EXECUTIVE SUMMARY:
The attackers delivered a modular information-stealing malware family through deceptive software distribution and social engineering to obtain high-value credentials and cryptocurrency artifacts. The attack vector relied on trojanized developer software and companion tooling presented as legitimate onboarding or application code; victims executed code from a cloned repository or an installed package inside a development environment. Once a host was compromised, Node.js modules spawned child processes and installed third-party Node packages to capture keystrokes, screenshots, and system metadata. The payloads targeted browser-stored credentials, wallet-related files, and browser extension artifacts, and also collected clipboard content, typed input, and periodic screenshots. Collected artifacts and the output of remotely executed commands were staged and sent to remote infrastructure over web-based application-layer channels. The business impact observed in the analysis includes theft of account access and cryptocurrency funds, loss of confidentiality for sensitive documents, and exposure of credential material that enables follow-on account takeover and financial loss.
The toolset is a modular Node.js-based kit that combines file harvesting, remote shell functionality, credential harvesting, and input/screen capture modules. Initial compromise paths included installation of trojanized packages and installation or execution of a supplied codebase; a malicious loader dynamically constructs modules from strings and executes them as child processes. Modules observed include an input-capture module that uses Node packages to record keystrokes and read clipboard content; a screen-capture pipeline that converts screenshots into web-friendly image formats before upload; a file harvester that enumerates drives and applies inclusion/exclusion patterns for targeted filenames and extensions; a browser wallet/extension harvester that extracts extension files and saved browser data; and a remote shell that reports host attributes and then maintains a socket-based connection to receive commands. Communications use application-layer web protocols on non-standard ports, with dedicated upload endpoints for stolen artifacts. Anti-analysis features include virtualization/sandbox checks and anti-logging/anti-debugging logic inside the modules.
The campaign blends supply-chain and social-engineering vectors with modular Node.js tooling focused on data theft and remote command execution. The convergence of several previously separate tool sets produced a combined capability able to capture live input, extract browser secrets, maintain remote command execution, and stage files for upload. Use of trojanized development packages and a code-execution loader raises the probability of infection within development and crypto-centric user communities, where running repository code and installing dependencies is routine. The toolset's C2 pattern of switching from HTTP to WebSocket, and of using application-layer protocols for both tasking and data uploads, positions it as a data-theft-centric threat that can be reused across multiple targets. The observed evolution into additional modules shows an expanding focus on high-value financial artifacts and on techniques to evade sandbox analysis.
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique
Resource Development | T1588.002 | Obtain Capabilities | Tool
Resource Development | T1583.001 | Acquire Infrastructure | Domains
Resource Development | T1584.005 | Compromise Infrastructure | Botnet
Initial Access | T1189 | Drive-by Compromise | -
Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell
Execution | T1059.007 | Command and Scripting Interpreter | JavaScript
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder
Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location
Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation
Defense Evasion | T1070.006 | Indicator Removal | Timestomp
Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers
Discovery | T1082 | System Information Discovery | -
Collection | T1119 | Automated Collection | -
Collection | T1213.002 | Data from Information Repositories | Web Analytics Data
Command and Control | T1090.004 | Proxy | Domain Fronting
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols
Impact | T1445 | Generate Fraudulent Advertising Revenue | -
MBC MAPPING:
Objective | Behavior ID | Behavior
Initial Access | E1204 | User Execution
Execution | E1059 | Command and Scripting Interpreter
Persistence | F0012 | Registry Run Keys
Persistence | F0013 | Scheduled Tasks
Defense Evasion | E1027 | Obfuscated Files/Information
Defense Evasion | B0003 | Dynamic Analysis Evasion
Discovery | E1082 | System Information Discovery
Credential Access | E1055 | Process Injection
Collection | E1083 | File/Directory Discovery
Collection | E1113 | Screen Capture
Collection | E1510 | Clipboard Modification
Command and Control | B0031 | Domain Name Generation
Command and Control | C0002 | HTTP Communication
Lateral Movement | E1105 | Ingress Tool Transfer
Exfiltration | E1020 | Automated Exfiltration
REFERENCES:
The following reports contain further technical details: