
5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer

A supply chain attack using five malicious NuGet packages that typosquat Chinese .NET UI libraries has been found distributing a cross-platform infostealer. Each package carries a .NET module initializer, so the payload runs automatically when the assembly is loaded; it then uses .NET Reactor JIT hooking to decrypt and execute a stage-2 stealer that targets credentials and cryptocurrency wallets on developer workstations and in CI/CD pipelines.

Sensitivity: Immediate · Confidence: High · Analyzed: 2026-05-08

Authors: Kush Pandya

Actors: bmrxntfj

Source: Socket

IOCs: 17

Detection / Hunter: Google

What Happened

Security researchers found five fake software packages on the NuGet repository that pretend to be legitimate Chinese programming libraries. If a developer's project restores one of these packages and loads it, hidden code runs automatically and steals passwords, documents, and cryptocurrency wallets. This puts software developers and the automated systems they use to build software at serious risk. Anyone who has used these specific packages should immediately consider their systems compromised, rotate every password and key those systems could reach, and remove the malicious packages.

Key Takeaways

  • Five malicious NuGet packages typosquatting Chinese .NET UI libraries have accumulated approximately 65,000 downloads.
  • The malware executes automatically via .NET module initializers upon assembly load, requiring no explicit application calls.
  • The payload uses .NET Reactor JIT hooking to decrypt and execute an infostealer targeting 12 browsers and multiple cryptocurrency wallets.
  • Threat actors actively rotate package versions and unlist old ones to evade hash-based detection.
  • Stolen data is staged in a fake OneDrive directory (C:\ProgramData\Microsoft OneDrive\keys.dat) before exfiltration.

Affected Systems

  • Developer workstations
  • CI/CD build servers
  • Windows
  • Linux
  • macOS

Attack Chain

The attack begins when a victim restores one of the malicious NuGet packages and an application (or its test run) loads the assembly. Each package carries a .NET module initializer, so the payload executes at assembly load with no call from the consuming code; module initializers compile to a static constructor on the assembly's <Module> type (<Module>::.cctor), which is a cheap thing to triage for when screening packages. The initializer uses .NET Reactor to allocate memory, decrypt the stage-2 payload from an encrypted resource, and hook the CLR JIT compiler (clrjit.dll!getJit) so the decrypted code is compiled and run in process without ever being written to disk. The infostealer then harvests credentials from browsers (including Chrome passwords and cookies protected by App-Bound Encryption, the v20 format, which it unseals through the Edge IElevator COM interface), cryptocurrency wallets, and local files. Stolen data is staged in a fake OneDrive directory (C:\ProgramData\Microsoft OneDrive\keys.dat) and exfiltrated over HTTPS to the C2 using dynamically generated request headers matching X-[a-z]{3}.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide ready-to-use detection rules, but it outlines specific behavioral indicators and IOCs that security teams can use to build custom alerts.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDRs can detect the anomalous file creation in the fake OneDrive path and CoCreateInstance calls for the Edge IElevator interface from non-Edge processes, but the in-memory JIT hooking and .NET Reactor packing defeat static analysis and basic memory scanning.
  • Network Visibility: Medium. Network appliances can match the hardcoded C2 domain and IP, but the X-[a-z]{3} request headers are only visible where a TLS-terminating proxy inspects the HTTPS traffic; without that, DNS queries and the TLS SNI for the C2 domain are the usable signals.
  • Detection Difficulty: Moderate. Active version rotation defeats hash-based detection, and the module initializer runs the payload on assembly load without any explicit call from the application, so it fires wherever the consuming application or its tests load the assembly, including CI/CD build servers.

Required Log Sources

  • Process Creation
  • File Creation
  • DNS Queries
  • Network Connections
  • COM Object Instantiation

Hunting Hypotheses

  • Hypothesis: Look for file creation events where the path is exactly C:\ProgramData\Microsoft OneDrive\keys.dat, as legitimate OneDrive does not write this file.
    Telemetry: File Creation · ATT&CK Stage: Collection · FP Risk: Low
  • Hypothesis: Search for processes outside the Microsoft Edge browser family making CoCreateInstance calls that request the Edge IElevator interface ({c9c2b807-7731-4f34-81b7-44ff7779522b}).
    Telemetry: COM/API Monitoring · ATT&CK Stage: Credential Access · FP Risk: Low
  • Hypothesis: Identify outbound HTTP/HTTPS requests from developer workstations or CI/CD build servers carrying a header whose name matches X-[a-z]{3} (anchor the match to the whole header name, or ordinary X- headers will match as well).
    Telemetry: Network Traffic / Proxy Logs · ATT&CK Stage: Command and Control · FP Risk: Medium
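The three hypotheses above as executable detection logic, written here as an added example rather than rules from the Socket report. The event schema (type, image, path, iid, headers) is an assumed normalised form, not any vendor's log format, the sample events are constructed, and the three letters in the sample X- header are made up. The header rule shows why the match must be anchored: the report's bare pattern X-[a-z]{3}, applied with a substring search to a proxy log that lower-cases header names, also hits x-forwarded-for.

```python
"""Run the three hunting hypotheses over a batch of normalised events.
Added example, not from the Socket report; event shape and samples are assumed/constructed."""
import re

KEYS_DAT = r"c:\programdata\microsoft onedrive\keys.dat"
EDGE_IELEVATOR_IID = "c9c2b807-7731-4f34-81b7-44ff7779522b"
# Assumed allowlist: only the Edge browser itself should ask for its own IElevator.
EDGE_IMAGES = {"msedge.exe", "msedgewebview2.exe"}
# Anchored to the whole (lower-cased) header name. An unanchored search for the
# report's pattern X-[a-z]{3} would also match "x-forwarded-for" or "x-request-id".
C2_HEADER = re.compile(r"^x-[a-z]{3}$")


def _norm_path(p):
    return p.replace("/", "\\").lower()


def _basename(image):
    return _norm_path(image).rsplit("\\", 1)[-1]


def hunt_keys_dat(ev):
    """Hypothesis 1: exact path match on the fake OneDrive staging file."""
    return ev.get("type") == "file_create" and _norm_path(ev.get("path", "")) == KEYS_DAT


def hunt_ielevator(ev):
    """Hypothesis 2: a non-Edge process asking COM for the Edge IElevator IID."""
    if ev.get("type") != "com_create":
        return False
    iid = ev.get("iid", "").strip("{}").lower()
    return iid == EDGE_IELEVATOR_IID and _basename(ev.get("image", "")) not in EDGE_IMAGES


def hunt_c2_header(ev):
    """Hypothesis 3: a request header named X- plus exactly three letters."""
    if ev.get("type") != "http_request":
        return False
    names = [h.lower() for h in ev.get("headers", {})]  # header names are case-insensitive
    return any(C2_HEADER.match(n) for n in names)


RULES = (
    ("keys_dat_staging", hunt_keys_dat),
    ("non_edge_ielevator", hunt_ielevator),
    ("c2_xhdr", hunt_c2_header),
)


def hunt(events):
    """Return [(rule_name, event_id)] for every event that matches a hypothesis."""
    alerts = []
    for ev in events:
        for name, fn in RULES:
            if fn(ev):
                alerts.append((name, ev["id"]))
    return alerts


# Constructed sample telemetry (not real logs): 1, 4 and 5 are true positives,
# 2, 3 and 6 are the benign look-alikes each rule must not fire on.
SAMPLE_EVENTS = [
    {"id": 1, "type": "file_create", "image": r"C:\proj\bin\App.exe",
     "path": r"C:\ProgramData\Microsoft OneDrive\keys.dat"},
    {"id": 2, "type": "file_create", "image": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "path": r"C:\Users\dev\AppData\Local\Microsoft\OneDrive\settings\keys.dat"},
    {"id": 3, "type": "com_create", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "iid": "{C9C2B807-7731-4F34-81B7-44FF7779522B}"},
    {"id": 4, "type": "com_create", "image": r"C:\proj\bin\App.exe",
     "iid": "{c9c2b807-7731-4f34-81b7-44ff7779522b}"},
    {"id": 5, "type": "http_request", "image": r"C:\proj\bin\App.exe", "host": "dns-providersa2.com",
     "headers": {"X-qzt": "...", "Content-Type": "application/octet-stream"}},
    {"id": 6, "type": "http_request", "image": r"C:\proj\bin\App.exe", "host": "api.example.com",
     "headers": {"x-forwarded-for": "10.0.0.5", "X-Request-Id": "abc"}},
]

if __name__ == "__main__":
    for rule, eid in hunt(SAMPLE_EVENTS):
        print(f"{rule}: event {eid}")
```

The header rule is the one with Medium FP risk: any internal tool that happens to use a three-letter X- header will match, so in production pair it with the developer/CI host scope from the hypothesis and, where the proxy exposes it, the destination host.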

Control Gaps

  • Hash-based blocking (due to version rotation)
  • Static analysis of .NET assemblies (due to .NET Reactor packing)

Key Behavioral Indicators

  • File creation at C:\ProgramData\Microsoft OneDrive\keys.dat
  • Anomalous CoCreateInstance for Edge IElevator
  • JIT hooking via clrjit.dll!getJit modification

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Check project files and packages.lock.json for references to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI.
  • Treat any machine that restored these packages as compromised and rotate all accessible credentials (browser passwords, API keys, SSH keys, crypto wallets).
  • Block DNS resolution for dns-providersa2[.]com and outbound connections to 62[.]84[.]102[.]85.
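A scanner for the first step above, added here as an example and not code from the Socket report. It goes a little beyond the bullet: besides project files and packages.lock.json it also reads packages.config, obj/project.assets.json (which lists transitive packages) and the NuGet global packages folder, because a restore leaves the package on disk even after the reference is removed. It assumes the standard NuGet layouts and the default cache location (~/.nuget/packages, or the NUGET_PACKAGES environment variable).

```python
"""Scan a source tree and the NuGet global packages folder for the five malicious
package IDs. Added example, not code from the Socket report. It assumes standard
NuGet layouts: PackageReference items in project files, packages.config,
packages.lock.json, obj/project.assets.json and the cache ~/.nuget/packages/<id>/<version>."""
import json
import os
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# NuGet IDs are case-insensitive, so everything is compared lower-cased.
MALICIOUS_IDS = {"ir.dantui", "ir.infrastructure.core", "ir.infrastructure.dataservice.core",
                 "ir.iplus32", "ir.oscarui"}
PROJECT_SUFFIXES = {".csproj", ".fsproj", ".vbproj", ".props", ".targets"}


def _is_bad(pkg_id):
    return bool(pkg_id) and pkg_id.lower() in MALICIOUS_IDS


def _scan_xml(path):
    """PackageReference/PackageDownload/PackageVersion items (SDK or legacy project
    files, with or without the MSBuild xmlns) and <package id=...> in packages.config."""
    hits = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip "{namespace}" if present
        if tag in ("PackageReference", "PackageDownload", "PackageVersion"):
            pid, ver = el.get("Include") or el.get("Update"), el.get("Version")
        elif tag == "package":
            pid, ver = el.get("id"), el.get("version")
        else:
            continue
        if _is_bad(pid):
            hits.append((str(path), pid, ver or "?"))
    return hits


def _load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return {}


def _scan_lock(path):
    """packages.lock.json: dependencies -> <tfm> -> <id> -> {"resolved": ...}."""
    hits = []
    for tfm_deps in _load_json(path).get("dependencies", {}).values():
        for pid, info in tfm_deps.items():
            if _is_bad(pid):
                hits.append((str(path), pid, info.get("resolved", "?")))
    return hits


def _scan_assets(path):
    """obj/project.assets.json: libraries keyed "<id>/<version>", transitive ones too."""
    hits = []
    for key in _load_json(path).get("libraries", {}):
        pid, _, ver = key.partition("/")
        if _is_bad(pid):
            hits.append((str(path), pid, ver or "?"))
    return hits


def scan_tree(root):
    """Return [(file, package_id, version)] for every malicious reference under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        name = path.name.lower()
        if path.suffix.lower() in PROJECT_SUFFIXES or name == "packages.config":
            hits.extend(_scan_xml(path))
        elif name == "packages.lock.json":
            hits.extend(_scan_lock(path))
        elif name == "project.assets.json":
            hits.extend(_scan_assets(path))
    return hits


def scan_global_cache(cache_dir=None):
    """A restore leaves <cache>/<id>/<version>/ behind even after the reference is gone
    from the project, so check the cache on every machine that built the code."""
    cache = Path(cache_dir or os.environ.get("NUGET_PACKAGES") or Path.home() / ".nuget" / "packages")
    hits = []
    if not cache.is_dir():
        return hits
    for pkg_dir in sorted(cache.iterdir()):
        if pkg_dir.is_dir() and _is_bad(pkg_dir.name):
            hits.extend((str(v), pkg_dir.name, v.name) for v in sorted(pkg_dir.iterdir()) if v.is_dir())
    return hits


if __name__ == "__main__":
    findings = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".") + scan_global_cache()
    for src, pid, ver in findings:
        print(f"MALICIOUS {pid} {ver} <- {src}")
    sys.exit(1 if findings else 0)
```

Run it as `python scan_nuget.py /path/to/repo` on every developer machine and build agent; the non-zero exit code also lets it act as a deny-list gate in a CI pipeline step. A hit in the global cache with no matching project reference still means the package was restored on that host at some point, so treat it the same way.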

Infrastructure Hardening

  • Implement strict egress filtering on CI/CD build servers to prevent unauthorized outbound connections to unknown C2 domains.
  • Enforce allow/deny rules for package dependencies in CI pipelines.

User Protection

  • Deploy EDR solutions capable of monitoring COM object instantiation and anomalous file writes in ProgramData.
  • Educate developers on the risks of typosquatted packages and verify upstream library sources.

Security Awareness

  • Train development teams to verify the canonical NuGet identities and publishers of libraries before integration.
  • Implement automated dependency scanning in pull requests to flag suspicious or unknown packages before merge.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1027 - Obfuscated Files or Information
  • T1055.013 - Process Injection: Process Doppelgänging
  • T1497.001 - Virtualization/Sandbox Evasion: System Checks
  • T1005 - Data from Local System
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1539 - Steal Web Session Cookie
  • T1552.001 - Unsecured Credentials: Credentials in Files
  • T1560 - Archive Collected Data
  • T1082 - System Information Discovery
  • T1083 - File and Directory Discovery

Additional IOCs

  • IPs:
    • 47[.]100[.]60[.]237 - Operator development infrastructure (Alibaba Cloud Shanghai).
  • Domains:
    • git[.]justdotrip[.]com - Operator development infrastructure repository URL.
    • 1-you[.]njalla[.]no - Nameserver used by the threat actor.
    • 2-can[.]njalla[.]in - Nameserver used by the threat actor.
    • 3-get[.]njalla[.]fo - Nameserver used by the threat actor.
  • Urls:
    • hxxps://dns-providersa2[.]com/check - C2 beacon and operator validation endpoint.
    • hxxps://dns-providersa2[.]com/upload - C2 exfiltration upload endpoint.
  • File Hashes:
    • 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c (sha256) - Encrypted Stage-2 Resource for IR.DantUI (v2.1.55)
    • b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9 (sha256) - Encrypted Stage-2 Resource for IR.Infrastructure.Core (v2.1.55)
    • b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa (sha256) - Encrypted Stage-2 Resource for IR.Infrastructure.DataService.Core (v2.1.55)
    • 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824 (sha256) - Encrypted Stage-2 Resource for IR.iplus32 (v2.1.55)
    • 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1 (sha256) - Encrypted Stage-2 Resource for IR.OscarUI (v2.1.55)
  • File Paths:
    • /proc/self/mem - Linux process memory path accessed by the payload for cross-platform execution.
    • /proc/self/maps - Linux process memory map path accessed by the payload.
  • Other:
    • IR.DantUI - Malicious NuGet package name.
    • IR.Infrastructure.Core - Malicious NuGet package name.
    • IR.Infrastructure.DataService.Core - Malicious NuGet package name.
    • IR.iplus32 - Malicious NuGet package name.
    • IR.OscarUI - Malicious NuGet package name.
    • X-[a-z]{3} - Dynamic HTTP header pattern used for C2 communication obfuscation.
    • {c9c2b807-7731-4f34-81b7-44ff7779522b} - Microsoft Edge IElevator IID used to unseal Chromium master keys.
    • zlUkMywGKDNbeJxH - .NET Reactor RSA Modulus Base64 prefix used for attribution.
    • nkbihfbeogaeaoehlefnkodbefgpgknn - Targeted Chromium extension ID (MetaMask).
    • ibnejdfjmmkpcnlpebklmnkoeoihofec - Targeted Chromium extension ID (TronLink).
    • bfnaelmomeimhlpmgjnjophhpkkoljpa - Targeted Chromium extension ID (Phantom).
    • egjidjbpglichdcondbcbdnbeeppgdph - Targeted Chromium extension ID (Trust Wallet).
    • hnfanknocfeofbddgcijnmhnfnkdnaad - Targeted Chromium extension ID (Coinbase Wallet).