Phishing for Crypto

The NJCCIC observed a phishing campaign targeting MetaMask cryptocurrency wallets. The message appears to come from MetaMask, but the actual originating email address can be found in the header information. The threat actor also uses Punycode in the “From” field, likely to evade word-based detection in email protection systems. To prompt quick action, the messages state that funds will be lost if no action is taken, and the subject lines sound urgent, such as:
Don’t Lose Access – Act Now
⚠️ FINAL WARNING: account deletion & permanent fund loss
Account On HOLD
Final Notice: Review Required
The messages include a URL that directs users to a CAPTCHA-protected fake MetaMask page. When the “Update Now” button is clicked, a prompt requests the user’s recovery phrase to confirm account ownership. If the recovery phrase is shared, the threat actor gains full control of the associated wallet.

Docusign Phishing Installs LogMeIn Resolve RMM Tool

The NJCCIC observed a phishing campaign that abused the legitimate Docusign brand, leading to the installation of the LogMeIn Resolve remote monitoring and management (RMM) tool. The email is not sent from a legitimate Docusign domain, such as docusign[.]com or docusign[.]net. Additionally, it is not a valid notification: a legitimate Docusign email contains an alternate signing method with a unique security code at the bottom of the email. The subject line contains misspellings, and the impersonal email includes an “ACCESS DOCUMENT” link to review a secure document, supposedly without requiring an account or special tools.
If the link is clicked, the target is directed to a malicious website, hxxps://micronetmx[.]com/Docs, that automatically downloads an executable called “Docx_xlxs-rqs[.]exe.” Clicking on the “Open file” link installs the LogMeIn Resolve RMM tool, allowing threat actors to remotely control the compromised device. Further analysis reveals that the executable file performs various tasks, including establishing persistence, checking the BIOS and system information in the registry, reviewing the system for installed applications, and dropping files into the System32 directory. The malicious use of RMM tools and weak organizational IT policies can lead to unauthorized access, persistent backdoor access, lateral movement to critical systems and cloud accounts, the deployment of other malware and ransomware, and data leakage.
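Both campaigns above are recognizable from the sender headers: a Punycode “From” domain that hides a lookalike name from word-based filters, a display name that claims a brand while the address is not on that brand’s legitimate domains (docusign[.]com, docusign[.]net), and an originating address that differs from the one shown. The following is an added example, not from the NJCCIC advisory or any vendor, that decodes those fields and reports such findings; the sample headers, the lookalike domain and the domains docs-share.example and mailer-example.test are constructed for illustration.

```python
# Added example (not from the NJCCIC advisory): decode the From field so that
# Punycode (xn--) domains, RFC 2047 display names and a mismatching envelope
# sender are visible. All sample headers below are constructed, not real data.
import email
from email import policy
from email.utils import parseaddr

# Legitimate sender domains named in the advisory; other brands would be added here.
BRAND_DOMAINS = {"docusign": {"docusign.com", "docusign.net"}}

def _decode_idna(domain: str) -> str:
    """Turn Punycode labels back into Unicode so lookalike domains are visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already Unicode (SMTPUTF8) or malformed: keep as-is

def analyze_from(raw_message: str) -> dict:
    """Return decoded sender details and a list of findings for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addrs = msg["From"].addresses if msg["From"] else ()
    display_name = addrs[0].display_name if addrs else ""  # RFC 2047 already decoded
    from_domain = addrs[0].domain.lower() if addrs else ""
    shown_domain = _decode_idna(from_domain)
    # Return-Path carries the envelope (originating) address, which may differ from From
    return_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    findings = []
    if any(label.startswith("xn--") for label in from_domain.split(".")):
        findings.append("punycode_domain")
    if not shown_domain.isascii():
        findings.append("non_ascii_domain")
    if return_domain and return_domain != from_domain:
        findings.append("envelope_mismatch")
    haystack = f"{display_name} {shown_domain}".lower()
    for brand, allowed in BRAND_DOMAINS.items():
        on_list = any(from_domain == a or from_domain.endswith("." + a) for a in allowed)
        if brand in haystack and not on_list:
            findings.append(f"brand_spoof:{brand}")
    return {"display_name": display_name, "from_domain": from_domain,
            "decoded_domain": shown_domain, "return_domain": return_domain,
            "findings": findings}

# Constructed samples: a Punycode lookalike in From with a different envelope
# sender, and a Docusign-branded display name sent from an unrelated domain.
SAMPLE_PUNYCODE = (
    "From: MetaMask Support <support@" + "metamäsk.com".encode("idna").decode("ascii") + ">\r\n"
    "Return-Path: <bounce@mailer-example.test>\r\n\r\n(body)\r\n"
)
SAMPLE_DOCUSIGN = "From: =?utf-8?q?Docusign_via_Secure_Share?= <no-reply@docs-share.example>\r\n\r\n(body)\r\n"
```

Run `analyze_from` over the raw message text; the `findings` list is what a mail filter or SIEM rule would key on, while `decoded_domain` shows analysts the lookalike as the recipient would have perceived it.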
Recommendations
Exercise caution even with communications that appear to come from known senders or legitimate platforms.

Confirm requests from senders via contact information obtained from verified and official sources before taking action, such as clicking on links or opening attachments.

Navigate directly to legitimate websites and verify before submitting account credentials, providing personal or financial information, or downloading files.

Enable multi-factor authentication (MFA) and keep systems and browsers up to date.

If victimized, disconnect from the internet and run anti-virus/anti-malware scans.

If sensitive information was entered, change passwords for compromised accounts, monitor for unauthorized activity, and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

Review Docusign’s webpage for additional security concerns, recommendations, and reporting. Report malicious cyber activity to the NJCCIC and the FBI’s IC3.