Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 3)
In September 2025, Ransom-ISAC was brought in by Crystal Intelligence's François-Julien Alcaraz and Nick Smart to investigate a cryptocurrency and data theft attempt via a malicious private GitHub repository. While knowledge of the current threat landscape—with the rise of renegade IT workers and payload phishing across various formats—would make most organisations suspicious, this attack vector still succeeds periodically. However, not this time.
We analysed the repository in a sandboxed environment to determine its full capabilities, uncovering a complex network of JavaScript obfuscation, AI-generated repositories, and a novel Command-and-Control (C2) technique. The C2 leverages Tron/Aptos-based TxDataHiding, where RPC queries return data via cross-chain transaction metadata. This technique is particularly effective because it is extremely difficult to trace, especially in isolated analysis environments, and the attacker can modify the TxData values at any point. Furthermore, it is not limited to Tron or Aptos: any blockchain can act as a pointer, making this technique …
IoC
rule DPRKObfuscatedJavaScript1 {
    meta:
        description = "RepoCrossChainTxDataHiding detection with specific + generic indicators"
        author = "Ransom-ISAC"
    strings:
        // High-confidence specific strings
        $s1 = "global['_V']"
        $s2 = "global['r']"
        // Generic obfuscation patterns
        $obf1 = ".charAt(" nocase
        $obf2 = ".substr(" nocase
        $obf3 = /function \w{3}\(\w\)\{/
        // Suspicious execution patterns
        $exec1 = "require"
        $exec2 = /\(\)\)\(\)/
    condition:
        filesize < 50KB and
        all of ($s*) and
        2 of ($obf*) and
        1 of ($exec*)
}

rule DPRKObfuscatedJavaScript2 {
    meta:
        description = "Flexible RepoCrossChainTxDataHiding detection"
        author = "Ransom-ISAC"
    strings:
        $s1 = "global['_V']"
        $s2 = "global['r']"
        $obf = ".charAt" nocase
        $req = "require"
    condition:
        filesize < 100KB and
        all of them
}
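To show how the conditions of the two rules above behave on a file, here is an added Python reimplementation of their string and regex checks (example code written for this note, not Ransom-ISAC's tooling, and not a substitute for running the rules with YARA itself). The two JavaScript samples are constructed for the demonstration, not taken from the malicious repository.

```python
import re

def lit(s: str, nocase: bool = False) -> re.Pattern:
    """A literal YARA string as a compiled byte regex (nocase -> re.I)."""
    return re.compile(re.escape(s.encode()), re.I if nocase else 0)

# Patterns copied from the two rules, grouped by their $-prefix.
SPECIFIC = [lit("global['_V']"), lit("global['r']")]
OBF1 = [lit(".charAt(", True), lit(".substr(", True),
        re.compile(rb"function \w{3}\(\w\)\{")]
EXEC1 = [lit("require"), re.compile(rb"\(\)\)\(\)")]
OBF2 = [lit(".charAt", True)]
REQ2 = [lit("require")]

def hits(patterns, data: bytes) -> int:
    """Number of patterns that occur at least once in data."""
    return sum(1 for p in patterns if p.search(data))

def rule1(data: bytes) -> bool:
    """Condition of DPRKObfuscatedJavaScript1."""
    return (len(data) < 50 * 1024
            and hits(SPECIFIC, data) == len(SPECIFIC)
            and hits(OBF1, data) >= 2
            and hits(EXEC1, data) >= 1)

def rule2(data: bytes) -> bool:
    """Condition of DPRKObfuscatedJavaScript2 ('all of them')."""
    return (len(data) < 100 * 1024
            and hits(SPECIFIC + OBF2 + REQ2, data) == 4)

def scan(data: bytes) -> dict:
    return {"DPRKObfuscatedJavaScript1": rule1(data),
            "DPRKObfuscatedJavaScript2": rule2(data)}

# Constructed samples (not the real payload): one mimicking the obfuscation
# style the rules describe, one ordinary Node script that should stay clean.
SUSPECT = b"""global['_V'] = '0'; global['r'] = require;
function abc(x){ return x.charAt(0) + x.substr(1); }
global['r'](k())();
"""
BENIGN = b"""const fs = require('fs');
console.log(fs.readFileSync('package.json', 'utf8').charAt(0));
"""

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan(blob))
```

Note that `$exec1 = "require"` on its own matches almost any Node.js file, which is why rule 1 only fires when the two `global[...]` strings and two obfuscation patterns are also present.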