{ "type": "bundle", "id": "bundle--26521be7-83c3-43d1-a25a-1d287ed4dac6", "objects": [ { "type": "identity", "spec_version": "2.1", "id": "identity--92ff57a5-09db-445f-8b10-db8b08709382", "created": "2026-06-30T13:00:36.667992Z", "modified": "2026-06-30T13:07:08.574636Z", "name": "MeltedInHex", "identity_class": "organization" }, { "type": "indicator", "spec_version": "2.1", "id": "indicator--4c19dda6-8808-4a3e-aa9a-ee76a813c2c9", "created": "2026-06-30T23:06:31.862224Z", "modified": "2026-06-30T23:06:31.862224Z", "name": "YARA Rule", "pattern": "rule polinrider_v_variant_blockchain_loader {\nmeta:\n description = \"PolinRider new variant - blockchain dead-drop loader (decoded)\"\n author = \"meltedinhex\"\n reference = \"tailwind-color-shades 1.0.2 (npm), marker A6-Shadow-15\"\nstrings:\n $marker = \"global['_V']\" ascii\n $boot = \"/$/boot\" ascii\n $secv = \"Sec-V\" ascii\n $tron = \"trongrid.io\" ascii\n $aptos = \"aptoslabs.com\" ascii\n $bsc = \"bsc-dataseed\" ascii\n $delim = \"?.?\" ascii\ncondition:\n ($marker and $boot) or ($secv and $boot and 1 of ($tron, $aptos, $bsc)) or (3 of ($tron, $aptos, $bsc, $delim, $boot))\n}", "pattern_type": "yara", "valid_from": "2026-06-22T00:00:00Z" }, { "type": "file", "spec_version": "2.1", "id": "file--274c7d6b-39f6-4e0d-912a-f41bb0504d85", "hashes": { "SHA-1": "a048ac42b7e4c7dad4dd24e352dfe292d835a0cf" } }, { "type": "file", "spec_version": "2.1", "id": "file--e0472126-3c18-48f8-a5b6-e86e80f08481", "hashes": { "MD5": "dd58d3a964e739f524dd3b28f1542c01", "SHA-1": "20d89e126abc68e74e01f1a8701b68dfc29005fa", "SHA-256": "fab731cd8005d9d73a8fe862a8bfea32c945bd957bbb9861f36401d18b878c8b" } }, { "type": "url", "spec_version": "2.1", "id": "url--fc144c1d-beca-44f4-b16d-97fd359441a5", "value": "http://23.27.202.27/$/boot" }, { "type": "url", "spec_version": "2.1", "id": "url--570064ee-18fd-484b-b872-2e3e9659d932", "value": "http://198.105.127.210/$/boot" }, { "type": "url", "spec_version": "2.1", "id": "url--c3d7259f-517d-4f1f-82ad-b121a5917dc1", "value": "http://166.88.54.158/$/boot" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--ddeb15ae-c58f-4ba7-b61f-9b54346de075", "value": "166.88.54.158" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--c536dec4-c5ed-4410-9b70-ab9994e7b461", "value": "198.105.127.210" }, { "type": "ipv4-addr", "spec_version": "2.1", "id": "ipv4-addr--07b2a6fc-8fc9-4ac8-9a19-ae97064c246f", "value": "23.27.202.27" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "created": "2026-06-30T23:06:31.873048Z", "modified": "2026-06-30T23:06:31.873048Z", "name": "Lazarus" }, { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--21a5efde-6a09-5457-b095-3687a21fa8b8", "created": "2026-06-30T23:06:31.8766Z", "modified": "2026-06-30T23:06:31.8766Z", "name": "PolinRider" }, { "type": "report", "spec_version": "2.1", "id": "report--3629d802-692c-440a-bc42-13df3f223282", "created_by_ref": "identity--92ff57a5-09db-445f-8b10-db8b08709382", "created": "2026-06-30T23:06:31.877588Z", "modified": "2026-06-30T23:06:31.877588Z", "name": "Dead Drops on the Blockchain: Reversing a DPRK npm Loader (PolinRider / A6-Shadow-15)", "published": "2026-06-22T00:00:00Z", "object_refs": [ "identity--92ff57a5-09db-445f-8b10-db8b08709382", "indicator--4c19dda6-8808-4a3e-aa9a-ee76a813c2c9", "file--274c7d6b-39f6-4e0d-912a-f41bb0504d85", "file--e0472126-3c18-48f8-a5b6-e86e80f08481", "url--fc144c1d-beca-44f4-b16d-97fd359441a5", "url--570064ee-18fd-484b-b872-2e3e9659d932", "url--c3d7259f-517d-4f1f-82ad-b121a5917dc1", "ipv4-addr--ddeb15ae-c58f-4ba7-b61f-9b54346de075", "ipv4-addr--c536dec4-c5ed-4410-9b70-ab9994e7b461", "ipv4-addr--07b2a6fc-8fc9-4ac8-9a19-ae97064c246f", "threat-actor--af08d5c9-f507-5ed5-9986-7ffea3df195b", "threat-actor--21a5efde-6a09-5457-b095-3687a21fa8b8" ], "external_references": [ { "source_name": "source", "url": "https://meltedinhex.com/posts/polinrider-blockchain-dead-drop-npm/" } ] } ] }