5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

Socket Threat Research identified five malicious NuGet packages under the bmrxntfj account that typosquat Chinese .NET UI and infrastructure libraries, each delivering a .NET Reactor-protected infostealer through a decompiled legitimate library wrapper. The campaign has amassed about 65,000 downloads and steals browser credentials, cryptocurrency wallets, and other sensitive data while exfiltrating to dns-providersa2[.]com. #bmrxntfj #NuGet #AntdUI #IR.DantUI #IR.iplus32 #dns-providersa2.com

Keypoints

  • Five malicious NuGet packages were published under the account bmrxntfj and are still available in NuGet at the time of reporting.
  • The packages impersonate legitimate Chinese .NET libraries such as AntdUI and internal enterprise-style libraries to appear credible to targeted developers.
  • Each package hides a .NET Reactor-protected payload that hooks the CLR JIT pipeline and decrypts malicious code at runtime.
  • The infostealer targets credentials from 12 Chromium-family browsers, Firefox, Mozilla, Thunderbird, browser wallet extensions, and desktop crypto wallets.
  • Stolen data is staged in C:\ProgramData\Microsoft OneDrive\keys.dat and exfiltrated to https://dns-providersa2[.]com/upload.
  • The operator rotated package versions repeatedly, using many unlisted releases to evade hash-based detection and keep install counts growing.
  • Attribution and infrastructure clues include the dns-providersa2[.]com domain, the git[.]justdotrip[.]com repository server, and a shared Reactor RSA modulus across related samples.

MITRE Techniques

  • [T1195.002] Supply Chain Compromise – The attacker distributed trojanized NuGet packages through a trusted package ecosystem to compromise developers and build systems [‘malicious NuGet packages published under the account bmrxntfj’]
  • [T1027] Obfuscated Files or Information – The payload used .NET Reactor/Necrobit protection, encrypted method bodies, string-split API names, and hidden version history to hinder analysis [‘every method body is replaced by a Reactor-Necrobit native decrypt stub’, ‘219 of those versions carry listed: false’]
  • [T1055.013] Process Injection: Process Doppelgänging – The payload patched clrjit.dll!getJit and inserted a hook into the JIT pipeline to control method compilation in-process [‘Patches clrjit.dll!getJit with a 4-byte JMP’]
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The malware used anti-analysis checks and blocklists to avoid sandboxes and analyst systems [‘22 hardcoded uppercase SHA-256 hex strings form an internal blocklist’]
  • [T1005] Data from Local System – The stealer harvested browser databases, wallet files, SSH keys, Outlook profiles, Steam data, and user documents from the host [‘Browser credential harvesting’, ‘full file tree under Documents, Desktop, and Downloads are harvested’]
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration occurred over HTTPS POST requests to the C2 upload endpoint [‘The staged archive is POSTed to https://dns-providersa2[.]com/upload’]
  • [T1539] Steal Web Session Cookie – The payload targeted browser cookies and session tokens stored in Chromium-family browsers [‘browser saved passwords, browser cookies and session tokens’]
  • [T1552.001] Unsecured Credentials: Credentials in Files – The malware collected SSH private keys and other stored secrets from files on disk [‘SSH private keys (id_rsa)’]
  • [T1560] Archive Collected Data – Harvested files were staged into a single archive-like location before exfiltration [‘All harvested material is staged under C:\ProgramData\Microsoft OneDrive\keys.dat’]
  • [T1082] System Information Discovery – The malware enumerated system and user context details, including hostnames, usernames, and architecture-specific process targets [‘hostname NEW-4V, username oljwe4y98’]
  • [T1083] File and Directory Discovery – The stealer walked directories and browser/wallet paths to locate sensitive files [‘the full file tree under Documents, Desktop, and Downloads are harvested’]

Indicators of Compromise

  • [Malicious package names] NuGet typosquat packages used in the campaign – IR.DantUI, IR.Infrastructure.Core, and other IR.* packages
  • [Threat actor / publisher] malicious NuGet publisher account – bmrxntfj
  • [C2 domain / endpoints] command-and-control and exfiltration – dns-providersa2[.]com, https://dns-providersa2[.]com/upload, and https://dns-providersa2[.]com/check
  • [IP address] primary C2 hosting – 62[.]84[.]102[.]85, and operator infrastructure at 47[.]100[.]60[.]237
  • [File path] staging location on affected systems – C:\ProgramData\Microsoft OneDrive\keys.dat
  • [File names / binaries] recovered malicious artifacts and memory dump – s4.exe, we4ftg.exe
  • [File hashes] sample and payload hashes – s4.exe : e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8e, we4ftg.exe : 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcf, and 2 more hashes
  • [Encrypted stage-2 resource hashes] package payload hashes for v2.1.55 – 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c, b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9, and 3 more hashes
  • [Browser extension IDs] hardcoded wallet extensions targeted by the stealer – nkbihfbeogaeaoehlefnkodbefgpgknn, ibnejdfjmmkpcnlpebklmnkoeoihofec, and 3 other IDs
  • [Name servers] delegated DNS infrastructure – 1-you.njalla[.]no, 2-can.njalla[.]in, and 3-get.njalla[.]fo
  • [Repository URL / development host] operator infrastructure referenced in package metadata – git[.]justdotrip[.]com / 47[.]100[.]60[.]237
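The following is an added example (not from the Socket report) showing how a defender can turn the indicators above into a quick sweep: it matches .csproj PackageReference entries against the package names named on this page, scans proxy or DNS log lines for the C2 domain and IPs, and flags the staging file path. The sample .csproj text and log lines are constructed for the example; only the two package IDs explicitly listed here are checked, since the report says the full set is larger ("other IR.* packages"). The indicator values are the page's defanged entries with the brackets removed.

```python
"""Sweep .NET project files and network logs for the indicators from this report.
Added example; sample inputs are constructed, not taken from the campaign."""
import re
import xml.etree.ElementTree as ET

# Indicators from the report (refanged). The report lists more IR.* packages
# than are named here, so treat a clean result as necessary, not sufficient.
MALICIOUS_PACKAGE_IDS = {"ir.dantui", "ir.infrastructure.core"}
MALICIOUS_PUBLISHER = "bmrxntfj"
C2_HOSTS = {"dns-providersa2.com"}
C2_IPS = {"62.84.102.85", "47.100.60.237"}
STAGING_PATH = r"C:\ProgramData\Microsoft OneDrive\keys.dat"


def find_malicious_references(csproj_xml: str) -> list[str]:
    """Return 'Id Version' for every PackageReference whose Id is on the
    known-bad list. NuGet IDs are case-insensitive, so compare lowercased."""
    root = ET.fromstring(csproj_xml)
    hits = []
    for node in root.iter("PackageReference"):
        pkg = node.get("Include") or ""
        if pkg.lower() in MALICIOUS_PACKAGE_IDS:
            hits.append(f"{pkg} {node.get('Version', '')}".strip())
    return hits


def find_c2_contacts(log_lines) -> list[tuple[int, str]]:
    """Return (line_number, indicator) for log lines that mention C2 infrastructure.
    IPs are matched with boundaries so 162.84.102.85 does not match 62.84.102.85."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for host in C2_HOSTS:
            if host in low:
                hits.append((n, host))
        for ip in C2_IPS:
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((n, ip))
    return hits


def suspicious_staging_paths(paths) -> list[str]:
    """Return the entries that equal the report's staging path (case-insensitive,
    slash-normalised); feed it a file listing collected from the host."""
    target = STAGING_PATH.lower().replace("/", "\\")
    return [p for p in paths if p.lower().replace("/", "\\") == target]


# Constructed sample inputs for a stand-alone run.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="AntdUI" Version="1.0.0" />
    <PackageReference Include="IR.DantUI" Version="2.1.55" />
    <PackageReference Include="ir.infrastructure.core" Version="1.2.3" />
  </ItemGroup>
</Project>"""

SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z 10.0.0.5 CONNECT dns-providersa2.com:443 POST /upload",
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://api.nuget.org/v3/index.json 200",
    "2024-01-01T10:00:02Z 10.0.0.7 CONNECT 62.84.102.85:443",
    "2024-01-01T10:00:03Z 10.0.0.7 CONNECT 162.84.102.85:443",
]

SAMPLE_PATHS = [
    r"C:\ProgramData\Microsoft OneDrive\keys.dat",
    r"C:\ProgramData\Microsoft\Windows\Caches\cache.dat",
]

if __name__ == "__main__":
    print("package hits :", find_malicious_references(SAMPLE_CSPROJ))
    print("c2 contacts  :", find_c2_contacts(SAMPLE_LOGS))
    print("staging files:", suspicious_staging_paths(SAMPLE_PATHS))
```

Point `find_malicious_references` at every .csproj (and, if you use lock files, the packages.lock.json dependencies) in a build tree; a hit on any listed ID, or any dependency published by `bmrxntfj`, warrants treating the build host as compromised and rotating the credentials and wallets the stealer targets.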


Read more: https://socket.dev/blog/5-malicious-nuget-packages-impersonate-chinese-ui-libraries