Malware Found in Trending Hugging Face Repository

SOC Prime Team

Malware Found in Trending Hugging Face Repository

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

HiddenLayer researchers discovered malicious code hosted in the Hugging Face repository Open-OSS/privacy-filter that mimics a legitimate OpenAI project. The repo contained a loader.py script that fetched a PowerShell command from jsonkeeper.com, which downloaded a second‑stage batch file and a Rust‑based infostealer. The payload exfiltrates credentials, browser data, cryptocurrency wallet files and screenshots, then self‑deletes after a one‑shot scheduled task execution.

Investigation

The analysis identified six stages from the initial lure to the final Rust infostealer, including a hidden PowerShell execution, a downloader that retrieves update.bat from api.eth-fastscan.org, and a batch file that creates a temporary runner script and a transient scheduled task. Network traffic was observed to a C2 domain recargapopular.com and a related domain welovechinatown.info. Multiple Hugging Face repositories under the user anthfu were found reusing the same loader and C2 URL.

Mitigation

Block the listed malicious domains and URLs at the network perimeter, and disable execution of unsigned PowerShell scripts on endpoints. Remove any files downloaded from the compromised repositories and revoke any credentials that may have been harvested. Implement strict monitoring for the creation of suspicious scheduled tasks and for abnormal PowerShell command lines.

Response

Isolate any host that executed the loader or start.bat, treat it as fully compromised and rebuild the system. Rotate all stored passwords, session cookies, OAuth tokens and cryptocurrency wallet credentials. Hunt for historic connections to the malicious domains and for the presence of the indicated file paths and scheduled task names.

"graph TB %% Class Definitions classDef action fill:#99ccff classDef tool fill:#cccccc classDef file fill:#ffcc99 classDef process fill:#ff9966 classDef malware fill:#ff6666 classDef credential fill:#ccffcc classDef exfil fill:#c0c0c0 classDef operator fill:#ff9900 %% Node definitions malicious_repo["Resource – Hugging Face Repository Contains malicious start.bat and loader.py"] class malicious_repo file action_user_execution_link["Action – T1204.001 User Execution: Malicious Link Victim clicks a link to the malicious repository"] class action_user_execution_link action file_start_bat["File – start.bat Batch script invoked by the victim"] class file_start_bat file file_loader_py["File – loader.py Python loader that verifies checksum and disables SSL verification"] class file_loader_py file action_user_execution_file["Action – T1204.002 User Execution: Malicious File Victim runs loader.py"] class action_user_execution_file action action_proxy_execution["Action – T1127 Trusted Developer Utilities Proxy Execution loader.py launches PowerShell with bypass and hidden window"] class action_proxy_execution action process_powershell["Process – PowerShell Executes remote command line"] class process_powershell process action_taint_shared_content["Action – T1080 Taint Shared Content PowerShell oneu2011liner downloads update.bat from api.ethu2011fastscan.org"] class action_taint_shared_content action file_update_bat["File – update.bat Batch script that adds Defender exclusions and creates scheduled task"] class file_update_bat file action_hide_artifacts["Action – T1564.012 Hide Artifacts: File/Path Exclusions Adds Microsoft Defender exclusions for payload files"] class action_hide_artifacts action action_hijack_execution["Action – T1574 Hijack Execution Flow Creates oneu2011shot scheduled task MicrosoftEdgeUpdateTaskCore to run payload as SYSTEM"] class action_hijack_execution action process_scheduled_task["Process – Scheduled Task Runs Rust payload with SYSTEM privileges"] class process_scheduled_task process malware_rust_payload["Malware – Rust Payload Performs antiu2011analysis checks and disables AMSI/ETW"] class malware_rust_payload malware action_credential_collection["Action – T1555 Credentials from Password Stores Infostealer extracts Chromium, Firefox, Discord and wallet credentials"] class action_credential_collection credential action_credential_files["Action – T1552.001 Unsecured Credentials: Credentials In Files Collects SSH, FTP, VPN and wallet seed files"] class action_credential_files credential action_os_credential_dump["Action – T1003 OS Credential Dumping Retrieves encrypted browser keys"] class action_os_credential_dump credential action_screen_capture["Action – T1113 Screen Capture Captures screenshots from multiple monitors"] class action_screen_capture malware action_data_encoding["Action – T1132 Data Encoding Packages data into gzip compressed JSON"] class action_data_encoding malware action_exfiltration["Action – T1567.002 Exfiltration Over Web Service Posts encoded data via HTTPS to recargapopular.com"] class action_exfiltration exfil %% Connections malicious_repo –>|contains| file_start_bat malicious_repo –>|contains| file_loader_py action_user_execution_link –>|leads_to| file_start_bat action_user_execution_link –>|leads_to| file_loader_py file_start_bat –>|executed_by| action_user_execution_file file_loader_py –>|executed_by| action_user_execution_file action_user_execution_file –>|triggers| action_proxy_execution action_proxy_execution –>|launches| process_powershell process_powershell –>|downloads| file_update_bat file_update_bat –>|executes| action_hide_artifacts action_hide_artifacts –>|creates| action_hijack_execution action_hijack_execution –>|spawns| process_scheduled_task process_scheduled_task –>|runs| malware_rust_payload malware_rust_payload –>|performs| action_credential_collection malware_rust_payload –>|performs| action_credential_files malware_rust_payload –>|performs| action_os_credential_dump malware_rust_payload –>|performs| action_screen_capture malware_rust_payload –>|encodes| action_data_encoding action_data_encoding –>|exfiltrates| action_exfiltration "

Attack Flow

Attack Narrative & Commands:
The attacker has obtained a foothold on a Windows workstation and wishes to execute a malicious payload with elevated rights while remaining invisible to the user. They:
1. Craft a PowerShell one‑liner that spawns a hidden CMD shell (/k) and immediately escalates it using Start-Process -Verb RunAs.
2. Execute this one‑liner from an existing PowerShell session, ensuring the process tree contains both a hidden PowerShell instance and a CMD instance launched with /k.
3. The elevated CMD can then be used to download and execute the final payload.

Regression Test Script:

# ---------------------------------------------------------
# Simulated adversary script – Hidden PowerShell + RunAs CMD
# ---------------------------------------------------------
$maliciousCmd = "cmd.exe /k echo Attacker has escalated && ping -n 5 127.0.0.1"
$psCommand   = "-ExecutionPolicy Bypass -WindowStyle Hidden -Command `"Start-Process -FilePath 'powershell.exe' -ArgumentList `"$maliciousCmd`" -Verb RunAs`""
# Launch hidden PowerShell that in turn runs the elevated CMD
Start-Process -FilePath "powershell.exe" -ArgumentList $psCommand -WindowStyle Hidden

Cleanup Commands:

# Terminate any lingering elevated CMD processes spawned by the test
Get-Process -Name "cmd" -ErrorAction SilentlyContinue | Where-Object {
    $_.StartInfo.Arguments -match "/k echo Attacker has escalated"
} | Stop-Process -Force

# Optionally remove any temporary files if created (none in this simple demo)

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free