WAVESHAPER
WAVESHAPER is a C++ backdoor associated in the provided reporting with UNC1069, a suspected DPRK/North Korea-linked and financially motivated threat actor. It has been described as targeting macOS and Linux, and related reporting also references an updated WAVESHAPER.V2 used in a 2026 npm supply-chain compromise affecting the Axios package. In the cryptocurrency-focused intrusions attributed to UNC1069, WAVESHAPER was deployed after social-engineering lures involving fake Zoom or Teams meetings, deepfake video, and ClickFix-style troubleshooting commands. In the Axios incident, a malicious dependency (plain-crypto-js) used a postinstall hook to drop a macOS Mach-O payload overlapping with WAVESHAPER; reporting also describes WAVESHAPER.V2 as a cross-platform backdoor family affecting Windows, macOS, and Linux.
High-confidence behavior described in the content includes running as a background daemon, collecting host/system information, communicating with command-and-control over HTTP or HTTPS using the curl library, and downloading and executing follow-on payloads. Reporting states it accepts the C2 URL dynamically via command-line arguments and, in the WAVESHAPER.V2 evolution, beaconed every 60 seconds, used Base64-encoded JSON over HTTP POST, and supported commands including kill, rundir, runscript, and peinject. The malware is repeatedly described as an entry-point backdoor used to deploy additional UNC1069 tooling, including HYPERCALL, and in broader intrusion chains alongside DEEPBREATH, SUGARLOADER, and CHROMEPUSH for persistent compromise and data theft.
Observed infection vectors in the content include fake meeting/social-engineering chains against cryptocurrency and Web3 targets, and software supply-chain delivery via trojanized npm packages. Targeting described in the content includes cryptocurrency companies, DeFi and Web3 organizations, software developers, venture capital personnel, and downstream users of the compromised Axios package across multiple sectors and regions. Indicators and artifacts directly mentioned in the content include C2 domain sfrclak[.]com, IP 142.11.206[.]73, related IOC callnrwise[.]com, and macOS artifact /Library/Caches/com.apple.act.mond, which was specifically associated with the Axios-delivered Mach-O payload overlapping with WAVESHAPER.
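As an added hunt helper (not code from this page, from Mallory, or from any vendor report), the following Python checks an npm lockfile for the compromised axios releases and the plain-crypto-js dependency named above, and checks the host for the platform artifact paths the reporting lists; it assumes the npm lockfileVersion 2/3 layout, and the sample lockfile is constructed.

```python
# Added hunt helper (not code from the page, Mallory, or any vendor): flags the
# compromised axios releases and the plain-crypto-js dependency in an npm
# lockfile, and checks for the host artifact paths the reporting names.
# Assumes npm lockfileVersion 2/3 layout ("packages" keyed by node_modules path).
import json
import os
import platform

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}   # versions named in the reporting
MALICIOUS_DEPENDENCY = "plain-crypto-js"

# Platform artifact paths from the reporting, keyed by platform.system() values.
ARTIFACTS = {
    "Darwin": ["/Library/Caches/com.apple.act.mond"],
    "Linux": ["/tmp/ld.py"],
    "Windows": [os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "wt.exe")],
}

def scan_lockfile(lock_text: str) -> list[str]:
    """Return findings for a package-lock.json string; an empty list means clean."""
    findings = []
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        # "" is the root project; nested entries end in node_modules/<name>.
        name = path.rsplit("node_modules/", 1)[-1] if path else lock.get("name", "")
        version = meta.get("version", "")
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append(f"{path}: axios {version} is a compromised release")
        elif name == MALICIOUS_DEPENDENCY:
            findings.append(f"{path}: malicious dependency {name} {version}")
    return findings

def check_artifacts(system: str = platform.system(), exists=os.path.exists) -> list[str]:
    """Return the reported artifact paths that exist on this host."""
    return [p for p in ARTIFACTS.get(system, []) if exists(p)]

# Constructed sample lockfile (not a real project); the 0.0.1 version is made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/axios/node_modules/plain-crypto-js": {"version": "0.0.1"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})

if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK) + check_artifacts():
        print("FINDING:", finding)
```

Point `scan_lockfile` at each project's package-lock.json and run `check_artifacts` on the hosts that installed the affected builds; a clean result does not rule out the credential theft the reporting describes, so rotate npm tokens regardless.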
Groups observed using it
2 distinct threat actors attributed by public researchers.
The goal was credential harvesting and financial theft, facilitated by multiple malware families including WAVESHAPER and SUGARLOADER... a fake error prompt tricked the maintainer into running an “update” that deployed WAVESHAPER.V2, giving the attackers the npm credentials needed to publish trojanized versions of axios.
Post lazarusholic lazarusholic.bsky.social ... "Lazarus Group Poisons Axios: Inside the npm Supply Chain Attack" published by ThreatBook. #Axios, #Lazarus, #NPM, #SupplyChain, #WAVESHAPER, #DPRK, #CTI
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
With that access, publishing a malicious package to npm requires no additional authentication bypass.
GTIG said it was monitoring an “active software supply chain attack” targeting Axios... They tried to introduce a malicious dependency named "plain-crypto-js"
The axios npm compromise (March 30-31, malicious versions 1.14.1 and 0.30.4) has received formal attribution.
Execution
5 techniques
Elastic Security Labs published a detailed analysis identifying the macOS Mach-O binary payload as overlapping with WAVESHAPER, a C++ backdoor that Mandiant attributes to UNC1069... Recommended action: Organizations that installed axios v1.14.1 or v0.30.4 should check for platform-specific IOCs: macOS (/Library/Caches/com.apple.act.mond), Windows (%PROGRAMDATA%\wt.exe), Linux (/tmp/ld.py). Block C2 domain sfrclak[.]com...
At that point, the victim is prompted to fix the issue, either by clicking a link that downloads a malicious AppleScript or by running a command pasted into the terminal.
The axios npm compromise (March 30-31, malicious versions 1.14.1 and 0.30.4)... Elastic Security Labs published a detailed analysis identifying the macOS Mach-O binary payload as overlapping with WAVESHAPER
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
3 techniques
Every artifact was designed to self-destruct... The dropper contacts a live command-and-control server... then erases itself and replaces its own package.json with a clean decoy.
Credential Access
2 techniques
The goal was credential harvesting and financial theft, facilitated by multiple malware families including WAVESHAPER and SUGARLOADER.
The malware can exfiltrate .npmrc tokens, browser session cookies, AWS credentials, keychain contents, and anything else stored on the machine.
Discovery
3 techniques
Capabilities include reconnaissance (system info, running processes), directory enumeration, script execution, and PE injection.
The malware was designed to perform reconnaissance... WAVESHAPER also... collects the returned system information, which is sent to the C2 server in an HTTP POST request.
Collection
1 technique
Command and Control
4 techniques
Block C2 domain sfrclak[.]com and IP 142.11.206[.]73.
Recommended action: Organizations that installed axios v1.14.1 or v0.30.4 should check for platform-specific IOCs... Block C2 domain sfrclak[.]com and IP 142.11.206[.]73.
The dropper queries the operating system and sends an HTTP POST request to a command-and-control (C2) server at sfrclak[.]com:8000... The C2 server delivers a different payload depending on the victim's operating system.
Google described WAVESHAPER.V2 as a “fully functional RAT”, capable of reconnaissance, command execution... and system enumeration
Other
1 technique
IOCs tracked for this family
13 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
19 sources tracked across advisories, community write-ups, and news.
A backdoor used for deep, persistent compromise of individual machines.
Used in UNC1069 social engineering operations to harvest credentials and enable financial theft; in this case it was deployed via a fake update prompt during a Teams call and stole npm credentials.
A C++ backdoor previously reported in operations linked to DPRK activity. It communicates with a C2 server over HTTP/HTTPS, can download and execute arbitrary payloads, runs as a background daemon, and sends collected system information to the C2.
A macOS and Linux C++ backdoor previously attributed to UNC1069 and used in attacks targeting the cryptocurrency sector. The article describes WAVESHAPER.V2 as its updated successor, noting the original used a lightweight raw binary C2 protocol and code packing.