lazarusholic

Everyday is lazarus.dayβ

The axios attack is an extension of the GhostCall campaign by BlueNoroff

2026-04-09, Kaspersky
https://archive.md/mRArP
#Axios #BlueNoroff #NPM #GhostCall #SysPhon

Contents

The #axios attack is an extension of the GhostCall campaign by #BlueNoroff we revealed last year. An updated SysPhon (aka WAVESHAPER) is used in this attack to profile valuable hosts and fetch additional payloads. Notably, the .npmrc file had already been a primary target. [1/N]
We had already anticipated this type of supply chain attack by #BlueNoroff, given that their #SilentSiphon stealer suite targets a broad range of credential data. The attack vector disclosed by the targeted maintainer directly aligns with BlueNoroff’s known strategy. [2/N]
It also overlaps with the #GhostHire campaign. The malicious code is triggered within an attacker‑controlled dependency executed during the project's installation lifecycle, rather than modifying the main source code. [3/N]
The campaign targeted all three major operating systems—Windows, macOS, and Linux—under a single, unified C2 infrastructure. On Windows, VBS and PS1 scripts were likewise used to deploy the next-stage payload. [4/N]
Interestingly, the Windows #SysPhon payload was replaced …
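A defensive check for the lifecycle-hook vector described in the thread above, added here as an example that is not Kaspersky's or lazarusholic's code: it walks a node_modules directory, lists every install-time hook a dependency declares, and flags scripts that reference .npmrc or invoke downloaders and interpreters. The package names and scripts it builds are constructed, and the regex is a triage hint for manual review, not a detection signature.

```python
"""Audit a node_modules tree for install-lifecycle hooks (added example)."""
import json
import os
import re
import tempfile

# Hooks npm runs during installation, where a dependency can execute code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Triage hints for manual review, not a detection signature: credential
# files and interpreters/downloaders that a build step rarely needs.
SUSPICIOUS = re.compile(
    r"\.npmrc|curl|wget|powershell|cscript|wscript|\bnode -e\b", re.I)

def audit_node_modules(node_modules):
    """Return (package, hook, script, suspicious) for every hook found."""
    findings = []
    for dirpath, _, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep walking
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                body = str(scripts[hook])
                findings.append((pkg.get("name", dirpath), hook, body,
                                 bool(SUSPICIOUS.search(body))))
    return findings

def build_sample_tree():
    """Write a constructed node_modules with benign and hook-abusing packages."""
    root = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = [
        {"name": "benign-lib", "version": "1.0.0", "scripts": {"test": "mocha"}},
        {"name": "native-addon", "version": "2.1.0",
         "scripts": {"install": "node-gyp rebuild"}},  # legitimate hook
        {"name": "evil-dep", "version": "0.0.1",       # constructed, not real
         "scripts": {"postinstall": "cat $HOME/.npmrc"}},
    ]
    for pkg in samples:
        pkg_dir = os.path.join(root, pkg["name"])
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root
```

Call `audit_node_modules(build_sample_tree())` to see the constructed findings, or point `audit_node_modules` at a real project's node_modules directory before trusting a fresh install.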