Tarot and cyberthreats: a new Trojan for fans of the supernatural

New malware targets magic enthusiasts — sending stolen data to an “astral cloud server”.

Trojan.Arcanum — a new trojan targeting tarot experts, esotericists, and magicians

Imagine what the world would be like if tarot cards could accurately predict any and every event. Perhaps we could have nipped Operation Triangulation in the bud, and zero-day vulnerabilities wouldn’t exist at all, as software developers would receive alerts in advance thanks to tarot readings.

Sounds incredible? Well, our experts actually looked into similar methods in their latest discovery! Read on to learn about the new Trojan we found and how we did it.

The tarot trojan

The new Trojan — Trojan.Arcanum — is distributed through websites dedicated to fortune-telling and esoteric practices, disguised as a “magic” app for predicting the future. At first glance, it looks like a harmless program offering users the chance to lay out virtual tarot cards, calculate astrological compatibility, or even “charge an amulet with the energy of the universe” (whatever that means). But in reality, something truly mystical is unfolding behind the scenes — in the worst possible way.

Once installed on the user’s device, Trojan.Arcanum connects to a cloud C2 server and deploys its payload — the Autolycus.Hermes stealer, the Karma.Miner miner, and the Lysander.Scytale crypto-malware. Having collected user data (logins; passwords; time, date and place of birth; banking information; etc.), the stealer sends it to the cloud. Then the real drama begins: the Trojan starts manipulating its victim in real life using social engineering!

Through pop-up notifications, Trojan.Arcanum sends pseudo-esoteric advice to the user, prompting them to take certain actions. For example, if the Trojan gains access to the victim’s banking apps and discovers significant funds in the account, the attackers send a command to give the victim a false prediction about the favorability of large investments. After this, the victim might receive a phishing email offering to participate in a “promising startup”. Or maybe they won’t — depending on how the cards fall.

In the meantime, the embedded Karma.Miner begins mining KARMA tokens, and the Trojan activates a paid subscription to dubious “esoteric practices” with monthly charges. If the user detects and terminates the KARMA mining, the crypto-malware randomly shuffles segments of the user’s files without any chance of recovery.

How we discovered Trojan.Arcanum

Typically, we hunt for cyberthreats using complex algorithms and data analysis. But what if the threat is too enigmatic? In such cases, trusting a tarot reading is the best approach. That’s exactly what our experts did. When performing divination on the signature of an unknown virus detected through KSN (Kaspersky Sacral Network), several Major Arcana cards appeared — some of them reversed:

  1. The Emperor — A symbol of power, control, and strategic foresight. Meaning: the threat is serious.
  2. The Magician — Able to spot vulnerabilities where no one else does. Clever, proactive, and decisive, the Magician skillfully manipulates people. In reverse, it warns of a loss of control. Meaning: the attackers use social engineering.
  3. The Horse — Represents a bold, decisive, adventurous individual; a symbol of activity, change… and Trojan horses. Reversed, the card indicates errors due to impulsive actions. Meaning: the threat might disguise itself as a randomly downloaded harmless app.
  4. The Wheel — Warns that insurmountable circumstances are beyond the user’s control, and that a favorable resolution will be delayed. Usually indicates a miner or financial scam.
  5. The Tower — Foretells a phase of change initiated not by the person but by fate — falling upon the person with relentless force. A strong predictor of a zero-click vulnerability.
  6. Death — Represents transformation, a change of cycles, an ending, a transition to a new level. Indicates the presence of crypto-malware.

How the reading looked on the expert’s table

How to protect yourself from Arcanum

Protecting yourself from such a virus is nearly impossible — if only because it doesn’t exist. This whole story is a fabrication from start to finish. But what’s stopping it from becoming a reality at any given moment? Trojans and other types of malware do often disguise themselves as legitimate apps and can steal all sorts of data. Miners have long been distributed through links under popular YouTube videos or video games. Ransomware is capable of paralyzing an entire nation’s healthcare insurance system. Moreover, magic themes are certainly popular enough to become a potential target of cybercriminals. Here are some tips to make your digital life safer:

Tips