Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical OpenAI Vulnerability Exposed Sensitive Prompts and API Activity
July 6, 2026
SSH Honeypots Fail to Detect Post-Login Attacks, Study Finds
July 6, 2026
Parrot OS 7.3 Released With Security Updates, Optimized Packages
July 6, 2026
Home/Threats/Fake TradingView AI Agent Site Spreads Needle Stealer Malware
Threats

Fake TradingView AI Agent Site Spreads Needle Stealer Malware

Key Takeaways A new, sophisticated malware campaign is impersonating the popular financial charting platform TradingView to distribute the Needle Stealer malware. Attackers are using a fake website,...

Emy Elsamnoudy
Emy Elsamnoudy
April 23, 2026 4 Min Read
43 0

Key Takeaways

  • A new, sophisticated malware campaign is impersonating the popular financial charting platform TradingView to distribute the Needle Stealer malware.
  • Attackers are using a fake website, tradingclaw[.]pro, promoting a non-existent AI trading assistant called “TradingClaw” to trick users.
  • The Needle Stealer malware is designed to harvest sensitive financial data, including cryptocurrency wallet credentials, browser cookies, saved passwords, and login sessions, and can install persistent malicious browser extensions.
  • The attack employs advanced techniques like DLL hijacking and process hollowing to evade detection and targets individuals involved in financial markets and cryptocurrency trading.

A cunning new malware campaign is actively preying on financial traders, leveraging the trusted reputation of TradingView, a widely recognized platform for market analysis, to distribute a potent data-stealing threat.

Table Of Content

  • Key Takeaways
  • Exploiting Trust and AI Hype
  • Evasion Techniques and Infection Chain
  • How the Infection Works
  • What You Should Do

The attackers have established a fraudulent website that mimics a legitimate AI trading product, promoting a fictitious tool named “TradingClaw.” This deceptive site is entirely unrelated to the genuine startup tradingclaw[.]chat and operates under the domain tradingclaw[.]pro.

Unsuspecting users who download and execute what they believe to be a beneficial AI trading assistant are inadvertently installing Needle Stealer, a sophisticated malware engineered to discreetly exfiltrate sensitive information from compromised devices.

Exploiting Trust and AI Hype

TradingView holds significant trust among retail traders, analysts, and investors globally. The cybercriminals behind this operation are exploiting this established trust, combining it with the growing enthusiasm around AI-powered trading applications.

Researchers at Malwarebytes identified this campaign during routine threat intelligence gathering. Their analysis revealed that the attackers have evolved their tactics, reusing a previously documented malware loader but now deploying Needle Stealer as the final payload. This modular approach enhances the operation’s scalability and complicates attribution, as defenders might recognize the initial loader but overlook the novel payload.

The threat posed by Needle Stealer is severe, particularly for individuals active in financial markets or cryptocurrency trading. The malware is specifically designed to steal browser cookies, saved passwords, active login sessions, and cryptocurrency wallet credentials from infected systems. Furthermore, it installs malicious browser extensions, granting attackers persistent control over the victim’s browser, potentially leading to significant financial losses through emptied crypto wallets and intercepted account activity.

Evasion Techniques and Infection Chain

The fake TradingClaw site employs a sophisticated filtering mechanism to evade detection by security tools. When visited by search engine crawlers or automated security scanners, the site redirects to an unrelated and harmless webpage. Only specific visitors, likely those matching a predefined target profile, are presented with the malicious content, allowing the campaign to operate longer under the radar.

How the Infection Works

Once a target engages with the fake TradingClaw site, they are prompted to download a ZIP archive containing the initial stage of the infection. This stage demonstrates technical sophistication, utilizing a technique known as DLL hijacking.

The downloaded archive includes files crafted to impersonate a legitimate library that a trusted Windows program is expected to load automatically. When this trusted program, in this campaign’s case, RegAsm.exe (a legitimate .NET component for registering assemblies), executes, it inadvertently loads the malicious library instead of the authentic one, executing the attacker’s code without raising user suspicion.

The first-stage executable then loads a second-stage DLL, which employs process hollowing to inject Needle Stealer directly into the RegAsm.exe process. This technique allows the malware to hide within a legitimate system process, making it significantly more challenging for endpoint security solutions to flag the malicious activity.

Needle Stealer, developed in Golang, features a modular architecture, enabling attackers to activate or deactivate specific components based on their targeting objectives. Its core module is capable of capturing screenshots, exfiltrating browser data, extracting information from applications like Telegram and FTP clients, and collecting text files and wallet data. An additional extension module installs a malicious browser add-on that connects to a remote command-and-control server, tracks victims with unique IDs, intercepts web traffic, and can even replace legitimate file downloads with malicious ones. The malware also includes spoofers targeting popular desktop wallets such as Ledger and Exodus, and browser-based wallets like MetaMask and Coinbase, specifically attempting to steal seed phrases.

What You Should Do

  • Verify Software Sources: Always download software, especially financial or trading tools, exclusively from official developer websites or trusted application stores. Avoid unofficial sources, even if they appear convincing.
  • Be Skeptical of AI Claims: Exercise extreme caution with platforms promoting “AI-enhanced trading capabilities” without a verifiable track record and robust security assurances.
  • Maintain Endpoint Security: Keep your operating system, web browsers, and all endpoint security software (antivirus, anti-malware) updated to their latest versions.
  • Enable Multi-Factor Authentication (MFA): Implement MFA on all financial accounts, trading platforms, and cryptocurrency wallets to add an extra layer of security against credential theft.
  • Review Browser Extensions: Regularly audit and remove any unfamiliar or suspicious browser extensions.
  • Backup Cryptocurrency Wallets: Securely back up your cryptocurrency wallet seed phrases offline and never store them digitally on your computer or in cloud storage.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitMalwareSecurityThreat

Share Article

Emy Elsamnoudy

Emy Elsamnoudy

Emy is a cybersecurity analyst and reporter specializing in threat hunting, defense strategies, and industry trends. With expertise in proactive security measures, Emily covers the tools and techniques organizations use to detect and prevent cyber attacks. She is a regular speaker at security conferences and has contributed to industry reports on threat intelligence and security operations. Emily's reporting focuses on helping organizations improve their security posture through practical, actionable insights.

Previous Post

GoGra Linux Backdoor Hides C2 in Outlook Mailboxes

Next Post

Fake Wallpaper App, YouTube Channel Deliver notnullOSX Malware

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Mythos Ransomware Returns, Kali Linux 2024.2 Released, WhatsApp Vulnerability
July 5, 2026
Microsoft Patches Windows 11 OOBE Flaw in Cumulative Update
July 5, 2026
PamStealer Mimics Maccy, Silently Harvests Data
July 4, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us