eSentire TRU analyzed a multi-stage supply-chain attack where a weaponized GitHub repository named “ShoeVista” deployed highly obfuscated Node.js and Python stagers to retrieve DEV#POPPER RAT and the OmniStealer payloads from blockchain transactions and remote C2 servers. The campaign—attributed with high confidence to a North Korean state-sponsored APT—focused on developer-targeted credential and crypto-wallet theft; eSentire published tooling (DEV#STOPPER.js), detection guidance, and remediation recommendations. #DEVPOPPER #OmniStealer
Keypoints
- Initial access via a weaponized GitHub repository (“ShoeVista”) that executed a hidden, obfuscated Node.js backdoor in frontend/tailwind.config.js when the frontend was launched.
- Multi-stage loader architecture: Stage 1/2 unpack and fetch additional stages from C2, Stage 3 loads DEV#POPPER RAT and an inline Python loader for OmniStealer, and Stage 4/5 retrieve RAT code from blockchain transaction data.
- DEV#POPPER uses heavy JavaScript obfuscation (custom base64 alphabet, RC4-encrypted strings, shuffling, proxy call chains) and multiple anti-analysis techniques (debugger crashes, self-integrity regex loops, catastrophic backtracking, sandbox/cloud detection).
- Persistence is achieved by injecting stager code into Node.js applications (e.g., VS Code, GitHub Desktop, Discord) so the stager executes when those apps launch across macOS, Windows, and Linux.
- OmniStealer (Python) harvests a broad set of secrets: browser credentials/cookies, numerous crypto wallet extensions and desktop wallets, Git credentials, keychain/GNOME/KDE secrets, environment variables, and cloud storage artifacts, then archives and exfiltrates them (HTTP or Telegram fallback).
- eSentire released automation tooling (DEV#STOPPER.js) to deobfuscate intermediary stagers and final payloads, provided Yara detection for the initial stager, and issued operational recommendations (block crypto APIs, audit repos, isolate dev environments, hardware wallets, PSAT, MDR).
MITRE Techniques
- [None] No MITRE ATT&CK technique identifiers were referenced in the article.
Indicators of Compromise
- [IP Address] C2 and staging servers – 23.27.20.143 (stage retrieval), 198.105.127.210 (campaign-specific C2), and other addresses (e.g., 136.0.9.8, 23.27.202.27).
- [Domain / API endpoint] Crypto-node and C2 endpoints used for payload retrieval – bsc-dataseed.binance.org, bsc-rpc.publicnode.com, and trongrid APIs (and other blockchain RPC endpoints).
- [File path / filename] Initial stager location in the repository – frontend/tailwind.config.js; example output files used during analysis: dump_encrypted.bin, dump_decrypted.js.
- [File hash] Process-name hash used for anti-analysis – MD5: 9a47bb48b7b8ca41fc138fd3372e8cc0 (the stager terminates if the hash of the running process name matches).
- [Blockchain transaction / address] Payload/source-code storage on chain – Ethereum transaction 0x804b000af7d7e4337ba5db28bb367da64a08391de09ffb07847ac897c5f82954 referenced as containing obfuscated RAT source; Tron/Aptos addresses used to locate transaction data.
- [YARA string] Detection signature indicators for the initial stager – sample Yara strings include "global['_V']", "typeof module==='object'" and "function(){var rms=\"", used in the provided DEVPOPPER Yara rule.
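As an added defender-side example (not eSentire's DEV#STOPPER.js or any code from the report), the following Python script walks a repository checkout and flags JavaScript files carrying the Yara indicator strings listed above, treating a hit at the reported stager path frontend/tailwind.config.js as high confidence. Straight quotes in the indicator strings, the two-indicator threshold and the .js/.cjs/.mjs extension set are assumptions.

```python
"""Scan a checked-out repository for the DEV#POPPER initial-stager indicators."""
import sys
from pathlib import Path

# Indicator strings from the DEVPOPPER Yara rule described in the report.
# Straight quotes are assumed; the summary renders them with typographic quotes.
STAGER_STRINGS = (
    "global['_V']",
    "typeof module==='object'",
    'function(){var rms="',
)
# Initial stager location reported for the "ShoeVista" repository.
KNOWN_STAGER_PATH = "frontend/tailwind.config.js"
# File types a Node.js stager would plausibly hide in (assumption).
JS_SUFFIXES = {".js", ".cjs", ".mjs"}


def match_indicators(text: str) -> list[str]:
    """Return the indicator strings present in a file's contents."""
    return [s for s in STAGER_STRINGS if s in text]


def classify(rel_path: str, matched: list[str]) -> str:
    """Rate a file: 'stager' when two or more indicators co-occur, or any
    indicator sits at the known stager path; 'review' on a single hit;
    otherwise 'clean'. The thresholds are an assumption, not from the report."""
    if len(matched) >= 2 or (matched and rel_path == KNOWN_STAGER_PATH):
        return "stager"
    return "review" if matched else "clean"


def scan_tree(root: str) -> list[dict]:
    """Walk a repository checkout and return a finding for every JS file with a hit."""
    findings = []
    root_path = Path(root)
    for path in root_path.rglob("*"):
        if not path.is_file() or path.suffix not in JS_SUFFIXES:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        rel = path.relative_to(root_path).as_posix()
        matched = match_indicators(text)
        verdict = classify(rel, matched)
        if verdict != "clean":
            findings.append({"path": rel, "matched": matched, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['verdict']:7} {f['path']}  hits={f['matched']}")
```

Run it against a freshly cloned repository before launching its frontend; a 'stager' verdict on a build-config file is the pattern the report describes and warrants isolating the checkout rather than running it.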