Lazarus hits cryptocurrency exchange with fake installer and macOS malware

Kaspersky Lab has been assisting with incident response efforts. While investigating a cryptocurrency exchange attacked by Lazarus, we made an unexpected discovery. The victim had been infected with the help of a trojanized cryptocurrency trading application, which had been recommended to the company over email. It turned out that an unsuspecting employee of the company had willingly downloaded a third-party application from a legitimate looking website and their computer had been infected with malware known as Fallchill, an old tool that Lazarus has recently switched back to. There have been multiple reports on the reappearance of Fallchill, including one from US-CERT.

To ensure that the OS platform was not an obstacle to infecting targets, it seems the attackers went the extra mile and developed malware for other platforms, including for macOS. A version for Linux is apparently coming soon, according to the website. It’s probably the first time we see this APT group using malware for macOS.

The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.

Trojanized cryptocurrency trading application

Thanks to Kaspersky Lab’s malicious-behavior detection technology, implemented in its endpoint security software, we were able to reassemble the stages of infection and trace them back to their origin. This helped us understand that one of Lazarus’ victims was infected with malware after installing a cryptocurrency trading program. We also confirmed that the user installed this program via a download link delivered over email.

Trojanized trading application for Windows

Including malicious code into distributed software and putting that on a website would be too obvious. Instead, the attackers went for a more elaborate scheme: the trojan code was pushed out in the form of an update for a trading application.

A legitimate-looking application called Celas Trade Pro from Celas Limited showed no signs of malicious behaviour and looked genuine. This application is an all-in-one style cryptocurrency trading program developed by Celas.

Screenshot of Celas Trade Pro

When we started this research, any user could download the trading application from the Celas website. Checking the installation package downloaded from the website confirmed the presence of a very suspicious updater.

Installation package download page

We have analyzed the following Windows version of the installation package:

MD5: 9e740241ca2acdc79f30ad2c3f50990a
File name: celastradepro_win_installer_1.00.00.msi
File type: MSI installer
Creation time: 2018-06-29 01:16:00 UTC

At the end of the installation process, the installer immediately runs the Updater.exe module with the “CheckUpdate” parameter. This file looks like a regular tool and most likely will not arouse the suspicion of system administrators. After all, it even contains a valid digital signature, which belongs to the same vendor. But the devil is in the detail, as usual.

The code writer developed this project under the codename “jeus”, which was discovered in a PDB path included in the updater and is also used as a unique HTTP multipart message data separator string. Because of this, and the fact that the attacked platforms include Apple macOS, we decided to call this Operation AppleJeus.

Properties of the shady updater tool included in the package are:

MD5: b054a7382adf6b774b15f52d971f3799
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Known file name: %Program Files%\CelasTradePro\Updater.exe
Link Time: 2018-06-15 10:56:27 UTC
Build path: Z:\jeus\downloader\downloader_exe_vs2010\Release\dloader.pdb

The main purpose of Updater.exe is to collect the victim’s host information and send it back to the server. Upon launch, the malware creates a unique string with the format string template “%09d-%05d” based on random values, which is used as a unique identifier of the infected host. This malware collects process lists, excluding “[System Process]” and “System” processes and gets the exact OS version from the registry value at “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion”. It seems that such values only exist from Windows 10, so we assume that the author developed and tested it on Windows 10.

  • ProductName: Windows OS version
  • CurrentBuildNumber: Windows 10 build version
  • ReleaseID: Windows 10 version information
  • UBR: Sub version of Windows 10 build
  • BuildBranch: Windows 10 build branch information

The code encrypts the collected information with the hardcoded XOR key (“Moz&Wie;#t/6T!2y”) before uploading it to the server.

Data encryption routine

The code sends the victim’s information to a webserver using HTTP and the following URL:
www.celasllc[.]com/checkupdate.php

The server is a legitimate looking website owned by the developer of the program: Celas LLC. At this point we were not able to conclude with high confidence whether the server was compromised by the threat actor or had belonged to the threat actor from the beginning. To learn more about the server, please read the “Infrastructure” section below.

The malware used a hardcoded User-Agent string “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)” and a fixed multipart form data separator string “jeus”.

Using encryption, the custom separator string wouldn’t be a red flag for a legitimate application, but sending a request with the context-irrelevant string “get_config”, as well as uploading collected system information as “temp.gif”, mimicking a GIF image with a magic number in the header, definitely made us raise our eyebrows.

Communication with the C2 server

After successfully uploading data, the updater checks the server response. If the server responds with HTTP code 300, it means the updater should keep quiet and take no action. However, if the response is HTTP code 200, it extracts the payload with base64 and decrypts it using RC4 with another hardcoded key (“W29ab@ad%Df324V$Yd”). The decrypted data is an executable file that is prepended with the “MAX_PATHjeusD” string.

During our research, we found other similar files. One was created on August 3rd and another on August 11th. The PDB path shows that the author keeps improving this updater tool, apparently forked from some stable version released on July 2, 2018 according to the internal directory name.

| | Additional trojanized sample #1 | Additional trojanized sample #2 |
|---|---|---|
| Installation package MD5 | 4126e1f34cf282c354e17587bb6e8da3 | 0bdb652bbe15942e866083f29fb6dd62 |
| Package creation date | 2018-08-03 09:57:29 | 2018-08-13 0:12:10 |
| Dropped updater MD5 | ffae703a1e327380d85880b9037a0aeb | bbbcf6da5a4c352e8846bf91c3358d5c |
| Updater creation date | 2018-08-03 09:50:08 | 2018-08-11 7:28:08 |
| Updater build path | H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000009\Release\dloader.pdb | H:\DEV\TManager\DLoader\20180702\dloader\WorkingDir\Output\00000006\Release\dloader.pdb |

Note the TManager directory in the PDB path from the table. It will pop up again in another unexpected place later.

Trojanized trading program for macOS

For macOS users, Celas LLC also provided a native version of its trading app. A hidden “autoupdater” module is installed in the background to start immediately after installation, and after each system reboot. It keeps contacting the command and control (C2) server in order to download and run an additional executable from the server. The communication conforms to the Windows version of the updater and is disguised as an image file upload and download, while carrying encrypted data inside.

We have analyzed the following installation file:

MD5: 48ded52752de9f9b73c6bf9ae81cb429
File Size: 15,020,544 bytes
File Type: DMG disk image
Known file name: celastradepro_mac_installer_1.00.00.dmg
Date of creation: 13 July 2018

Once the Celas Trade Pro app is installed on macOS, it starts the Updater application on system load via a file named “.com.celastradepro.plist” (note that it starts with a dot symbol, which makes it unlisted in the Finder app or default Terminal directory listing). The “Updater” file is passed the “CheckUpdate” parameter on start.

Celas Trade Pro app plist file (Apple Property List)

The command-line argument “CheckUpdate” looks redundant from a code analysis perspective: there is no other argument that the application expects. In the absence of all arguments, it doesn’t do anything and quits. This may or may not be a way to trick sandboxes that could automatically execute this trojan updater, with no suspicious activity produced without such a “secret” extra argument. The choice of a benign string such as “CheckUpdate” helps it to hide in plain sight of any user or administrator looking into running processes.

The trojanized updater works similarly to the Windows version in many ways. Both applications are implemented using the cross-platform Qt framework. Upon launch, the downloader creates a unique identifier for the infected host using a “%09d-%06d” format string template. Next, the app collects basic system information, which for macOS is done via dedicated Qt classes:

  • Host name
  • OS type and version
  • System architecture
  • OS kernel type and version

The process of encrypting and transferring data is the same as in the Windows version. This information is XOR-encrypted with the hardcoded 16-byte static key “Moz&Wie;#t/6T!2y”, prepended with a GIF89a header and uploaded to the C2 server via HTTP POST and the following URL:

https://www.celasllc[.]com/checkupdate.php

POST request template strings

The module relies on a hardcoded User-Agent string for macOS:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Once the server replies, it checks the HTTP response code. HTTP response code 300 indicates that the server has no task for the updater and the application terminates immediately. If the HTTP response is code 200, then the updater gets the data in the response, decodes it from base64 encoding and decrypts it using RC4 with the hardcoded static key “W29ab@ad%Df324V$Yd”. It calculates the MD5 of the decoded and decrypted data, which is compared to a value stored inside, to verify the integrity of the transferred file. After that, the payload is extracted and saved to a hardcoded file location “/var/zdiffsec”; the updater then sets executable permissions for all users and starts the app with another secret hardcoded command-line argument “bf6a0c760cc642”. Apparently the command-line argument is the way to prevent the detection of its malicious functionality via sandboxes or even reverse engineering. We have previously seen this technique adopted by Lazarus group in 2016 in attacks against banks. As of 2018, it is still using this in almost every attack we investigated.
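The exchange described for the Windows and the macOS updater can be decoded from captured traffic with the two keys quoted above. The following Python is an added example, not code from the report: it assumes the disguise header is exactly the six bytes GIF89a, that the XOR key repeats from the first byte after it, and that the “MAX_PATHjeusD” marker sits at offset 0 of the decrypted response. The sample traffic is constructed.

```python
"""Analyst-side decoder for the updater's C2 exchange (added example)."""
import base64

# Values quoted in the report.
XOR_KEY = b"Moz&Wie;#t/6T!2y"        # 16-byte key for uploaded host information
RC4_KEY = b"W29ab@ad%Df324V$Yd"      # key for the payload in an HTTP 200 reply
PAYLOAD_MARKER = b"MAX_PATHjeusD"    # string the report says precedes the executable

# Assumption: the disguise header is exactly the 6-byte GIF magic.
GIF_MAGIC = b"GIF89a"


def xor_repeat(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); symmetric, so it also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_upload(part_body: bytes) -> bytes:
    """Recover the host information from a captured "temp.gif" upload part."""
    if not part_body.startswith(GIF_MAGIC):
        raise ValueError("upload part does not start with the GIF89a magic")
    return xor_repeat(part_body[len(GIF_MAGIC):])


def decode_response(status: int, body: bytes) -> dict:
    """Classify a captured server reply and decrypt the payload if present."""
    empty = {"payload": None, "marker": False}
    if status == 300:                      # server has no task for this host
        return {"verdict": "no-task", **empty}
    if status != 200:
        return {"verdict": "unexpected-status", **empty}
    try:
        # Drop line breaks a proxy or capture tool may have inserted.
        blob = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return {"verdict": "not-base64", **empty}
    plain = rc4(RC4_KEY, blob)
    marker = plain.startswith(PAYLOAD_MARKER)
    verdict = "payload" if marker else "marker-missing"
    return {"verdict": verdict, "payload": plain, "marker": marker}


def build_constructed_samples():
    """Constructed traffic for the demo; the field layout is invented."""
    host_info = b"000012345-00042|ProductName=Windows 10 Pro|UBR=112"
    upload = GIF_MAGIC + xor_repeat(host_info)
    payload = PAYLOAD_MARKER + b"MZ constructed stand-in, not an executable"
    reply = base64.b64encode(rc4(RC4_KEY, payload))
    return host_info, upload, payload, reply


if __name__ == "__main__":
    host_info, upload, payload, reply = build_constructed_samples()
    print("upload on the wire :", upload[:24].hex(), "...")
    print("decoded host info  :", decode_upload(upload).decode())
    print("HTTP 300           :", decode_response(300, b"")["verdict"])
    print("HTTP 200           :", decode_response(200, reply)["verdict"])
```

A “marker-missing” verdict on real traffic means one of the labelled assumptions does not hold for that sample, so the decrypted bytes are still returned for manual inspection.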

Downloaded payload

According to data from Kaspersky Security Network, the threat actor delivered the malicious payload using one of the shadowy updaters described above. We found a malicious file created at the same host:

MD5: 0a15a33844c9df11f12a4889ae7b7e4b
File Size: 104,898,560 bytes
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Known file name: C:\Recovery\msn.exe
Link time: 2018-04-19 13:30:19

Note the unusually large size for an executable file. We believe that it was inflated with junk data on purpose to prevent easy download or transfer over the internet.

Searching for the reason for the malware’s appearance on the system revealed that there was an additional process responsible for producing several files before this malware was launched, suggesting a trojan dropper in action. The main function of this malware is to implant the Fallchill backdoor loader linked to several files. Upon launch, the malware checks one of the command-line arguments passed to it. The malware chooses one of the service names located in the following registry value as a disguise:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

This value includes a list of several dozen standard system service names.

The randomly chosen service name is used to name the dropped file and newly registered Windows service. Let’s refer to this randomly chosen service name as [service]. The malware contains references to several files inside:

  • The file passed as argument: contains a 16-byte key
  • msncf.dat: Encrypted configuration data
  • msndll.tmp: Encrypted Fallchill loader
  • msndll.dat: Encrypted Fallchill backdoor (payload for the loader)
  • [service]svc.dll: Fallchill backdoor loader
  • [service].dat: Copy of msndll.dat

A mix of the above-mentioned files produces the final backdoor known as Fallchill. A more detailed procedure for technical specialists is as follows:

  1. Check whether the command-line argument points to a file of 16 byte size.
  2. Read the file passed via the command-line argument. The contents of this file contain a crypto key, which we will call the main key.
  3. Open the msncf.dat file (configuration file). If the file size equals 192 bytes, read the content of the file.
  4. Open msndll.tmp file and decrypt it using the main key.
  5. Create the [service]svc.dll file and fill it with pseudo-random data.
    1. The malware fills the file with 10,240 bytes of pseudo-random data, and iterates (rand() % 10 + 10240) times. This is why it produces files which are at least 104,851,000 bytes.
  6. Copy the 16-byte main key at the end of the [service]svc.dll file.
  7. Encrypt the [service].dat file name with the main key and append it at the end of [service]svc.dll.
  8. Overwrite the beginning of [service]svc.dll with data decrypted from msndll.tmp.
  9. Move msndll.dat file to [service].dat.
  10. Delete temporary files: msndll.tmp, msncf.dat, msndll.log.
  11. Timestamp [service]svc.dll and [service].dat files.
  12. Register [service]svc.dll as a Windows service.
  13. Save a copy of data from msncf.dat file in the following registry value
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description.

Infection process diagram

Fallchill backdoor loader

We confirmed that the following malware was created on the infected host using the method described above:

Fallchill backdoor loader:

MD5: e1ed584a672cab33af29114576ad6cce
File Size: 104,878,356 bytes
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Known file name: C:\Windows\system32\uploadmgrsvc.dll
Link time: 2018-01-18 01:56:32

Encrypted Fallchill backdoor:

MD5: d8484469587756ce0d10a09027044808
File Size: 143,872 bytes
File Type: encrypted data
Known file name: C:\Windows\system32\uploadmgr.dat

Upon starting, uploadmgrsvc.dll reads 276 bytes from the end of its own executable file. The first 16 bytes of this 276-byte data are used as a decryption key, and the remaining 260 bytes contain the encrypted file path used by the backdoor.

Data at the end of the loader module
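The dropper procedure (steps 5 to 7) and the 276-byte trailer described above fix the loader's on-disk size to a handful of values, which gives a cheap triage check. The following Python is an added example, not code from the report: it assumes the key and encrypted name are appended after the padding, which fits the loader size of 104,878,356 bytes given above (10,242 iterations plus 276 bytes). The decryption routine for the path is not described on the page, so the code stops at extracting the two fields.

```python
"""Size and trailer triage for a suspected Fallchill loader DLL (added example)."""
import os

BLOCK_SIZE = 10_240                 # bytes written per iteration (step 5.1)
MIN_ITERATIONS = 10_240             # rand() % 10 + 10240 gives 10240..10249
KEY_LEN = 16                        # main key appended in step 6
PATH_LEN = 260                      # encrypted [service].dat name (step 7)
TRAILER_LEN = KEY_LEN + PATH_LEN    # the 276 bytes the loader reads back


def expected_sizes():
    """All file sizes the described procedure can produce."""
    return [BLOCK_SIZE * (MIN_ITERATIONS + k) + TRAILER_LEN for k in range(10)]


def padding_iterations(file_size: int):
    """Return the iteration count that explains file_size, or None."""
    body = file_size - TRAILER_LEN
    if body <= 0 or body % BLOCK_SIZE:
        return None
    n = body // BLOCK_SIZE
    return n if MIN_ITERATIONS <= n < MIN_ITERATIONS + 10 else None


def split_trailer(tail: bytes):
    """Split the last 276 bytes into (key, encrypted path)."""
    if len(tail) != TRAILER_LEN:
        raise ValueError(f"trailer must be {TRAILER_LEN} bytes, got {len(tail)}")
    return tail[:KEY_LEN], tail[KEY_LEN:]


def inspect_file(path: str) -> dict:
    """Report whether the size fits the layout and extract the trailer fields."""
    size = os.path.getsize(path)
    result = {
        "size": size,
        "iterations": padding_iterations(size),
        "key_hex": None,
        "encrypted_path": None,
    }
    if size >= TRAILER_LEN:
        with open(path, "rb") as fh:
            fh.seek(-TRAILER_LEN, os.SEEK_END)   # only the tail is read
            key, enc_path = split_trailer(fh.read(TRAILER_LEN))
        result["key_hex"] = key.hex()
        result["encrypted_path"] = enc_path
    return result


if __name__ == "__main__":
    # Sizes quoted in the report: the loader DLL and the dropper (msn.exe).
    for label, size in (("loader", 104_878_356), ("dropper", 104_898_560)):
        print(f"{label:8s}{size:>12,d} -> iterations: {padding_iterations(size)}")
    print("possible loader sizes:", expected_sizes())
```

Only files whose `iterations` field is not None match the described layout; for any other file the extracted trailer fields are just its last 276 bytes.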

After decryption of the last 260-bytes, the malware retrieves the name or path of the file that contains the actual backdoor body in encrypted form.

Decrypted file name in the end of loader module

The malware reads the specified file and decrypts it using the same decryption routine. This is how the executable code of the backdoor is produced in memory and executed by the loader. Below is the meta information about the decrypted final payload in memory:

MD5: d7089e6bc8bd137a7241a7ad297f975d
File Size: 143,872 bytes
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Link Time: 2018-03-16 07:15:31

We can summarize the Fallchill backdoor loading process as follows:

Loading the Fallchill backdoor

As mentioned previously, the final payload belongs to a Fallchill malware cluster formerly attributed to the Lazarus APT group. Upon launching, this malware resolves the API function addresses at runtime, and reads the C2 server address from the registry value created during the installation stage:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskConfigs\Description

If there is no configuration value, the malware falls back to a default C2 server address.

  • 196.38.48[.]121
  • 185.142.236[.]226

This is a full-featured backdoor that contains enough functions to fully control the infected host. Some of its network protocol commands are described below.

| Command ID | Description |
|---|---|
| 0x8000 | Write current time and configuration data to registry key |
| 0x8001 | Send configuration data |
| 0x8002 | Replace configuration data in the fixed registry value |
| 0x8003 | Execute Windows command, store output in temp file and upload contents to C2 |
| 0x8006 | Show current working directory |
| 0x8007 | Change current working directory |
| 0x8008 | Collect process information |
| 0x8009 | Terminate process |
| 0x8010 | Start new process |
| 0x8011 | Create process with security context of the current user |
| 0x8012 | Connect to specified host/port |
| 0x8013 | Get drive information |
| 0x8014 | Directory listing |
| 0x8015 | Search a file |
| 0x8019 | Write data to a specified file |
| 0x8020 | Read contents of specified file and upload to C2 server |
| 0x8021 | Compress multiple files to a temp file (name starts with ZD) and upload to C2 |
| 0x8023 | Wipe specific file |
| 0x8025 | Copy file time from another file time (timestamping) |
| 0x8026 | Shutdown malware service and self-delete |
| 0x8043 | Send “Not Service” unicode string to C2 server (communication test?) |

This set of capabilities is very common for many Lazarus backdoors, which have been seen in other attacks against banks and financial industry in the past years.

Infrastructure

While working on the incident of the cryptocurrency company’s breach, we were curious about the legal status of the Celas LLC company that developed this trojanized trading application.

Celas LLC main homepage.

The website had a valid SSL certificate issued by Comodo CA. However, note that the certificate from this webserver mentions “Domain Control Validated”, which is a weak security verification level for a webserver. It does not mean validation of the identity of the website’s owner, nor of the actual existence of the business. When certification authorities issue this kind of certificate they only check that the owner has a certain control over the domain name, which can be abused in certain ways.

Below is the WHOIS record of the “celasllc.com” domain. The domain name was registered by an individual named “John Broox” with registrant email address “johnbroox200@gmail[.]com”.

The same name of “John Broox” was used inside the installation package of the macOS version of the trading application. The Info.plist properties file describes the package as follows:

It looks at first sight like a legitimate WHOIS record, but something doesn’t really add up here. The domain celasllc.com was the only domain registered with this email address and was exclusively used for domain registration.

The registrant used the Domains4Bitcoins service to register this domain, apparently paying with cryptocurrency. According to open-source intelligence, the address of the WHOIS information is fake, unless it’s the owner of a ramen shop running a cryptocurrency exchange software development studio on the side.

View of the location referred in the WHOIS record. Image source: Google Maps.

The server hosting celasllc.com (185.142.236.213) belongs to the Blackhost ISP in the Netherlands.

WHOIS record of celasllc.com server

Coincidentally, the Fallchill malware authors also preferred to use the same hosting company to host their C2 server. Moreover, the Celas LLC web server and one of the C2 servers of the Fallchill malware are located in the same network segment of this ISP:

  • Celas LLC infrastructure:
    • 185.142.236.213: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Fallchill malware C2 server:
    • 196.38.48[.]121: South Africa Internet Solutions AS3741
    • 185.142.236[.]226: Netherlands Blackhost Ltd. AS174 COGENT-174
  • Additional attacker’s server from telemetry
    • 80.82.64[.]91: Seychelles Incrediserve Ltd AS29073
    • 185.142.239[.]173: Netherlands Blackhost Ltd. AS174 COGENT-174

However, when you look into Celas Trading Pro application’s digital signature, including its “Updater”, you will find that this certificate was also issued by Comodo CA, which refers to a company address in the United States.

According to open-source data, this address doesn’t belong to a real business, and looks on maps like a meadow with a small forest and small real estate offering nearby.

Location of Celas LLC, according to its digital certificate

Real estate history of that address

Pivoting the infrastructure a little further brings up some more suspicious things. It appears that the domain referred to two IPs, one of which was linked to a few other suspicious domains, according to PassiveDNS.

Celas LLC linked infrastructure

The owners of the linked infrastructural elements preferred to use several interesting services for hosting domain registration. All these service providers offer a certain level of anonymity to their customers. Most of them accept Bitcoins as a main payment method to keep their customers anonymous. This is very uncommon for companies running a legitimate business.

Hosting services linked to Celas LLC:

  • Blackhost (https://black.host/)
  • Liberty VPS (https://libertyvps.net/)

Domain registration services linked to Celas LLC:

  • Domains4Bitcoins (https://www.domains4bitcoins.com/)
  • NameCheap (https://www.namecheap.com/)
  • ChangeIP (https://www.changeip.com/)
  • Njalla (https://njal.la/)

All the facts above can make the more sceptical among us doubt the intentions of Celas LLC and the legitimacy of this business. Of course, these facts alone would not be enough to accuse Celas LLC of committing a crime.

Attribution

Kaspersky Lab has previously attributed the Fallchill malware cluster to Lazarus group when it attacked the financial sector around the world. It was also confirmed by other security vendors, and the national CERT of the US.

RC4 key from the older Fallchill

Fallchill malware uses an RC4 algorithm with a 16-byte key to protect its communications. The key extracted from the Fallchill variant used in the current attack is DA E1 61 FF 0C 27 95 87 17 57 A4 D6 EA E3 82 2B.

Current RC4 key of Fallchill

We were able to confirm that some of the older Fallchill malware variants used exactly the same RC4 key. Below are Fallchill malware samples that used the same key (the compilation timestamp may indicate the date of malware creation).


Same C2 server with older Fallchill

We have confirmed that the C2 server addresses (196.38.48[.]121, 185.142.236[.]226) used in this attack have been used by the older variant of Fallchill.

MD5 Timestamp
94dfcabd8ba5ca94828cd5a88d6ed488 2016-10-24 02:31:18
14b6d24873f19332701177208f85e776 2017-06-07 06:41:27
abec84286df80704b823e698199d89f7 2017-01-18 04:29:29

Overlap of C2 infrastructure

Apparently, the attackers using the Fallchill malware continue to reuse code and C2 server infrastructure over and over again.

According to Kaspersky Security Network, Fallchill was not the only malware used in this attack. There was another backdoor that was used by the threat actor. We omit a full description of this backdoor in the current report to keep the write-up to an acceptable length, but we would like to highlight two important things discovered in it. First, this backdoor was created on 2018-07-12 and revealed an already familiar directory, “TManager”, which we previously saw in the Updater.exe application from the Celas Trading Pro suite:

H:\DEV\TManager\all_BOSS_troy\T_4.2\T_4.2\Server_\x64\Release\ServerDll.pdb

Second, what is probably one of the most interesting findings to come from this additional backdoor was discovered hidden in hardcoded headers used to communicate with C2 server. The Accept-Language HTTP header string revealed a language code associated with North Korea. In our experience, this is something we normally don’t see in malware.

Accept-Language: ko-kp,ko-kr;q=0.8,ko;q=0.6,en-us;q=0.4,en;q=0.2

Accept-Language HTTP header value in the body of the backdoor

Conclusions

The Lazarus APT group’s continuous attacks on the financial sector are not much of a surprise to anyone. A lot of research has been done and published about such attacks. However, we think this case makes a difference. Recent investigation shows how aggressive the group is and how its strategies may evolve in the future.

First of all, Lazarus group has entered a new platform: macOS. There is steadily growing interest in macOS from ordinary users, especially in IT companies. Many developers and engineers are switching to using macOS. Apparently, in the chase after advanced users, software developers from supply chains and some high profile targets, threat actors are forced to have macOS malware tools. We believe that in the future Lazarus is going to support all platforms that software developers are using as a base platform, because compromising developers opens many doors at once.

We cannot say with full certainty whether Celas LLC was compromised and the threat actor abused it to push malware through an update mechanism. However, the multiple successful Lazarus attempts to compromise supply chain companies suggest that it will keep exploring this infection method. From all angles, the Celas LLC story looks like the threat actor has found an elaborate way to create a legitimate looking business and inject a malicious payload into a “legitimate looking” software update mechanism. Sounds logical: if one cannot compromise a supply chain, why not make a fake one?

This should be a lesson to all of us and a wake-up call to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven. Stay safe!


Discover the rise of Surf Protocol: Becoming the top perpetual Dex on Bitcoin Layer 2

Surf Protocol has achieved significant milestones, with its total trading volume exceeding $200 million and its Total Value Locked (TVL) surpassing $30 million in May, making it the largest perpetual DEX on Bitcoin Layer 2.

As the largest Perp Dex on BTC L2, Surf Protocol distinguishes itself by being selected for Binance’s prestigious Most Valuable Builder (MVB) Season 7 program. This recognition by Binance Labs highlights Surf Protocol’s innovative approach and its contribution to the blockchain ecosystem, particularly in enhancing Bitcoin native on-chain leverage trading and offering single-currency liquidity provision yield solutions that eliminate impermanent losses.

The competition within the Perp DEX arena is fierce and dynamic. Historically, platforms like dYdX have dominated the scene, capturing a substantial 59.7% of the 30-day trading volume as of October 2023. However, the DeFi ecosystem is inherently fluid, with Hyperliquid clinching the top spot by February 2024, showcasing the market’s evolving preferences and the shifting dynamics that new entrants like Surf Protocol are adeptly navigating.

Despite the competition, Surf Protocol distinguishes itself through a relentless pursuit of innovation tailored to meet the changing needs of its users. As the first to introduce a Bitcoin-denominated vault with zero impermanent loss and to allow BTC as collateral for trades, Surf Protocol has not only addressed key market gaps but has also set new benchmarks for what on-chain traders can expect. This innovative streak has propelled Surf towards a trajectory of rapid growth, with the platform nearing an average of 1000 daily users and aiming for higher total value locked (TVL) and volume.

Moreover, Surf’s acknowledgment of the competitive landscape doesn’t detract from its vision; rather, it fuels its drive to innovate. In a market where Perp DEXes like GMX have captivated users with sustainable fees and earning mechanisms, and where dYdX has pushed the envelope towards complete decentralization and scalability, Surf Protocol has carved its niche. It has done so by not only matching the pace of innovation but by also introducing unique features that resonate with a broad spectrum of users.

In a bid to further energize its community and incentivize trading activities, Surf Protocol has launched a series of campaigns that are setting the platform apart in the competitive DeFi landscape. These initiatives not only reward active traders but also provide lucrative opportunities for liquidity providers (LPs) and early supporters of the platform.

Surf Protocol’s innovative campaigns and focus on user rewards demonstrate its commitment to building a thriving DeFi ecosystem. Highlighting this commitment, Surf airdropped 100,000 USD value of award tokens to the first two weeks’ traders after the mainnet launch, showcasing a tangible effort to reward early adopters. By prioritizing community engagement and fostering a culture of inclusion, Surf Protocol is well-positioned to play a leading role in the future of decentralized trading.

Surf Protocol’s vision has garnered the support of industry leaders. In October 2023, Surf secured $5 million in funding from prominent investors including ABCDE Capital and Amber Group. This vote of confidence underscores the potential of Surf Protocol to bridge the gap between traditional finance and DeFi, catering to a diverse user base.

Surf Protocol invites traders, liquidity providers, and DeFi enthusiasts to join its mission of revolutionizing the trading landscape.

For more information, visit https://surf.one/
X: https://twitter.com/surf_protocol
Telegram: https://t.me/surf_protocol
Discord: https://discord.com/invite/Ma2NjR9uMs
Medium: https://medium.com/@surf.protocol

Sarson Funds Announces Official Launch of csprUSD Stablecoin on Casper Network Mainnet

Sarson Funds, in partnership with the Casper Association, is thrilled to unveil the official launch of the csprUSD stablecoin on the Casper Network mainnet.

Following successful testing on the Casper Network testnet, csprUSD enters the digital currency landscape as a robust fiat-backed stablecoin, echoing recent innovations from industry leaders like Ripple and Cardano. Crafted with precision to pre-comply with anticipated U.S. regulatory standards including dollar-for-dollar collateral deposits held with a U.S. banking partner, csprUSD mirrors the functionality of established industry titan USDC.

“We’re excited to see the culmination of our collaborative efforts with the launch of csprUSD on the Casper Network mainnet,” remarks Alizee Carli, Head of Ecosystem at the Casper Association. “This milestone underscores the growing momentum of applications and partners committed to leveraging stablecoins for critical infrastructure development.”

During its testnet phase, Sarson Funds witnessed a surge in user engagement and network expansion within the Casper ecosystem, indicative of a growing demand for stablecoins. Designed to foster growth while adhering to current and forthcoming US regulatory frameworks, csprUSD offers a stable, fiat-backed digital currency ideal for transactions on American exchanges.

The impending stablecoin legislation in the US highlights the need for robust regulatory measures to safeguard the cryptocurrency market. Sarson Funds CEO John Sarson emphasizes, “The launch of csprUSD marks a pivotal moment as stablecoin issuers seek to comply with the evolving U.S. regulatory landscape. Our rigorous testing during the testnet phase positions csprUSD as a compliant and trustworthy stablecoin.”

Sarson Funds, a leading asset manager specializing in the blockchain sector, has forged strategic alliances with industry stalwarts WeaveChain for development, BlockPass for compliance solutions, and Custodia Bank for secure banking services, ensuring the integrity and reliability of the csprUSD stablecoin.

For further details about csprUSD and its launch on the Casper Network mainnet, please visit the Stablecoin Index, LP official website: https://www.stablecoinindex.io/

KIP Protocol Announces Strategic Partnership with Aethir to Propel Decentralized AI and GPU Infrastructure

KIP Protocol, the Web3 base layer for AI, is thrilled to announce its strategic partnership with Aethir, the premier provider of decentralized GPU cloud infrastructure. This collaboration combines KIP’s tested decentralized AI deployment and monetisation solutions with Aethir’s large pool of computing power. This is set to enhance and expand the capabilities of decentralized AI applications significantly.

A Strategic Alliance for Accelerating AI Development

Under this partnership, KIP Protocol will be established as Aethir’s Preferred Deployment Partner, enhancing Aethir’s AI ecosystem with essential data and payment infrastructures. Concurrently, Aethir will become KIP’s Preferred Compute Partner, supplying over 40,000 GPUs and 3,000 NVIDIA H100s to support KIP’s AI product ecosystems with enterprise-grade, decentralized GPU power.

This partnership not only reinforces KIP Protocol’s standing as a key player in the decentralized AI space but also significantly boosts its backend capabilities. Aethir will integrate KIP’s robust data and payment infrastructures, further strengthening their AI ecosystem.

Revolutionizing AI with Robust Decentralized Solutions

The strategic alliance aims to create synergy between KIP Protocol’s innovative decentralized AI deployment solutions and Aethir’s state-of-the-art GPU infrastructure. This collaboration will combine KIP’s robust data and payment rails and Aethir’s decentralized compute infrastructure, both essential for a thriving deAI ecosystem, challenging the dominance of centralized AI technologies.

Key benefits of this partnership include:

  • Decentralized AI Deployment: As Aethir’s Preferred AI Deployment Partner, KIP will enhance Aethir’s AI offerings with its suite of deployment and monetisation solutions (including its pioneering decentralised retrieval augmented generation (d/RAG) framework and battle-tested KnowledgeFi platform) ensuring seamless operation and integration across various platforms.
  • Enhanced Computational Power: With substantial GPU resources from Aethir as KIP’s Preferred Compute Partner, KIP can accelerate the development and deployment of advanced AI solutions.
  • Strengthening Web3 Foundations: As the Web3 Base Layer for AI, KIP will secure transactions and enable effective monetization for developers and data owners within Aethir’s ecosystem.
  • Scaling New Heights: The KnowledgeFi framework will significantly expand, backed by Aethir’s cutting-edge GPU support.

A Future of Collaborative AI Innovation

Julian Peh, Co-Founder and CEO of KIP Protocol, stated, “Our partnership with Aethir reflects our strategic alignment — KIP democratizes the tools for AI asset deployment & monetisation, while Aethir decentralizes the scarce resources of compute that are critical in AI. Together, we hope to dismantle the monopolistic hold of centralized systems to pave the way for a future where we can have true digital ownership in the AI powered future.”

Mark Rydon, CEO of Aethir, added, “Teaming up with KIP Protocol empowers us to redefine the infrastructure landscape for AI. Their leadership in end-to-end decentralized AI solutions makes KIP an ideal partner to advance our goal of broadening access and enhancing profitability within the AI community across Web3.”

KIP Protocol and Aethir are committed to reshaping the landscape of AI development, fostering a decentralized ecosystem that is more accessible, secure, and profitable. Stay tuned as these industry leaders continue to drive innovation and transform the AI ecosystem by leveling the playing field and empowering AI value creators.

About KIP Protocol

KIP Protocol builds Web3 infrastructure for AI app developers, model makers and data owners, empowering easy deployment and monetisation of AI assets while maintaining full ownership rights.

KIP was a pioneer in decentralized Retrieval Augmented Generation (d/RAG), being a winner of the Chainlink Hackathon in 2023. That expertise in d/RAG was built out into a full platform named KnowledgeFi, currently used by leading Web3 companies to monetise Knowledge Assets using AI.

KIP solves mission-critical challenges faced in decentralized AI deployments, with an aim to jumpstart wholly new business ecosystems, and ensure the economic benefits brought about by AI can be enjoyed by all.

Founded and helmed by veteran AI PhDs and tech business veterans, KIP aims to be a catalyst for the widespread adoption of decentralized AI.

To learn more, visit www.kip.pro or follow them on X @KIPprotocol

About Aethir

Aethir is the leading provider of decentralized GPU cloud infrastructure, dedicated to delivering enterprise-grade solutions that empower the AI community.

OriginTrail Decentralized Knowledge Graph for trusted cross-organization real-time data integration in EU-funded DMaaST

Trace Labs, the core developers of OriginTrail, has joined the European Union’s initiative to foster a resilient and adaptive manufacturing ecosystem through the DMaaST project. Collaborating with partners from Slovenia, Spain, Germany, Portugal, Turkey, Serbia, Belgium, Lithuania, France, Denmark, and Switzerland, the initiative will leverage the OriginTrail Decentralized Knowledge Graph (DKG) and Knowledge Assets (KA) to encapsulate all pertinent information regarding products, processes, facilities, and human expertise. This comprehensive approach will facilitate the precise mapping of data flows and knowledge interconnections, laying the groundwork for comprehensive information mapping within the manufacturing ecosystem using OriginTrail DKG. Consequently, this will ensure trustworthy cross-organizational real-time data integration.

Once more, attention has been drawn to challenges within the aeronautic and manufacturing industries following a January incident in which a Boeing 737 MAX 9 door plug blew out in the middle of an Alaska Airlines flight. If the company had established reliable cross-organizational communication, it could have prevented this incident. Such communication would enhance the value chain’s responsiveness to external and unforeseen events, as well as improve operability and production planning capacity.

Effective, transparent, and reliable data exchange is the most important point for fostering sustainability, resilience, and energy efficiency in the manufacturing industry. However, over the past years, various challenges have come to the forefront within this sector.

  • Supply Chain Disruptions: The COVID-19 pandemic highlighted existing vulnerabilities in global supply chains, leading to disruptions in the flow of materials and components. Issues such as raw material shortages, transportation bottlenecks, and labor shortages have persisted, impacting manufacturing operations worldwide.
  • Cybersecurity Risks: With the increasing digitization of manufacturing processes through technologies like the Internet of Things (IoT) and Industry 4.0, cybersecurity threats have become a significant concern. Manufacturing facilities are increasingly vulnerable to cyberattacks that can disrupt operations, steal sensitive data, or compromise product quality and safety.
  • Data Silos: Manufacturing organizations often operate with fragmented data systems, leading to isolated data silos across departments or functions. This fragmentation inhibits seamless data interoperability and hampers comprehensive insights that could drive operational efficiency and innovation.
  • Lack of Standards: The absence of standardized data formats and protocols complicates data exchange and integration efforts within and across manufacturing enterprises. Without universally accepted standards, interoperability becomes a significant challenge, impeding the flow of data between different systems and stakeholders.
  • Data Privacy Concerns: With the proliferation of data collection and sharing practices in manufacturing, ensuring data privacy and protection is paramount. Manufacturers must navigate complex regulatory landscapes, safeguarding sensitive information from unauthorized access or misuse while balancing the need for data-driven decision-making.
  • Ownership and Control: Determining ownership rights and control over manufacturing data can be contentious, especially in collaborative environments or supply chain networks. Disputes may arise regarding data ownership, usage rights, and intellectual property, complicating data sharing agreements and hindering collaborative initiatives.
  • Legacy Systems Integration: Many manufacturing facilities still rely on legacy systems that were not designed with interoperability in mind. Integrating these outdated systems with modern data platforms and technologies poses significant challenges, requiring extensive customization, retrofitting, and investments in interoperability solutions.

DMaaST aims to enhance manufacturing ecosystem resilience and adaptability by employing a Smart Manufacturing Platform comprising four layers. The data layer establishes a foundation for real-time data integration across organizations using ontologies and OriginTrail Decentralized Knowledge Graph. Following this, a two-level cognitive digital twin is deployed to model both manufacturing services production lines and value chain stages. It incorporates human expertise, data-driven algorithms, and physical modeling. An algorithm for multi-objective distributed decision support systems leverages this data to facilitate optimal production decisions. Outcomes will be communicated via user-friendly interfaces and timely scoreboards, assessing circularity, sustainability, and product traceability. Over the four-year period, DMaaST ensures scalability and innovation by providing insights for replicating and improving manufacturing processes, advancing technologies in aerospace and electronics sectors.

Trace Labs will lead the data working group to develop and validate technologies aimed at facilitating data understanding, interoperability, and secure cross-organization integration. Integrating the OriginTrail DKG for the electronic and aeronautical sectors will create a powerful new knowledge base with artificial intelligence capabilities. The DKG will establish a decentralized database accessible to all participants in a manufacturing value chain, including manufacturers, suppliers, distributors, retailers, regulatory bodies, research institutes, and others. This will enhance the manufacturing ecosystem’s ability to autonomously withstand and adapt to external events.

OriginTrail DKG has been widely utilized to foster trust and transparency in enterprise knowledge exchange across various industries. Now, it is evolving to facilitate global knowledge connectivity, powering the Decentralized Retrieval Augmented Generation (dRAG) framework for more precise and inclusive AI. Given the challenges of verifying AI-generated results, OriginTrail DKG, with Knowledge Assets as its primary resource, represents a pivotal innovation in this context. It offers a robust framework for ensuring the ownership, discoverability, and verifiability of information utilized by AI systems for the manufacturing industry.

Besa Gaming: Revolutionizing the Gaming Industry with Blockchain

In a world where pixels collide with possibility, the blockchain gaming industry stands as a testament to the transformative power of technology. According to Grand View Research, the global blockchain in gaming market size was valued at USD 4.83 billion in 2022 and is expected to expand at a compound annual growth rate (CAGR) of 68.3% from 2023 to 2030. With its unique blend of decentralized networks and digital assets, blockchain gaming has transcended traditional boundaries, offering players unparalleled opportunities for ownership, creativity, and reward. Blockchain technology has revolutionized the gaming experience for businesses and players, allowing them to use cryptocurrencies and Non-fungible Tokens (NFTs) to purchase in-game assets. At the forefront of this revolution stands Besa Gaming—a pioneering force committed to reshaping the gaming landscape with its innovative approach to blockchain integration and utilization of cryptocurrency and NFTs. As the industry continues to evolve, Besa Gaming stands poised to lead the charge, offering players an immersive gaming experience unlike any other.

The Besa Gaming Company represents a paradigm shift in the gaming industry, offering an innovative fusion of entertainment and cryptocurrency. Positioned on the blockchain, Besa Gaming provides users with an exhilarating gaming experience where they can not only enjoy captivating gameplay but also earn real money in the process. Through their Play-to-Earn (P2E) options, players have the opportunity to engage with friends and the global gaming community, all while reaping rewards for their efforts. The platform’s unique approach emphasizes rewarding token holders, ensuring that investors are incentivized to hold onto their $BESA tokens for the long term. With a mission to create accessible and enjoyable games for all, Besa Gaming is committed to establishing itself as a leader in the gaming space while providing lucrative benefits for its dedicated supporters.

Delving into Besa Gaming’s diverse portfolio of captivating games, each offering a unique and immersive experience, we find:

  1. Gold Rush Racer: Gold Rush Racer is the ultimate endless arcade racing game, offering thrilling gameplay where players navigate through highway traffic, earn coins, and upgrade their cars to dominate global leaderboards. With stunning 3D graphics and smooth car handling, it promises non-stop excitement across various environments and game modes. Gold Rush Racer is available in the Android and Apple app stores.
  2. Crypto Bros: Crypto Bros is the blockchain adaptation of a familiar gameplay format. Featuring 15 levels and a choice of 2 characters, it also supports in-game advertising. Currently, the company is diligently working on a new update to deploy it to app stores.
  3. Bullet Storm Reloaded: Bullet Storm Reloaded is a thrilling bottle shooting game that puts your gun skills to the test. With stunning 3D graphics and a diverse selection of 24 new guns, including pistols, revolvers, and assault rifles, this game offers an immersive experience for target shooting enthusiasts. Bullet Storm Reloaded is available on Android and is currently waiting for approval for iOS.
  4. Besa Crypto Slot Machine: Besa Crypto Slot Machine integrates crypto into the thrilling universe of slot gaming. It also allows the company to incorporate various blockchain & cryptocurrency logos into the game and reward top players every week. As Besa Gaming expands their partnerships, more options and rewards will be available to players and holders.

Besa Gaming’s team of developers will continuously update and improve our existing games while adding even more games and utilities to our ever-expanding ecosystem. In the pipeline, we have our Drift Fury 3D game, our Besa Online Casino, and more! Besa Gaming is the first project to offer in-game space for advertising. It utilizes the game environment to incorporate ads and information that can be constantly updated to keep it fresh and exciting.

Besa Gaming is strategically positioned to revolutionize the gaming industry with its innovative business plan.

  • NFTs: Introducing four levels of NFTs, including OG, Gold, Silver, and Normal, Besa Gaming offers exclusive benefits to NFT owners, including participation in a private group and the board of directors.
  • Advertising: Leveraging in-game advertising, Besa Gaming generates revenue to benefit all token holders by purchasing and distributing tokens, fostering community support and growth.
  • Staking: With plans for staking implementation, Besa Gaming aims to utilize a portion of the selling tax to fund staking rewards, empowering token holders and ensuring project sustainability under the guidance of the board of directors.
  • Multi-Token Expansion: Besa Gaming plans to expand its presence across different markets, enhancing the BESA brand and utilities to reach a broader audience of crypto holders while maintaining transparency and community engagement. Besa Gaming is currently available on Binance and Solana networks.

Tokenomics Overview:

Besa Gaming implements comprehensive tokenomics to ensure the sustainability and growth of its ecosystem. With zero tax on the Solana version and a 4% buy tax on the Binance Smart Chain (BSC) version, rewards are distributed to holders, NFT owners, and liquidity providers automatically. Additionally, the liquidity is locked for one year on Solana and ten years on BSC, safeguarding the stability of the platform.

The breakdown:

Solana Version:

  • Zero tax structure.
  • Rewards distributed to Solana holders multiple times a week.
  • Exclusive airdrops and income from partnerships for Solana holders.

BSC Version:

  • 4% buy tax distributed to holders, NFT owners, and liquidity pool.
  • 6% sell tax with 3% going to all holders and 3% for team development and advertising.
  • Liquidity locked for 10 years on Pinksale.

OG NFTs:

  • Limited edition NFTs available with exclusive benefits.
  • Rewards through buy tax implemented on BSC version.
  • Owners gain access to a private group for voting on Besa-related decisions and share in 10% of the profits generated by the platform’s utilities, sent directly to them.

In addition to that, Solana, BSC, and NFT holders also receive rewards from the company’s buyback program, which is funded by the income generated through Besa Gaming’s in-game advertising, as well as Google and Facebook ads within the games.

Empowering Change Beyond Gaming

Besa Gaming goes beyond entertainment, embracing a mission to make a positive impact on the world. Founded on principles of compassion and community, we’ve launched the Find Hope Foundation to uplift communities, support vital causes, and amplify efforts to find missing people. Driven by passion and collaboration, we’re more than just a gaming community—we’re a movement. Leveraging the power of technology, the company amplifies the voices of the missing, allowing them to share their stories. Their images are integrated into the games and shared across company social media platforms. Additionally, Besa Gaming provides donations to aid in the search for the missing. Visit https://www.findhopefoundation.org to learn more.

Besa Gaming Team

Besa Gaming boasts a fully transparent and doxxed team, ensuring trust and accountability at every level. Led by Founder & CEO Gabriel Navarro, the team comprises industry experts dedicated to driving innovation and excellence. With Gerardo Ramirez as the Tech Lead, Darius Oravec overseeing hardware development, and Mukesh serving as the Sr. Software Developer, Besa Gaming combines technical prowess with creative vision. Chris Burns leads the marketing efforts, while Ronnin handles social media engagement, ensuring a cohesive and dynamic approach to building and promoting the Besa Gaming brand. Together, this talented team is committed to delivering cutting-edge gaming experiences and driving Besa Gaming’s success in the industry.

Through their diverse portfolio of immersive games, promising roadmap, and community-friendly tokenomics, Besa Gaming not only captivates audiences but also empowers them to participate in a gaming ecosystem unlike any other. Moreover, Besa Gaming’s dedication to social impact, demonstrated through the Find Hope Foundation, underscores their broader mission to effect positive change beyond the realm of entertainment. As the company continues to expand its reach and influence, supported by a transparent and skilled team, Besa Gaming invites enthusiasts to join their movement, gaming with purpose and transforming lives one play at a time.

Besa Gaming Socials:

Website: https://www.besagaming.com
Telegram: https://t.me/GamingUmbrella
Facebook: https://bit.ly/besa-facebook
Twitter: https://bit.ly/besa-twitter
Instagram: https://bit.ly/besa-instagram
Discord: https://bit.ly/besa-discord
Tiktok: https://bit.ly/besa-tiktok

Introducing BitBonus: Revolutionizing Crypto with 4% Tax and 5 Unique Utilities

BitBonus emerges as a groundbreaking addition to the crypto sphere, offering investors a unique opportunity to participate in a project with unparalleled potential. With a distinctive 4% tax structure, BitBonus is poised to redefine the landscape of decentralized finance, prioritizing rewards for holders and fueling strategic marketing initiatives.

The BitBonus Advantage:

At the core of BitBonus lies a 4% tax mechanism, where 2% of every transaction is distributed to holders in BTC, fostering a culture of passive income generation. The remaining 2% is allocated to the marketing wallet, ensuring continuous growth and visibility for the project.

Five Dynamic Utilities:

  1. Fashion Forward: BitBonus unveils a cutting-edge clothing brand that not only exudes style but also offers convenience through online purchasing and pop-up stores worldwide.
  2. Luxury Experiences: Experience the epitome of extravagance with BitBonus’ booking website, curated to provide access to exclusive luxury experiences around the globe.
  3. Venture Capital: BitBonus Ventures champions visionary entrepreneurs aligned with the mission of advancing economic freedom globally. Holders of BitBonus tokens will enjoy rewards from this initiative, with more details to follow soon.
  4. Alpha Club: The BitBonus Alpha Club welcomes Diamond holders and select influencers into an exclusive realm of privileges, including token rewards and exclusive contests.
  5. Secret Utility: Stay tuned for an exciting announcement regarding BitBonus’ undisclosed utility, set to elevate the project’s impact and utility within the crypto community.

NFT Collection and Future Integration:

BitBonus is proud to unveil an exclusive NFT collection, poised to complement and enhance its diverse range of utilities in the near future, promising unique and rewarding experiences for holders.

Upcoming Milestones:

BitBonus marks its inception with a fair launch on PinkSale, offering transparency and accessibility to all investors. Witness the journey unfold from start to finish at: PinkSale Launchpad https://www.pinksale.finance/launchpad/bsc/0xFb7725242a891220105C02d67ba62CD3d4368b09

Following the launch, BitBonus is set to make its debut on PancakeSwap, providing liquidity and accessibility to investors on one of the most popular decentralized exchanges.

Connect with BitBonus:

Website: https://bitbonusbsc.com/
Twitter: https://twitter.com/BitBonusBSC
Telegram: https://t.me/BitBonusbsc_official

About BitBonus:

BitBonus is a revolutionary project dedicated to maximizing value for its holders through innovative utilities, strategic partnerships, and a dynamic tax structure. With a commitment to transparency, sustainability, and community empowerment, BitBonus is poised to redefine the future of decentralized finance.