![\"Fake](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/11\/21212331\/syncro-remote-admin-tool-on-AI-generated-fake-websites-1.png\")
<\/a>Looking through Google search results, you can sometimes catch a bunch of Pok\u00e9mon fake sites masquerading as legitimate ones. In this case, we\u2019re looking at Polymarket clones.<\/p><\/div>\n
Second, they employ malicious email campaigns as an alternative. In this scenario, the attack kicks off with the user receiving an email that contains a link to a fake website. The content might look something like this:<\/p>\n
Some of the malicious pages we discovered in this campaign masquerade as the websites of antivirus or password management applications. Their content is clearly designed to scare the user with fake warnings about some kind of security issue.<\/p>\n A fake Avira website warns of a vulnerability and advises downloading its \u201cupdate\u201d<\/p><\/div>\n So, the attackers are also leveraging a well-known tactic known as scareware<\/a>: foisting an unsafe application on users under the guise of protection against an imaginary threat.<\/p>\n A fake Dashlane page warns of a \u201chigh-severity encryption-metadata exposure affecting cloud relay synchronization\u201d \u2014 whatever that\u2019s supposed to mean. And of course, you can\u2019t fix it unless you download something<\/p><\/div>\n Despite differences in content, the fake websites involved in this malicious campaign share several common features. For starters, most of their addresses are constructed according to the formula {popular app name} + desktop.com<\/em>\u00a0\u2014 an URL that closely matches an obviously common search query.<\/p>\n Besides, the fake pages themselves look quite professional. Interestingly, the appearance of the fake sites doesn\u2019t exactly replicate the design of the originals\u00a0\u2014 these aren\u2019t direct clones. Rather, they\u2019re very convincing variations on a theme. As an example, we can look at some fake versions of the Lace crypto wallet page. One of them looks like this:<\/p>\n The first variant of the fake Lace website<\/p><\/div>\n Another looks like this:<\/p>\n The second variant of the fake Lace website<\/p><\/div>\n These fakes look a lot like the original Lace website, but they still differ from it in many obvious ways:<\/p>\n The fake versions are similar in some ways to the genuine Lace website, while dissimilar in others. Source<\/a><\/p><\/div>\n It turns out the attackers have weaponized an AI-powered web builder to create fake pages. Because the attackers cut corners and inadvertently left a few tell-tale artifacts, we managed to identify the exact service they are leveraging: Lovable.<\/p>\n Using an AI tool allowed them to significantly reduce the time required to create a fake site \u2014 and churn out forgeries on an industrial scale.<\/p>\n Another common feature of the fake sites involved in this campaign is that they all distribute the exact same payload. The malicious actor neither created their own Trojan nor bought one off the black market. Instead, they are using their own build of a perfectly legitimate remote access tool, Syncro.<\/p>\n The original app facilitates centralized monitoring and remote access for corporate IT support teams and managed service providers (MSPs). Syncro services are relatively inexpensive, starting at $129 per month with an unlimited number of managed devices.<\/p>\n Fake Yoroi crypto wallet site<\/p><\/div>\n At the same time, the tool possesses serious capabilities: in addition to screen sharing, the service also provides remote command execution, file transfer, log analysis, registry editing, and other background actions. However, Syncro\u2019s main appeal is a simplified installation and connection process. The user\u00a0\u2014 or, in this case, the victim\u00a0\u2014 only has to download and run the installation file.<\/p>\n From that point, the installation runs completely in the background, secretly loading a malicious Syncro build onto the computer. Because this build has the attacker\u2019s CUSTOMER_ID hardcoded, they instantly gain full control over the victim\u2019s machine.<\/p>\n The Syncro installer window flashes on the screen for mere seconds, and only a keen-eyed user might notice that the wrong software is being set up.<\/p><\/div>\n Once Syncro is installed on the victim\u2019s device, the attackers gain full access and can use it to achieve their objectives. Given the context, these appear to be stealing crypto wallet keys from victims and siphoning off funds to the attackers\u2019 own accounts.<\/p>\n Another fake site, this time for the Liqwid DeFi protocol. Although Liqwid offers only a web application, the fake site allows users to download versions for Windows, macOS, and even Linux<\/p><\/div>\n This malicious campaign poses a heightened threat to users for two main reasons. First, the fake sites crafted with the AI service look quite professional, and their URLs aren\u2019t overly suspicious. Of course, both the design of the fake pages and the domains used differ noticeably from the real ones, but this only becomes apparent in direct comparison. At a glance, however, it\u2019s easy to mistake the fake for the original.<\/p>\n Second, the attackers are using a legitimate remote access tool to infect users. This means that detecting the infection can be difficult.<\/p>\n Our security solution<\/a> has a special verdict, Not-a-virus<\/a>, for cases like this. This verdict is assigned, among other things, when various remote access tools \u2014 including the legitimate Syncro \u2014 are detected on the device. As for Syncro builds used for malicious purposes, our security solution<\/a> detects them as HEUR:Backdoor.OLE2.RA-Based.gen<\/em>.<\/p>\n It\u2019s important to remember that an antivirus won\u2019t block all legitimate remote administration tools by default to avoid interfering with intentional usage. Therefore, we recommend that you pay close attention to notifications from your security solution. If you see a warning that Not-a-virus<\/strong> software has been detected on your device, take it seriously and, at the very least, check which application triggered it.<\/p>\n If you have Kaspersky Premium<\/a> installed, use the Remote Access Detection feature<\/a>, and, if necessary, the app removal option, that come with your premium subscription. This feature detects around 30 of the most popular legitimate remote access applications, and if you know you didn\u2019t install any of them yourself, that\u2019s cause for concern.<\/p>\nDear $DOP holders,
\nThe migration window from DOP-v1 to DOP-v2 has officially closed, with over 8B+ tokens successfully migrated.
\nWe're excited to announce that the DOP-v2 Claim Portal is now OPEN!
\nAll $DOP holders can now visit the portal to securely claim their tokens and step into the next phase of the ecosystem.
\nClaim Your DOP-v2 Tokens Now\u00a0https:\/\/migrate-dop[dot]org\/
\nWelcome to DOP-v2\u00a0\u2014 a stronger, smarter, and more rewarding chapter begins today.
\nThank you for being part of this journey.
\nThe DOP Team<\/code><\/p>\n<\/a><\/a>Fake websites built with Lovable<\/h2>\n
<\/a><\/a><\/a>Syncro remote administration tool<\/h2>\n
<\/a><\/a><\/a>How to protect yourself against these attacks<\/h2>\n