North Korea's 'Job Test' trap upgrades to JSON malware dropboxes
Briefly

"The final payload (BeaverTail) showed previously seen capabilities, including "usage of Axioms as embedded HTTP client, enumeration and exfiltration of system information, searching browser profiles and extension directories for sensitive data, and searching for and exfiltrating Word documents, PDF files, screenshots, secret files, files containing environment variables, and other sensitive files such as the logged-in user's Keychain"."
"Developers remain a high-value target
Researchers highlighted that the campaign specifically targets developers involved in crypto and Web3 projects, using realistic-sounding personas and demo applications (real estate, DeFi, game forks) to lower suspicion. The state-linked actors' shift from direct payload hosting to abusing legitimate JSON storage services suggests that even benign developer-centric platforms are now being weaponized to bypass detection and exploit trust in tech workflows."
"Because the attack blends legitimate platforms (GitLab/GitHub, JSON Keeper/npoint) with obfuscated payloads, defenders must treat code provenance as part of security hygiene. Running code in fully isolated sandboxes, auditing any external URLs or keys in config files before executing, and blocking unusual outbound requests to known JSON-storage endpoints and IOCs NVISO listed might help, researchers added."
BeaverTail exhibited capabilities to use Axioms as an embedded HTTP client, enumerate and exfiltrate system information, search browser profiles and extension directories, and extract Word documents, PDFs, screenshots, secret files, environment-variable files, and the logged-in user's Keychain. Developers involved in crypto and Web3 projects are specifically targeted through realistic personas and demo applications to lower suspicion. State-linked actors shifted from direct payload hosting to abusing legitimate JSON storage services, thereby weaponizing trusted developer platforms. Defenders should treat code provenance as security hygiene, run code in isolated sandboxes, audit external URLs and keys, and block unusual outbound requests to known JSON-storage endpoints and IOCs.
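The "audit any external URLs or keys in config files before executing" advice above, as an added example that is not part of the InfoWorld or NVISO material: a small Python pre-execution audit that lists every URL in a cloned demo repo's config and source files and flags those hosted on JSON-storage services. The jsonkeeper.com and npoint.io domains are assumed to be the public hosts of the two services named in the article, and the sample config is constructed.

```python
"""Pre-execution audit of a cloned 'job test' repo: list every external URL in
config/source files and flag the ones that point at JSON-storage services."""
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumed public domains of the JSON-storage services named in the article;
# extend this set with whatever your own egress blocklist already carries.
JSON_STORAGE_HOSTS = {"jsonkeeper.com", "npoint.io"}
AUDIT_SUFFIXES = {".json", ".js", ".ts", ".env", ".yml", ".yaml", ".toml"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

def _host_matches(host, blocklist):
    """True if host is one of the blocklisted domains or a subdomain of one."""
    host = host.lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)

def audit_text(text, path="<inline>", blocklist=JSON_STORAGE_HOSTS):
    """Return (all_urls, flagged): every URL found, and those on storage hosts."""
    urls = URL_RE.findall(text)
    flagged = []
    for url in urls:
        host = urlparse(url).hostname or ""
        if _host_matches(host, blocklist):
            flagged.append({"file": path, "url": url, "host": host})
    return urls, flagged

def audit_tree(root, blocklist=JSON_STORAGE_HOSTS):
    """Walk a checked-out repo (skipping node_modules) and collect flagged URLs."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or "node_modules" in p.parts:
            continue
        if p.suffix not in AUDIT_SUFFIXES and not p.name.startswith(".env"):
            continue
        text = p.read_text(errors="ignore")
        findings.extend(audit_text(text, str(p.relative_to(root)), blocklist)[1])
    return findings

# Constructed sample: a demo app config whose "settings" URL really pulls a
# remote JSON blob from a storage service, next to a harmless CDN reference.
SAMPLE_CONFIG = """{
  "name": "defi-demo",
  "cdn": "https://cdn.jsdelivr.net/npm/react@18",
  "remoteSettings": "https://api.npoint.io/PLACEHOLDER-ID"
}"""

if __name__ == "__main__":
    urls, flagged = audit_text(SAMPLE_CONFIG, "config.json")
    print(f"{len(urls)} URL(s) found, {len(flagged)} flagged")
    for f in flagged:
        print(f"  {f['file']}: {f['url']}  (host {f['host']})")
```

Run `audit_tree("path/to/clone")` on the freshly cloned repo before any `npm install` or `node` invocation; a non-empty result is the cue to stop and inspect what that URL returns.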
Read at InfoWorld