Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 2)

2025-10-27 Ransom ISAC

https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-2/


Ransom-ISAC analyzed a suspected DPRK-affiliated campaign that used a weaponized private GitHub repository to compromise cryptocurrency and developer environments. The attack chain combined DEV#POPPER.js, a cross-platform JavaScript payload, with OmniStealer, a Python stealer targeting wallets, private keys, browser credentials, development secrets, and source code. The key technique is Cross-Chain TxDataHiding: the malware queried TRON or Aptos transaction data to recover a BSC transaction hash, then fetched that transaction from Binance Smart Chain and read the encrypted payload out of its input data field. Because the command data lives in immutable, publicly replicated chain state reached through ordinary public RPC endpoints, with alternative lookup paths (TRON or Aptos) as backups, this multi-chain design resists takedown and blends into legitimate traffic, which complicates detection.
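The retrieval chain above, modelled offline as an added example (this is not code from the report or from the malware). It parses a constructed TronGrid-style account-transactions response for a 64-hex BSC transaction hash carried in a transfer memo, recovers the raw bytes from the `input` field of a constructed `eth_getTransactionByHash` JSON-RPC response, and runs a detection heuristic over constructed proxy log lines that flags hosts contacting a TRON/Aptos API and a BSC RPC endpoint in quick succession. The memo encoding, the log line format and the payload bytes are assumptions of the example; the report says the payload is encrypted and no cipher is modelled here.

```python
"""Offline model of Cross-Chain TxDataHiding retrieval plus a log-based detection heuristic.
Added example: JSON shapes follow public TronGrid / BSC JSON-RPC responses in outline only."""
import json
import re
from datetime import datetime, timedelta

# Endpoints named in the report's IoC table. They are legitimate public services, so they
# serve as detection context here, not as blocklist entries.
LOOKUP_HOSTS = {"api.trongrid.io", "fullnode.mainnet.aptoslabs.com"}
BSC_RPC_HOSTS = {"bsc-dataseed.binance.org", "bsc-rpc.publicnode.com"}

HEX64_RE = re.compile(r"\b(?:0x)?([0-9a-fA-F]{64})\b")


def tron_memo_to_text(raw_data_hex: str) -> str:
    """TronGrid exposes a TRX transfer memo as hex in raw_data.data; decode it to text."""
    return bytes.fromhex(raw_data_hex).decode("utf-8", errors="replace")


def bsc_hashes_from_tron(response_json: str) -> list[str]:
    """Stage 1: collect every 64-hex candidate (a BSC tx hash) from the memos in a TronGrid
    account-transactions response. Placing the hash in the memo is this example's assumption."""
    body = json.loads(response_json)
    found = []
    for tx in body.get("data", []):
        memo_hex = tx.get("raw_data", {}).get("data", "")
        if memo_hex:
            found.extend("0x" + h.lower() for h in HEX64_RE.findall(tron_memo_to_text(memo_hex)))
    return found


def payload_from_bsc_tx(rpc_response_json: str) -> bytes:
    """Stage 2: return the bytes hidden in `input` of a BSC transaction as returned by
    eth_getTransactionByHash. A plain BNB transfer has input "0x", so a non-empty input on a
    transfer to a non-contract address is itself a tell."""
    result = json.loads(rpc_response_json).get("result") or {}
    data = result.get("input", "0x")
    return bytes.fromhex(data[2:] if data.startswith("0x") else data)


def flag_cross_chain_lookups(log_lines: list[str], window_s: int = 60) -> set[str]:
    """Stage 3 (detection): hosts that query a TRON/Aptos API and then a BSC RPC endpoint
    within `window_s` seconds. Constructed log format: '<ISO time> <src host> <dst domain>'."""
    events = sorted(
        (datetime.fromisoformat(ts), src, dst)
        for ts, src, dst in (line.split() for line in log_lines)
    )
    flagged, last_lookup = set(), {}
    for ts, src, dst in events:
        if dst in LOOKUP_HOSTS:
            last_lookup[src] = ts
        elif dst in BSC_RPC_HOSTS and src in last_lookup:
            if ts - last_lookup[src] <= timedelta(seconds=window_s):
                flagged.add(src)
    return flagged


# --- constructed sample inputs (not captured data) ---
STAGED_HASH = "0x" + "9f" * 32
TRON_SAMPLE = json.dumps({"data": [
    {"txID": "a1" * 32, "raw_data": {"data": ("bsc:" + STAGED_HASH).encode().hex()}},
    {"txID": "b2" * 32, "raw_data": {}},  # ordinary transfer, no memo
]})
HIDDEN_BYTES = bytes(range(0x20, 0x40))  # stand-in for the encrypted blob
BSC_SAMPLE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {
    "hash": STAGED_HASH, "to": "0x" + "11" * 20, "value": "0x0",
    "input": "0x" + HIDDEN_BYTES.hex()}})
SAMPLE_LOG = [
    "2025-10-27T10:00:00 ws-17 api.trongrid.io",
    "2025-10-27T10:00:03 ws-17 bsc-dataseed.binance.org",   # lookup then fetch: flagged
    "2025-10-27T10:05:00 ws-22 bsc-rpc.publicnode.com",     # BSC only: normal dev traffic
    "2025-10-27T11:00:00 ws-31 fullnode.mainnet.aptoslabs.com",
    "2025-10-27T11:30:00 ws-31 bsc-rpc.publicnode.com",     # 30 min apart: outside window
]

if __name__ == "__main__":
    print("staged hashes:", bsc_hashes_from_tron(TRON_SAMPLE))
    print("hidden bytes:", len(payload_from_bsc_tx(BSC_SAMPLE)))
    print("flagged hosts:", flag_cross_chain_lookups(SAMPLE_LOG))
```

The 60-second window is a tuning knob: the two lookups happen back to back in the described chain, so a tight window keeps developers who legitimately use both ecosystems from being flagged, at the cost of missing a sample that sleeps between stages.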

Indicators of Compromise

Several entries below are legitimate public services that the malware merely queried: the TRON, Aptos and BSC RPC endpoints, ip-api.com (geolocation), and bootstrap.pypa.io (pip bootstrap). Treat those as hunting context rather than blocklist entries; blocking them outright will break ordinary developer tooling. Truncated values are shown as published.

Type    Value                               First Seen  Last Seen
IPv4    23.27.202.27                        2025-10-20  2026-06-12
DOMAIN  api.trongrid.io                     2025-10-27  2026-05-31
DOMAIN  fullnode.mainnet.aptoslabs.com      2025-10-27  2026-05-31
IPv4    23.27.20.143                        2025-10-20  2026-04-21
IPv4    136.0.9.8                           2025-10-20  2026-04-21
IPv4    166.88.4.2                          2025-10-20  2026-04-21
DOMAIN  bsc-dataseed.binance.org            2025-10-27  2026-04-11
DOMAIN  bsc-rpc.publicnode.com              2025-10-27  2026-04-11
DOMAIN  ip-api.com                          2022-11-14  2026-01-21
URL     http://ip-api.com/json              2024-07-31  2026-01-20
URL     https://bsc-dataseed.binance.org    2025-10-27  2026-01-14
HASH    f3c46284d1f89f33427b332a7b93571…    2025-10-27  2025-11-13
HASH    16df15306f966ae5c5184901747a320…    2025-10-27  2025-11-13
URL     https://api.trongrid.io/v1/acco…    2025-10-27  2025-11-13
YARA    Actor_APT_DPRK_Unknown_MAL_Indi…    2025-10-27  2025-10-27
YARA    Actor_APT_DPRK_Unknown_MAL_Scri…    2025-10-27  2025-10-27
YARA    Actor_APT_DPRK_Unknown_MAL_Scri…    2025-10-27  2025-10-27
YARA    Actor_APT_DPRK_Unknown_MAL_Scri…    2025-10-27  2025-10-27
YARA    Actor_APT_DPRK_Unknown_MAL_Scri…    2025-10-27  2025-10-27
HASH    7a62286e68d879b45da710e1daa4959…    2025-10-27  2025-10-27
HASH    be037400670fbf1c32364f762975908…    2025-10-27  2025-10-27
HASH    3f0e5781d0855fb460661ac63257376…    2025-10-27  2025-10-27
HASH    d33f78662df123adf2a178628980b60…    2025-10-27  2025-10-27
HASH    ce47fef68059f569d00dd6a56a61aa9…    2025-10-27  2025-10-27
HASH    3414a658f13b652f24301e986f9e007…    2025-10-27  2025-10-27
HASH    8c0233a07662934977d1c5c29b930f4…    2025-10-27  2025-10-27
HASH    a8cdabea3616a6d43e0893322112f9d…    2025-10-27  2025-10-27
HASH    ee3cc7c6bd58113f4a654c74052d252…    2025-10-27  2025-10-27
HASH    f46c86c886bbf9915f4841a8c27b38c…    2025-10-27  2025-10-27
EMAIL   [email protected]                   2025-10-27  2025-10-27
DOMAIN  bootstrap.pypa.io                   2025-10-27  2025-10-27
HASH    be21bf4ad94c394202e7b52a1b461ed…    2025-10-20  2025-10-27
HASH    236ff897dee7d21319482cd67815bd2…    2025-10-20  2025-10-27
HASH    742016f01fa89be4d43916d5d2349c8…    2025-10-20  2025-10-27
HASH    a7d7075e866132b8e8eb87265f7b7fa…    2025-10-20  2025-10-27
HASH    eefe39fe88e75b37babb37c7379d1ec…    2025-10-20  2025-10-27
