 
                                        
                                        
According to a recent report published by Dutch mobile security firm ThreatFabric, there is a new advanced piece of malware called "RatOn" posing a threat to cryptocurrency wallets.
This is a sophisticated new type of RAT (Remote Access Trojan), which makes it possible for attackers to take over an infected device remotely.
RatOn combines attack techniques from several malware families, which makes it more dangerous than run-of-the-mill banking trojans.
How it works
The new malware was first seen in June 2025, and it became increasingly active throughout August.
In addition to English, it supports applications in multiple languages, including Czech and Slovak. This, of course, allows malicious actors to substantially widen their reach.
It lures potential victims by displaying fake login and transaction screens on top of legitimate apps.
What makes RatOn particularly dangerous is that this sort of malware is not widely detected by antivirus engines.
Are crypto holders at risk?
Notably, RatOn is specifically targeting popular cryptocurrency wallets, such as MetaMask, Trust Wallet, Phantom, and Blockchain.com.
The new malware automates the steps that are needed for hijacking a new cryptocurrency wallet.
It launches the wallet app on the victim's phone and uses stolen PINs that were captured earlier with keylogging or overlays.
The malware then helps the attacker to automatically navigate the interface of the app and reveal the secret recovery phrase. This phrase, which gets sent to the command-and-control server of the attacker, is then used to steal the funds of the unfortunate victim.
Dan Burgin
Vladislav Sopov
U.Today Editorial Team