Socket detected a coordinated typosquatting npm campaign dubbed “StegaBin” that published 26 malicious packages which use Pastebin-based character-level steganography to hide Vercel C2 infrastructure and deliver a multi-stage installer that ultimately deploys a RAT and a nine-module infostealer targeting developer artifacts. The activity is consistent with the North Korean-aligned cluster tracked as FAMOUS CHOLLIMA / Contagious Interview and includes a shared loader (vendor/scrypt-js/version.js, SHA256: da1775d0…) and live C2 at 103[.]106[.]67[.]63:1244. #StegaBin #FAMOUS_CHOLLIMA
Search Results for: StegaBin
Daily Recap: North Korean actors published 26 steganographic npm packages (StegaBin) that pull Vercel-hosted C2s from Pastebin to deploy credential stealers and a RAT, while APT37 expanded its tooling with LNK files and implants (Restleaf, ThumbSBD, VirusTask, FootWine) to bridge air-gapped systems via USB and Zoho WorkDrive C2s. CISA warns that RESURGE remains dormant on Ivanti Connect Secure devices (CVE-2025-0282), using ECC encryption, forged TLS certificates, SSH tunnels and traffic fingerprinting for covert persistence. A separate malicious campaign delivers a RAT via trojanized gaming utilities (Xeno.exe, RobloxPlayerBeta.exe) that connect to the C2 at 79.110.49.15 for data theft and follow-up payloads, and ClawJacked fixes tighten WebSocket checks to block localhost brute-force abuse. #StegaBin #APT37 #RESURGE #IvantiConnectSecure #CVE20250282 #XenoExe #RobloxPlayerBetaExe #ClawJacked #OpenClaw #VAL4K
Researchers disclosed a new iteration of the Contagious Interview campaign — tracked as StegaBin and attributed to the North Korean Famous Chollima cluster — that published 26 malicious npm packages masquerading as developer tools to deliver a developer-targeted credential stealer and remote access trojan. The packages use install.js to run a…
Cybersecurity Threat Research 'Weekly' Recap highlights burgeoning risks from agentic AI in SOCs, OpenClaw backdoors, and AI-augmented malware experiments, spanning supply-chain abuse, developer-targeting campaigns, phishing, and OT/edge security implications. It catalogs notable actors and families (OpenClaw, SURXRAT, Moonrise, Winos 4.0, Lazarus/Medusa, APT36, APT37, GRIDTIDE, UNC2814, MuddyWater) and techniques from StegaBin steganography to Go module backdoors and AI-assisted detection engineering. #OpenClaw #AMOS #SURXRAT #Moonrise #Winos4.0 #Lazarus #Medusa #APT36 #APT37 #GRIDTIDE #MuddyWater #StegaBin #XWorm #DcRAT