We identified and acquired a trojanized NVIDIA CUDA toolkit installer circulating in an active campaign. Initial triage confirmed a multi-component payload: a remote access trojan, an infostealer, and a cryptocurrency clipboard hijacker bundled into a single deployment chain. The installer appeared legitimate. The execution chain did not. We reversed the binary, broke the C2 (command-and-control) protocol, impersonated a compromised host, and mapped the entire operational playbook. What we found carries the fingerprints of Pyongyang.
Delivery and Payload
The campaign distributed a PowerShell dropper disguised as cuda_toolkit_sim_v12.4.ps1. On execution it downloaded a 19MB ZIP archive from camdriver[.]pro, extracted it to a temporary directory, and silently launched a VBScript bootstrap. The download URL referenced Realtek drivers rather than NVIDIA (hxxps://camdriver[.]pro/realtekwin.update?r=ffa752c6-84e9-4bb9-b3c8-a3ab09cbcbe6), suggesting the same infrastructure serves multiple lure variants targeting different developer audiences.
The payload archive, driver.zip, contained a complete attack toolkit: 14 Python modules, two RSA-2048 public keys, a bundled Python 3.12 runtime packed into Module.zip at 16.5MB, and a renamed copy of pythonw.exe masquerading as svchost.exe. The VBScript launcher extracted the Python runtime and executed the RAT entry point (updatedriver.py) via the disguised interpreter, keeping the entire chain windowless and invisible to the user.
Persistence
The dropper established four independent persistence mechanisms to survive across privilege levels. With admin access: a scheduled task named svchost running at logon with HIGHEST privilege, plus a second task disguised as OneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100 executing from %TEMP% as SYSTEM. Without admin access: a startup folder shortcut at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk, and a registry Run key at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost. The malware also entered a UAC elevation loop, repeatedly calling ShellExecuteW with "runas" until the user clicked Yes.
Anti-Analysis and Evasion
The evasion module patched seven ETW functions in memory: EtwEventWrite, EtwEventWriteEx, EtwEventWriteFull, EtwEventWriteString, EtwEventWriteTransfer, EtwWrite, and EtwWriteEx. Each was overwritten with xor eax, eax; ret (0x48 0xC7 0xC0 0x00 0x00 0x00 0x00 0xC3 on x64), blinding Event Tracing for Windows entirely. AMSI was neutralized by patching AmsiScanBuffer to return E_INVALIDARG (0x80070057). NTDLL was unhooked by loading a fresh copy from System32, bypassing any EDR inline hooks.
VMware detection checked MAC address prefixes (00:0C:29, 00:50:56, 00:05:69), registry keys, WMI queries, and process names. Every Python module opened with base64-encoded guard code checking for UTC timezone, sandbox path keywords (virus, sample, sandbox, malware, InsideTm), active debuggers via sys.gettrace(), and memory tracers via tracemalloc.is_tracing(). Patching seven ETW functions instead of just EtwEventWrite is unusual for commodity malware and reflects operational maturity.
C2 Protocol Reversal
We fully reversed the layered encryption scheme used for C2 communication. The transport layer generated a random AES-256-GCM session key per request, encrypted the message payload, then wrapped the session key with the server RSA-2048-OAEP public key using SHA-256. The wire format was [RSA_ENCRYPTED_KEY | NONCE | TAG | CIPHERTEXT], sent as an HTTP POST to 144[.]172[.]115[.]189:8080 with Content-Type: application/octet-stream. The server responded using the same session key as [NONCE | TAG | CIPHERTEXT].
A second encryption layer operated at the message level: individual data fields within commands were encrypted using AES-CBC with a hardcoded 32-byte key (f7Jk9vB2xQpL6zT1wR8sY3uN0eH5cD4a) and 16-byte IV (pL9vB2xQpL6zT1wR) extracted directly from constants.py. Exfiltrated files received a third layer of encryption using a separate RSA-2048 operator public key, ensuring only the holder of the corresponding private key could decrypt stolen data. This dual-key architecture, separating transport encryption from data encryption, suggests organizational separation between infrastructure operators and intelligence consumers.
Impersonating a Compromised Host
With the protocol broken, we built a fake agent. It registered with fabricated system information: a plausible hostname, a Windows 10 build string, daemon version 1.0.3, and a generated machine fingerprint matching the format stored at %APPDATA%\.system_id\.host. The agent responded to every C2 command with plausible synthetic data. Credential theft requests received fake Chrome Login Data entries. Cookie extraction received fabricated session cookies. Extension enumeration received dummy wallet data. At no point did the agent execute any received command. It was a listener, not a participant.
The Automated Attack Playbook
The C2 responded within seconds. It issued seven automated data theft commands in rapid sequence, each identified by an obfuscated command prefix:
| Command | Target |
|---|---|
r4ys/gi%# | Chrome cookies |
r4ys/89io | Full Chrome profile |
r4ys/kyci | Chrome Login Data (passwords via DPAPI) |
r4ys/tgth | Telegram tdata session directories |
r4ys/dcgd | Discord tokens (stable, PTB, canary, dev) |
r4ys/stsf | Steam SSFN authentication files |
r4ys/cook | Chrome cookies (second pass) |
Browser credentials and session tokens were collected first, indicating immediate interest in account takeover. Cryptocurrency wallet extensions were specifically targeted through a hardcoded list of 85+ browser extension IDs, including MetaMask, TronLink, Binance Wallet, Phantom, and Rabby. The clipboard hijacker module (utils_block.py) monitored for cryptocurrency addresses across eight blockchains (BTC, ETH, LTC, DOGE, ADA, TRX, SOL, SUI), replacing them with 40 attacker-controlled wallets embedded in the binary.
After the initial theft cycle, the C2 entered a WAIT/SLEEP loop issuing 300-second polling intervals. We capped the sleep to 5 seconds and maintained persistent contact. Over thousands of exchanges across the first hours of monitoring, the server issued no manual operator commands. No shell access. No file uploads. No lateral movement. The infrastructure appeared to operate on full autopilot, executing its credential harvesting playbook without any human in the loop.
The Operator Wakes Up
That changed 24 hours later. At 21:15:00 UTC on February 26, after over 6,300 silent polling exchanges, the C2 issued its first non-automated command: dghh, the EXIT (self-destruct) instruction. Our watcher logged the 128-byte encrypted payload, sent a fake acknowledgment, re-registered with a fresh agent ID, and resumed monitoring.
The operator responded immediately. Within 19 seconds, a second EXIT command arrived. Our agent re-registered again. Nine seconds later, a third EXIT. Ten seconds after that, a fourth. Between 21:15:00 and 21:15:38, the operator sent four rapid-fire self-destruct commands, each time watching our agent complete the full 7-command theft cycle before issuing another kill signal. They were actively watching the C2 panel in real time.
After the fourth attempt, the EXIT commands stopped. The C2 returned to its WAIT/SLEEP loop and has remained silent since. The operator either gave up or concluded the agent was compromised and moved on. What they could not do was actually kill our watcher, the fake agent logged every EXIT command but never executed any of them, and the re-registration with a fresh ID kept the session alive.
This sequence confirms three things. First, there is a human operator staffing this infrastructure, not just automated collection. Second, that operator is actively reviewing incoming victim sessions, which means the exfiltrated data from real victims is being processed and acted on. Third, the operator recognized our fake data as synthetic, the fabricated Chrome cookies, dummy Telegram tdata, and placeholder Discord tokens we fed back during the theft cycle were apparently unconvincing enough to trigger a manual review and cleanup attempt. The operation is not just running. Someone is watching.
Linked Phishing Infrastructure
Concurrent with the malware analysis, we identified a separate phishing operation sharing infrastructure. A fake Ripple careers site at ripplecareer[.]com collected victim PII through a fabricated "Brand Design Intern, Brand Studio (Summer 2026)" application form. Data was exfiltrated via HTTPS POST to camdriver[.]pro/letsgoassessment using RSA-2048-OAEP encryption in the browser.
The "company" field was transmitted in cleartext, an operational security failure that exposed full device fingerprints (OS, browser version, screen resolution, timezone), phone numbers, and the social engineering lure verbatim. The User-Agent was spoofed with Safari/7046A194A on Mac OS X 10.9.3 while sec-ch-ua headers reported Chrome 145 on Windows.
ripplecareer[.]com resolved to 95.169.180.146 and camdriver[.]pro to 95.169.180.198, both within the same /24 block. camdriver[.]pro served dual purposes: hosting the malware payload archive and receiving exfiltrated phishing data. Shared infrastructure across a malware pipeline and a credential phishing operation indicates unified operational management. The RSA public key from the phishing site did not match either key from the malware binary (server key dated rsa-key-20260210, operator key dated rsa-key-20260211), confirming separate key material per campaign but a common operator.
DPRK / Lazarus Attribution
The pattern of trojanizing legitimate developer tools to deliver Python-based credential stealers with heavy cryptocurrency focus maps directly to documented DPRK threat activity. The overlaps are not circumstantial. They are structural.
Architectural Match to BeaverTail / InvisibleFerret
Palo Alto Unit 42 tracks an ongoing DPRK campaign designated CL-STA-0240 "Contagious Interview." Their BeaverTail malware downloads a complete Python runtime and deploys InvisibleFerret, a Python backdoor that steals browser credentials, cryptocurrency wallet extensions, and messaging platform tokens. Our sample bundles a 16.5MB Python 3.12 runtime (Module.zip) to execute a Python RAT via a renamed pythonw.exe. The delivery architecture is functionally equivalent.
Exact Extension ID Overlap
BeaverTail targets MetaMask (nkbihfbeogaeaoehlefnkodbefgpgknn), MetaMask Edge (ejbalbakoplchlghecdalmeeeajnimhm), Binance Wallet (fhbohimaelbohpjbbldcngcnapndodjp), TronLink (ibnejdfjmmkpcnlpebklmnkoeoihofec), Phantom (bfnaelmomeimhlpmgjnjophhpkkoljpa), and Rabby (acmacodkjbdgmoleebolmdjonilkdbch). Our sample targets every one of these same extension IDs, plus 70 more. The list in constants.py is a superset of the known DPRK target list. Both tools also target the same messaging platforms: Telegram tdata, Discord tokens across four client variants, and Steam SSFN files. This is a specific collection priority list that matches DPRK operational requirements.
Operation DreamJob Recruitment Lure
ESET Research documented Lazarus Group Operation DreamJob, in which actors impersonate recruiters from companies like Meta and Amazon to deliver trojanized coding challenges. The fake Ripple internship site at ripplecareer[.]com follows this exact playbook: a fabricated job opportunity at a prominent cryptocurrency company used as a social engineering lure. The choice of Ripple aligns with DPRK documented strategic interest in cryptocurrency industry infiltration. UN Security Council reports have repeatedly documented North Korean actors targeting cryptocurrency exchanges, DeFi platforms, and blockchain companies to fund the regime weapons programs.
Multi-Stage Delivery Complexity
The delivery chain (PowerShell dropper to VBScript launcher to Python RAT via renamed interpreter) mirrors Lazarus tooling complexity. ESET analysis of LightlessCan, a Lazarus RAT delivered through Operation DreamJob, documented similar multi-stage chains with encrypted payloads, environment-dependent decryption keys, and execution guardrails. Our sample employs comparable anti-analysis guardrails terminating execution in sandboxes, debuggers, or VMs.
Financial Architecture
Clipboard hijacking across eight blockchains with 40 pre-staged wallet addresses represents infrastructure investment. Each address is an operational asset requiring management, gas funding, and monitoring. According to Chainalysis and UN Panel of Experts reports, North Korean threat actors stole over $1.7 billion in cryptocurrency in 2023 alone. Crypto clipboard hijacking is a known DPRK revenue generation technique that operates passively once deployed, exactly the autonomous model we observed.
Tradecraft Consistency
The comprehensive ETW patching of seven functions goes beyond what commodity malware implements. The dual-key RSA architecture suggests organizational separation between operators and consumers. The fully automated C2 with no human operator suggests a scaled collection model rather than targeted intrusion. IP clustering of phishing and malware infrastructure within the same /24 at 95.169.180.0/24 is consistent with DPRK bulk-provisioning practices. We also found a backup C2 address commented out in the source (23[.]227[.]203[.]99:8080), indicating contingency planning for primary C2 loss.
Assessment
We assess with moderate confidence that this operation is linked to DPRK-affiliated threat activity, specifically the cluster tracked as Contagious Interview / CL-STA-0240 and the broader Lazarus Group umbrella. This assessment is based on seven converging factors: (1) architectural equivalence to BeaverTail/InvisibleFerret; (2) exact overlap in targeted cryptocurrency wallet extension IDs; (3) identical targeting of Telegram, Discord, and Steam session data; (4) fake cryptocurrency company recruitment site consistent with Operation DreamJob; (5) shared infrastructure between malware delivery and phishing at camdriver[.]pro; (6) cryptocurrency clipboard hijacking across multiple blockchains as a revenue mechanism; and (7) fully automated C2 infrastructure designed for scale.
The C2 at 144[.]172[.]115[.]189 remains live as of this writing. It continues to accept connections and execute its automated collection playbook against any agent that presents valid protocol formatting. A human operator connected during our extended monitoring window and attempted to terminate our fake agent four times via EXIT commands before giving up. The infrastructure is not just running on autopilot, it is actively staffed and monitored. The operation is burned. Pyongyang knows.
Indicators of Compromise
Network Indicators
| Type | Indicator | Context |
|---|---|---|
| C2 Server | 144[.]172[.]115[.]189:8080 | Primary C2 (confirmed live) |
| C2 Server | 23[.]227[.]203[.]99:8080 | Backup C2 (dormant, in source comments) |
| Domain | camdriver[.]pro | Payload hosting and phishing exfil |
| Domain | ripplecareer[.]com | Phishing lure site (95.169.180.146) |
| URL | hxxps://camdriver[.]pro/realtekwin.update?r=ffa752c6-... | Stage 2 payload download |
| URL | hxxp://144[.]172[.]115[.]189:8080 | C2 HTTP endpoint |
| URL | hxxps://camdriver[.]pro/letsgoassessment | Phishing data exfil endpoint |
File Hashes (SHA256)
| Hash | File |
|---|---|
63797c555d995fac8d167c184d016534a1da0f338521a8af244ad4e78ae79946 | driver.zip (payload archive) |
204337c13fe22c6b1c22c91b87f8bb5e3be1316d96405549a92a4f0daab6d4d1 | updatedriver.py (RAT entry point) |
7d733fcee66f0d93f5d38e773c5f8ce1747b8a4244e031a45050708e5cf446a2 | core.py (C2 command loop) |
d89a4e1880f762aacfd63467072dcc53c45d82a8fdbfdb9878f3897d215d72cb | transport.py (encrypted transport) |
678042861a29ade86989c7952371ba4bb9b083f78e8f42cae0c5c438261e20d4 | constants.py (config/wallets/extensions) |
1c6b8ed92d08ff2eacf441e5d9bac079bd01588f719374675a978610b0bd743a | auto.py (Chrome credential theft) |
b2776c9383d45bec871e426304c47681628d82bb9d29a4fc543cf58a042d5935 | auto_gather.py (Telegram/Discord/Steam) |
f7f69ae26afd0d3011a583f9994fae1382d746f5f97115a48adc98029f10b63b | evasion.py (ETW/AMSI/NTDLL bypass) |
ffb76093fa92e1a6731582707023da6d1fdbcd806d00974a95c008504bfe96be | dec.py (Chrome DPAPI decryption) |
fd5c46d73d29ba21b04c844bbaf9096066136526911230645a2a040d23fb612b | svchost.exe (renamed pythonw.exe) |
Host Indicators
| Type | Indicator |
|---|---|
| Registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost |
| Sched Task | svchost (ONLOGON, HIGHEST, current user) |
| Sched Task | OneDrive Update Task-S-16-5-25-262930093-1106209884-352468633-100 (SYSTEM) |
| File Path | %TEMP%\OneDriveUpdate.exe |
| File Path | %APPDATA%\.system_id\.host |
| File Path | %TEMP%\.store |
| Startup | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk |
Cryptographic Material
| Type | Value |
|---|---|
| AES-CBC Key | f7Jk9vB2xQpL6zT1wR8sY3uN0eH5cD4a |
| AES-CBC IV | pL9vB2xQpL6zT1wR |
| Daemon Version | 1.0.3 |
Detection Strings
| String | Context |
|---|---|
StarMainLoop | C2 command loop function name |
REPLACEMENT_ADDRESSES | Clipper wallet configuration variable |
OneDriveUpdate.exe | Persistence binary in %TEMP% |
realtekwin.update | Payload URL path component |
camdriver.pro | Payload and phishing domain |