























Socket proactively blocks malicious open source packages in your code.
Secure your dependencies with us
Socket's Threat Research Team discovered five malicious NuGet packages published under the account bmrxntfj that typosquat widely used Chinese .NET UI and infrastructure libraries. Each package grafts a .NET Reactor protected infostealer payload onto a decompiled copy of a legitimate open source library. The stealer targets saved credentials across 12 browsers, 8 desktop cryptocurrency wallets, 5 browser wallet extensions and exfiltrates to a newly-registered C2 domain. Across all versions, the five packages have accumulated approximately 65,000 downloads, putting tens of thousands of developer workstations and CI/CD build servers in scope of credential and crypto wallet theft. All five packages remain available on NuGet at the time of writing. We’ve submitted takedown requests to the NuGet Gallery security team.
Each package claims to wrap a legitimate Chinese .NET library. IR.DantUI and IR.OscarUI wrap AntdUI, an MIT-licensed WinForms component library maintained on Gitee. The name "DantUI" is a one-character anagram of "AntdUI." IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, and IR.iplus32 contain functional .NET code in namespaces (iplus32.*, infrastructure service patterns) consistent with internal Chinese enterprise libraries. Instead of directly typosquatting any package names, they appear to impersonate private or internally distributed libraries that targeted organizations may already be consuming, making the package names plausible to developers in those environments.

The threat actor bmrxntfj NuGet profile showing all five IR.* packages
Developers who work in Chinese enterprise .NET ecosystems, integrate WinForms UI components from Gitee-sourced mirrors, or pull packages from curated Chinese corporate registries are the intended victims. The library surface is functional: Reactor decrypts the original IL at JIT time, so the package both compiles cleanly and executes its payload.
The bmrxntfj account owns exactly these five package IDs and no others. There are no benign cover packages and no packages predating the campaign. A publishing history audit via the NuGet registration API shows 224 total versions across the five IDs. 219 of those versions carry listed: false, hiding them from public search while keeping them fetchable via direct version-pinned install commands. The operator keeps only one version listed per package at a time, creating a false appearance of a low-volume, possibly legitimate library while silently accumulating install counts across a long unlisted version history.
This version rotation is an active evasion technique. The operator published version 2.1.55 on 2026-04-14, then rotated to 2.1.56 and 2.1.57 after analysis began. By unlisting the previously analyzed version and listing a new one, the operator invalidates file-hash-based IOCs: security tools blocking the 2.1.55 DLL hashes will not catch 2.1.57 because the DLL bytes differ. The campaign has followed this same pattern across all 219 prior versions, suggesting the operator has been running this rotation cycle for at least seven months.
The five 2.1.55 versions were published in sequence on 2026-04-14:
IR.Infrastructure.Core at 08:00:53 UTCIR.Infrastructure.DataService.Core at 08:00:56 UTCIR.DantUI at 08:01:00 UTCIR.iplus32 at 08:01:03 UTCIR.OscarUI at 08:01:06 UTCThe 12.78-second total window, combined with a dependency-graph-respecting publish order (Core packages before consumers), is consistent with a scripted release pipeline. A diff of IR.DantUI's DantUI/Svg/Transforms/SvgTransform.cs against the upstream AntdUI source confirms the repackaging technique for the AntdUI-derived packages: every AntdUI.* namespace is renamed to DantUI.*, every method body is replaced by a Reactor-Necrobit native decrypt stub (represented as return null; in the decompiled output), a 230-field Reactor module state machine is injected into the static constructor of every type, and the Reactor bootstrap hook is inserted at the top of every type initializer. The three remaining packages contain equivalent Reactor-wrapped functional .NET code with no confirmed public upstream.

Socket's AI scanner flagging ir.iplus32@2.1.56 as known malware, identifying the in-memory payload loader, anti-tamper checks, RWX memory allocation via native interop, and Linux /proc/self/mem access consistent with malicious supply chain behavior.
The payload fires through the .NET module initializer, which the CLR invokes automatically before any application code runs on first load. No explicit API call, user interaction, or Visual Studio session is required. Any build server, CI runner, or developer workstation that runs nuget restore and then loads the assembly is in scope.
On DLL load the CLR fires the module initializer. The initializer calls into the Reactor bootstrap, which:
VirtualAlloc(PAGE_EXECUTE_READWRITE).clrjit.dll!getJit with a 4-byte JMP, replacing the CLR JIT compiler's dispatch pointer with a hook that owns every subsequent method compilation in the process.After step 4, the hook decrypts each encrypted method body on demand before the JIT compiles it. The legitimate library code resumes running normally. The payload has control of the JIT pipeline.
The same module initializer includes fully wired cross-platform code paths: on Linux it writes to /proc/self/mem and uses mmap and mprotect; on macOS it resolves libSystem and libclrjit symbols and calls the same primitives. Loading any IR.* package on Linux or macOS CI infrastructure activates the same hook chain.
The P/Invoke stubs for the Windows API calls use string-split evasion to avoid static analysis:
// Analyst note: the API name is reassembled at runtime from a trimmed string literal
// plus a concatenated suffix, evading scanners that search for "OpenProcess" in the DLL.
// The same pattern is applied to WriteProcessMemory and VirtualAlloc.
string apiName = "Open ".Trim() + "Process";Payload analysis draws from we4ftg.exe, a 786 KB .NET MSIL assembly recovered from the memory dump described in the Attribution section. The dump, which was captured while the stealer was live after .NET Reactor decryption, so all runtime class names and configuration strings are in plaintext in the managed-object heap.
Reactor's Necrobit mode encrypts method bodies but does not touch the .NET metadata streams (#~, #Strings) unless the operator enables Type Name Obfuscation. Running ilspycmd --list assemblies against the rebuilt PE produces a complete class graph that names every capability without decrypting a single method body:

ilspycmd --listassemblies output forwe4ftg.exeshowing stealer class names recovered from unencrypted .NET metadata, with all method bodies still Reactor-encrypted.
Browser credential harvesting: BrowserKeyDecryptor targets Chromium Login Data and Web Data SQLite databases. It unseals the Chromium master key by invoking the Chromium IElevator com inference; the Microsoft Edge IElevator IID {c9c2b807-7731-4f34-81b7-44ff7779522b} was recovered intact from the memory dump. Both Chrome encryption versions are handled: v10 (legacy DPAPI-wrapped master key) and v20 (AppBound encryption, introduced in Chrome 127 in mid-2024). Handling v20 confirms the payload was built or updated after July 2024.
The 12 targeted Chromium-family browsers are: Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, Epic Privacy, Torch, Comodo, Slimjet, Iridium, 7Star, and AVG Secure Browser. AVG Secure Browser is special-cased by user-data path (avgbrowser / avg\\browser) rather than handled by generic Chromium profile enumeration, indicating deliberate targeting. Firefox, Mozilla, and Thunderbird are also in scope.
Cryptocurrency wallet extraction: Five Chromium extension IDs are hardcoded:
nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)hnfanknocfeofbddgcijnmhnfnkdnaad (Coinbase Wallet)Desktop wallet directories for Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance are also walked.
Document and credential theft: SSH private keys (id_rsa), Outlook profiles, Steam session configuration, and the full file tree under Documents, Desktop, and Downloads are harvested.
Process injection: SharpInjector with InjectionStatusCode return codes and a DllArchitecture enumeration supports architecture-matched injection into long-lived processes. InternalStructs32 and InternalStructs64 implement PEB-walking manual LdrLoadDll-style module loading for both bitnesses, consistent with migration into dllhost.exe or explorer.exe for persistence.
Staging and exfiltration: All harvested material is staged under C:\\ProgramData\\Microsoft OneDrive\\keys.dat. This path abuses the real Microsoft OneDrive installation directory to blend with expected filesystem state. Legitimate OneDrive never writes a keys.dat file there. The staged archive is POSTed to https://dns-providersa2[.]com/upload; text logs are hex-encoded and sent to the same endpoint. Each HTTP request carries a dynamically generated header named X-{3 random lowercase letters} to avoid static header-name matching in network appliances.
Anti-analysis: 22 hardcoded uppercase SHA-256 hex strings form an internal blocklist in we4ftg.exe. Enumeration attempts against common sandbox usernames, computer names, and analyst-tool process names returned no matches, suggesting the hashes cover HWIDs, specific cryptocurrency wallet addresses, or file hashes of known analyst binaries.
Every copy of .NET Reactor is licensed with a unique RSA-1024 key pair. The public half is embedded in every assembly the operator protects and is used for Anti-Tamper signature verification. It is operator-specific: two different Reactor customers will have different RSA moduli even when using identical Reactor settings.
Extracting the RSA public key from IR.iplus32's Reactor bootstrap yields a modulus with a base64 representation beginning zlUkMywGKDNbeJxH. A VirusTotal Intelligence content search for that base64 string returns exactly four files:
s4.exe (first seen 2026-04-04, 10 days before the NuGet burst): a 100 MB Rip-scraper process memory dump containing a live stealer executionCRYPT32.DLL.MUI (96 MB, first seen 2026-04-05)mscorrc.dll (99 MB, first seen 2026-04-05)All four files share the same Reactor modulus and are operator-owned artifacts from the same campaign. The crowdsourced YARA labels across the cluster include Lumma, Quantum, AgentRacoon, and ArrowRAT. These family labels reflect shared obfuscation technique (Reactor packing) rather than definitive family classification; the RSA modulus is the precise attribution signal.

VirusTotal detection results for s4.exe, the memory dump sharing the IR. campaign's Reactor RSA signing key, showing crowdsourced YARA family labels consistent with an active infostealer.
One query detail worth noting: searching VT for the raw hex-encoded bytes of the modulus returns zero results, because Reactor embeds the modulus only as base64 inside an <RSAKeyValue> XML literal at runtime. Searching for the hex form is a common miss in Reactor attribution work; the base64 prefix is the correct pivot query.
s4.exe is a raw process memory dump captured by the Rip scraper tool while a Reactor-packed stealer was already running. The dump contains 61 page-aligned PE images and approximately 10 MB of live .NET heap. Because the Reactor runtime had already decrypted the payload before the capture, all runtime strings are recoverable by regex sweep over the raw dump bytes without any unpacking step.
A regex for HTTP URLs against the 100 MB file surfaces the complete C2 configuration at heap offset 0x84e36c, stored as a length-prefixed UTF-16LE serialized dictionary:
# Analyst note: pattern applied to s4.bin as a raw byte scan.
# Both UTF-8 and UTF-16LE forms of the C2 domain appear in the heap.
# 20 UTF-16LE hits, 2 ASCII hits, spanning offsets 0x84e000 to 0x8f0000.
import re
pattern = re.compile(rb'(?i)(?:https?|wss?|ftp)://[\w.\-:/%?=&#]+')
with open("s4.bin", "rb") as f:
data = f.read()
hits = pattern.findall(data)The extracted configuration covers the C2 endpoints, the random X-{abc} header obfuscation scheme, the Chromium elevation CLSID, the OneDrive staging path, both Chrome v10 and v20 encryption version strings, the full browser user-data path list, and the browser wallet extension ID list. The threat actor also left a test victim identity in the dump: hostname NEW-4V, username oljwe4y98, consistent with a developer sandbox used for payload testing before deployment.
This technique generalizes to any Reactor-Necrobit sample for which a live memory dump is available: the .NET managed-object heap always contains the post-decrypt string values between the page-aligned PE images, recoverable by regex without any Reactor-specific tooling.
The primary C2 is dns-providersa2[.]com, registered 2026-03-12, 33 days before the NuGet publish burst. It resolves to 62[.]84[.]102[.]85, a VDSINA VPS on ASN 216071 fronted in Amsterdam with a UAE shell-company registrant. Nameserver authority is delegated to Njalla (1-you.njalla[.]no, 2-can.njalla[.]in, 3-get.njalla[.]fo), a Nevis-incorporated privacy registrar routinely used by ransomware, stealer, and phishing operators to prevent WHOIS-based takedown requests. The domain has no MX record and no AAAA record, consistent with a bare HTTPS C2 with no mail or IPv6 surface. The domain name is engineered to resemble a legitimate DNS provider in firewall and netflow logs.
The two C2 endpoints recovered from the heap are https://dns-providersa2[.]com/check (beacon and operator validation) and https://dns-providersa2[.]com/upload (exfiltration upload).
Two of the five nuspec files list git[.]justdotrip[.]com as the <RepositoryUrl>. This resolves to 47[.]100[.]60[.]237 on Alibaba Cloud Shanghai. It is a private git server with no public repository surface. The same domain produces zero hits in public malware databases or GitHub commit searches and likely hosts the threat actor's development environment. It was not observed as an active C2 in the heap dump and is included here as an operator infrastructure indicator.
Any build machine, CI runner, or developer workstation that ran nuget restore against a project listing any of the five IR.* package IDs loaded a DLL whose module initializer fires before application code. Installing a package is not required for execution: restoring the package to the local cache and loading the DLL in any .NET host process is sufficient.
The total download count across all versions and all five package IDs is approximately 64,784. This figure covers the maximum exposure window dating back to September 2025, when the oldest recoverable version of IR.iplus32 was first published. Any machine that restored and loaded any of the 219 listed: false prior versions is equally at risk.
Confirmed data categories in scope for exfiltration, based on the recovered target list and staging path: browser saved passwords, browser cookies and session tokens, browser autofill data and stored payment cards, browser wallet extension storage (MetaMask, TronLink, Phantom, Trust Wallet, Coinbase Wallet), desktop wallet seed files and wallet.dat files for Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, and Binance, SSH private keys, Outlook email profiles, Steam session credentials, and files in Documents, Desktop, and Downloads.
Check project files and packages.lock.json for any reference to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI at any version. If any of these package IDs appear in your dependency graph, treat the restoring machine as compromised and rotate all credentials accessible from it: browser-saved passwords, API keys, SSH private keys, cryptocurrency wallet seeds, and cloud provider credentials.
If you need the legitimate upstream libraries, install them directly from their canonical NuGet identities and publishers, not any IR.* variant.
Add the following to your detection stack:
dns-providersa2[.]com.62[.]84[.]102[.]85.C:\\ProgramData\\Microsoft OneDrive\\keys.dat. Legitimate OneDrive never writes this file.CoCreateInstance calls requesting the Microsoft Edge IElevator interface (IID {c9c2b807-7731-4f34-81b7-44ff7779522b})by any process outside the Edge browser family.X-[a-z]{3} with a short random value from build or developer machines, which is the stealer's per-request C2 header obfuscation pattern.The bmrxntfj account published 224 versions across five typosquatting package IDs with no benign publishing history and no disclosed affiliation with the upstream libraries being imitated. The account should be suspended and all five package IDs delisted. The shared Git commit hash efb675de4b3af3dac3c9cae91075fd7cc2f4f98e, the Iplusus NuGet tag, and the git[.]justdotrip[.]com repository URL should be searched across the full registry for additional packages from the same campaign.
Socket detects threats like this across the full dependency graph, including JIT-hooking module initializers, typosquatted package metadata, and encrypted payload resources, before they reach developer environments. The Socket GitHub App scans pull request dependency changes and flags malicious packages before merge. The Socket CLI enforces allow and deny rules in CI pipelines. Socket Firewall blocks known malicious packages before they are fetched. The Socket browser extension surfaces risk signals while browsing NuGet. Socket MCP prevents AI-assisted coding workflows from introducing suspicious dependencies into your codebase.
IR.DantUIIR.Infrastructure.CoreIR.Infrastructure.DataService.CoreIR.iplus32IR.OscarUIbmrxntfjdns-providersa2[.]com (primary C2 domain)https://dns-providersa2[.]com/check (C2 beacon endpoint)https://dns-providersa2[.]com/upload (exfiltration endpoint)62[.]84[.]102[.]85 (VDSINA, ASN 216071, Amsterdam)justdotrip[.]com / 47[.]100[.]60[.]237 (operator development infrastructure, Alibaba Cloud Shanghai)1-you.njalla[.]no, 2-can.njalla[.]in, 3-get.njalla[.]fo (Name Servers)X-[a-z]{3} with random 3-letter value per requestC:\\ProgramData\\Microsoft OneDrive\\keys.dats4.exe : e1869d6571894f058dd4ab2b66f060628dc364ee8e29afbd2323c95e5002fb8ewe4ftg.exe : 8f7aa15c77bde94087bb74dfc072e25212797b313731b4cad0ded3e152268dcfIR.DantUI(v.2.1.55) : 34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7cIR.Infrastructure.Core(v.2.1.55): b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9IR.Infrastructure.DataService.Core(v.2.1.55) : b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4faIR.iplus32(v2.1.55) : 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824IR.OscarUI(v2.1.55): 596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1nkbihfbeogaeaoehlefnkodbefgpgknn (MetaMask)ibnejdfjmmkpcnlpebklmnkoeoihofec (TronLink)bfnaelmomeimhlpmgjnjophhpkkoljpa (Phantom)egjidjbpglichdcondbcbdnbeeppgdph (Trust Wallet)hnfanknocfeofbddgcijnmhnfnkdnaad (Coinbase Wallet)此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。