
North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack

Axios npm Supply Chain Attack, Supply Chain Attack, Axios, npm Package, GTIG, CTI, North Korea, Lazarus Group, Lazarus

On Monday, the Axios npm supply chain attack came to light where malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored when Google Threat Intelligence Group (GTIG) published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between 00:21 and 03:20 UTC on March 31, an attacker introduced a malicious dependency named plain-crypto-js into axios npm releases 1.14.1 and 0.30.4. Axios is the most popular JavaScript library for simplifying HTTP requests; its packages typically see over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should:

  • check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux);
  • downgrade to axios 1.14.0 or 0.30.3;
  • remove plain-crypto-js from node_modules;
  • audit CI/CD pipeline logs for the affected window;
  • rotate all credentials on any system where RAT artifacts are found;
  • block egress to sfrclak[.]com.
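A script that runs the artifact, version and dependency checks from the list above over local npm checkouts, plus the user-agent heuristic from the previous section. This is an added example and not tooling from GTIG, Mandiant or Huntress; the package name, versions and drop paths are the ones the article names, and the user-agent check assumes the standard IE8/Windows XP tokens since the article does not quote the exact string.

```python
"""Checks for the axios compromise indicators listed above. Added example, not
tooling from GTIG, Mandiant or Huntress; package names, versions and artifact
paths are those the article names, the layout is standard npm.
Usage: python check_axios.py /path/to/repo [...]"""
import json
import os
import sys

MALICIOUS_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
MALICIOUS_DEPENDENCY = "plain-crypto-js"
# Payload drop locations from the article. Assumption: the Windows path is
# resolved through the PROGRAMDATA environment variable when present.
RAT_ARTIFACTS = [
    "/Library/Caches/com.apple.act.mond",  # macOS Mach-O payload
    "/tmp/ld.py",                          # Linux Python backdoor
    os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "wt.exe"),
]


def read_package_json(path):
    """Parse a package.json; None if it is missing or not valid JSON."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None


def analyse(axios_meta, dep_meta, lock):
    """Pure check over parsed metadata (unit-testable without a filesystem).
    axios_meta/lock: parsed package.json / package-lock.json, or None if absent.
    dep_meta: parsed plain-crypto-js package.json ({} if unreadable), or None
    if that directory does not exist."""
    findings = []
    if axios_meta and axios_meta.get("version") in MALICIOUS_AXIOS_VERSIONS:
        findings.append(f"axios {axios_meta['version']} installed (compromised release)")
    if dep_meta is not None:
        findings.append(f"{MALICIOUS_DEPENDENCY} present in node_modules")
        # The dropper ran from this hook and then tried to revert package.json,
        # so a missing hook does not mean the dropper never executed.
        if "postinstall" in (dep_meta.get("scripts") or {}):
            findings.append(f"{MALICIOUS_DEPENDENCY} still declares a postinstall hook")
    # Lock files keep the resolved versions even after node_modules is deleted.
    for name, entry in (lock or {}).get("packages", {}).items():
        if name.endswith("node_modules/" + MALICIOUS_DEPENDENCY):
            findings.append(f"{MALICIOUS_DEPENDENCY} resolved in package-lock.json")
        elif name.endswith("node_modules/axios") and entry.get("version") in MALICIOUS_AXIOS_VERSIONS:
            findings.append(f"package-lock.json pins axios {entry['version']}")
    return findings


def check_project(project_dir):
    """Return finding strings for one npm project directory."""
    nm = os.path.join(project_dir, "node_modules")
    dep_dir = os.path.join(nm, MALICIOUS_DEPENDENCY)
    dep_meta = (read_package_json(os.path.join(dep_dir, "package.json")) or {}
                if os.path.isdir(dep_dir) else None)
    return analyse(read_package_json(os.path.join(nm, "axios", "package.json")),
                   dep_meta,
                   read_package_json(os.path.join(project_dir, "package-lock.json")))


def check_host_artifacts(paths=RAT_ARTIFACTS):
    """Return the RAT drop paths that exist on this host."""
    return [p for p in paths if os.path.exists(p)]


def is_anomalous_user_agent(ua):
    """Heuristic for the IE8-on-XP user agent the article calls out. Assumption:
    the standard IE8 / Windows XP tokens; the article does not quote the string."""
    return "MSIE 8.0" in ua and "Windows NT 5.1" in ua


if __name__ == "__main__":
    exit_code = 0
    for project in sys.argv[1:]:
        for finding in check_project(project):
            print(f"FINDING [{project}]: {finding}")
            exit_code = 1
    for artifact in check_host_artifacts():
        print(f"FINDING [host]: RAT artifact present: {artifact}")
        exit_code = 1
    sys.exit(exit_code)
```

A non-zero exit code from a clean run means at least one indicator was found; credential rotation and the CI/CD log audit from the list still have to be done by hand.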

EclecticIQ AI Suite levels up: New AI tools to boost your investigations

The EclecticIQ AI features have already been helping you work faster and smarter, from using the AI assistant as your on-demand research partner, to querying complex data sets using NLP search, aligning requirements with Intelligence Compass, and extracting key entities with AI entity extraction. With the upcoming 3.6 release of Intelligence Center, we’re expanding the EclecticIQ AI Suite with three productivity-boosting features: Summarization, Content generation with templates, and Translation. These tools are built to help you move faster, go broader, and stay focused on what matters most.

EclecticIQ Intelligence Center 3.5: The game changer in threat intelligence

The cybersecurity landscape isn’t slowing down, and neither should your security operations. With EclecticIQ Intelligence Center 3.5, we’re delivering a breakthrough release that enhances AI-embedded investigations, enables streamlined intelligence management, and unlocks precision threat prioritization. Analysts can now navigate the platform more efficiently, extract insights faster, and provide actionable intelligence for decision-makers, all in one seamless experience.

Tracking Adversaries: EvilCorp, the RansomHub affiliate

 


Introduction

This blog is part of a cyber threat intelligence (CTI) blog series called Tracking Adversaries that investigates prominent or new threat groups.

The focus of this blog is EvilCorp, a sanctioned Russia-based cybercriminal enterprise known for launching ransomware attacks, and RansomHub, a prominent ransomware as a service (RaaS) operation run by Russian-speaking cybercriminals.

These two threat groups have been linked together through cooperation on intrusions and through IOCs and TTPs shared by multiple CTI sources. The implication of this link is critical: RansomHub, the most active ransomware gang, is working with a well-known sanctioned affiliate.

Who is RansomHub?

Active since February 2024, RansomHub is a RaaS operation formerly known as Cyclops and Knight and is run by Russian-speaking adversaries. It is increasingly used by cybercriminals who are ex-affiliates of other RaaS operations, including the ALPHV/BlackCat RaaS and the LockBit RaaS, which have since shut down or disappeared. This has made the RansomHub RaaS one of the most widespread ransomware families as of early 2025.

Due to having a high number of affiliates, the tools and TTPs observed before the final RansomHub payload is deployed can vary significantly. Each affiliate may have their own set of tools and TTPs to achieve the final objectives of data exfiltration and ransomware deployment.

Who is EvilCorp?

Evil Corp is an international cybercrime network led by Maksim Yakubets and sanctioned for orchestrating large-scale financial cyberattacks. EvilCorp’s operations have evolved over time, expanding from Dridex banking trojan campaigns into developing ransomware like BitPaymer, WastedLocker, Hades, PhoenixLocker, and MacawLocker.

Notably, Aleksandr Ryzhenkov was identified by the National Crime Agency (NCA) as a high-ranking member of EvilCorp and also a LockBit affiliate. Ryzhenkov became a LockBit affiliate around 2022, contributing to over 60 LockBit ransomware builds and attempting to extort more than $100 million from victims. This discovery aligns with Mandiant’s previous reporting on EvilCorp shifting to LockBit as well.

The NCA also found that EvilCorp maintains close ties with Russian intelligence agencies through Yakubets' father-in-law, Eduard Bendersky, a former FSB officer, who is suspected of using his influence to shield the group from prosecution in Russia.

One of the TTPs that makes EvilCorp stand out from the rest of the RaaS affiliates is their own affiliation with the SocGholish JavaScript malware (aka FAKEUPDATES). If ransomware deployment takes place following a SocGholish infection, then the attackers responsible for the attack will be affiliated with EvilCorp.

Reported Connections Between EvilCorp and RansomHub

On 15 July 2024, Microsoft shared a post on X stating that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest (which is Microsoft’s name for EvilCorp) following initial access via SocGholish (aka FakeUpdates) infections (which Microsoft tracks as Mustard Tempest).


On 15 January 2025, Guidepoint wrote a blog on a new Python backdoor used by an affiliate of RansomHub. Notably, the new Python backdoor was delivered by SocGholish. Therefore, this Python backdoor is another potential artifact worth monitoring for its connection to known EvilCorp-related malware.

The next day, on 16 January 2025, Google shared a report on EvilCorp (which Google tracks as UNC2165) that disclosed numerous tools and malware families they have been using to deliver RansomHub, including a Python backdoor dubbed VIPERTUNNEL (see the image below). The presence of a Python backdoor following a SocGholish infection is a notable TTP that overlaps with the Guidepoint blog on RansomHub.

On 14 March 2025, Trend Micro disclosed further details that also confirmed the SocGholish malware is leading to the deployment of RansomHub ransomware. The operators of SocGholish are tracked as Water Scylla by Trend Micro. The operators distribute SocGholish via the Keitaro Traffic Direction System (TDS), a legitimate service used for marketing campaigns. Trend Micro also observed SocGholish dropping the same custom Python backdoor (aka VIPERTUNNEL) as well.

So What?

EvilCorp has been under US sanctions since 2019, making it illegal for affected organisations to pay ransoms to them without facing potential fines from the US Treasury’s Office of Foreign Assets Control (OFAC). Despite these sanctions, EvilCorp has continued its cybercriminal activities by adapting its tactics to include rebranding their ransomware and becoming an affiliate of RaaS operations, such as LockBit and RansomHub. 

The key indicator of EvilCorp's involvement in ransomware attacks continues to be the use of the SocGholish malware, which employs drive-by downloads masquerading as web browser software updates to gain initial access to systems.

EvilCorp’s affiliation with RansomHub raises the possibility that RansomHub may soon face sanctions similar to those imposed on EvilCorp. Consequently, paying a ransom to RansomHub could become significantly riskier for victims, cyber insurance organisations, incident responders, and ransomware negotiators, as they may inadvertently violate sanctions and face legal repercussions.

Given EvilCorp's prominence as a target for international law enforcement, its association with RansomHub is likely to draw increased scrutiny. This could result in RansomHub becoming the focus of future law enforcement actions, including potential takedowns and additional sanctions, further complicating the landscape for entities involved in ransomware response and mitigation.

There is also an increased likelihood that RansomHub will now rebrand. As we saw in the BlackBasta Leaks, ransomware groups pay close attention to the news, CTI reports, and even posts on X and blogs by researchers. This association with EvilCorp and the threat of sanctions is an issue for ransomware groups, as it impacts their business model and makes earning harder. Therefore, by linking the two entities together, CTI analysts can impose costs on these cybercriminals.

References:

  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a
  2. https://www.bankinfosecurity.com/blogs/ransomhub-hits-powered-by-ex-affiliates-lockbit-blackcat-p-3703
  3. https://www.ransomware.live/group/ransomhub#ttps
  4. https://home.treasury.gov/news/press-releases/sm845
  5. https://web.archive.org/web/20200213115628/https:/www.nationalcrimeagency.gov.uk/news/international-law-enforcement-operation-exposes-the-world-s-most-harmful-cyber-crime-group
  6. https://www.crowdstrike.com/en-us/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
  7. https://web.archive.org/web/20241004104429/https:/www.nationalcrimeagency.gov.uk/news/further-evil-corp-cyber-criminals-exposed-one-unmasked-as-lockbit-affiliate
  8. https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#DEV-0206-DEV-0243
  9. https://malpedia.caad.fkie.fraunhofer.de/details/js.fakeupdates
  10. https://x.com/msftsecintel/status/1812932754947911780
  11. https://www.microsoft.com/en-gb/security/security-insider/manatee-tempest
  12. https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/
  13. https://services.google.com/fh/files/misc/threat_horizons_report_h1_2025.pdf
  14. https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html
  15. https://blog.bushidotoken.net/2025/02/blackbasta-leaks-lessons-from-ascension.html


Strengthening Europe’s Cybersecurity Future: A Strategic Imperative for 2025

Europe faces a critical juncture. Geopolitical tensions are rising, and cyber threats are growing more sophisticated. This reality has made cybersecurity a vital part of Europe’s defense strategy, along with the defense strategies of the entire world. The European Commission’s ReArm Europe/Readiness 2030 initiative, which proposes a €150 billion investment in defense (including a dedicated €3.5 billion cybersecurity fund as noted in President von der Leyen’s 3 March statement), demonstrates that there is unprecedented opportunity for unified action.

Now is the time for European cybersecurity companies to come together, strengthen the industry and protect our shared future. The reason is straightforward: Europe can no longer afford to view cybersecurity separately from traditional defense measures.

BlackBasta Leaks: Lessons from the Ascension Health attack


The BlackBasta ransomware group’s leaked chat logs have already proven to be another unique and fascinating opportunity for researchers to better understand the internal operations of a Russia-based organised cybercrime enterprise. These leaks followed a major leak of Conti chat logs in 2022, which also proved to be a treasure trove of intelligence on that cybercrime enterprise. The BlackBasta gang consists of former Conti ransomware members, and it should come as no surprise that their operations are similar in nature and structure.

Ransomware researchers have several valuable resources to conduct investigations with nowadays. This includes ransomware.live, which contains several resources including ransomch.at, a collection of negotiation chats between ransomware gangs and their victims, as well as the ransomware tool matrix and ransomware vulnerability matrix. These resources allow analysts to understand in depth the capabilities and motivations of these ransomware gangs. However, leaked chat logs are the final missing piece of the puzzle and offer a deeper understanding from the cybercriminals’ very own perspective, including their organisational structure.

Active since April 2022, BlackBasta is one of the top-tier ransomware gangs and one of the largest cybercrime enterprises in the world. According to the US Cybersecurity and Infrastructure Security Agency (CISA), BlackBasta had impacted up to 500 different businesses and critical infrastructure organisations in North America, Europe, and Australia as of May 2024.

The importance of the Ascension Health incident

This blog will dive deep into the Ascension Health attack by BlackBasta. It is a step-by-step extraction of the conversation between the BlackBasta members while they decide how to handle the attack.

The new insights into how BlackBasta and other ransomware gangs perceive being involved with incidents at a healthcare-sector victim should prove useful for incident responders, law enforcement, and governments that have to resolve these types of attacks on the healthcare sector on an alarmingly regular basis.

Background

On 9 May 2024, mainstream news organisations in the US reported about a cyberattack and significant disruption of services of Ascension Health, one of the largest healthcare providers in the country. On 11 May 2024, BleepingComputer reported that BlackBasta was to blame for the attack on Ascension Health and that ambulances had been disrupted and patients were being redirected to other hospitals.

How the Incident Began

The BlackBasta attack on Ascension Health began many months before the ransomware was deployed on their network. Reconnaissance of Ascension Health by members of BlackBasta began around 3 November 2023. They shared 14 email addresses of Ascension Health employees, which we can only assume were used for phishing or password guessing. Ransomware gangs often use ZoomInfo to profile their targets and determine whether it is worth attacking them to extract a ransom.


The ransomware gang themselves wrote in their Matrix chat that CBS News had written about a cyberattack on Ascension Health on 9 May 2024 and exclaimed that “it looks like one of the largest attacks of the year.”


Another BlackBasta member “gg” confirmed in the chat that it was them and appeared to be surprised that the news was writing about it.

Later, “gg” appeared to feel bad about the attack and concerned that cancer patients were suffering. However, at this stage it is hard to tell if they are serious or being sarcastic.


One member of BlackBasta who used the moniker “tinker” then stated that he wanted to be the negotiator for the BlackBasta team and began to strategize how to extract a ransom payment.


“gg” says they encrypted Ascension Health’s network using the Windows Safe Mode Boot technique, which BlackBasta is well known for using.


The negotiator, “tinker”, begins to weigh up their options. He states he believes the FBI and CISA will be involved, as well as Mandiant, and begins to compare the incident to the Change Healthcare attack by ALPHV/BlackCat (and later RansomHub), who received a 22 million USD ransom payment.


“gg” shares that all the stolen data was put on a server named “ftp8” and tagged as “ALBIR_DS” and says to “tinker” that he should “look at the folder name, everything we downloaded from them is there.”

The operator, “gg”, also shared a summary of Ascension Health’s target environment: more than 12,000 servers, and the security tools in use, namely Cylance, Tanium, and McAfee. “gg” also said they downloaded over 1.4TB of data to "ftp8", used BlackBasta ransomware version 4.0, and attacked them on 8 May 2024.


Interestingly, “gg” also appears to have recommended bluffing to the victim that they stole more than 1.5TB, telling them that 3TB was stolen instead.

Negotiation Strategizing

Having established the details of the incident, Tinker (the negotiator) began to weigh the likelihood of getting a ransom payment and to estimate how much Ascension Health was likely losing per day.


Tinker (negotiator) then explains to the other BlackBasta members involved in the attack what course of action they should take to get the ransom from Ascension Health. Tinker says they would normally set the demand at 3% of annual revenue and negotiate from there. They note that there are clear problems with the victim being a hospital and with this attack following the Change Health attack by ALPHV/BlackCat. They are also worried because they believe the US National Security Agency (NSA) attacked TrickBot's servers four years ago and that the FBI took down Qakbot more recently. Tinker is also worried that one of Ascension Health’s patients will die, that they will be blamed, and that the incident will be labelled a terrorist attack.

Tinker also noted that when BlackSuit attacked Octapharma, the news labelled it "hostile actions by Russia", and warned that Conti was already under sanctions and that, because they are tied to Conti, they may not get paid.

Tinker, ransomware negotiator for BlackBasta, ultimately recommended giving the decryptor for free to Ascension Health and resorting to data theft extortion. This is notable, as it is a similar situation to the Irish HSE ransomware attack by Conti, who also provided the decryptor for free.


Tracking Adversaries: Ghostwriter APT Infrastructure

Introduction to Infrastructure Pivoting

Pivoting on infrastructure is a handy skill for cyber threat intelligence (CTI) analysts to learn. It can help to reveal the bigger picture when it comes to malware, phishing, or network exploitation campaigns. Infrastructure pivoting essentially is the act of looking for more systems an adversary has created. The main benefit of this pursuit is the identification of additional targets or victims, more tools or malware samples, and ultimately new insights about the adversary’s capabilities.

If done correctly, being able to pivot on adversary infrastructure will be very useful during incident response (IR) engagements. For example, it may lead to being able to attribute the intrusion to a known adversary. This will help others during an IR engagement understand the level of threat posed to the victim organisation.

Receiving Threat Data

To be able to pivot on adversary infrastructure, threat data is needed such as the intelligence shared by threat reports put out by various researchers from public and private sector organisations. This scenario, however, involves relying on the analysis skills of other researchers to explain what the infrastructure is and when they observed it in use.

This blog will examine threat data provided by public sector organisations such as the Computer Emergency Response Team of Ukraine (CERT-UA) as well as cybersecurity vendors such as Deep Instinct, Cyble, and Fortinet. These organisations have shared indicators of compromise (IOCs) uncovered following analysis of adversary intrusion activities or uploads to online malware sandboxes, such as VirusTotal, among others.

Introduction to the Ghostwriter Campaign

On 3 June 2024, Fortinet shared a report on malicious XLS macro documents leading to Cobalt Strike Beacons. Analysis of the XLS documents showed that they appeared to be targeting the Ukrainian military and linked to a known Belarusian state-sponsored APT group tracked as Ghostwriter (aka UNC1151, UAC-0057, TA445). On 4 June 2024, Cyble also shared a report on a similar campaign.

In both reports, if the XLS was opened and the macros were executed by the target, a malicious DLL file was downloaded from an adversary-created domain. In Fortinet’s report, two similar “.shop” domains were mentioned. In Cyble’s report another “.shop” domain was also called out.

Overlapping IOCs

The first pivot on Ghostwriter APT infrastructure that will be demonstrated involves finding indicators of compromise (IOCs) such as domains and IP addresses that appear in multiple threat reports.

The fastest way to spot these overlaps is through continuous collection of reported IOCs into a Threat Intelligence Platform (TIP). Tagging each IOC with its source reveals those that appear in multiple threat reports. Eventually, one domain or IP address will get reported by multiple entities and the connection will make itself apparent.

In Figure 1 (see below) the domain “goudieelectric[.]shop” appeared in both Cyble’s blog and Fortinet’s blog. Analysis of all three domains found that they use the same generic top-level domain (gTLD), registrar, and name servers, and all have a robots.txt file configured. These common infrastructure characteristics indicate that all three domains were created by the same adversary.

Figure 1. Three similar domains appearing in two threat reports.

Domain Registration & Hosting Overlaps

When more IOCs are reported in other threat reports, it is possible to link them to the already known domains, because adversaries reuse the same registrars, name servers, and gTLDs.

In Figure 2 (see below), Deep Instinct reported two more domains that could also be linked to the previous three domains through the mutual use of the PublicDomainsRegistry registrar, Cloudflare name servers, and the robots.txt file.

Figure 2. Five similar domains that appear across three threat reports.

Further, CERT-UA reported three more domains (see Figure 3 below) that could be linked to the infrastructure cluster through this same method as well. This pattern of behaviour is a strong indicator that these domains were created by the same adversary.

Figure 3. Eight similar domains that appear across four threat reports.

Finding Unreported Domains

Since the domains from the above threat reports were collected and linked together through overlapping attributes, it is now possible to use these attributes to find more domains that had gone unreported.

Using a VirusTotal domain attribute query, additional domains can be found by using the following registration pattern:

  • Name Servers: CLOUDFLARE
  • Registrar: PublicDomainRegistry
  • TLD: *.shop

This revealed up to 24 domains that matched this pattern that were likely created by Ghostwriter, a state-sponsored APT group:


Note: VirusTotal domain searches are only available to VirusTotal Enterprise users. Other providers, such as DomainTools, Validin, and Zetalytics, also allow you to search for domain registration patterns. There are also some free OSINT sites, such as nslookup.io and viewdns.info, that can be useful in certain scenarios.
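The registration-pattern pivot described above (shared gTLD, registrar, name servers and robots.txt) as code, added here as an example and not tooling from CERT-UA, Fortinet, Cyble or Deep Instinct. It goes slightly beyond the blog's exact-match pivot by also scoring partial overlaps for triage. The records are constructed: the domain names come from this blog, but the attribute values, the "Report B" attribution and the two non-matching domains are illustrative stand-ins, not real WHOIS or report data.

```python
"""Pivot on shared registration attributes, as in the .shop cluster above.
Added example, not vendor tooling. Sample records are constructed: domain
names are from the blog, attribute values and attributions are illustrative."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrar: str
    name_servers: frozenset            # normalised provider names
    has_robots_txt: bool
    sources: frozenset = frozenset()   # threat reports that mentioned it

    @property
    def tld(self):
        return self.domain.rsplit(".", 1)[-1].lower()


def fingerprint(record):
    """The attribute tuple the pivot compares on."""
    return (record.tld, record.registrar.lower(), record.name_servers, record.has_robots_txt)


def shared_pattern(seeds):
    """Fingerprint common to all seed domains, or None if they disagree."""
    fps = {fingerprint(r) for r in seeds}
    return next(iter(fps)) if len(fps) == 1 else None


def overlapping_iocs(records):
    """Domains reported by more than one source (the first pivot in the blog)."""
    return sorted({r.domain for r in records if len(r.sources) > 1})


def near_matches(seeds, candidates, min_shared):
    """Non-seed candidates sharing at least min_shared attributes with the seed
    pattern, as (domain, shared_count), best matches first."""
    pattern = shared_pattern(seeds)
    if pattern is None:
        raise ValueError("seed domains do not share one registration pattern")
    seed_names = {s.domain for s in seeds}
    scored = []
    for c in candidates:
        if c.domain in seed_names:
            continue
        shared = sum(a == b for a, b in zip(fingerprint(c), pattern))
        if shared >= min_shared:
            scored.append((c.domain, shared))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def defang(domain):
    return domain.replace(".", "[.]")


def pivot(seeds, candidates):
    """Candidates matching every seed attribute (the blog's exact pivot), defanged."""
    return [defang(d) for d, _ in near_matches(seeds, candidates, len(fingerprint(seeds[0])))]


def _rec(domain, registrar="PublicDomainRegistry", ns=("cloudflare",), robots=True, sources=()):
    return DomainRecord(domain, registrar, frozenset(ns), robots, frozenset(sources))


# Constructed sample: seeds from "reports", candidates from a registration-pattern search.
SEEDS = [
    _rec("goudieelectric.shop", sources=("Fortinet", "Cyble")),
    _rec("medicalnewstoday.shop", sources=("Report B",)),   # attribution is illustrative
]
CANDIDATES = [
    _rec("kingarthurbaking.shop"),
    _rec("semanticscholar.shop"),
    _rec("goudieelectric.shop", sources=("Fortinet", "Cyble")),   # search returns seeds too
    _rec("goudieelectric.com"),                                    # wrong gTLD: 3 of 4 shared
    _rec("unrelated-store.shop", registrar="Other Registrar", ns=("otherns",), robots=False),
]

if __name__ == "__main__":
    print("overlapping IOCs:", overlapping_iocs(SEEDS + CANDIDATES))
    print("exact pivot:", pivot(SEEDS, CANDIDATES))
    print("near matches:", near_matches(SEEDS, CANDIDATES, min_shared=3))
```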

Finding Related Malware Samples

Using the list of similar domains that were uncovered through the registration pattern search, it is then possible to find additional malware samples communicating with them.

This can be achieved by looking up each domain in VirusTotal and checking the Relations tab, which shows communicating files, as shown in Figure 4 below.

Figure 4. Additional malware samples uncovered via the VirusTotal relations tab

Using a VirusTotal graph can help to reveal every communicating file with every domain discovered through the registration pattern search, as shown in Figure 5 below.

Figure 5. All communicating files with every additional domain identified.

URL to the VirusTotal Graph: https://www.virustotal.com/graph/embed/gd2c04407d9ba4b75b2ce73d6155d166d3ef75eaf29894ff5ac287c90400072bc?theme=dark

URL to the VirusTotal Collection: https://www.virustotal.com/gui/collection/2aa6b36a717be8bc49f7925434ca40f3ecb9f628414b491da3e985677508ca08/iocs

Lessons Learned

In conclusion, it is important for CTI analysts to inspect more closely the attributes of the IOCs they come across. It is not uncommon for state-sponsored APT groups to make such mistakes when creating the infrastructure they launch attacks from. By exploiting this fact, CTI analysts can learn much more about the adversary’s targets, capabilities, and the behaviours of the humans behind such campaigns.

The importance of this type of work was demonstrated in December 2023 when the US Treasury sanctioned members of the Russian APT group known as Callisto (aka Star Blizzard, BlueCharlie, COLDRIVER, GOSSAMER BEAR). The real-world identity of Andrey Korinets was revealed after he was sanctioned for fraudulently creating and registering malicious domain infrastructure for Russian Federal Security Service (FSB) spear-phishing campaigns.
