Sefirah

The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.

A fake repository impersonating OpenAI’s Privacy Filter tool climbed to the top of Hugging Face’s trending list last week... Attackers cloned its documentation almost word-for-word, creating a mirror repository that looked credible enough to fool experienced developers at first glance.

followed by the creation of a scheduled task dressed up as a Microsoft Edge update to lock in SYSTEM-level persistence.

The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines.

The command, which is executed in an invisible window, downloads a batch file (start.bat) that performs privilege escalation, downloads the final payload (sefirah), adds it to Microsoft Defender's exclusions for it, and executes it.

The command, which is executed in an invisible window, downloads a batch file (start.bat) that performs privilege escalation, downloads the final payload (sefirah), adds it to Microsoft Defender's exclusions for it, and executes it.

Users who followed the repo’s setup instructions – cloning the project and running either start.bat on Windows or loader.py on Linux/macOS – kicked off a multi-stage infection chain.

followed by the creation of a scheduled task dressed up as a Microsoft Edge update to lock in SYSTEM-level persistence.

followed by the creation of a scheduled task dressed up as a Microsoft Edge update to lock in SYSTEM-level persistence.

Next came a Windows UAC prompt to grab admin rights

The ‘loader.py’ Python script included fake AI-related code to appear harmless, but in the background, it disabled SSL verification, decoded a base64 URL pointing to an external resource, and then fetched and executed a JSON payload containing a PowerShell command.

HiddenLayer highlights the malware’s extensive anti-analysis features, which include checks for virtual machines, sandboxes, debuggers, and analysis tools, all with the purpose of evading analysis systems.

Browser data: Saved passwords, credit cards, cookies, and autofill data from Chrome, Edge, Firefox, Brave, and any other Chromium or Gecko-based browser on the machine.

Developer credentials: SSH keys, FTP credentials (with specific attention to FileZilla), and VPN configs.

Browser data: Saved passwords, credit cards, cookies, and autofill data from Chrome, Edge, Firefox, Brave...

Discord tokens: Session tokens and local databases that can let attackers bypass MFA entirely.

File search: A sweep for files containing words like “backup,” “seed,” “secret,” or “password.”

HiddenLayer highlights the malware’s extensive anti-analysis features, which include checks for virtual machines, sandboxes, debuggers, and analysis tools, all with the purpose of evading analysis systems.

The payload ran eight data collectors in parallel... Crypto wallets... Developer credentials... Browser data... File search...

Screenshots: Multi-monitor captures to grab whatever was on screen at the time of infection.

Everything was bundled into a JSON package and sent to a command-and-control server

It then fetched an encoded payload from JSON Keeper, a public paste service used as a “dead drop”

It then fetched an encoded payload from JSON Keeper, a public paste service used as a “dead drop”, a trick that let attackers swap out the malicious payload remotely without ever touching the Hugging Face repo again.

Everything was bundled into a JSON package and sent to a command-and-control server at recargapopular[.]com over encrypted channels.

The command, which is executed in an invisible window, downloads a batch file (start.bat) that performs privilege escalation, downloads the final payload (sefirah), adds it to Microsoft Defender's exclusions for it, and executes it.

To stay hidden, the malware added its own directories to Microsoft Defender’s exclusion list and disabled both AMSI and ETW