FakeWallet Crypto Stealer Spreading Through iOS Apps in the App Store

    Date: 04/28/2026 

    Severity: High

    Summary

    In March 2026, we identified over twenty phishing apps on the Apple App Store posing as well-known crypto wallets. After being opened, these apps redirect users to web pages that mimic the App Store and deliver tampered versions of legitimate wallet applications. These malicious apps are deliberately built to capture recovery phrases and private keys. Malware metadata indicates the campaign may have been operating undetected since at least late 2025.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    Hashes (MD5):

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb" or url like "https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb" or siteurl like "https://ngy2yjq0otlj.ahroar.com/17pIWJfr9DBiXYrSb" or domainname like "https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca" or url like "https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca" or siteurl like "https://ntm0mdkzymy3n.oukwww.com/jFms03nKTf7RIZN8?61f68b07f8=0565364633b5acdd24a498a6a9ab4eca" or domainname like "https://helllo2025.com/api/open/postByTokenpocket" or url like "https://helllo2025.com/api/open/postByTokenpocket" or siteurl like "https://helllo2025.com/api/open/postByTokenpocket" or domainname like "https://api.dc1637.xyz" or url like "https://api.dc1637.xyz" or siteurl like "https://api.dc1637.xyz" or domainname like "https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN" or url like "https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN" or siteurl like "https://odm0.siyangoil.com/TYTmtV8t/JG6T5nvM1AYqAcN" or domainname like "https://zmx6f.com/btp/ios/receiRsakeyword.php" or url like "https://zmx6f.com/btp/ios/receiRsakeyword.php" or siteurl like "https://zmx6f.com/btp/ios/receiRsakeyword.php" or domainname like "https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ" or url like "https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ" or siteurl like "https://ngy2yjq0otlj.ahroar.com/EpCXMKDMx1roYGJ" or domainname like "https://sxsfcc.com/api/open/postByTokenpocket" or url like "https://sxsfcc.com/api/open/postByTokenpocket" or siteurl like "https://sxsfcc.com/api/open/postByTokenpocket" or domainname like "https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=" or url like "https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=" or siteurl like "https://xz.apps-store.im/s/iuXt?key=646Y563Y6F6H465J313X737U333S9342323N030R34&c=" or domainname like 
"https://yjzhengruol.com/s/3f605f" or url like "https://yjzhengruol.com/s/3f605f" or siteurl like "https://yjzhengruol.com/s/3f605f" or domainname like "https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF" or url like "https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF" or siteurl like "https://mgi1y.siyangoil.com/vmzLvi4Dh/1Dd0m4BmAuhVVCbzF" or domainname like "https://api.npoint.io/153b165a59f8f7d7b097" or url like "https://api.npoint.io/153b165a59f8f7d7b097" or siteurl like "https://api.npoint.io/153b165a59f8f7d7b097" or domainname like "https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=" or url like "https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=" or siteurl like "https://xz.apps-store.im/s/dDan?key=646756376F6A465D313L737J333993473233038L39&c=" or domainname like "https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc" or url like "https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc" or siteurl like "https://mziyytm5ytk.ahroar.com/kAN2pIEaariFb8Yc" or domainname like "https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5" or url like "https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5" or siteurl like "https://mtjln.siyangoil.com/08dT284P/1ZMz5Xmb0EoQZVvS5" or domainname like "https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n" or url like "https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n" or siteurl like "https://nziwytu5n.lahuafa.com/10RsW/mw2ZmvXKUEbzI0n" or domainname like "https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31" or url like "https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31" or siteurl like "https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31" or domainname like "https://crypto-stroe.cc/" or url like "https://crypto-stroe.cc/" or siteurl like "https://crypto-stroe.cc/" or domainname like "https://nmu8n.com/tpocket/ios/Rsakeyword.php" or url like "https://nmu8n.com/tpocket/ios/Rsakeyword.php" or 
siteurl like "https://nmu8n.com/tpocket/ios/Rsakeyword.php"

    Detection Query 2:

    domainname like "https://iosfc.com/ledger/ios/Rsakeycatch.php" or url like "https://iosfc.com/ledger/ios/Rsakeycatch.php" or siteurl like "https://iosfc.com/ledger/ios/Rsakeycatch.php" or domainname like "https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737" or url like "https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737" or siteurl like "https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737" or domainname like "https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35" or url like "https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35" or siteurl like "https://xz.apps-store.im/CqDq?key=646R563V6F6Y465K313J737G343C3352383R336O35" or domainname like "https://kkkhhhnnn.com/api/open/postByTokenpocket" or url like "https://kkkhhhnnn.com/api/open/postByTokenpocket" or siteurl like "https://kkkhhhnnn.com/api/open/postByTokenpocket" or domainname like "https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf" or url like "https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf" or siteurl like "https://ntm0mdkzymy3n.oukwww.com/7nhn7jvv5YieDe7P?0e7b9c78e=686989d97cf0d70346cbde2031207cbf" or domainname like "https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860" or url like "https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860" or siteurl like "https://zdrhnmjjndu.ulbcl.com/7uchSEp6DIEAqux?a3f65e=417ae7f384c49de8c672aec86d5a2860" or domainname like "https://6688cf.jhxrpbgq.com/6axqkwuq" or url like "https://6688cf.jhxrpbgq.com/6axqkwuq" or siteurl like "https://6688cf.jhxrpbgq.com/6axqkwuq" or domainname like "https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f" or url like "https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f" or siteurl like 
"https://zdrhnmjjndu.ulbcl.com/tWe0ASmXJbDz3KGh?4a1bbe6d=31d25ddf2697b9e13ee883fff328b22f" or domainname like "https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n" or url like "https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n" or siteurl like "https://mti4ywy4.lahuafa.com/UVB2U/mw2ZmvXKUEbzI0n" or domainname like "https://www.gxzhrc.cn/download/" or url like "https://www.gxzhrc.cn/download/" or siteurl like "https://www.gxzhrc.cn/download/" or domainname like "https://139.180.139.209/prod-api/system/confData/getUserConfByKey/" or url like "https://139.180.139.209/prod-api/system/confData/getUserConfByKey/" or siteurl like "https://139.180.139.209/prod-api/system/confData/getUserConfByKey/"

    Detection Query 3:

    md5hash IN ("114721fbc23ff9d188535bd736a0d30e","4126348d783393dd85ede3468e48405d","b639f7f81a8faca9c62fd227fef5e28c","d48b580718b0e1617afc1dec028e9059","bafba3d044a4f674fc9edc67ef6b8a6b","79fe383f0963ae741193989c12aefacc","8d45a67b648d2cb46292ff5041a5dd44","7e678ca2f01dc853e85d13924e6c8a45","be9e0d516f59ae57f5553bcc3cf296d1","fd0dc5d4bba740c7b4cc78c4b19a5840","7b4c61ff418f6fe80cf8adb474278311","8cbd34393d1d54a90be3c2b53d8fc17a","d138a63436b4dd8c5a55d184e025ef99","5bdae6cb778d002c806bb7ed130985f3","84c81a5e49291fe60eb9f5c1e2ac184b","19733e0dfa804e3676f97eff90f2e467","8f51f82393c6467f9392fb9eb46f9301")
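As an added example (not code from this advisory or from Gurucul's TDIR), the following Python applies the logic of the three queries above to constructed log records: it normalises each indicator URL to host and path, so a hit is still registered when the key parameter in the query string differs, and it lowercases hashes before comparing them with the MD5 list. The key=value log format and the field names ts, src, url and md5 are assumptions.

```python
import re
from urllib.parse import urlparse

# Subset of the advisory's indicators (see the IOC list and queries above).
IOC_URLS = [
    "https://appstoreios.com/DjZH?key=646556306F6Q465O313L737N3332939Y353I830F31",
    "https://crypto-stroe.cc/",
    "https://xz.apps-store.im/DjZH?key=646B563L6F6N4657313B737U3436335E3833331737",
    "https://kkkhhhnnn.com/api/open/postByTokenpocket",
    "https://iosfc.com/ledger/ios/Rsakeycatch.php",
]
IOC_MD5 = {"4126348d783393dd85ede3468e48405d", "114721fbc23ff9d188535bd736a0d30e"}
# Normalise once: match on (host, path) or on host alone, ignoring query strings.
IOC_HOST_PATH = {(urlparse(u).hostname, urlparse(u).path) for u in IOC_URLS}
IOC_HOSTS = {h for h, _ in IOC_HOST_PATH}

# Constructed sample proxy/EDR records in key=value form; not real telemetry.
SAMPLE_LOGS = [
    'ts=2026-03-02T10:00:01Z src=10.0.0.5 url="https://xz.apps-store.im/DjZH?key=AAAA" md5=-',
    'ts=2026-03-02T10:00:07Z src=10.0.0.5 url="https://apps.apple.com/app/id123" md5=-',
    'ts=2026-03-02T10:01:30Z src=10.0.0.9 url="https://kkkhhhnnn.com/api/open/postByTokenpocket" md5=-',
    'ts=2026-03-02T10:01:45Z src=10.0.0.9 url="https://crypto-stroe.cc/login" md5=-',
    'ts=2026-03-02T10:02:00Z src=10.0.0.9 url=- md5=4126348D783393DD85EDE3468E48405D',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}

def classify(rec):
    """Return 'md5', 'url' or 'host' for the strongest matching indicator, else None."""
    if rec.get("md5", "-").lower() in IOC_MD5:
        return "md5"
    url = rec.get("url", "-")
    if url != "-":
        p = urlparse(url)
        if (p.hostname, p.path) in IOC_HOST_PATH:
            return "url"
        if p.hostname in IOC_HOSTS:   # same landing/C2 host, different path
            return "host"
    return None

def scan(lines):
    """Return (ts, src, kind) for every record that matches an indicator."""
    recs = [parse_line(l) for l in lines]
    return [(r["ts"], r["src"], classify(r)) for r in recs if classify(r)]
```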

    Reference:

    https://securelist.com/fakewallet-cryptostealer-ios-app-store/119474/

    Tags: Malware, Phishing, Crypto wallets
