lazarusholic

Everyday is lazarus.dayβ

Novel DPRK stager using Pastebin and text steganography

2026-02-26, Kmsec
https://kmsec.uk/blog/dprk-text-steganography/
#FamousChollima #NPM #Steganography


This is a quick one as FAMOUS CHOLLIMA has been keeping me busy this week by testing Google Drive as a stager and my longer write-up on tracking their IP addresses through temporary mailboxes. I just cannot help writing about this one as it's really fun; it also helps that having a sleeping baby strapped to the chest for three hours makes for idle hands, and you know what they say about idle hands!
Summary
- Seventeen recent npm malware packages use Pastebin and a custom text steganography component as a dead-drop resolver
- This signals further recent and rapid testing and development by FAMOUS CHOLLIMA
- This post contains tactical IOCs and brief hunting guidelines
Over 25-26 February 2026, my continuous scanner, which supports my DPRK tracking on npm, identified seventeen new packages that contained novel loader logic.
All seventeen packages contain an identical malicious JavaScript file at vendor/scrypt-js/version.js (sha256 da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4). The sample is highly obfuscated, …

IoC

http://zenithflow-ext156.vercel.app
http://primevector-app920.vercel.app
http://openmatrix-ext539.vercel.app
http://orbitstack-app318.vercel.app
http://neuraldock-app734.vercel.app
http://visiondock-app157.vercel.app
http://brightlaunch-ext742.vercel.app
http://quantapath-app914.vercel.app
http://sparkforge-app790.vercel.app
http://zenithflow-app877.vercel.app
http://cloudharbor-app239.vercel.app
http://atlasnode-ext957.vercel.app
http://atlasnode-app204.vercel.app
http://visiondock-ext648.vercel.app
http://ext-checkdin.vercel.app/api/tokenw?st=eTExbGRFdENlUlVWbTRyS2ZlMXFuQT09OmpJb0RRWktvV2wzaVRSNWZ4RzVqV1AwM0w2L3ZiZ1ltS1MvZ2E4aGQ1dFlYQmxjeHd3VmdSMkRVRTExL21VZS94aGl1MFBHWDRqSDdicTZMRHYrSWFaRDh6N3Zmcis4VXFybzRXNzU4blVYalNJUnRQVzEyZUJDZlJQdCtYajVBOUxXbnVLaVJuNnlNWXd3bDMvTnlRQWhDVEZDSDhreXdvdEpuVG9TVkpOZz0
http://sparkforge-ext518.vercel.app
http://logicfield-app681.vercel.app
https://pastebin.com/DjDCxcsT
http://orbitstack-ext592.vercel.app
http://signalbase-app845.vercel.app
http://fusionlayer-app463.vercel.app
http://cleverstack-ext301.vercel.app
http://ext-checkdin.vercel.app/api/tokenl?st=eXVCQi90UlVBMkF0MkpOd09jY1hJdz09OlAvcFZYajB5dG1QbUczTm16ZFVoQUhIcFVjL3ZOUFYxQlBRZEw1emp5K2gvTnE1VmFEamFQaG4zVEdwNDJSRVdoRm1zTEVXbitjSlBMWnd2blp1ZWFJcWhjNnZicWMwUVNGUTZWUndrb0pnWVRmbnRJcVJrcXM5NUtQRllGNCtNeThZZEQxQjY1T3M3a1hwbXhpMWdtRjhnclZkOXhwT0J6d0RHbjdrSXY3UT0
http://fusionlayer-ext807.vercel.app
http://quantapath-ext275.vercel.app
http://signalbase-ext369.vercel.app
https://pastebin.com/0ec7i68M
http://neuraldock-ext126.vercel.app
http://logicfield-ext432.vercel.app
http://brightlaunch-app615.vercel.app
http://cloudharbor-ext664.vercel.app
http://primevector-ext483.vercel.app
http://openmatrix-app882.vercel.app
http://cleverstack-app998.vercel.app
http://ext-checkdin.vercel.app
http://ext-checkdin.vercel.app/api/tokenl?&st=Z09RcS80UmR0VzdpTUh0Q055Y3ZIQT09OnpadVJXRElOV0o0TkFxbDRneFAwRHVzbnU5SVJLUURTcjUvcnBiY0o3MG42L1pCM3lmdjFVMk0zdkhjdGg1QkV4bzZJMkNmQStCejY3bEd4b1NRQnZEQkE2RXhVL1FkZjJDWUdzNGJNVVQ4UVZVc0JMZklTa1pzaFR0T0pSVnVSVXFHRnR2WGNuMUlVV2RtdlpRcXlyN2JWWTBwYzFCTEpkRVJnSFdCdW5Hdz0
https://pastebin.com/CJ5PrtNk
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
da1775d0fbe99fbc35b6f0b4a3a3cb84da3ca1b2c1bbac0842317f6f804e30a4
869c327b8dc757fa126cd281bc4a14d809c50e9a792954442c55cea5b46912ec
e361d2859ba2eb2540bf6fb12db0b9857ef610bb9920830921e986d4b9109e89
bce0da6547ae74f97e2bb61672a3e159b837acf01f7c68a813ea75c3835ff303
accf04ad3228a22532d2f5802a5b0c379c3616564c4766fc1f1ca20dac8dba07