Donald Trump on January 17, 2025, form the core incentive of this campaign. Despite their lack of intrinsic utility, these coins attracted early trading activity. Their current value is listed at a little over $10, according to Kraken.

Binance is a global cryptocurrency giant operating in over 180 countries and handling trades for around 350 cryptocurrencies. 

Last year, the official X account of OpenAI Newsroom was taken over by cryptocurrency scammers promoting a bogus blockchain token.


