DPRK-Linked Malware Campaigns Use Blockchain C2 to Target Crypto Firms and Developers
Researchers detailed two likely DPRK-linked malware operations that used public blockchains as resilient command-and-control infrastructure while targeting the cryptocurrency ecosystem and software developers. Elastic Security Labs said the PHANTOMPULSE Windows RAT, delivered through abused Obsidian plugins and the PHANTOMPULL loader, used multiple process-injection techniques, a schuac-based UAC bypass via IElevatedFactoryServer, hardware breakpoints to suppress AMSI, WLDP, and ETW, and scheduled tasks for persistence. The implant conducted host reconnaissance, screenshot capture, keylogging, and clipboard monitoring, and resolved its latest C2 by reading transaction data from Ethereum, Base, and Optimism, with Telegram and hardcoded-domain fallback paths also noted.
A separate supply-chain intrusion attributed to Famous Chollima compromised the legitimate Packagist package roberts/leads, hiding malicious JavaScript in a development-branch tailwind.js file that fetched encrypted payloads from TRON, Aptos, and BNB Smart Chain. Socket linked the activity to prior DPRK tooling including DEV#POPPER RAT, OmniStealer, and BeaverTail, while public reporting and social-media tracking tied it to the broader Contagious Interview ecosystem. Elastic said PHANTOMPULSE's blockchain resolver failed to verify transaction senders, creating a rare opportunity for defenders to sinkhole infected hosts with a crafted transaction, and advised monitoring suspicious scheduled tasks, unusual rundll32.exe execution, hardware-breakpoint tampering, and Node.js access to blockchain or RPC services during builds.
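The detection advice in the summary (suspicious scheduled tasks, unusual rundll32.exe execution, hardware-breakpoint tampering, and Node.js reaching blockchain RPC services during builds) can be turned into simple triage logic over endpoint telemetry. The following is an added example, not code from Elastic, Socket or the reports cited here: the event schema, the sample events, the RPC hostname pattern and every allow-list are constructed assumptions to be tuned for a real environment.

```python
# Added example: triage constructed endpoint events against the four hunting
# themes from the summary. Field names, hosts and allow-lists are assumptions.
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "network" or "api" (api events are a constructed EDR shape)
    image: str           # executing binary name
    parent: str = ""     # parent process image (process/network events)
    cmdline: str = ""    # command line (process events)
    dest_host: str = ""  # destination host (network events)
    dest_port: int = 0   # destination port (network events)
    api: str = ""        # API name (api events)


# Assumed lists; adjust to your estate.
BUILD_TOOLS = {"npm", "npm.exe", "yarn", "pnpm", "composer", "php.exe"}
RPC_PORTS = {8545}                                  # default Ethereum JSON-RPC port
RPC_HOST_RE = re.compile(r"^(rpc|fullnode|api)\.")  # constructed naming pattern, not a real IOC
RUNDLL32_OK_PARENTS = {"explorer.exe", "svchost.exe", "services.exe"}
DEBUGGERS = {"windbg.exe", "x64dbg.exe", "devenv.exe"}
# Hardware breakpoints live in the debug registers (DR0-DR7), which user-mode
# code sets through thread-context APIs; seeing these from a non-debugger is odd.
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}


def classify(ev):
    """Return a detection label for one event, or None if nothing matched."""
    img, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    user_path = "\\appdata\\" in cmd or "%appdata%" in cmd or "\\temp\\" in cmd
    if ev.kind == "process":
        # Persistence: schtasks creating a task that runs rundll32 or user-writable paths.
        if img == "schtasks.exe" and "/create" in cmd and ("rundll32" in cmd or user_path):
            return "suspicious_scheduled_task"
        # rundll32 spawned by an unexpected parent or loading a DLL from a user path.
        if img == "rundll32.exe" and (parent not in RUNDLL32_OK_PARENTS or user_path):
            return "unusual_rundll32"
    elif ev.kind == "api":
        if ev.api in CONTEXT_APIS and img not in DEBUGGERS:
            return "hardware_breakpoint_tampering"
    elif ev.kind == "network":
        rpc_like = ev.dest_port in RPC_PORTS or bool(RPC_HOST_RE.match(ev.dest_host.lower()))
        if img in {"node", "node.exe"} and parent in BUILD_TOOLS and rpc_like:
            return "build_time_blockchain_rpc"
    return None


def triage(events):
    """Return (label, event) pairs for every event that matched a rule."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev))
    return hits


# Constructed sample telemetry: four should fire, three should stay quiet.
SAMPLE_EVENTS = [
    Event("process", "schtasks.exe", parent="cmd.exe",
          cmdline=r'schtasks.exe /create /tn Updater /tr "rundll32.exe C:\Users\u\AppData\Roaming\x.dll,Run"'),
    Event("process", "rundll32.exe", parent="powershell.exe",
          cmdline=r"rundll32.exe C:\Users\u\AppData\Roaming\x.dll,Run"),
    Event("process", "rundll32.exe", parent="explorer.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    Event("api", "implant.exe", api="SetThreadContext"),
    Event("api", "x64dbg.exe", api="SetThreadContext"),
    Event("network", "node.exe", parent="npm.exe", dest_host="rpc.example-chain.test", dest_port=443),
    Event("network", "node.exe", parent="npm.exe", dest_host="registry.example-registry.test", dest_port=443),
]

if __name__ == "__main__":
    for label, ev in triage(SAMPLE_EVENTS):
        print(f"{label:32} {ev.image} (parent={ev.parent or '-'})")
```

The rules are deliberately coarse: the rundll32 and scheduled-task checks key on user-writable paths and unexpected parents rather than on any specific file name, and the build-time RPC rule only fires when Node.js is a child of a package-manager process, which keeps a developer's own wallet tooling from tripping it.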

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Affected Packagist dev version was reported and removed
The compromised development version of the roberts/leads package was reported and subsequently removed from Packagist. This was part of the response to the supply-chain attack targeting PHP developers.
Malicious Packagist dev branch used to target PHP developers
Socket.dev identified a supply-chain attack involving the legitimate PHP package roberts/leads on Packagist, where malicious JavaScript was hidden in a development branch file named tailwind.js. The activity was attributed to Famous Chollima and used blockchain platforms including TRON, Aptos, and BNB Smart Chain to retrieve encrypted payloads.
Bluesky post amplifies reporting on Famous Chollima Packagist campaign
A Bluesky post by lazarusholic shared Socket’s article about Famous Chollima targeting PHP developers through a compromised Packagist package. The post tagged the activity with #ContagiousInterview, #FamousChollima, and #DPRK.
Elastic links PHANTOMPULSE activity to DPRK-aligned clusters
In its PHANTOMPULSE analysis, Elastic assessed the tradecraft, targeting, and infrastructure as aligned with DPRK-linked crypto-focused clusters including Lazarus, BlueNoroff, UNC5342, and APT38. The assessment tied the malware campaign to North Korean threat activity targeting the cryptocurrency sector.
Elastic documents PHANTOMPULSE RAT and sinkhole weakness
Elastic Security Labs published analysis of PHANTOMPULSE, the final-stage implant in the REF6598 intrusion set, detailing its injection methods, persistence, UAC bypass, and blockchain-based C2 resolution. The report highlighted that the resolver does not verify transaction senders, creating an opportunity for defenders to sinkhole implants with a crafted transaction.
Sources
PHANTOMPULSE Malware Analysis: Blockchain C2 Channel (securityonline.info)
PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems (cybersecuritynews.com)
Famous Chollima Hackers Target PHP Developers Using Compromised Packagist Package (cybersecuritynews.com)
Post by @lazarusholic.bsky.social - Bluesky (bsky.app)
PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT - Elastic Security Labs (elastic.co)