1inch-analysis.app — A DPRK Trojan Horse
2025-03-27 • pcaversaccio
https://hackmd.io/@pcaversaccio/1inch-analysis-app-a-dprk-trojan-horse
Paolo Caversaccio analyzed `1inch-analysis.app`, a malicious macOS bundle sent to 1inch cofounder Anton Bukov by the fake security researcher persona Nick L. Franklin. The source attributes the incident with high confidence to the AppleJeus/Citrine Sleet/UNC4736 DPRK cluster, while noting that the original payload URLs had already been removed. Static analysis found a React Native application that contacted `shelfai.io/api/config`, fetched remote configuration and image resources, wrote files into a temporary path, and executed them through native file utilities. The report documents the bundle structure, file hashes, and ShelfAI-themed masquerade used to deliver the suspected macOS payload.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| HASH | 9d116e406f081c0fc6b1cf2c5f1a993… | 2025-03-27 | 2025-03-27 |
| HASH | ee42e36fc2a430e6b254fd7d6c98929… | 2025-03-27 | 2025-03-27 |
| HASH | c6777d3fee8540002b9cf4c1df8b809… | 2025-03-27 | 2025-03-27 |
| HASH | 563a67f8bb12f1bce73b550b0d89ea6… | 2025-03-27 | 2025-03-27 |
| HASH | bacc6033221e91e5f14585574e8aabc0 | 2025-03-27 | 2025-03-27 |
| HASH | f67ae16fa55346f5f0114ec7471c63a9 | 2025-03-27 | 2025-03-27 |
| URL | https://shelfai.io/api/img/fdsa… | 2025-03-27 | 2025-03-27 |
| URL | https://shelfai.io/api/config | 2025-03-27 | 2025-03-27 |
| URL | https://shelfai.io/api/img/1inc… | 2025-03-27 | 2025-03-27 |
| DOMAIN | shelfai.io | 2025-03-27 | 2025-03-27 |