Fake TradingClaw AI Tool Delivers Needle Stealer Malware Targeting Crypto Wallets and Browser Sessions
A malicious website posing as an AI-powered trading assistant called TradingClaw is distributing Needle Stealer, a modular Golang infostealer that can hijack browser sessions, steal cryptocurrency wallets, and install malicious browser extensions.

A malicious campaign discovered by Malwarebytes researchers is using a fake website (tradingclaw[.]pro) that impersonates an AI-powered trading tool called TradingClaw to deliver a sophisticated modular infostealer known as Needle Stealer. The website claims to be an AI assistant for TradingView, a legitimate financial analysis platform, but is actually a lure to trick traders into downloading malware. The same stealer has also been observed being distributed by other malware families including Amadey, GCleaner, and CountLoader/DeepLoad.
Needle Stealer is written in Golang and built as a modular framework, allowing attackers to enable or disable specific data-theft features depending on their targets. The malware's core components include form grabbing, clipboard hijacking, and the ability to take screenshots of infected systems. It can steal browser history, cookies, saved credentials, and extract data from applications like Telegram and FTP clients. The stealer also targets cryptocurrency wallet apps including Ledger, Trezor, and Exodus, as well as browser-based wallets like MetaMask and Coinbase, with attempts to extract seed phrases.
The infection chain begins when a victim downloads a ZIP file from the fake TradingClaw website. The attack relies on DLL hijacking: the malware is named after a legitimate library (iviewers.dll) so that a trusted program loads it automatically. Once executed, this loader DLL loads a second-stage DLL that ultimately injects Needle Stealer into a legitimate Windows process (RegAsm.exe) using process hollowing, a technique that replaces the memory of a legitimate process with malicious code.
One of the most concerning features of Needle Stealer is its ability to install malicious browser extensions that give attackers near-full control over the victim's browser. The malware unpacks a hidden ZIP archive containing the extension files and a configuration file (cfg.json) that specifies the command-and-control server, an API key, and which features to enable. The extensions are dropped into a randomly named folder under %LOCALAPPDATA%\Packages\Extensions and have been observed using Google-related names to appear legitimate.
Once installed, the malicious browser extensions can connect to a remote server using a built-in API key, generate a unique ID to track infected users, collect full browsing history, and monitor visited websites in real time. The extensions can apply attacker-controlled redirect rules, silently sending victims to different websites or altering page content. The configuration panel also shows a "coming soon" feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.
The TradingClaw website serves content selectively, sometimes showing the fake TradingClaw page and at other times redirecting visitors to an unrelated site (studypages[.]com). This kind of filtering is commonly used by attackers to avoid detection: only intended targets see the malicious content, while search engines and scanners see the benign version. The campaign highlights the growing trend of attackers using AI-themed lures to target cryptocurrency users and traders, combining social engineering with modular malware that can adapt its capabilities to the attacker's objectives.
Organizations and individuals should exercise caution when downloading software from unverified websites, particularly those promising AI-powered trading tools. The modular nature of Needle Stealer and its ability to install persistent browser extensions make it a significant threat that can maintain long-term access to compromised systems. Users should verify the legitimacy of any trading tool before downloading, and security teams should monitor for the indicators of compromise associated with this campaign, including the tradingclaw[.]pro domain and the specific DLL hijacking technique using iviewers.dll.