Blog
/
Cloud
/
June 12, 2024

Meeten Malware: A Cross-Platform Threat to Crypto Wallets on macOS and Windows

Cado Security Labs (now part of Darktrace) identified a "Meeten" campaign deploying a cross-platform (macOS/Windows) infostealer called Realst. Threat actors create fake Web3 companies with AI-generated content and social media to trick targets into downloading malicious meeting applications.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Threat Researcher
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
12
Jun 2024

Introduction: Meeten malware

Researchers from Cado Security Labs (now part of Darktrace) have identified a new sophisticated scam targeting people who work in Web3. The campaign includes cryptostealer Realst that has both macOS and Windows variants, and has been active for around four months. Research shows that the threat actors behind the malware have set up fake companies using AI to make them increase legitimacy. The company, which is currently going by the name “Meetio”, has cycled through various names over the past few months. In order to appear as a legitimate company, the threat actors created a website with AI-generated content, along with social media accounts. The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst info stealer. 

Meeten

Screenshot of fake company homepage
Figure 1: Fake company homepage

“Meeten” is the application that is attempting to scam users into downloading an information stealer. The company regularly changes names, and has also gone by Clusee[.]com, Cuesee, Meeten[.]gg, Meeten[.]us, Meetone[.]gg and is currently going by the name Meetio. In order to gain credibility, the threat actors set up full company websites, with AI-generated blog and product content and social media accounts including Twitter and Medium.

Based on public reports from targets (withheld from this post for privacy), the scam is conducted in multiple ways. In one reported instance, a user was contacted on Telegram by someone they knew who wanted to discuss a business opportunity and to schedule a call. However, the Telegram account was created to impersonate a contact of the target. Even more interestingly, the scammer sent an investment presentation from the target’s company to him, indicating a sophisticated and targeted scam. Other reports of targeted users report being on calls related to Web3 work, downloading the software and having their cryptocurrency stolen.

After initial contact, the target would be directed to the Meeten website to download the product. In addition to hosting information stealers, the Meeten websites contain Javascript to steal cryptocurrency that is stored in web browsers, even before installing any malware. 

Script
Figure 2: Script

Technical analysis

macOS version

Name: CallCSSetup.pkg

Meeten downloads page
Figure 3: Downloads page on Meeten

Once the victim is directed to the “Meeten” website, the downloads page offers macOS or Windows/Linux. In this iteration of the website, all download links lead to the macOS version. The package file contains a 64-bit binary named “fastquery”, however other versions of the malware are distributed as a DMG with a multi-arch binary. The binary is written in Rust, with the main functionality being information stealing. 

When opened, two error messages appear. The first one states “Cannot connect to the server. Please reinstall or use a VPN.” with a continue button. Osascript, the macOS command-line tool for running AppleScript and JavaScript is used to prompt the user for their password, as commonly seen in macOS malware. [1]

Pop up
Figure 4: Popup that requests users password
Code
Figure 5

The malware iterates through various data stores, grabs sensitive information, creates a folder where the data is stored, and then exfiltrates the data as a zip. 

Folders
Figure 6: Folders and files created by Meeten

Realst Stealer looks for and exfiltrates if available:

  • Telegram credentials
  • Banking card details
  • Keychain credentials
  • Browser cookies and autofill credentials from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc and Vivaldi
  • Ledger Wallets
  • Trezor Wallets

The data is sent to 139[.]162[.]179.170:8080/new_analytics with “log_id”, “anal_data” and “archive”. This contains the zip data to be exfiltrated along with analytics that include build name, build version, with system information. 

System information
Figure 7: System information that is sent as a log

Build information is also sent to 139[.]162[.]179.170:8080/opened along with metrics sent to /metrics. Following the data exfiltration, the created temporary directories are removed from the system. 

Windows version

Name: MeetenApp.exe

Meeten Setup Install
Figure 8: Meeten Setup install

While analyzing the macOS version of Meeten, Cado Security Labs identified a Windows version of the malware. The binary, “MeetenApp.exe” is a Nullsoft Scriptable Installer System (NSIS) file, with a legitimate signature from “Brys Software” that has likely been stolen.

Digital signature details
Figure 9: Digital Signature of Meeten

After extracting the files from the installer, there are two folders $PLUGINDIR and $R0. Inside $PLUGINDIR is a 7zip archive named “app-64” that contains resources, assets, binaries and an app.asar file, indicating this is an Electron application. Electron applications are built on the Electron framework that is used to develop cross-platform desktop applications with web languages such as Javascript. App.asar files are used by Electron runtime, and is a virtual file system containing application code, assets, and dependencies.

File structure
Figure 10: Electron application meeten structure
Meeten's app .asar file
Figure 11: Structure of Meeten's App.asar file
package.json
Figure 12: Package.json

After extracting the contents of app.asar, we can see the main script points to index.js containing:

"use strict"; 
require("./bytecode-loader.cjs"); 
require("./index.jsc"); 

Both of these are Bytenode Compiled Javascript files. Bytenode is a tool that compiles JavaScript code into V8 bytecode, allowing the execution of JavaScript without exposing the source code. The bytecode is a low-level representation of the JavaScript code that can be executed by the V8 JavaScript engine which powers Node.js. Since the Javascript is compiled, reverse engineering of the files is more difficult, and less likely to be detected by security tools. 

While the file is compiled, there is still some information we can see as plain text. Similarly to the macOS version, a log with system information is sent to a remote server. A secondary password protected archive , “AdditionalFilesForMeet.zip” is retrieved from deliverynetwork[.]observer into a temporary directory “temp03241242”.

URL
Figure 13

From AdditionalFilesForMeet.zip is a binary named “MicrosoftRuntimeComponentsX86.exe” This binary gathers system information including HWID, geo IP, hostname, OS, users, cores, RAM, disk size and running processes. 

Exfiltrated system information
Figure 14: System information exfiltrated by Meeten

This data is sent to 172[.]104.133.212/opened, along with the build version of Meeten. 

Data
Figure 15

An additional payload is retrieved “UpdateMC.zip” from “deliverynetwork[.]observer/qfast” into AppData/Local/Temp. The archive file extracts to UpdateMC.exe. 

UpdateMC

UpdateMC.exe is a Rust-based binary, with similar functionality to the macOS version. The stealer searches in various data stores to collect and exfiltrate sensitive data as a zip. Meeten has the ability to steal data from:

  • Telegram credentials
  • Banking card details
  • Browser cookies, history and autofill credentials from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc and Vivaldi
  • Ledger Wallets
  • Trezor Wallets
  • Phantom Wallets
  • Binance Wallets

The data is stored inside a folder named after the users’ HWID inside AppData/Local/Temp directory before being exfiltrated to 172[.]104.133.212. 

Domains.txt
Figure 16

For persistence, a registry key is added to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to ensure that the stealer is run each time the machine is started. 

Code
Figure 17: Disassembled code where 0xFFFFFFFF80000001 = HKEY_CURRENT_USER
Code
Figure 18: Meeten uses RegSetValueExW call to set registry key
Computer folder
Figure 19

Key takeaways 

This blog highlights a sophisticated campaign that uses AI to social engineer victims into downloading low detected malware that has the ability to steal financial information. Although the use of malicious Electron applications is relatively new, there has been an increase of threat actors creating malware with Electron applications. [2] As Electron apps become increasingly common, users must remain vigilant by verifying sources, implementing strict security practices, and monitoring for suspicious activity.

While much of the recent focus has been on the potential of AI to create malware, threat actors are increasingly using AI to generate content for their campaigns. Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams, and makes it more difficult to detect suspicious websites. This shift shows how AI can be used as a powerful tool in social engineering. As a result, users need to exercise caution when being approached about business opportunities, especially through Telegram. Even if the contact appears to be an existing contact, it is important to verify the account and always be diligent when opening links. 

Indicators of compromise (IoCs)

http://172[.]104.133.212:8880/new_analytics

http://172[.]104.133.212:8880/opened

http://172[.]104.133.212:8880/metrics

http://172[.]104.133.212:8880/sede

139[.]162[.]179.170:8080

deliverynetwork[.]observer/qfast/UpdateMC.zip

deliverynetwork[.]observer/qfast/AdditionalFilesForMeet.zip

www[.]meeten.us

www[.]meetio.one

www[.]meetone.gg

www[.]clusee.com

199[.]247.4.86

File / md5

CallCSSetup.pkg  9b2d4837572fb53663fffece9415ec5a  

Meeten.exe  6a925b71afa41d72e4a7d01034e8501b  

UpdateMC.exe  209af36bb119a5e070bad479d73498f7  

MicrosoftRuntimeComponentsX64.exe d74a885545ec5c0143a172047094ed59  

CluseeApp.pkg 09b7650d8b4a6d8c8fbb855d6626e25d

MITRE ATT&CK

Technique name / ID

T1204  User Execution  

T1555.001  Credentials From Password Stores: Keychain  

T1555.003 Credentials From Password Stores: Credentials from Web Browsers  

T1539  Steal Web Session Cookie  

T1217 Browser Information Discovery  

T1082  System Information Discovery  

T1016 System Network Configuration Discovery  

T1033  System Owner/User Discovery  

T1005 Data from Local System

T1074  Local Data Staging  

T1071.001 Application Layer Protocol: Web Protocols  

T1041 Exfiltration Over C2 Channel  

T1657 Financial Theft  

T1070.004 File Deletion  

T1553.001 Subvert Trust Controls: Gatekeeper Bypass  

T1553.002  Subvert Trust Controls: Code Signing  

T1547.001 Boot or Logon Autostart Execution: Registry Run Folder  

T1497.001  Virtualization/Sandbox Evasion: System Checks  

T1058.001 Command and Scripting Interpreter: Powershell  

T1016 Network Configuration Discovery  

T1007 System Service Discovery

References

  1. https://www.darktrace.com/blog/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos
  2. https://research.checkpoint.com/2022/new-malware-capable-of-controlling-social-media-accounts-infects-5000-machines-and-is-actively-being-distributed-via-gaming-applications-on-microsofts-official-store/  
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Tara Gould
Threat Researcher

More in this series

No items found.

Blog

/

AI

/

September 26, 2025

One-Person Security Team, Enterprise-Wide Protection: A Utility Company’s Darktrace Success Story

Default blog imageDefault blog image

A critical mission: Securing public utility systems

This company manages essential utility infrastructure across more than 100 distributed sites, resulting in a wide attack surface spanning both information technology (IT) and operational technology (OT). With attacks on critical infrastructure rising, the company wanted to strengthen defenses.

The limits of traditional tools

The existing mix of conventional tools for visibility and security monitoring posed numerous limitations:

  • Fragmented tools required switching between dashboards to piece together insights
  • Multiple tools were required to both identify and take action on potential incidents
  • Integration between IT, OT, cloud and email required heavy manual effort
  • Existing cybersecurity investments were failing to deliver favorable ROI

A security team of one

For the company’s one-person security team and Vice President of IT, juggling multiple tools and switching between platforms were drains on his time and impacted threat detection and response times. “If an unknown actor attempts to connect to our networks, I need to know immediately and have the ability to stop them before they can do damage.”

Unified, AI-driven defense with Darktrace

The company wanted to unify IT and OT security, reduce manual workload and deliver actionable intelligence in real time. “Darktrace offered the visibility and autonomous capabilities we needed for a proactive defense, including the ability to both see incidents and take action through a single-pane-of-glass.”

Today, the company is using the Darktrace ActiveAI Security Platform™ as the cornerstone of its defense strategy, including:

Real-time protection without the overhead

When compared to a security operations center, the VP said Darktrace is faster, more efficient and more accurate – delivering holistic protection without the high cost or risk of human error.

Darktrace’s Autonomous Response has been a game changer for a shop our size. It stops attacks in real time, before they can move laterally. As a team of one, I can adjust Darktrace’s autonomous actions, ensuring the AI automatically takes stronger actions during off hours to contain threats.”

A single platform for holistic visibility and resilience

Initially licensed under an OT-only pricing model, the company quickly recognized the broader value of Darktrace Self-Learning AI – extending deployment across its IT, cloud, email and endpoint environments and consolidating multiple tools. This holistic visibility is also helping the company to meet ISO and SEC compliance requirements.

A rapid, guided and streamlined deployment

The VP described the Darktrace rollout as smooth and highly collaborative, noting that Darktrace, “Held our hand throughout the process and was genuinely interested in making sure our experience with the platform and the company was top notch.” Despite the complexity of managing multi-connectivity for 100 sites, rollout took less than one week, guided by a clear plan from the Darktrace implementation team.

From barriers to breakthroughs

A seamless security ecosystem

With Darktrace, the company now operates a seamless, AI-driven security ecosystem that combines deep threat validation, intuitive user experience, and a single pane of glass for holistic cyber defense. What began as an OT-focused deployment has grown into a platform that unifies IT, OT, cloud, email and endpoint visibility, delivering comprehensive protection without the overhead of managing multiple tools.

From false positives to real-time, autonomous precision

Since using Darktrace, the company’s false positives have decreased to single digits per day. Within three months, Darktrace conducted 1,470 total investigations, resolving 92% of those autonomously. And Darktrace consistently catches threats that other tools miss:

  • When a remote call center agent landed on a malware-laden site using their company device, the company’s endpoint solution failed to catch it. But Darktrace / ENDPOINT detected the malicious traffic in real time, immediately cutting the connection and blocking the machine from the home network – stopping the attack before it could spread.
  • Darktrace / EMAIL has consistently flagged suspicious messages other tools missed, including credential harvesters or malware disguised as legitimate emails. “Occasionally users request the release of a legitimate email, whether it’s a blocked link or a message diverted to junk. But 10% of those messages could have caused real harm,” said the VP. “And because Darktrace AI is always learning and adapting, it will identify similar legitimate emails in the future, reducing false positives. That tradeoff is well worth it.”

Time saved, confidence gained

For the VP, one of the biggest benefits is time. In less than one month, Darktrace saved the company 264 analyst hours spent on investigations, only escalating 8% of suspected threats for further review. And with Darktrace’s unified dashboard and real-time monitoring, the VP said, “I no longer have to spend time verifying each security tool is working because I can see everything in one location. And, if there is an issue, Darktrace will let me know. That gives me confidence to let the system handle threats while I focus on other priorities.”

Strengthening OT without complexity

The VP said Darktrace / OT has become one of the most valuable aspects of the deployment. Darktrace / OT provides visibility into firmware levels, PLC communications and unusual device interactions that even dedicated OT tools miss. And using Darktrace, the company can segment OT networks securely while still monitoring them through a single interface, strengthening resilience without adding complexity.

Turning cybersecurity into a business catalyst

By reducing tool sprawl, automating responses, and adapting to the unique rhythms of the organization, Darktrace has transformed the company’s cybersecurity from a constant worry into a reliable foundation.

For us, cybersecurity isn’t just about blocking threats, it’s about building resilience that frees us to focus on growth and innovation. With Darktrace as a trusted partner, we’re no longer stuck reacting to problems; we’re shaping a future where security is a catalyst, not a constraint.”
Continue reading
About the author
The Darktrace Community

Blog

/

Cloud

/

September 25, 2025

Announcing Unified Real-Time CDR and Automated Investigations to Transform Cloud Security Operations

Default blog imageDefault blog image

Fragmented Tools are Failing SOC Teams in the Cloud Era

The cloud has transformed how businesses operate, reshaping everything from infrastructure to application delivery. But cloud security has not kept pace. Most tools still rely on traditional models of logging, policy enforcement, and posture management; approaches that provide surface-level visibility but lack the depth to detect or investigate active attacks.

Meanwhile, attackers are exploiting vulnerabilities, delivering cloud-native exploits, and moving laterally in ways that posture management alone cannot catch fast enough. Critical evidence is often missed, and alerts lack the forensic depth SOC analysts need to separate noise from true risk. As a result, organizations remain exposed: research shows that nearly nine in ten organizations have suffered a critical cloud breach despite investing in existing security tools [1].

SOC teams are left buried in alerts without actionable context, while ephemeral workloads like containers and serverless functions vanish before evidence can be preserved. Point tools for logging or forensics only add complexity, with 82% of organizations using multiple platforms to investigate cloud incidents [2].

The result is a broken security model: posture tools surface risks but don’t connect them to active attacker behaviors, while investigation tools are too slow and fragmented to provide timely clarity. Security teams are left reactive, juggling multiple point solutions and still missing critical signals. What’s needed is a unified approach that combines real-time detection and response for active threats with automated investigation and cloud posture management in a single workflow.

Just as security teams once had to evolve beyond basic firewalls and antivirus into network and endpoint detection, response, and forensics, cloud security now requires its own next era: one that unifies detection, response, and investigation at the speed and scale of the cloud.

A Powerful Combination: Real-Time CDR + Automated Cloud Forensics

Darktrace / CLOUD now uniquely unites detection, investigation, and response into one workflow, powered by Self-Learning AI. This means every alert, from any tool in your stack, can instantly become actionable evidence and a complete investigation in minutes.

With this release, Darktrace / CLOUD delivers a more holistic approach to cloud defense, uniting real-time detection, response, and investigation with proactive risk reduction. The result is a single solution that helps security teams stay ahead of attackers while reducing complexity and blind spots.

  • Automated Cloud Forensic Investigations: Instantly capture and analyze volatile evidence from cloud assets, reducing investigation times from days to minutes and eliminating blind spots
  • Enhanced Cloud-Native Threat Detection: Detect advanced attacker behaviors such as lateral movement, privilege escalation, and command-and-control in real time
  • Enhanced Live Cloud Topology Mapping: Gain continuous insight into cloud environments, including ephemeral workloads, with live topology views that simplify investigations and expose anomalous activity
  • Agentless Scanning for Proactive Risk Reduction: Continuously monitor for misconfigurations, vulnerabilities, and risky exposures to reduce attack surface and stop threats before they escalate.

Automated Cloud Forensic Investigations

Darktrace / CLOUD now includes capabilities introduced with Darktrace / Forensic Acquisition & Investigation, triggering automated forensic acquisition the moment a threat is detected. This ensures ephemeral evidence, from disks and memory to containers and serverless workloads can be preserved instantly and analyzed in minutes, not days. The integration unites detection, response, and forensic investigation in a way that eliminates blind spots and reduces manual effort.

Figure 1: Easily view Forensic Investigation of a cloud resource within the Darktrace / CLOUD architecture map

Enhanced Cloud-Native Threat Detection

Darktrace / CLOUD strengthens its real-time behavioral detection to expose early attacker behaviors that logs alone cannot reveal. Enhanced cloud-native detection capabilities include:

• Reconnaissance & Discovery – Detects enumeration and probing activity post-compromise.

• Privilege Escalation via Role Assumption – Identifies suspicious attempts to gain elevated access.

• Malicious Compute Resource Usage – Flags threats such as crypto mining or spam operations.

These enhancements ensure active attacks are detected earlier, before adversaries can escalate or move laterally through cloud environments.

Figure 2: Cyber AI Analyst summary of anomalous behavior for privilege escalation and establishing persistence.

Enhanced Live Cloud Topology Mapping

New enhancements to live topology provide real-time mapping of cloud environments, attacker movement, and anomalous behavior. This dynamic visibility helps SOC teams quickly understand complex environments, trace attack paths, and prioritize response. By integrating with Darktrace / Proactive Exposure Management (PEM), these insights extend beyond the cloud, offering a unified view of risks across networks, endpoints, SaaS, and identity — giving teams the context needed to act with confidence.

Figure 3: Enhanced live topology maps unify visibility across architectures, identities, network connections and more.

Agentless Scanning for Proactive Risk Reduction

Darktrace / CLOUD now introduces agentless scanning to uncover malware and vulnerabilities in cloud assets without impacting performance. This lightweight, non-disruptive approach provides deep visibility into cloud workloads and surfaces risks before attackers can exploit them. By continuously monitoring for misconfigurations and exposures, the solution strengthens posture management and reduces attack surface across hybrid and multi-cloud environments.

Figure 4: Agentless scanning of cloud assets reveals vulnerabilities, which are prioritized by severity.

Together, these capabilities move cloud security operations from reactive to proactive, empowering security teams to detect novel threats in real time, reduce exposures before they are exploited, and accelerate investigations with forensic depth. The result is faster triage, shorter MTTR, and reduced business risk — all delivered in a single, AI-native solution built for hybrid and multi-cloud environments.

Accelerating the Evolution of Cloud Security

Cloud security has long been fragmented, forcing teams to stitch together posture tools, log-based monitoring, and external forensics to get even partial coverage. With this release, Darktrace / CLOUD delivers a holistic, unified approach that covers every stage of the cloud lifecycle, from proactive posture management and risk identification to real-time detection, to automated investigation and response.

By bringing these capabilities together in a single AI-native solution, Darktrace is advancing cloud security beyond incremental change and setting a new standard for how organizations protect their hybrid and multi-cloud environments.

With Darktrace / CLOUD, security teams finally gain end-to-end visibility, response, and investigation at the speed of the cloud, transforming cloud defense from fragmented and reactive to unified and proactive.

[related-resource]

Sources: [1], [2] Darktrace Report: Organizations Require a New Approach to Handle Investigations in the Cloud

Continue reading
About the author
Adam Stevens
Senior Director of Product, Cloud | Darktrace
Your data. Our AI.
Elevate your network security with Darktrace AI