{"id":28724,"date":"2025-04-01T04:55:19","date_gmt":"2025-04-01T08:55:19","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/?p=28724"},"modified":"2025-04-01T14:26:57","modified_gmt":"2025-04-01T08:56:57","slug":"tarot-and-cyber-threats","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/tarot-and-cyber-threats\/28724\/","title":{"rendered":"Tarot and cyberthreats: a new Trojan for fans of the supernatural"},"content":{"rendered":"<p>Imagine what the world would be like if tarot cards could accurately predict any and every event. Perhaps we could have nipped <a href=\"https:\/\/www.kaspersky.com\/blog\/triangulation-37c3-talk\/50166\/\" target=\"_blank\" rel=\"noopener nofollow\">Operation Triangulation<\/a> in the bud, and <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/0days\/\" target=\"_blank\" rel=\"noopener nofollow\">zero-day vulnerabilities<\/a> wouldn\u2019t exist at all, as software developers would receive alerts in advance thanks to tarot readings.<\/p>\n<p>Sounds incredible? Well, our experts actually looked into similar methods in their latest discovery! Read on to learn about the new Trojan we found and how we did it.\n<\/p>\n<h2>The tarot trojan<\/h2>\n<p>\nThe new Trojan \u2014 <strong>Trojan.Arcanum<\/strong> \u2014 is distributed through websites dedicated to fortune-telling and esoteric practices, disguised as a \u201cmagic\u201d app for predicting the future. At first glance, it looks like a harmless program offering users the chance to lay out virtual tarot cards, calculate astrological compatibility, or even \u201ccharge an amulet with the energy of the universe\u201d (whatever that means). 
But in reality, something truly mystical is unfolding behind the scenes \u2014 in the worst possible way.<\/p>\n<p>Once installed on the user\u2019s device, <strong>Trojan.Arcanum<\/strong> connects to a cloud C2 server and deploys its payload \u2014 the <strong>Autolycus.Hermes<\/strong> stealer, the <strong>Karma.Miner<\/strong> miner, and the <strong>Lysander.Scytale<\/strong> crypto-malware. Having collected user data (logins; passwords; time, date and place of birth; banking information; etc.), the stealer sends it to the cloud. Then the real drama begins: the Trojan starts manipulating its victim in real life using social engineering!<\/p>\n<p>Through pop-up notifications, <strong>Trojan.Arcanum<\/strong> sends pseudo-esoteric advice to the user, prompting them to take certain actions. For example, if the Trojan gains access to the victim\u2019s banking apps and discovers significant funds in the account, the attackers send a command to give the victim a false prediction about the favorability of large investments. After this, the victim might receive a phishing email offering to participate in a \u201cpromising startup\u201d. Or maybe they won\u2019t \u2014 depending on how the cards fall.<\/p>\n<p>In the meantime, the embedded <strong>Karma.Miner<\/strong> begins mining KARMA tokens, and the Trojan activates a paid subscription to dubious \u201cesoteric practices\u201d with monthly charges. If the user detects and terminates the KARMA mining, the crypto-malware randomly shuffles segments of the user\u2019s files without any chance of recovery.\n<\/p>\n<h2>How we discovered Trojan.Arcanum<\/h2>\n<p>\nTypically, we hunt for cyberthreats using complex algorithms and data analysis. But what if the threat is too enigmatic? In such cases, trusting a tarot reading is the best approach. That\u2019s exactly what our experts did. 
When performing divination on the signature of an unknown virus detected through <a href=\"https:\/\/www.kaspersky.com\/ksn\" target=\"_blank\" rel=\"noopener nofollow\">KSN (Kaspersky Sacral Network)<\/a>, several Major Arcana cards appeared \u2014 some of them reversed:\n<\/p>\n<ol>\n<li>\n<strong>The Emperor<\/strong> \u2014 A symbol of power, control, and strategic foresight. Meaning: the threat is serious.<\/li>\n<li>\n<strong>The Magician<\/strong> \u2014 Able to spot vulnerabilities where no one else does. Clever, proactive, and decisive, the Magician skillfully manipulates people. In reverse, it warns of a loss of control. Meaning: the attackers use social engineering.<\/li>\n<li>\n<strong>The Horse<\/strong> \u2014 Represents a bold, decisive, adventurous individual; a symbol of activity, change\u2026 and Trojan horses. Reversed, the card indicates errors due to impulsive actions. Meaning: the threat might disguise itself as a randomly downloaded harmless app.<\/li>\n<li>\n<strong>The Wheel <\/strong>\u2014 Warns that insurmountable circumstances are beyond the user\u2019s control, and that a favorable resolution will be delayed. Usually indicates a miner or financial scam.<\/li>\n<li>\n<strong>The Tower <\/strong>\u2014 Foretells a phase of change initiated not by the person but by fate \u2014 falling upon the person with relentless force. A strong predictor of a <a href=\"https:\/\/www.kaspersky.com\/blog\/what-is-zero-click-exploit\/49637\/\" target=\"_blank\" rel=\"noopener nofollow\">zero-click vulnerability<\/a>.<\/li>\n<li>\n<strong>Death<\/strong> \u2014 represents transformation, a change of cycles, an ending, a transition to a new level. 
Indicates the presence of crypto-malware.<\/li>\n<\/ol>\n<div id=\"attachment_53260\" style=\"width: 1470px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2025\/04\/01134815\/tarot-and-cyber-threats-01.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53260\" class=\"size-full wp-image-53260\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2025\/04\/01134815\/tarot-and-cyber-threats-01.jpg\" alt=\"How the reading looked on the expert's table\" width=\"1460\" height=\"960\"><\/a><p id=\"caption-attachment-53260\" class=\"wp-caption-text\">How the reading looked on the expert\u2019s table<\/p><\/div>\n<h2>How to protect yourself from Arcanum<\/h2>\n<p>\nProtecting yourself from such a virus is nearly impossible \u2014 if only because it doesn\u2019t exist. This whole story is a fabrication from start to finish. But what\u2019s stopping it from becoming a reality at any given moment? Trojans and other types of malware do often disguise themselves as <a href=\"https:\/\/www.kaspersky.com\/blog\/ios-android-ocr-stealer-sparkcat\/52980\/\" target=\"_blank\" rel=\"noopener nofollow\">legitimate apps<\/a> and can <a href=\"https:\/\/www.kaspersky.com\/blog\/arcane-stealer-instead-of-cheats-for-minecraft\/53178\/\" target=\"_blank\" rel=\"noopener nofollow\">steal all sorts of data<\/a>. Miners have long been distributed through <a href=\"https:\/\/www.kaspersky.com\/blog\/miner-disguised-as-circumvention-tools\/53118\/\" target=\"_blank\" rel=\"noopener nofollow\">links under popular YouTube videos<\/a> or <a href=\"https:\/\/www.kaspersky.com\/blog\/mario-forever-malware-too\/48547\/\" target=\"_blank\" rel=\"noopener nofollow\">video games<\/a>. 
Ransomware is capable of <a href=\"https:\/\/www.kaspersky.com\/blog\/ransowmare-attacks-in-2024\/52949\/\" target=\"_blank\" rel=\"noopener nofollow\">paralyzing an entire nation\u2019s healthcare insurance system<\/a>. Moreover, magic themes are certainly popular enough to become a potential target of cybercriminals. Here are some tips to make your digital life safer:\n<\/p>\n<ul>\n<li>\n<a href=\"https:\/\/www.kaspersky.com\/top3\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Trust proven security tech<\/strong><\/a><strong>. <\/strong>A tarot reading won\u2019t detect a virus or save your smartphone or laptop from one, but <a href=\"https:\/\/www.kaspersky.co.in\/premium?icid=in_bb2023-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a><strong>\u00a0<\/strong>will.<\/li>\n<li>\n<a href=\"https:\/\/www.kaspersky.com\/blog\/android-most-dangerous-features\/49418\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Check app permissions<\/strong><\/a><strong>.<\/strong> If a fortune-telling app requests access to your text messages, geolocation, or the file system, think twice \u2014 why does it need that? 
You\u2019re likely looking at <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/tracking\/\" target=\"_blank\" rel=\"noopener nofollow\">disguised spyware<\/a>, not some magical technology.<\/li>\n<li>\n<a href=\"https:\/\/www.kaspersky.com\/blog\/subscrab-custom-subscription-manager\/52516\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Pay close attention to your subscriptions<\/strong><\/a><strong>.<\/strong> Regularly check the subscriptions in your app store settings so you don\u2019t suddenly find out you\u2019ve been forking out for some <em>Secret Order of Fortune Tellers<\/em> every month.<\/li>\n<li>\n<a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/april-1\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Don\u2019t believe everything you read online<\/strong><\/a><strong>. <\/strong>Especially on April 1.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"premium-generic\">\n","protected":false},"excerpt":{"rendered":"<p>New malware targets magic enthusiasts \u2014 sending stolen data to an &#8220;astral cloud 
server&#8221;.<\/p>\n","protected":false},"author":2706,"featured_media":28727,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1855,2195],"tags":[2002,2047,2136,443,2812,527,698],"class_list":{"0":"post-28724","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-special-projects","9":"tag-april-1","10":"tag-cryptomalware","11":"tag-miners","12":"tag-ransomware","13":"tag-stealers","14":"tag-threats","15":"tag-trojans"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/tarot-and-cyber-threats\/28724\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/tarot-and-cyber-threats\/23963\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/tarot-and-cyber-threats\/28841\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/tarot-and-cyber-threats\/29555\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/tarot-and-cyber-threats\/53256\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/tarot-and-cyber-threats\/22683\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/tarot-and-cyber-threats\/23544\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/tarot-and-cyber-threats\/32040\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/tarot-and-cyber-threats\/34788\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/tarot-and-cyber-threats\/34421\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28724","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/ty
pes\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=28724"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28724\/revisions"}],"predecessor-version":[{"id":28729,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/28724\/revisions\/28729"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/28727"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=28724"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=28724"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=28724"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}