A new malware campaign is tricking traders into downloading a data-stealing tool by impersonating the popular financial platform TradingView.
Attackers set up a fake website promoting something called TradingClaw, which they describe as an AI-powered trading assistant.
Once a visitor downloads and runs what they believe is a helpful trading tool, they unknowingly install Needle Stealer, a piece of malware built to silently harvest sensitive information from the infected device.
TradingView is a widely used and trusted platform among retail traders, analysts, and investors for charting and market analysis.
That trust is precisely what the attackers are banking on. The fake site, operating at the domain tradingclaw[.]pro, closely mimics the appearance of a legitimate AI trading product and is entirely unrelated to the genuine startup tradingclaw[.]chat.
By wrapping a dangerous payload inside what looks like a legitimate tool, the attackers are exploiting both financial curiosity and the growing hype around AI-powered trading applications.
Researchers at Malwarebytes identified this campaign during routine threat hunting, linking it to a previously documented malware loader that was now being used to deliver a different and more capable payload.
The discovery revealed that the attackers had evolved their approach, reusing an existing infection framework while swapping in Needle Stealer as the final stage.
Malwarebytes announced the finding on X on April 22, 2026: "A fake TradingView AI agent site is delivering Needle Stealer malware via a fake trading agent called TradingClaw that can take over your browser, steal your accounts and financial data, and open the door to further attacks."
This kind of modular strategy makes the operation easier to scale and harder to attribute, since defenders may already recognize the loader but miss the new payload hiding behind it.
The threat is serious for anyone active in financial markets or crypto trading. Needle Stealer is built to pull browser cookies, saved passwords, login sessions, and cryptocurrency wallet credentials off infected machines.
It also installs malicious browser extensions that give attackers ongoing control over the victim’s browser long after the initial infection. The financial damage can be severe, as the malware is specifically designed to empty crypto wallets and intercept account activity across platforms.
The fake TradingClaw site also uses a filtering technique to avoid getting caught. When a search engine or security scanner visits the page, the site redirects to an unrelated and harmless website.
Only specific visitors, likely those fitting the profile of a real target, are shown the malicious content. This selective behavior helps the campaign stay active longer by staying below the radar of automated security tools.
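The redirect-on-scanner behaviour described above can be checked from the analyst side by requesting the same URL under several visitor profiles and comparing where each one ends up. The following is an added example for defenders and is not code from the article or from Malwarebytes; the User-Agent strings are constructed, and the live fetcher only runs when you call probe_cloaking() with a real URL yourself.

```python
"""Probe a URL with several visitor profiles and flag cloaking: the page sending
crawler or scanner User-Agents off to an unrelated site while a browser
User-Agent gets the real content on the original host.

Added example for defenders and analysts; not code from the article or from
Malwarebytes. The User-Agent strings are constructed, and the real fetcher only
runs when you pass a URL to probe_cloaking() yourself.
"""
import hashlib
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed visitor profiles: two automated agents and one ordinary browser.
PROFILES = {
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "scanner": "python-requests/2.31.0",
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/124.0 Safari/537.36",
}


@dataclass
class Response:
    final_url: str     # URL after following redirects
    status: int
    body_sha256: str   # hash of the body, so pages can be compared without storing them


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Response:
    """Live fetcher: urllib follows redirects, geturl() reports the final location."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return Response(resp.geturl(), resp.status, hashlib.sha256(body).hexdigest())


def same_host(a: str, b: str) -> bool:
    return (urlsplit(a).hostname or "").lower() == (urlsplit(b).hostname or "").lower()


def probe_cloaking(url: str, fetch=http_fetch) -> dict:
    """Fetch `url` once per profile and compare what each visitor was served.

    Verdict: cloaking is flagged when the browser profile stays on the original
    host with a 200 while at least one automated profile is redirected to a
    different host. Body differences alone are reported separately, since
    dynamic pages legitimately vary between requests.
    """
    results = {name: fetch(url, ua) for name, ua in PROFILES.items()}
    browser = results["browser"]
    browser_ok = browser.status == 200 and same_host(url, browser.final_url)
    redirected_offsite = [
        name for name, r in results.items()
        if name != "browser" and not same_host(url, r.final_url)
    ]
    content_differs = [
        name for name, r in results.items()
        if name != "browser" and same_host(url, r.final_url)
        and r.body_sha256 != browser.body_sha256
    ]
    return {
        "url": url,
        "cloaking": browser_ok and bool(redirected_offsite),
        "redirected_offsite": redirected_offsite,
        "content_differs": content_differs,
        "responses": results,
    }
```

Because the fetcher is injectable, the same verdict logic can be driven from saved sandbox or proxy captures rather than live requests, which avoids tipping off the operator that the site is being examined.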
How the Infection Works
Once a visitor on the fake TradingClaw site decides to proceed, they are prompted to download a ZIP file that contains the first stage of the infection chain.
This is where the attack gets technically sophisticated. The downloaded archive contains files set up for a technique known as DLL hijacking, where malware disguises itself as a legitimate library file that a trusted Windows program is expected to load automatically.
When that trusted program runs, it loads the fake library instead of the real one, and the malicious code executes without the user seeing anything unusual.
In this particular campaign, the trusted Windows process being abused is RegAsm.exe, a legitimate .NET component used for registering assemblies.
The first-stage executable runs, loads a second-stage DLL, and that DLL uses a technique called process hollowing to inject Needle Stealer directly into the RegAsm.exe process. By hiding inside a trusted system process, the malware makes it much harder for security tools to flag the activity as suspicious.
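The chain described above leaves a recognisable trail in endpoint telemetry: an executable in a user-writable folder loading an unsigned DLL from its own directory, RegAsm.exe being started by that untrusted parent, and RegAsm.exe then making network connections it has no business making. The following hunting logic over Sysmon-style events is an added example, not code from the article or from Malwarebytes; field names follow Sysmon, while every path, file name, timestamp and IP in the sample events is constructed and is not an indicator from the campaign, and the parent allow-list is an assumption to tune per environment.

```python
"""Hunt Sysmon-style events for the chain described above: a user-dropped
executable side-loading a DLL from its own directory, then RegAsm.exe being
started by that untrusted parent and making network connections.

Added example, not code from the article or from Malwarebytes. Field names
follow Sysmon (EventID, Image, ParentImage, ImageLoaded, Signed); every path,
file name, timestamp and IP in the sample events is constructed and is not an
indicator from the campaign. The parent allow-list is an assumption to tune
per environment.
"""
import json
import ntpath

# Directories a standard user can write to (lower-case fragments, backslash form).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\",
                 "\\desktop\\", "\\users\\public\\")
# Where a genuine RegAsm.exe is installed.
REGASM_HOMES = ("\\microsoft.net\\framework\\", "\\microsoft.net\\framework64\\")
# Parents that routinely invoke RegAsm during builds and installs (assumed allow-list).
EXPECTED_REGASM_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def in_user_writable(path: str) -> bool:
    return any(frag in path.lower() for frag in USER_WRITABLE)


def analyze(event: dict) -> list:
    """Return (rule, detail) findings for one event; empty list if benign."""
    findings = []
    eid = event.get("EventID")
    image = event.get("Image", "")

    if eid == 1 and _base(image) == "regasm.exe":          # process creation
        parent = event.get("ParentImage", "")
        if in_user_writable(parent) or _base(parent) not in EXPECTED_REGASM_PARENTS:
            findings.append(("regasm_untrusted_parent", f"{parent} -> {image}"))
        if not any(home in image.lower() for home in REGASM_HOMES):
            findings.append(("regasm_outside_framework_dir", image))

    elif eid == 7:                                         # image (DLL) load
        loaded = event.get("ImageLoaded", "")
        side_by_side = _dir(loaded) == _dir(image)
        unsigned = str(event.get("Signed", "false")).lower() != "true"
        if in_user_writable(image) and side_by_side and unsigned:
            findings.append(("dll_sideload_from_user_dir", f"{image} loaded {loaded}"))

    elif eid == 3 and _base(image) == "regasm.exe":        # network connection
        dest = f"{event.get('DestinationIp')}:{event.get('DestinationPort')}"
        findings.append(("regasm_network_connection", dest))

    return findings


def hunt(jsonl: str) -> list:
    """Run analyze() over newline-delimited JSON events; returns (time, rule, detail)."""
    out = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, detail in analyze(event):
            out.append((event.get("UtcTime"), rule, detail))
    return out


# Constructed sample telemetry: four events from a hypothetical infection, two benign.
_DL = "C:\\Users\\alice\\Downloads\\TradingClaw"
_REGASM = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\RegAsm.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "UtcTime": "2026-04-22 10:00:01", "Image": _DL + "\\TradingClaw.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "UtcTime": "2026-04-22 10:00:02", "Image": _DL + "\\TradingClaw.exe",
     "ImageLoaded": _DL + "\\helper.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2026-04-22 10:00:03", "Image": _REGASM,
     "ParentImage": _DL + "\\TradingClaw.exe"},
    {"EventID": 3, "UtcTime": "2026-04-22 10:00:05", "Image": _REGASM,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "UtcTime": "2026-04-22 11:15:00", "Image": _REGASM,
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\MSBuild.exe"},
    {"EventID": 7, "UtcTime": "2026-04-22 11:15:01", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
])

if __name__ == "__main__":
    for when, rule, detail in hunt(SAMPLE_EVENTS):
        print(when, rule, detail)
```

Three of the six constructed events trip a rule, in order: the side-loaded DLL, RegAsm.exe with a parent in the Downloads folder, and RegAsm.exe connecting out. The build-server launch and the signed system DLL load stay quiet, which is the point of checking parent, location and signature together rather than alerting on RegAsm.exe alone.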
Needle Stealer itself is written in Golang and built in a modular structure, meaning different components can be switched on or off depending on what the attacker wants to target.
Its core module can capture screenshots, steal browser data, extract data from apps like Telegram and FTP clients, and collect text files and wallet data.
[Figure: the Needle Stealer ‘ext’ package (source: X)]
A separate extension module installs a malicious browser add-on that connects to a remote server, tracks the infected user with a unique ID, intercepts web traffic, and can even replace legitimate file downloads with malicious ones.
A desktop wallet spoofer targets applications like Ledger and Exodus, while a browser wallet spoofer goes after MetaMask and Coinbase, including attempts to steal seed phrases.
Users who trade online or manage crypto holdings should avoid downloading tools from unofficial sources, regardless of how convincing the website looks.
Always verify software through official developer channels, keep endpoint security tools updated, and be cautious of any platform claiming AI-enhanced trading capabilities without a verifiable track record.
The post Fake TradingView AI Agent Site is Delivering Needle Stealer Malware via Fake TradingClaw appeared first on Cyber Security News.