Malware Analysis

Deep dive into what the stolen payloads actually do. Source: rubenmarcus/malicious-repositories

C2 Server Configuration

Decoded from the Golden City payload. All ports on the same IP.

mainServer

144.172.94.226:6961

Reverse shell (full remote access)

uploadServer

144.172.94.226:6966

File exfiltration

keyServer

144.172.94.226:6967

Encryption key exchange

logServer

144.172.94.226:6968

Activity logging

Attack Flow Diagram

eval() fetches obfuscated JS from npoint.io

The initial payload is hosted on a free JSON hosting service. The eval() call downloads and immediately executes the first-stage malware.

Suppresses all errors

Installs process.on('uncaughtException', () => {}) to silently swallow all errors. The victim sees no warnings, crashes, or stack traces.

Creates reverse shell to C2 every 5 seconds

Opens a persistent TCP connection to 144.172.94.226:6961. Reconnects every 5 seconds if dropped. Gives attacker full terminal access.

Monitors clipboard for passwords

Polls the system clipboard every 500ms. Captures copied passwords, seed phrases, API keys, and 2FA codes. Sends them to the C2 log server.

Scans and uploads sensitive files

Recursively searches for .env, .config, .ssh/, wallet files, browser profiles, documents, and source code. Uploads everything to the exfiltration server.

Executes arbitrary commands from C2

The reverse shell accepts any command from the attacker. Full system access: install more malware, pivot to other machines, encrypt files.

Disguise Locations

13 repositories with their malware injection points.

Repo	Malware File	Attack Type
golden-city	`backend/controllers/userController.js`	Byte-array URL obfuscation + new Function()	SCAN
multify_staking	`next.config.js`	Obfuscated code before legitimate config	SCAN
munity-game	`server/routes/paymentRoute.js`	eval() in payment route	SCAN
erc20-token-dapp	`vite.config.js`	Malicious npm package (cdn-icon-fetch)	SCAN
sarostech-assessment	`server/config/getContract.js`	new Function() with require	SCAN
web3game	`src/utils/wallet.js`	eval() + w3capi.marketing exfil	SCAN
real_estate	`server/controllers/userController.js`	Remote eval() via npoint.io	SCAN
real_estate_new	`server/controllers/paymentController.js`	Remote eval() via npoint.io	SCAN
real-estate-rental-platform	`backend/utils/authHelper.js`	Remote eval() via npoint.io	SCAN
coinpool-rental-platform1.0	`server/controllers/paymentController.js`	Remote eval() via npoint.io	SCAN
DEX-staking-project-ultrax	`src/utils/wallet.js`	Remote eval() via npoint.io	SCAN
trend-dev-preproduction	`backend/controller.js`	Remote eval() via npoint.io	SCAN
challenge-experiment-module	`setup.js`	Byte-array obfuscation	SCAN

Known C2 Domains & IPs

All known command-and-control infrastructure. Block these on your network.

144.172.94.226:6961

IPReverse shell

144.172.94.226:6966

IPFile upload

144.172.94.226:6967

IPKey exchange

144.172.94.226:6968

IPActivity log

api.npoint.io

DomainPayload hosting

w3capi.marketing

DomainData exfiltration

mglcoin.io

DomainC2 infrastructure

flickthebean.onrender.com

DomainPayload delivery

nvidia-release.org

DomainFake driver download

nvidia-release.us

DomainFake driver download

camera-drive.cloud

DomainFake interview malware

nvidia-drive.cloud

DomainFake driver download

chainlink-api-v3.com

DomainC2 infrastructure

ip-api-test.vercel.app

DomainVictim fingerprinting

vscode-config-settings.vercel.app

DomainVS Code payload

api-web3-auth.vercel.app

DomainCredential theft