Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 1)

2025-10-20 Ransom ISAC

https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-3/


Ransom-ISAC and Bridewell examined infrastructure from a suspected DPRK-linked cryptocurrency and data theft attempt that began with a weaponized private GitHub repository and used blockchain-based command-and-control. The intrusion involved a Python dropper using an HTTP API C2 channel over port 27017 and a Loader/RAT using HTTP API and socket.io channels over ports 27017 and 443. Four C2 IPs were tied to the activity: 23.27.20[.]143, 136.0.9[.]8, 166.88.4[.]2, and 23.27.202[.]27, which shared traits such as EmbedIO/3.5.2 server headers, unusual cache-control headers, and specific keep-alive behavior. The infrastructure fingerprinting is useful because these rare service configurations and port choices can help defenders cluster related activity without relying solely on earlier attribution assumptions.
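One way to turn the shared service traits above into a clustering check over banner-scan output, as an added example that is not code from Ransom-ISAC or Bridewell: the banners are constructed, and the Cache-Control and Keep-Alive values are placeholders because the summary does not state the actual values observed.

```python
from collections import defaultdict

# Constructed sample banner-scan records (illustrative, not real captures).
# The four C2 IPs, port 27017 and the EmbedIO/3.5.2 Server header come from
# the write-up; the Cache-Control and Keep-Alive values are placeholders
# because the summary does not print the actual values it observed.
C2_BANNER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: EmbedIO/3.5.2\r\n"
    "Cache-Control: PLACEHOLDER-UNUSUAL-VALUE\r\n"
    "Keep-Alive: PLACEHOLDER-TIMEOUT\r\n"
    "Content-Type: application/json\r\n\r\n{}"
)
SCAN_RECORDS = [
    ("23.27.20.143", 27017, C2_BANNER),
    ("136.0.9.8", 27017, C2_BANNER),
    ("166.88.4.2", 27017, C2_BANNER),
    ("23.27.202.27", 27017, C2_BANNER),
    # Unrelated hosts (documentation ranges) that must not cluster with the above.
    ("198.51.100.7", 443, "HTTP/1.1 200 OK\r\nServer: nginx\r\nCache-Control: no-cache\r\n\r\n"),
    ("203.0.113.9", 8080, "HTTP/1.1 200 OK\r\nServer: EmbedIO/3.5.2\r\nCache-Control: no-cache\r\n\r\n"),
]

def parse_headers(banner):
    """Return response headers as a lower-cased dict; status line and body are ignored."""
    head = banner.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def fingerprint(port, banner):
    """Port plus the rare header traits; this tuple is the clustering key."""
    h = parse_headers(banner)
    return (port, h.get("server"), h.get("cache-control"), h.get("keep-alive"))

def cluster_by_fingerprint(records):
    """Group IPs whose fingerprint tuples are identical."""
    clusters = defaultdict(list)
    for ip, port, banner in records:
        clusters[fingerprint(port, banner)].append(ip)
    return dict(clusters)

def matches_reported_traits(port, banner):
    """Hunting predicate for the traits named above: EmbedIO/3.5.2 on 27017 or 443."""
    return port in (27017, 443) and parse_headers(banner).get("server") == "EmbedIO/3.5.2"
```

Hosts that share every trait land in one cluster; a host that only matches the Server header (the 8080 record) is kept separate, which is the point of combining several rare traits rather than keying on one.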

Indicators of Compromise

