Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareUsed by 1 actor

OmniStealer

OmniStealer is an information-stealing malware family linked in the provided reporting to DPRK/North Korea activity, including Famous Chollima and broader Void Dokkaebi/Contagious Interview-style operations. The content associates OmniStealer with campaigns targeting developers through social-engineering lures such as fake job offers and developer tasks, including weaponized Node.js projects hosted on GitHub and software supply-chain compromises affecting developer workflows.

In the cited reporting, OmniStealer is not described as the visible first-stage loader itself, but as a payload delivered by multistage JavaScript/Node.js loaders. Those loaders were observed hidden in development artifacts such as appended obfuscated JavaScript in tailwind.js within the Packagist dev release dev-drewroberts/feature/test-case of the legitimate roberts/leads package, and in broader compromised repositories that also used malicious .vscode/tasks.json files. The loaders retrieved encrypted payload material from public blockchain infrastructure including TRON, Aptos, and BNB Smart Chain, decrypted it with embedded XOR keys, and executed it via eval(); they could also spawn detached hidden Node.js child processes with windowsHide set to true. Reporting states this blockchain dead-drop infrastructure and campaign marker global['!']='9-0264-2' overlap with prior DPRK-linked malware delivery involving DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads.

The content explicitly identifies OmniStealer as an information stealer. While the local loader in the Packagist case did not directly exfiltrate files or credentials, the delivered payloads were described as capable of accessing process.env, local files, Git metadata, network APIs, and child-process execution; additional reporting notes remote payload access to environment variables containing cloud credentials and CI secrets, local files such as .env files and SSH keys, stored tokens, and the ability to execute additional processes. OmniStealer is repeatedly grouped with other DPRK-linked malware families including DEV#POPPER, BeaverTail, InvisibleFerret, and OtterCookie.

High-confidence indicators and contextual artifacts from the associated delivery infrastructure in the content include the campaign marker global['!']='9-0264-2' / global['_V']='A9-0264-2'; TRON wallet addresses TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG; Aptos identifiers 0xbe037400670fbf1c32364f762975908dc43eeb38759263e7dfcdabc76380811e and 0x3f0e5781d0855fb460661ac63257376db1941b2bb522499e4757ecb3ebd5dce3; XOR keys 2[gWfGj;<:-93Z^C and m6:tTh^D)cBz?NM]; malicious branch commit 6c5c3c7655ce76399af11126b7e9a9058eb2e45d; archive SHA-256 522b28a2f78771715497ba53729d4ab9a50e982322c391379f3bddf7c8cb363f; and tailwind.js SHA-256 96afdba882046385242cbed46871e41147c8055c5d9eff7460847b2c01a77dc3. The content does not provide a standalone technical breakdown of OmniStealer internals beyond its role as a DPRK-linked information stealer delivered in these campaigns.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Contagious Interview

In prior reports using the same blockchain-C2 infrastructure and overlapping wallet addresses, the loader ultimately delivered DPRK-linked malware including DEV#POPPER RAT, OmniStealer, and BeaverTail-family payloads.

via socket blogsocket.dev
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583Acquire InfrastructureEvidence1

Contagious Interview ... approaches prospective targets and tricks them into executing malicious code from a fake repository as part of an assessment. Some of these efforts have used weaponized Node.js projects hosted on GitHub.

Initial Access

3 techniques
T1189Drive-by CompromiseEvidence1

Contagious Interview ... tricks them into executing malicious code from a fake repository as part of an assessment.

T1195Supply Chain CompromiseEvidence2

A well-known North Korean threat actor has been caught hiding malware inside a legitimate PHP package available through Packagist... The package itself belongs to a legitimate maintainer named Drew Roberts, suggesting either a branch-level compromise or a poisoned workflow injection rather than a wholly fabricated fake package.

T1195.002Compromise Software Supply ChainEvidence1

MITRE ATT&CK # T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain

Execution

5 techniques
T1059Command and Scripting InterpreterEvidence1

It can also quietly launch a second hidden process in the background using child_process.spawn() with the windowsHide flag set to true, keeping everything out of sight on Windows systems.

T1059.007JavaScriptEvidence3

MITRE ATT&CK # T1059.007 — Command and Scripting Interpreter: JavaScript

T1127Trusted Developer Utilities Proxy ExecutionEvidence1

The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.

T1204User ExecutionEvidence1

Contagious Interview ... tricks them into executing malicious code from a fake repository as part of an assessment.

T1204.002Malicious FileEvidence1

MITRE ATT&CK # T1204.002 — User Execution: Malicious File

Stealth

3 techniques
T1027Obfuscated Files or InformationEvidence2

The appended JavaScript is obfuscated and reconstructs its real behavior at runtime... A large whitespace gap hides the malicious payload after the legitimate Tailwind configuration, making it easy to miss in code review.

T1127Trusted Developer Utilities Proxy ExecutionEvidence1

The malware sits quietly inside what looks like a standard Tailwind CSS configuration file... Once that obfuscated code runs, it quietly transforms into a full JavaScript malware loader operating inside Node.js.

T1140Deobfuscate/Decode Files or InformationEvidence1

The loader uses hardcoded XOR keys to decrypt the material it retrieves and then runs the result directly inside Node.js using eval().

Credential Access

1 technique
T1649Steal or Forge Authentication CertificatesEvidence1

the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys, access stored tokens

Collection

1 technique
T1005Data from Local SystemEvidence1

the delivered malware can read environment variables holding cloud credentials and CI secrets, grab local files such as .env files and SSH keys

Command and Control

2 techniques
T1102.001Dead Drop ResolverEvidence2

MITRE ATT&CK # T1102.001 — Web Service: Dead Drop Resolver

T1105Ingress Tool TransferEvidence2

MITRE ATT&CK # T1105 — Ingress Tool Transfer

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
5 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
2 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting
hash.sha256●●●●●●●●●●●●View more in app21 days ago
hash.sha256●●●●●●●●●●●●View more in app21 days ago
hash.sha256●●●●●●●●●●●●View more in app21 days ago
hash.sha1●●●●●●●●●●●●View more in app21 days ago
hash.sha256●●●●●●●●●●●●View more in app21 days ago
domain●●●●●●●●●●●●View more in app22 days ago
ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
cyber security newsNews
Jun 1, 2026
Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package

Information-stealing malware associated with Famous Chollima and linked to this campaign through a known operation marker.

Read more
socket blogNews
May 31, 2026
Famous Chollima Targets PHP Developers Through Compromised P...

A DPRK-linked stealer payload associated with the same blockchain dead-drop loader chain referenced in the report.

Read more
lazarusholic blueskyNews
May 18, 2026
Post by @lazarusholic.bsky.social - Bluesky

Named malware/tool referenced in connection with Contagious Interview via hashtags; no further behavior is described in the provided content.

Read more
trend micro researchNews
Apr 21, 2026
Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories | Trend Micro (US)

Named as part of the threat actor's malware toolset that can be delivered through the blockchain-based staging mechanism.

Read more
+3 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching9

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping15

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.