Undetectable ‘Nepse AI’ Malware Steals Millions from Nepali Stock Investors
Bhadra 1, 2082, 15:14
Kathmandu: Mahendra Sharma (name changed), a 29-year-old stock trader from the capital, lost more than six hundred thousand rupees in an instant after clicking on an attractive Facebook advertisement. A regular in the stock market, he was lured by the ad promising that “with the help of AI, you can trade automatically by getting all the information of NEPSE.”
“Nowadays it is the time of AI, everything will be automated, so I got tempted and sent a message to learn more,” Mahendra recalled. Immediately after, he received a link asking him to install a file. Believing the promise that “AI will do all the trading,” he downloaded the file with the “.msi” extension onto his computer. While installing, he granted all permissions requested by the app, assuming it was a normal process. That was his mistake.
As soon as he installed and opened the app, a message appeared on his screen saying “Windows Update in progress.” “I didn’t pay much attention because my computer often updates itself,” he said. “But I was surprised that the update appeared suddenly, without the usual prior notice. Still, I ignored it.”
While waiting for the update to finish and the new app to run, he suddenly began receiving notifications on his phone. Large sums of money were being withdrawn from his bank account. Within minutes, more than six lakh rupees disappeared. Soon after, his computer returned to normal but the “Nepse AI” app had vanished. Realizing he had been cheated, he rushed to the police’s Cyber Bureau and filed a complaint.
Although this incident happened about a month ago, the dangerous nature of this malware came to light only recently. Following the discovery, the Central Bureau of Investigation (CIB) issued a statement on Tuesday warning the public against installing unknown or unnecessary apps. According to CIB, another victim lost more than 28 lakh rupees in a similar scam.
The Cyber Bureau confirmed that 15 victims have already filed complaints this fiscal year alone, claiming losses from the same app. Victims are also reaching out to the Kathmandu Valley Crime Investigation Office.
What is ‘Nepse AI’ malware and how does it steal money?
Before this incident surfaced, TechPana, in collaboration with cybersecurity researchers, had already begun investigating this malware. Here is what the investigation revealed.
The fraud starts with attractive online ads. Promotions for a software called “Nepse Meet AI” are boosted on platforms like Facebook and YouTube. The ads promise benefits such as “AI-powered stock trading,” “automating short-term and long-term trades,” and “earning profits without much research.”
Drawn in by such claims, users visit a website called nepsemeetai.com and download the software. However, what they install is not an AI trading tool; it is a trap that gives hackers complete control over their computer.
Phase 1: Technical Analysis
The attackers used the domain nepsemeetai.com, registered through Namecheap, a service often used to hide the registrant’s identity. The domain was created only on June 28, 2025, about a month and a half ago.
When examining the metadata of the downloaded file nepsemeetai.msi, researchers found that its author was listed as “ScreenConnect Software”, not “Nepse Meet AI.” ScreenConnect is a legitimate remote desktop software, similar to AnyDesk or TeamViewer. Shockingly, the malware carried the alias of this legitimate company.
Our investigation team was shocked to see the author name of a legitimate company appear in the malware file created for fraud. In such cases, it is very rare for hackers to use the name of an authentic company. The discovery made the process of tracing its network even more interesting.
This revealed that the hacker was distributing legitimate software under the name “Nepse Meet AI.” “This method is extremely clever,” said one of our researchers involved in the case. “Because ScreenConnect is official, digitally signed software, Windows Defender and other antivirus programs do not recognize it as malware and allow it to be installed easily.”
At the critical stage of the investigation, it became clear that the NepseMeetAI.msi file was a Windows Installer Package linked to nepsemeetai.com. A Windows Installer Package is essentially a database containing all the necessary files and instructions to install, manage, and uninstall software. In this case, it was being exploited to silently hand over control of the victim’s computer to hackers.
After installing the file, the research team uploaded both the domain and the desktop application to VirusTotal, a platform used to detect whether links or files contain malware. The tool flags suspicious items after users or antivirus companies report them. But in this case, both the app and website appeared safe. “It was only operated in Nepal and not widely used. When we checked, the site appeared clean and safe,” the research team said.
However, the app was flagged as dangerous by Tencent and Julia. Since even legitimate software is sometimes mistakenly flagged, this alert was initially not taken seriously.
Metadata Check
The researchers then examined the file’s metadata. They discovered the author was listed as “Screen Connect Software.” In other words, the Windows Installer Package of “Nepse Meet AI” was created using ScreenConnect’s platform. Normally, hackers use pseudonyms, but here the name of a legitimate company appeared.
To confirm, the team compared the MD5 hash value of nepsemeetai.msi with that of the official ScreenConnect client. Using the md5sum utility, they found the two files matched, indicating the attacker had repackaged the legitimate software.
Dynamic Analysis
After a basic static analysis, the team ran the file in a sandbox environment with Windows 10 to observe its behavior. Even in the sandbox, the app displayed suspicious activity.
Monitoring the network traffic with Wireshark, they found the app was communicating with a domain called admin.nepfinance.space. This appeared to be the attacker’s command-and-control server, giving them remote access to the victim’s computer. The site seemed to be either copied from or built using ScreenConnect’s own features. Although nepsemeetai.com is now offline, the command center at admin.nepfinance.space remains active, putting users who already installed the malware at continued risk.
“Only the website distributing the malware has been shut down,” a researcher explained. “The real platform that controls victim devices is still online. Once installed, the attacker can run everything even if the computer is turned off or rebooted.”
This means all information on the victim’s computer or phone including saved passwords remains in the attacker’s hands. While initial cases involve money theft, there is also a strong risk of social media accounts being hacked.
So far, three different foreign domains have been linked to the malware. Once exposed, the attacker shifts to new ones.
How the Hacker Operates
Once installed, the attacker gains full access to the victim’s computer. To hide activity, the malware displays a fake Windows Update screen, giving users the illusion of a normal update. Meanwhile, the attacker logs in to admin.nepfinance.space, gaining unrestricted control of the system.
The most exploited weakness has been Connect IPS. The platform allows OTPs (One-Time Passwords) for transaction verification to be sent not only to a mobile number but also to email. With full access, the attacker opens the victim’s email in the browser, intercepts the OTP, and transfers money while the victim never receives the OTP on their phone.
Since ScreenConnect can also run on smartphones, researchers believe the attacker likely gained access to victims’ phones in the same way.
Digital Footprints
During the investigation, researchers found a YouTube video showing how to install the software. The browser location of the uploader pointed to Mumbai, India. A victim had commented on the same video, saying: “After installing this software, the mouse would move on its own and the computer would auto-restart.”
“ScreenConnect is a reliable company. But here, the hacker abused its full-access feature,” the researcher said. “By using ScreenConnect’s authorship, the malware tricked even antivirus programs. Windows Defender didn’t detect it either.”
In this way, the attacker tricked security systems on computers and phones, gaining access to users’ devices and stealing money.
During the investigation carried out with open-source intelligence methods, some serious clues were found. “If you search for this on Google and Facebook, you will find a lot of information,” said a member of the investigation team. “That is why it is possible to identify who created and spread it. We have also found some signs.”
According to the team, the person behind the malware is not technically sophisticated. Their conclusion is that the attacker likely created it by following a simple tutorial available online.
For those who have already installed the software, researchers advise using an uninstaller such as Geek Uninstaller to remove it. Through this tool, users must go to Services in Windows, disable the ScreenConnect Client service, and then delete hidden files linked to the program.
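To turn the indicators named above into a defensive check, here is an added example that is not part of TechPana's or the researchers' investigation: it scans a constructed DNS log for lookups of the lure site nepsemeetai.com and of the nepfinance.space zone that hosts the command center, and picks ScreenConnect client services out of a list of Windows service names for the removal step. The log line format, the "(instance id)" suffix on the service name and all sample data are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Indicators quoted in the article: the lure/download site and the C2 host's zone.
LURE_ZONES = {"nepsemeetai.com"}
C2_ZONES = {"nepfinance.space"}  # article names admin.nepfinance.space; flag the whole zone

# Service the article tells victims to disable. The "(instance id)" suffix is an
# assumption about how the ScreenConnect client names its Windows service.
SERVICE_RE = re.compile(r"^ScreenConnect Client(\s*\([^)]+\))?$", re.IGNORECASE)

# Constructed log format: "<timestamp> <client-ip> query <qname>" (not a real product format).
DNS_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")

def match_zone(host: str, zones) -> Optional[str]:
    """Return the zone that host equals or sits under, else None.
    Requires a dot boundary so 'notnepfinance.space' does not match."""
    host = host.rstrip(".").lower()
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None

def scan_dns_log(lines) -> List[Tuple[str, str, str]]:
    """Return (client, qname, label) for lookups of the lure site or the C2 zone."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.match(line)
        if not m:
            continue
        qname = m["qname"]
        if match_zone(qname, C2_ZONES):
            hits.append((m["client"], qname, "c2"))    # installed client calling home
        elif match_zone(qname, LURE_ZONES):
            hits.append((m["client"], qname, "lure"))  # someone reached the download site
    return hits

def suspicious_services(service_names) -> List[str]:
    """Pick ScreenConnect client services out of a list of Windows service names."""
    return [n for n in service_names if SERVICE_RE.match(n.strip())]

# Constructed sample data for a stand-alone run.
SAMPLE_DNS_LOG = [
    "2025-08-10T10:01:02Z 10.0.0.12 query admin.nepfinance.space",
    "2025-08-10T10:01:05Z 10.0.0.12 query www.google.com",
    "2025-08-10T10:02:11Z 10.0.0.33 query nepsemeetai.com",
    "2025-08-10T10:02:12Z 10.0.0.33 query notnepfinance.space",  # must not match
]
SAMPLE_SERVICES = ["Dnscache", "ScreenConnect Client (a1b2c3d4e5f6)", "Spooler"]
```

A machine that resolves the C2 zone after nepsemeetai.com went offline is one that still has the client installed, which is the case the researchers warn about.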
What do the police say?
CIB spokesperson Superintendent of Police Yubaraj Khadka said fraudsters exploited people’s psychology toward the stock market. “Nowadays, from tea shops to public transport, we hear people talking about shares everywhere,” Khadka said. “Fraudsters understood this psychology and targeted those who invest in stocks. They spread the illusion that people can instantly become rich by analyzing shares through apps like ‘Nepse AI.’”
Khadka described this method of fraud as more dangerous and planned than other online scams. “After clicking on the fraudsters’ link, a ‘downloading’ appears on the mobile, and during that time, they do all the work,” he explained. “They not only steal money from the victim’s bank account but also wipe out important data and evidence, including photos and Google accounts stored on the phone.”
He warned that this kind of fraud could escalate to an extremely large scale. “If we are not careful, losses could reach billions of rupees. Stock market investors generally have more money, and fraudsters are targeting this group to maximize their profit,” he added.
Khadka urged the public to remain vigilant against such ‘digital ambushes.’ “This is a form of digital ambush, where you are lured into a trap by being shown exactly what you want,” he said. “You should never trust links or applications sent by strangers that promise instant wealth. If we stay one step ahead of the fraudsters, we can easily avoid falling victim to such crimes.”
Last updated: Bhadra 1, 2082, 15:14
