
Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Oct 31, 2023 | Newsroom | Software Security / Malware

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager that use a lesser-known method for malware deployment.

Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, and linked it to a host of rogue NuGet packages that were observed delivering a remote access trojan called SeroXen RAT.

"The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News.


The names of some of the packages are listed below:

  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken.Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API

These packages, which span several versions, imitate popular packages and abuse NuGet's MSBuild integration, specifically a feature known as inline tasks (C# or VB code embedded in a package's .targets or .props file that MSBuild compiles and runs during the build), to implant malicious code on their victims and achieve code execution.

"This is the first known example of malware published to the NuGet repository exploiting this inline tasks feature to execute malware," Zanki said.

The now-removed packages exhibit similar characteristics in that the threat actors behind the operation attempted to conceal the malicious code by padding lines with spaces and tabs so that it sat beyond the default screen width of an editor or diff viewer.
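A defender-side check for the two traits described above (an inline task declared in a package's MSBuild file, and content pushed off-screen by long whitespace runs), written as an added example and not code from ReversingLabs or the article; the sample .targets content is constructed, and the 80-character whitespace threshold is an assumption you may tune:

```python
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample mimicking the technique: an inline task (code compiled and
# run by MSBuild at build time) plus a line hidden behind a long run of spaces.
# This is not the contents of any real package.
SAMPLE_TARGETS = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Init" TaskFactory="CodeTaskFactory">
    <Task>
      <Code Type="Fragment" Language="cs">System.Console.WriteLine("init");</Code>
    </Task>
  </UsingTask>
  <Target Name="Run" BeforeTargets="Build">""" + " " * 300 + """<Init />
  </Target>
</Project>
"""

# Task factories that compile and execute source embedded in the XML.
INLINE_FACTORIES = ("CodeTaskFactory", "RoslynCodeTaskFactory")
# 80+ spaces/tabs followed by real content: text pushed past a normal editor width.
WHITESPACE_RUN = re.compile(r"[ \t]{80,}\S")


def _local(tag):
    """Drop the MSBuild XML namespace so tags match with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def scan_msbuild_xml(text):
    """Return (rule, detail) findings for one .targets/.props file's text."""
    findings = []
    root = ET.fromstring(text)
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        has_code = any(_local(c.tag) == "Code" for c in el.iter())
        if factory in INLINE_FACTORIES or has_code:
            findings.append(("inline-task", el.get("TaskName", "?")))
    for lineno, line in enumerate(text.splitlines(), 1):
        if WHITESPACE_RUN.search(line):
            findings.append(("hidden-whitespace", "line %d" % lineno))
    return findings


def scan_nupkg(path):
    """A .nupkg is a zip archive: scan every .targets/.props file inside it."""
    results = {}
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.lower().endswith((".targets", ".props")):
                results[name] = scan_msbuild_xml(z.read(name).decode("utf-8-sig"))
    return results
```

Run `scan_nupkg` over packages restored into a build agent's cache, or wire `scan_msbuild_xml` into a pre-restore review step; an inline task in a dependency is rare enough to warrant manual inspection every time.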

As previously disclosed by Phylum, the packages also have artificially inflated download counts to make them appear more legitimate. The ultimate goal of the decoy packages is to act as a conduit for retrieving a second-stage .NET payload hosted on a throwaway GitHub repository.

"The threat actor behind this campaign is being careful and paying attention to details, and is determined to keep this malicious campaign alive and active," Zanki said.
