Malware family · Used by 2 actors

Arti


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TeamPCP

The final payload was a weaponised build of Arti, the official Rust Tor client, extended with credential theft, cryptomining, privilege escalation, and systemd persistence.

via CloudSEK blog (cloudsek.com)
Sukob

The final payload was a weaponised build of Arti, the official Rust Tor client, extended with credential theft, cryptomining, privilege escalation, and systemd persistence.

via CloudSEK blog (cloudsek.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 1)

CloudSEK TRIAD identified a sophisticated npm supply chain attack involving the typosquatted package crypto-javascri, which harvested npm and GitHub credentials and used compromised maintainer accounts to silently republish trojanized packages.

Persistence

1 technique
T1543.002 Systemd Service (evidence: 1)

Persistence - The Systemd Implant. Following credential theft and payload staging, the binary establishes persistence through:
~/.local/bin/systemd-broker (copy of the main binary)
~/.config/systemd/user/systemd-broker.service

Privilege Escalation

1 technique
T1543.002 Systemd Service (evidence: 1)

Persistence - The Systemd Implant. Following credential theft and payload staging, the binary establishes persistence through:
~/.local/bin/systemd-broker (copy of the main binary)
~/.config/systemd/user/systemd-broker.service

Stealth

3 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Searching for hex-encoded Python patterns in the binary revealed a continuous string of hexadecimal characters at binary offset 1,709,372 (0x1A1F7C). The string begins with 78daab77f57163626464...; the leading 78da bytes are the zlib compression header.
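The two evidence items above (the user-level systemd persistence paths and the hex-encoded zlib blob) lend themselves to a small host-triage script. The following is an added example written for this page, not CloudSEK's or Mallory's tooling: it scans a file for ASCII-hex runs that start with the zlib header 78da and inflates the ones that decompress cleanly, and it checks a home directory for the two persistence paths quoted in the write-up. The sample "binary", the stage text it carries, the unit-file contents and the temporary home directory are all constructed here so the script runs offline; the offset 0x1A1F7C and the real payload from the report are not reproduced.

```python
"""Host triage helpers for the Arti-based implant described on this page.

Added example, not code from CloudSEK or Mallory. Only the two persistence
paths come from the write-up; every input below is constructed.
"""
import binascii
import os
import re
import tempfile
import zlib

# Persistence artefacts quoted in the T1543.002 evidence (relative to $HOME).
PERSISTENCE_PATHS = (
    ".local/bin/systemd-broker",
    ".config/systemd/user/systemd-broker.service",
)

# A zlib stream produced at compression level 7-9 starts with 0x78 0xDA. The
# report found it hex-encoded, i.e. the ASCII text "78da..." inside the binary,
# so we look for a run of hex pairs that begins with that header.
HEX_ZLIB_RE = re.compile(rb"78da(?:[0-9a-fA-F]{2}){8,}")


def find_hex_zlib_blobs(data: bytes):
    """Return (offset, inflated_bytes) for each hex-encoded zlib stream in `data`.

    A candidate is kept only if the inflater reaches end-of-stream, which
    filters out random hex that merely happens to start with 78da.
    """
    hits = []
    for m in HEX_ZLIB_RE.finditer(data):
        raw = binascii.unhexlify(m.group(0))
        inflater = zlib.decompressobj()
        try:
            out = inflater.decompress(raw)
        except zlib.error:
            continue  # right prefix, not a real stream
        if not inflater.eof:
            continue  # truncated: stream never reached Z_STREAM_END
        hits.append((m.start(), out))
    return hits


def check_systemd_persistence(home: str):
    """Return the persistence artefacts present under `home` (empty list = clean)."""
    return [
        os.path.join(home, rel)
        for rel in PERSISTENCE_PATHS
        if os.path.lexists(os.path.join(home, rel))
    ]


# ---- constructed sample data (not from the report) -------------------------
STAGE = b"# constructed stand-in for the embedded Python stage\nprint('stage')\n"
SAMPLE_PREFIX = b"\x7fELF\x02\x01\x01" + b"\x00" * 64  # fake ELF-ish padding
# Level 9 yields the 78da header the report describes; hexlify() mimics the
# hex-encoding observed in the binary.
SAMPLE_BINARY = SAMPLE_PREFIX + binascii.hexlify(zlib.compress(STAGE, 9)) + b"\x00" * 32


def build_demo_home() -> str:
    """Create a temp $HOME laid out like the implant's persistence (constructed)."""
    home = tempfile.mkdtemp(prefix="arti-triage-")
    os.makedirs(os.path.join(home, ".local", "bin"))
    os.makedirs(os.path.join(home, ".config", "systemd", "user"))
    with open(os.path.join(home, PERSISTENCE_PATHS[0]), "wb") as f:
        f.write(SAMPLE_BINARY)
    with open(os.path.join(home, PERSISTENCE_PATHS[1]), "w") as f:
        # Assumed unit text; the report does not show the real file contents.
        f.write("[Service]\nExecStart=%h/.local/bin/systemd-broker\n")
    return home


if __name__ == "__main__":
    home = build_demo_home()
    for path in check_systemd_persistence(home):
        print(f"[persistence] {path}")
        if path.endswith("systemd-broker"):
            with open(path, "rb") as f:
                for off, blob in find_hex_zlib_blobs(f.read()):
                    print(f"[zlib] hex stream at 0x{off:X}, {len(blob)} bytes inflated")
                    print(blob.decode(errors="replace"))
```

Run it against a real home directory by calling check_systemd_persistence(os.path.expanduser("~")) and feeding any hit to find_hex_zlib_blobs; the eof check matters because a greedy hex match can run past the true end of a stream into unrelated hex text, and unused_data on the inflater tells you how many of the matched bytes actually belonged to the stream.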

T1070.006 Timestomp (evidence: 1)

The binary is timestomped to match the mtime of legitimate system binaries, reducing the signal available to filesystem-based detectors.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Cloud detection gate: The malware checks for cloud provider metadata endpoints. If no cloud environment is detected, it exits cleanly.

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Cloud detection gate: The malware checks for cloud provider metadata endpoints. If no cloud environment is detected, it exits cleanly.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

strace output shows the Tor C2 endpoint 1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion:80. Using Tor as the command-and-control (C2) channel gives the attacker both anonymity and resilience.

T1090.003 Multi-hop Proxy (evidence: 1)

The malware bootstraps a full Tor client, builds a circuit to a hidden service, and maintains a heartbeat.

Impact

1 technique
T1496 Resource Hijacking (evidence: 1)

The presence of struct MinerConfig confirms a cryptomining component. The field names (XM_POOL, XM_ADDRESS, XM_MAX_THREADS_HINT) follow XMRig convention.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type     Value                                   Latest sighting
domain   ●●●●●●●●●●●● (redacted in public view)   1 month ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (1 indicator)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2 actors)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (8 techniques)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.