Koalemos

the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package to trigger malware execution.

Another variant of the intrusion set documented by Panther is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader.

The malicious phase of the attack kicks in when individuals presenting themselves as recruiters and hiring managers instruct targets to complete a skill assessment that eventually leads to them executing malicious code.

using malicious Microsoft VS Code task files to execute JavaScript malware disguised as web fonts

the threat actors are said to have asked candidates to clone a GitHub repository and run commands to install an npm package to trigger malware execution.

The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process.

It supports 12 different commands to conduct filesystem operations, transfer files, run discovery instructions (e.g., whoami), and execute arbitrary code.

Koalemos performs system fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.

It supports 12 different commands to conduct filesystem operations, transfer files, run discovery instructions (e.g., whoami), and execute arbitrary code.

The initial loader performs DNS-based execution gating and engagement date validation before downloading and spawning the RAT module as a detached process.

The end goal of these efforts is two-pronged: to generate a steady revenue stream to fund the nation's weapons programs, conduct espionage by stealing sensitive data

The RAT is designed to enter a beacon loop to retrieve tasks from an external server, execute them, send encrypted responses, and sleep for a random time interval before repeating again.

Running the setup process resulted in malware being downloaded and executed on the victim's system, giving the attackers a foothold in the victim's machine.

Another variant of the intrusion set documented by Panther is suspected to involve the use of malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework dubbed Koalemos via a loader.

Koalemos performs system fingerprinting, establishes encrypted command-and-control communications, and provides full remote access capabilities.