This RAT Is Interested in Your Crypto-Related PC Usage Not Food

Siamak Masnavi

The ThreatLabZ team of cybersecurity firm Zscaler published a blog post on Thursday (August 8) saying that they had come across a new piece of malware, in this case a remote-access trojan (RAT) currently offered for sale on the internet, that targets cryptocurrency users.

The team defines a RAT as "a type of malware that includes a backdoor for remote administrative control of the targeted computer," and says that RATs usually get downloaded automatically "as a result of a user opening an email attachment or downloading an application or a game that has been infected." 

Since a RAT can have administrative control of the infected computer, it lets the "intruder" do pretty much anything he or she wants on that machine, for example monitoring the user's keystrokes, activating the computer's microphone or webcam, and formatting drives.

This particular RAT is called Saefko, and it has multiple functions.

The ThreatLabZ team says that after the target computer has been successfully infected, the Saefko RAT does the following:

  • "stays in the background and executes every time the user logs in";
  • "fetches the chrome browser history looking for specific types of activities, such as those involving credit cards, business, social media, gaming, cryptocurrency, shopping, and more";
  • "sends the data it has collected to its command-and-control (C&C) server and requests for further instructions"; and
  • starts collecting "a range of data including screenshot, videos, keystroke logs and more" once instructed by the C&C to "provide system information" (of course, the C&C can also "instruct the malware to download additional payload onto the infected system").

RATs can steal a lot of user data without being noticed, and can "spread to other systems across the network." 

The ThreatLabZ team decided to fully understand the Saefko RAT's capabilities by detonating it in the Zscaler Cloud Sandbox.

They discovered that this RAT determines whether the infected computer holds any interesting information by examining the Chrome browser history and looking for various websites across multiple categories.

The list of activities it is interested in includes but is not limited to crypto: credit card use; gaming activity; activities related to checking crypto news and using crypto exchanges; Instagram; Facebook; Google+; Gmail; shopping; and checking financial/business news.

In the crypto category, a few examples of the 72 websites that the RAT scans for in the browser history are "", "", "", and "".

The RAT records the number of sites that match against its complete list of websites. The attacker can then use this information to "determine which systems it should target first from all the infected systems."
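To make concrete what "examining the Chrome browser history" amounts to, here is an added example, not code from the Zscaler post or from the malware itself. Chrome keeps history in a SQLite file whose `urls` table any process running as the logged-in user can read, so the scan needs no privilege at all. The category lists below are illustrative picks of my own and are not Saefko's actual 72-site list (which this page does not reproduce); the `urls` schema is Chrome's, simplified, and the sample rows are constructed so the script runs offline.

```python
import sqlite3
from urllib.parse import urlparse

# Illustrative category lists: my own picks, NOT the RAT's real site list.
CATEGORIES = {
    "cryptocurrency": ["coinbase.com", "binance.com", "coindesk.com"],
    "social": ["facebook.com", "instagram.com"],
    "mail": ["mail.google.com"],
    "shopping": ["amazon.com", "ebay.com"],
    "finance": ["bloomberg.com", "paypal.com"],
}


def host_matches(host, pattern):
    """True if host equals pattern or is a subdomain of it
    (www.coinbase.com matches coinbase.com; notcoinbase.com does not)."""
    return host == pattern or host.endswith("." + pattern)


def categorize_url(url):
    """Return the list of categories whose site list covers this URL's host."""
    host = (urlparse(url).hostname or "").lower()
    return [cat for cat, pats in CATEGORIES.items()
            if any(host_matches(host, p) for p in pats)]


def scan_history(conn):
    """Count matching history entries per category, plus the total number of
    matches: the figure the article says the RAT reports so the operator can
    rank infected hosts. `conn` is an open connection to a Chrome-style
    History database (the real file is %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History
    on Windows; copy it first, since Chrome holds it locked while running)."""
    counts = {cat: 0 for cat in CATEGORIES}
    matched = 0
    for (url,) in conn.execute("SELECT url FROM urls"):
        cats = categorize_url(url)
        if cats:
            matched += 1
        for cat in cats:
            counts[cat] += 1
    return counts, matched


def build_sample_history():
    """Constructed stand-in for Chrome's History file (in-memory SQLite).
    Column names follow Chrome's `urls` table (assumed here, simplified)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
        "title LONGVARCHAR, visit_count INTEGER, typed_count INTEGER, "
        "last_visit_time INTEGER, hidden INTEGER)"
    )
    rows = [  # constructed sample rows
        ("https://www.coinbase.com/dashboard", "Coinbase", 12),
        ("https://www.binance.com/en/trade/BTC_USDT", "Binance", 30),
        ("https://www.coindesk.com/price/bitcoin", "Bitcoin price", 5),
        ("https://www.facebook.com/", "Facebook", 40),
        ("https://mail.google.com/mail/u/0/", "Inbox", 99),
        ("https://www.amazon.com/gp/cart", "Cart", 3),
        ("https://en.wikipedia.org/wiki/Malware", "Malware", 1),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, typed_count, "
        "last_visit_time, hidden) VALUES (?, ?, ?, 0, 0, 0)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    counts, matched = scan_history(build_sample_history())
    print(matched, "history entries matched:", counts)
```

Run against a copied History file instead of the constructed one, the same loop shows exactly how much a user-level implant can learn about a machine before it ever escalates privilege, which is why the article's advice about not running untrusted downloads matters even for non-administrator accounts.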

Finally, Zscaler's blog post says that in order to minimize the risk of infection by a RAT, PC users "must refrain from downloading programs or opening attachments that aren't from a trusted source."


Bitcoin Investors Reportedly Lose Millions in South African Exit Scam

Michael LaVere
  • VaultAge Solutions CEO Willie Breedt is being accused of making off with millions in investor bitcoin.
  • Breedt allegedly fled the country for Mozambique and has not communicated with investors since December 2019. 

South African cryptocurrency investors are accusing the CEO of VaultAge Solutions of stealing millions in crypto before going on the run. 

According to a report by AllAfrica, Willie Breedt, the CEO of cryptocurrency investment firm VaultAge Solutions, is presumed to be on the run after making no public communications since December 2019. The report claims Breedt was speculated to be staying near the town of Jeffrey’s Bay and that his whereabouts were being looked into by the country’s criminal investigation unit.

However, South Africans who invested cryptocurrency with the now-defunct firm fear the CEO may have fled the country for Mozambique. 

Breedt is accused of stealing millions from bitcoin investors. The report claims VaultAge Solutions is not registered as a legitimate financial institution with the Financial Services Conduct Authority (FSCA), despite having more than 2,000 investors.

The report quoted investor Lettie Engelbrecht from Krugersdorp,

We are pensioners and invested R200 000. From December until April, we received payments on the growth of our investment. Since then, we never got any money. We are desperate and living on a shoestring budget.

One South African investor reportedly had deposited more than R6 million ($342,000) with Breedt’s company. 

Breedt delivered a written reply to local outlet News24, explaining, 

I am busy attending to the commitments I have made to members. The commitment is to have all the initial capital paid back by 31 May.

Colonel Katlego Mogale of the Directorate for Priority Crime Investigation (DPCI) said authorities are investigating the case but cannot reveal any more information “at this stage.”
