---
title: "New DoubleFinger Malware Threatens Crypto Wallets with Advanced Multi-Stage Attack | Phish Protection"
description: "New DoubleFinger Malware Threatens Crypto Wallets with Advanced Multi-Stage Attack: With cryptocurrencies soaring in value and popularity, crypto wallets."
image: "https://phishprotection.com/og/blog/crypto-wallets-face-advanced-multi-stage-double-finger-threat.png"
canonical: "https://phishprotection.com/blog/crypto-wallets-face-advanced-multi-stage-double-finger-threat/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2023/06/phishing-attack-prevention-9000.jpg) 

With cryptocurrencies soaring in value and popularity, crypto wallets have been a lucrative target of [malicious actors](/phishing/malicious-actors-exploit-commenting-feature-in-google-docs-to-send-phishing-emails). The new **“DoubleFinger” threat** that targets cryptocurrency wallets has prompted security experts to remain on high alert.

A leading [cybersecurity](/content/cybersecurity-in-a-nutshell) organization recently unveiled the emergence of a new and highly sophisticated **malware** called “DoubleFinger” that targets cryptocurrency wallets. 

The DoubleFinger malware deploys a unique **multi-stage attack** mechanism resembling an advanced persistent threat (APT). The malicious operation starts with sending an email attachment that contains a [PIF file](https://docs.fileformat.com/executable/pif/). Potential victims trigger a chain of detrimental events upon accessing the file.
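The delivery step described above is an email attachment containing a PIF file, which Windows runs as a program. The following mail-triage check for that step is an added example, not code from the original article or from any vendor's product; the extension list beyond `.pif`, the function names and the sample messages are assumptions constructed for illustration:

```python
"""Added example: triage e-mail attachments for executable content such as .pif."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs as programs; .pif is the one this article names.
# The rest of the list is an assumption chosen for illustration.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}


def triage_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment that looks executable."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Judge by the LAST extension so "invoice.pdf.pif" is treated as .pif
        lower = name.lower().rstrip(". ")
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        # PE files start with "MZ"; catches a program renamed to look harmless
        if data[:2] == b"MZ":
            reasons.append("PE header (MZ) in content")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; the bytes are inert placeholders, not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fname, body in [("invoice.pdf.pif", b"MZ" + b"\x00" * 62),
                        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
                        ("notes.txt", b"MZ" + b"\x00" * 62)]:
        print(fname, triage_attachments(build_sample(fname, body)))
```

Checking the content as well as the name matters because a renamed executable keeps its PE header even when the extension looks benign.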

While analyzing the nature of the multi-stage attack, cybersecurity experts have highlighted the exceptional proficiency of the cryptocurrency stealer group. This group developed the DoubleFinger loader and GreetingGhoul malware, which marks the growing sophistication of [cyberattacks](https://edition.cnn.com/2023/05/10/politics/north-korean-missile-program-cyberattacks/index.html).

### How Does the DoubleFinger Cyberattack Work?

In the initial stage, the DoubleFinger malware downloads **encrypted components** from the popular image-sharing platform Imgur. The [malware](/content/protection-against-malware/types-of-malware) disguises this download as a PNG file. The components consist of a loader for the subsequent stage, _together with a legitimate **java.exe file** and another PNG file for the following stages._


Then DoubleFinger executes its loader, evading security software, and proceeds to the further stages of the attack. In the fourth stage, the DoubleFinger malware uses the [Doppelgänging](https://encyclopedia.kaspersky.com/glossary/process-doppelganging/#:~:text=Process%20Doppelganging%20is%20a%20cyber,injects%20malicious%20code%20into%20it.) technique to replace a legitimate process with a modified one, which contains the **payload for the fifth stage**. The approach is designed to bypass security measures.

Finally, it installs the GreetingGhoul crypto stealer in the wallet. The miscreants program it to run daily, stealing information from the wallets. Technical analysis carried out by cybersecurity experts reveals two critical components in [GreetingGhoul](https://usa.kaspersky.com/about/press-releases/2023%5Fdoublefinger-multi-stage-malware-targets-cryptowallets).

The first component is used to **identify** crypto-wallet applications within the system. It steals valuable data like [seed phrases](https://worldcoin.org/articles/what-is-seed-phrase) and private keys. The next segment **covers the interface** of cryptocurrency apps and thereby intercepts user inputs. Thus, it hands control over the funds to the cryptocurrency stealers and allows them to withdraw those funds from the wallet.

Malicious actors have also revealed that some variants of the DoubleFinger malware can install the [remote access Trojan](https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html) **Remcos** in the system. That grants online adversaries complete control of the affected wallets.

### How Can Investors Secure Their Crypto Wallets?

> “Zero-day phishing URLs have an average lifespan of just 12 hours before they’re added to blocklists. During that window, traditional signature-based filters are blind. Our real-time behavioral analysis catches these threats by pattern, not by signature - which is how we detect attacks that no database has seen yet.” - **Adam Lundrigan**, CTO, DuoCircle

Cybersecurity experts recommend several proactive measures to secure the crypto wallets of investors. They include **diversifying wallet usage**, maintaining vigilance against potential scams, and staying up-to-date about [cold wallet](https://www.wallstreetmojo.com/cold-wallet/) vulnerabilities. _Moreover, they recommend crypto investors acquire their hardware wallets only from official sources._

Here’s a look at these measures in detail.

- **_Purchase hardware from official sources:_** Cybersecurity experts recommend crypto investors purchase their hardware from official and trusted sources. Sticking to reputable vendors like authorized resellers or, preferably, the manufacturer’s website is wise. Remember, [hardware wallet](https://www.ledger.com/academy/crypto-hardware-wallet) providers don’t require you to enter your **recovery seed** into the system.
- **_Check for signs of tampering:_** Carefully examine a new hardware wallet before using it. It might have signs of tampering, glue residue, scratches, or mismatched components. All these are **signs of a compromised device**. Make sure to use secure hardware wallets without any of these signs.
- **_Verify the firmware:_** Always **validate the legitimacy** and currency of the firmware installed on your hardware wallet. You will find the latest firmware version for the wallet on the manufacturer’s website. Make sure to run updated and genuine [firmware](https://www.cpomagazine.com/cyber-security/firmware-backdoor-discovered-in-gigabyte-motherboards-hundreds-of-models-affected/).
- **_Secure your seed phrase:_** While setting up your hardware wallet, record and securely store the seed phrase accurately. It is a critical piece of information that serves as a **backup to restore** your wallet in case of loss or theft. _Cybersecurity experts recommend using a reliable security solution to secure the crypto details stored on your PC or mobile device._
- **_Use a strong password:_** It’s wise to create a strong and unique password if your hardware wallet supports password protection. Refrain from using generic or easily guessable passwords. Neither should you reuse passwords from other accounts. By using a strong password, you can **bolster the security** of your [digital wallets](https://www.enisa.europa.eu/news/trust-services-digital-wallets-moving-to-the-cloud-and-remote-identity-proofing).

### Final Words

Cybersecurity news involving compromised [crypto wallets](https://therecord.media/steac-malware-targets-crypto-wallets-web-browsers-email-clients) has been frequent in recent years. Recently, two Russian nationals were accused of stealing millions from Mt Gox, a crypto exchange that is now defunct.

![Phishing definition](https://media.mailhop.org/phishprotection/images/2023/06/phishing-definition-7643.jpg) 

Securing crypto wallets requires **collective responsibility** among individuals, wallet providers, and the broader [cryptocurrency](/phishing/cryptocurrency-phishing-scams-2022s-top-latest-threat-revealed-security-regulators) community. The DoubleFinger discovery by cybersecurity experts serves as a vital reminder regarding the various pressing threats for crypto investors. 

By remaining vigilant and having proper [phishing protection](/) measures, investors can draw their **line of defense** against these risks. This way, they can secure their digital assets from unauthorized access and theft.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead across DuoCircle's 2,000+ customer base.

Published June 28, 2023; last modified April 17, 2026.

