Needle

Needle is a crimeware-as-a-service / malware-as-a-service platform described as a crypto-stealer and broader theft framework. Reported capabilities include a browser wallet spoofer targeting MetaMask, Phantom, Trust Wallet, Coinbase Wallet, Rabby, Keplr, OKX Wallet, and Brave Wallet; a desktop wallet spoofer targeting Ledger, Trezor, Exodus, Atomic, Guarda, TonKeeper, Zelcore, and Coinomi; and theft across Ethereum, BSC, Polygon, Solana, Tron, Bitcoin, Litecoin, Dogecoin, Avalanche, Arbitrum, Optimism, and Base. Needle Core was reported to support password theft, cookie theft, credit card theft, autofill theft, token theft, browser history collection, extension data theft, browser key theft, FTP credential theft, Telegram session theft, wallet file theft, screenshots, system information collection, form grabbing, and clipboard hijacking. The platform also includes a builder system and launcher system for generating custom payloads with per-build API keys and configurable options, plus Telegram-integrated notifications using bot tokens and chat IDs for stealer logs, wallet spoofer hits, and panel events.

Needle has been linked to a Phorpiex/Trik delivery chain. In the documented campaign, a Phorpiex worm dropper downloaded seven payloads from 178.16.54[.]109, saved them to %TEMP% via URLDownloadToFileW, and executed them with ShellExecuteW. The dropper created %TEMP%\d3333333333333333333333.txt as an infection marker and checked IsDebuggerPresent before proceeding. Retrieved payloads included xmrget.exe, xmr.exe, peinf.exe, 1.exe, 2.exe, 3.exe, and 4.exe. xmrget.exe deployed XMRig as sysmgnrsv.exe and persisted via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Config; peinf.exe contained the string TWIZTPEINF and harvested files and installed-software paths for exfiltration; and 2.exe fetched credential batches from 130.12.180[.]190/2/ and sent sextortion spam through victim SMTP accounts. The operation also used a private Monero mining pool on 178.16.54[.]109:6060.

The platform exposes operator/customer web panels on TCP port 3000. Researchers identified a live Needle panel at 178.16.54[.]109:3000 and later mapped nine live Needle MaaS panels across multiple providers and ASNs. Common panel fingerprints included HTTP 200 on /, root HTML title "Needle," a Vite/React SPA bundle under /assets/index-<hash>.js, and a healthy /api/v2/health endpoint. Authenticated API routes included /api/v2/users, /api/v2/settings, and /api/v2/launcher/builds, using Bearer token authentication; client-side storage of localStorage["auth_token"] and CORS Access-Control-Allow-Origin: * were observed. Distinct bundle hashes and sizes across the nine panels indicated separately compiled multi-tenant deployments. The captured JavaScript bundles were specifically described as client-side operator-panel UI code rendering the browser-stealer panel UI, not the Phorpiex worm, wallet-drainer stage, or Monero miner payloads.

Needle infrastructure and indicators directly mentioned in the content include 178.16.54[.]109:3000 (panel), 178.16.55[.]234:3000 (panel), 193.24.123[.]23:3000, 94.26.83[.]82:3000, 95.179.181[.]208:3000, 45.151.106[.]204:3000, 144.31.151[.]223:3000, 130.12.180[.]135:3000, and 209.17.118[.]17:3000; the private Monero pool at 178.16.54[.]109:6060; and the spam coordination server at 130.12.180[.]190. Additional observables include the Phorpiex dropper SHA256 d55ec8ebbf308993bbb517f0281fe4296c8e9864e43ff51ba5e0b639b840b085, the XMRig miner SHA256 9639f7ebc6a6d69d7bf5b8bc869e7783a1406088f192868624ad8919e9bfd1d4, the Monero wallet 83h9mBvy1LL2qW6c2HeWczYVJQsFDF7RfVqDnaiSfFBdDcxfyJfWhRnZqZkY5chb5b6tmKZ1PPhuQbNgXggCdwTrMYWN8hi, and the sextortion Bitcoin wallet 1LK753UYyYXPcUthYTrxgnaGC8qxXN8ZUK. One social-media-referenced report additionally claimed Needle is written in Rust and that a plaintext embedded API key exposed access to 1,932 victims and the operator withdrawal configuration, but the provided content notes that this claim came only from a Reddit post preview rather than the underlying technical report.