The graphalgo campaign uses fake job interviews, cloned GitHub organizations, typo-squatted repositories and crafted GitHub release artifacts to deliver an encrypted multi-stage downloader and a RAT to targeted crypto developers. Evidence including GMT+9 commit timestamps, reused RAT payloads, Git history rewriting and the creation of a Florida LLC indicates a highly organized, likely North Korean state-sponsored operation. #graphalgo #NorthKorea
Keypoints
- Threat actors lure crypto developers with fake job interviews and coding tasks hosted by fake GitHub organizations (e.g., veltrix-capital, Blockmerce, Bridgers Finance) to get victims to run project setup scripts that install malicious dependencies.
- Attackers migrated from publishing malicious packages to OSS registries (npm/PyPI) to hosting malicious dependencies as GitHub release artifacts referenced in package-lock.json, reducing detection risk.
- Typosquatting of repository and maintainer names (e.g., Ijharb vs ljharb), creation of fake company websites and social profiles, and even filing a Florida LLC (Blockmerce) were used to build trust and credibility.
- Malicious release artifacts contain an encrypted, multi-stage downloader that fetches a RAT; successful infections are reported via encrypted Telegram/Slack channels and by writing generated wallet addresses to a Sepolia testnet smart contract.
- Attack infrastructure and artifacts show GMT+9 timestamps, reuse of the same RAT and release patterns from the original graphalgo activity, supporting attribution to North Korean state-sponsored actors.
- Detected IOCs include the huvaret[.]art domain, Sepolia contract address 0x7526aCdC…, SHA1 hashes of staged JavaScript, and numerous malicious npm packages (graph-dynamic, graphbase-js variants, graphcore-js, graphlib-js), prompting ReversingLabs (RL) to recommend sandboxed testing and dedicated package verification tools.
MITRE Techniques
- [T1566] Phishing – fake job interviews and social posts were used to lure developers into installing malicious project dependencies (‘fake job interviews’, ‘fake job offering posts’).
- [T1195.002] Compromise Software Dependencies and Packages – attackers embedded references to malicious dependencies that resolved to GitHub release artifacts instead of monitored OSS registries (‘dependency to a malicious package hosted on open source package repositories like npm or PyPI’ and moved to GitHub releases).
- [T1105] Ingress Tool Transfer – multi-stage downloaders and RATs were retrieved from attacker-controlled URLs and GitHub releases (‘download the final malicious payload: a RAT’, ‘second stage downloader payload is then downloaded from https://huvaret[.]art/public/startup.js’).
- [T1036] Masquerading – typo-squatted repositories and impersonated maintainer names and organizations were used to appear legitimate (‘typo-squatted the maintainers’ names’, ‘a typo-squatted package imitating ljharb/side-channel-weakmap’).
- [T1071] Application Layer Protocol – compromised hosts reported successful infections via encrypted Telegram and Slack channels and interacted with a blockchain smart contract for status reporting (‘a notification is sent to hardcoded and encrypted telegram and slack channels’ and ‘addAddress function defined in a smart contract identified by 0x7526aCdC…’).
- [T1027] Obfuscated Files or Information – the campaign used obfuscated JavaScript downloaders to hide malicious behavior (‘That obfuscated javascript downloader fetches the last stage RAT’).
- [T1070] Indicator Removal on Host – attackers rewrote Git history in cloned repositories to present commits as coming from attacker-controlled accounts and remove provenance (‘rewrote their entire git history to make them look like they were conducted from attacker controlled accounts’).
Indicators of Compromise
- [Domain] malware hosting and download infrastructure – huvaret[.]art, www[.]veltrixcap[.]org (malicious JavaScript stages and campaign landing domains).
- [Blockchain address] smart contract and creator used for reporting – 0x7526aCdCF0B22f9B8F790CF069E5dD16CC414B0e (Sepolia contract), 0x87BF60FB6657d5E5CD425E36FF18aa7Bb5a8FcF4 (creator address).
- [File hash (SHA1)] downloaded staged JavaScript files – 5c30d58dc44182f959c8035e990153b3553deace, f1487451933a05a680e71dde7a2b11560d2d33a7 (obfuscated downloader and index.js RAT stages).
- [Package name / repository] malicious npm packages and release artifacts – graph-dynamic 1.0.0 (eea702eb…), graph-dynamic 1.0.1 (e3a71d70…), and multiple graph*-themed packages (other package versions are listed in the RL report).
- [GitHub org / repo] typo-squatted or attacker-owned repositories used as delivery points – swft-blockchain/party-bridges-common (copy of parity-bridges-common), Ijharb/side-channel-weakmap (typo-squat of ljharb/side-channel-weakmap).
- [Company / identity] fake companies and personas used in front-end social engineering – Blockmerce LLC (Florida filing), Bridgers Finance, and the fake LinkedIn recruiter profile ‘Gnanika Thumba’ used to publish job offerings.
Read more: https://www.reversinglabs.com/blog/graphalgo-campaign-respawned