A fake TradingView AI agent website is delivering Needle Stealer malware through a bogus “TradingClaw” assistant that can hijack victims’ browsers, drain financial accounts, and enable follow‑on attacks.

The campaign targets traders seeking automated strategies on TradingView, capitalizing on the current hype around AI trading bots and browser‑based investing tools.

The site imitates legitimate trading tooling with polished UI, “Download for Windows” buttons, and claims of no coding or API setup, but it is not affiliated with TradingView or any known trading startup.

When potential victims click the download link, instead of receiving a trading assistant, they execute a malware loader reused from a previous campaign.

Once launched, the loader deploys the Needle Stealer payload by injecting a second‑stage DLL into a trusted Windows process to reduce detection chances.

Researchers uncovered a malicious website that advertises “TradingClaw” as a personal TradingView AI agent able to run trading strategies 24/7.

The installation chain runs silently in the background, giving users the impression that the TradingClaw app either failed to install or is still “configuring” itself while the malware establishes persistence.

Needle Stealer is an information‑stealing malware family designed to harvest browser data, login sessions, and cryptocurrency wallet information from compromised systems.

Its core component can capture screenshots, collect browser history, cookies, and saved form data, and exfiltrate files such as text documents and wallet databases.

The malware specifically targets popular communication and file‑transfer tools as well, including applications like Telegram and FTP clients, to widen the scope of stolen credentials.

A dedicated browser extension module allows Needle Stealer to control browsers, redirect traffic, and inject scripts into web pages.

This effectively gives attackers remote control over the victim’s web sessions, enabling account takeover on trading platforms, exchanges, and banking sites without repeatedly prompting for passwords.

Needle Stealer’s wallet‑focused components are built to monetize access quickly. A desktop wallet spoofer targets standalone applications such as Ledger, Trezor, and Exodus, while a browser wallet spoofer focuses on extensions like MetaMask and Coinbase Wallet, attempting to capture seed phrases and private keys.

With these secrets, attackers can transfer cryptocurrency out of victims’ wallets with no way to reverse the transactions.

The command‑and‑control panel observed by researchers includes a “coming soon” feature for auto‑generating fake Google or Cloudflare‑style pages, suggesting plans to blend malware with phishing flows for even more convincing account theft scenarios.

Combined with TradingClaw’s trading‑bot lure, this positions the campaign squarely at active traders who often reuse browsers for banking, brokerage, and exchange logins.

Traders should treat any “TradingView AI agent” or “auto‑trading bot” that requires a standalone Windows installer with extreme caution.

Always download tools directly from official vendor domains or from verifiable marketplace integrations within TradingView rather than from ads, DMs, or YouTube video descriptions.

Security teams should block access to known malicious TradingClaw domains, inspect endpoints for suspicious DLL sideloading behavior, and monitor for abnormal browser extensions being added without user interaction.

Endpoint protection with robust infostealer detection, strict browser‑extension policies, and hardened multi‑factor authentication on trading and exchange accounts can significantly limit the impact of this campaign.
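One way to operationalize the browser‑extension check above is to audit a Chromium profile's Extensions directory for anything that is not on an approved list or that holds the permissions an extension needs to redirect traffic or inject scripts. The script below is an added example written for this article, not code from the researchers or from the campaign; it reads the standard `Extensions/<id>/<version>/manifest.json` layout that Chrome and Edge use, and the sensitive‑permission list, the two extension IDs, and the manifests it builds in a temporary directory are constructed for the demonstration.

```python
"""Audit a Chromium-style Extensions directory for extensions that are unapproved
or hold permissions that let them intercept web sessions or inject scripts.
Added example; the IDs, manifests and permission list are constructed here."""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read cookies, rewrite requests, or run code in
# pages. This list is the example's own choice, not one the article enumerates.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
    "cookies", "tabs", "debugger", "proxy", "webNavigation",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed 32-character extension IDs (Chromium IDs use letters a-p).
APPROVED_ID = "abcdefghijklmnopabcdefghijklmnop"
SUSPECT_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def _host_patterns(manifest: dict) -> set[str]:
    """Collect every host match pattern requested via MV2 'permissions',
    MV3 'host_permissions', or content_scripts 'matches'."""
    patterns: set[str] = set()
    for key in ("permissions", "host_permissions"):
        patterns.update(p for p in manifest.get(key, [])
                        if isinstance(p, str) and ("://" in p or p == "<all_urls>"))
    for script in manifest.get("content_scripts", []):
        patterns.update(m for m in script.get("matches", []) if isinstance(m, str))
    return patterns


def audit_extensions(ext_root: Path, allowlist: set[str]) -> list[dict]:
    """Walk <ext_root>/<id>/<version>/manifest.json and return one finding per
    extension that is not allowlisted or asks for risky permissions."""
    findings = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "reasons": ["unreadable manifest"]})
            continue
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        declared = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
        sensitive = SENSITIVE_PERMISSIONS & declared
        if sensitive:
            reasons.append("sensitive permissions: " + ", ".join(sorted(sensitive)))
        broad = BROAD_HOSTS & _host_patterns(manifest)
        if broad:
            reasons.append("broad host access: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest_path.parent.name, "reasons": reasons})
    return findings


def build_sample_profile(ext_root: Path) -> None:
    """Write two constructed manifests: an approved, narrowly scoped extension and
    one shaped like a session-hijacking module (all-URL access plus script injection)."""
    samples = {
        f"{APPROVED_ID}/1.0.0": {
            "manifest_version": 3, "name": "Approved Password Manager",
            "permissions": ["storage"], "host_permissions": ["https://vault.example/*"],
        },
        f"{SUSPECT_ID}/2.1.0": {
            "manifest_version": 3, "name": "Trading Helper",
            "permissions": ["cookies", "scripting", "webRequest", "tabs"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
        },
    }
    for rel, manifest in samples.items():
        path = ext_root / rel / "manifest.json"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")


def run_demo() -> list[dict]:
    """Build the constructed profile in a temp dir and audit it against an allowlist."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Extensions"
        build_sample_profile(root)
        return audit_extensions(root, allowlist={APPROVED_ID})


if __name__ == "__main__":
    # On a real Windows host, point audit_extensions() at e.g.
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions instead.
    for finding in run_demo():
        print(finding["id"], finding["name"], "->", "; ".join(finding["reasons"]))
```

Run it against each user profile on an endpoint and treat any extension that is both off the allowlist and holding cookie, scripting, or all‑URL access as a triage lead; pair the file audit with a check of browser policy keys so a forced install that bypasses the user's consent prompt is caught as well.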

For individuals, if you installed any TradingClaw‑branded tool, disconnect the device from the network, run a full malware scan, revoke sessions on trading, email, and exchange accounts, and move crypto funds to new wallets with fresh seed phrases generated on uncompromised hardware.

Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
