nailproxy.space — GitHub typosquats delivering StealC v2 via custom loader
March 2026: 19 typosquat GitHub repositories impersonating popular open-source projects (including UNICORN Binance WebSocket API).

Three-stage chain:
1. Python utils/ dropper: 4 of the 5 modules are byte-identical across all 19 repositories; compat.py is polymorphic (2154 B).
2. Custom delivery loader, an ~11 MB PE (MSVC 2019, FNV + ChaCha + embedded VM, Rich header present). Masquerades as sysconf.exe, drops to %TEMP%, and self-deletes after 180 s. Rhadamanthys-style loader with no YARA match.
3. StealC v2 stealer DLL msedgeview.dll, confirmed via MurmurHash3 + Chaskey (capa) and the Chrome ABE bypass.

Delivery C2: api.nailproxy.space (Cloudflare-fronted). Real exfiltration: 62.60.226.113:6673 (DE/AS214351, known StealC C2) and spellmarketplace.club. URL pattern: /<24-char>/[h|g|u].

The loader and the stealer have distinct authors; the operator likely rents StealC v2. A sibling Stage-2 sample (155dc737...) shares the exfiltration infrastructure but arrives via an unknown delivery path. 17 of the 19 typosquat accounts are listed in the indicators; the full count is 19. Full write-up: see Reference.
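As an added detection example (not part of the pulse), the following Python matches constructed endpoint and proxy events against the indicators above; the character set of the 24-character path segment is not stated, so the regex assumes only that it contains no slash.

```python
import re

# Indicators are taken from the pulse above; the log events below are
# constructed for illustration and are not real telemetry.
DELIVERY_HOSTS = {"api.nailproxy.space"}
EXFIL_HOSTS = {"spellmarketplace.club"}
EXFIL_SOCKETS = {("62.60.226.113", 6673)}
# Pulse URL pattern /<24-char>/[h|g|u]; assumption: the 24-char segment has no slash.
STEALC_PATH = re.compile(r"^/[^/]{24}/[hgu]$")
# Stage-2 drop %TEMP%\~DF<rand>.exe and Stage-3 DLL drop path, matched on the path tail.
TEMP_DROP = re.compile(r"\\Temp\\~DF[^\\]+\.exe$", re.IGNORECASE)
DLL_DROP = re.compile(r"\\Microsoft\\EdgeWebView\\msedgeview\.dll$", re.IGNORECASE)
MUTEX = r"Local\{8F6E2A14-C9D1-4bdd-B8CF-92F04E6B3E9F}"


def match_event(event):
    """Return the pulse indicators an event matches (empty list = no match)."""
    hits = []
    kind = event.get("type")
    if kind == "http":
        if event["host"] in DELIVERY_HOSTS:
            hits.append("delivery-c2")
        if event["host"] in EXFIL_HOSTS:
            hits.append("stealc-exfil-host")
        if STEALC_PATH.match(event["path"]):
            hits.append("stealc-url-pattern")
    elif kind == "net" and (event["dst"], event["port"]) in EXFIL_SOCKETS:
        hits.append("stealc-exfil-socket")
    elif kind == "file":
        if TEMP_DROP.search(event["path"]):
            hits.append("stage2-temp-drop")
        if DLL_DROP.search(event["path"]):
            hits.append("stage3-dll-drop")
    elif kind == "mutex" and event["name"] == MUTEX:
        hits.append("stage3-mutex")
    return hits


# Constructed sample events covering each stage of the chain plus one benign request.
SAMPLE_EVENTS = [
    {"type": "http", "host": "api.nailproxy.space", "path": "/api/v1/auth/session"},
    {"type": "http", "host": "spellmarketplace.club", "path": "/AbCdEfGhIjKlMnOpQrStUvWx/g"},
    {"type": "net", "dst": "62.60.226.113", "port": 6673},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\~DF3A9F.exe"},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Microsoft\EdgeWebView\msedgeview.dll"},
    {"type": "mutex", "name": MUTEX},
    {"type": "http", "host": "github.com", "path": "/octocat/Hello-World"},
]


def scan(events):
    """Map each event index to its matched indicators, skipping events with none."""
    return {i: h for i, e in enumerate(events) if (h := match_event(e))}
```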
Indicators of Compromise (41)
| TYPE | INDICATOR | DESCRIPTION | CREATED |
|---|---|---|---|
| FileHash-SHA256 | 54111f7e5f7aa425704fb45bf79d4e354cfb959f2c22aee6cbb79730d5a6a3aa | Stage-1 utils/bootstrap.py (byte-identical across all 19 samples) | 2026-05-05 |
| FileHash-SHA256 | b3668182408c4078e20c04d03a04804bc9640238361af9a15d44c3950192eedc | Stage-1 utils/http.py (byte-identical across all 19 samples) | 2026-05-05 |
| FileHash-SHA256 | 041f48d92b7b410c93c83d8352e3b0c18ca2e10dfce8cbc38748ab862b08982e | Stage-1 utils/integrity.py (byte-identical across all 19 samples) | 2026-05-05 |
| FileHash-SHA256 | 37380d20800d196e3a20fc98fba80d1365a63acbf9dadad7debc48e157520edd | Stage-1 utils/__init__.py (byte-identical across all 19 samples) | 2026-05-05 |
| FileHash-SHA256 | c5866b202eb5fc7009ee045952d893c1b373d965f9491f8502075de11c132d62 | Stage-1 run.bat (byte-identical across all 19 samples) | 2026-05-05 |
| FileHash-SHA256 | 251037ceebfbacd419b663ebcf0e01ec80a2c46dbfc85f66492c8585b481fb8c | Stage-2 sysconf.exe — primary loader (nailproxy delivery) | 2026-05-05 |
| FileHash-MD5 | 803385cf25070740f5b09e685d2f531c | Stage-2 sysconf.exe MD5 | 2026-05-05 |
| FileHash-IMPHASH | 32adf4487a233e7ec314d5edce298b50 | Stage-2 imphash | 2026-05-05 |
| FileHash-SHA256 | 155dc73761ebaab0e4f5c0e18cf09dbd5728ce61361db218a5727355ca8adc1a | Sibling Stage-2 — System Configuration Utility masquerade, unknown delivery | 2026-05-05 |
| FileHash-SHA256 | 474da56a96c0a12c231badb991dc084c542cc419dde2ea8c14b0001fd54205c4 | Sibling Stage-2 candidate (spellmarketplace.club cluster) | 2026-05-05 |
| FileHash-SHA256 | b19fb2c70aa244fc25d8bebe0031788b5613d2daec6dcd9906e04d44190de65f | Sibling Stage-2 candidate (spellmarketplace.club cluster) | 2026-05-05 |
| FileHash-SHA256 | e6984d0d1b9a7cc70ae432aec6ee5741cbb518c31f0e7b088375ad5ee3391d58 | Sibling Stage-2 candidate (spellmarketplace.club cluster) | 2026-05-05 |
| FileHash-SHA256 | c27590c766583599eac98ed3e20c54e49c792be409f126577e7475294affac1f | Stage-3 msedgeview.dll — StealC v2 | 2026-05-05 |
| FileHash-IMPHASH | 22d829dd94ec40489826174cc3015ac6 | Stage-3 DLL imphash | 2026-05-05 |
| domain | nailproxy.space | Apex domain (Namecheap, registered 2026-03-12) | 2026-05-05 |
| hostname | api.nailproxy.space | Stage-1/2 delivery C2 endpoint | 2026-05-05 |
| URL | https://api.nailproxy.space/api/v1/auth/session | Delivery C2 path 1 | 2026-05-05 |
| URL | https://api.nailproxy.space/api/v1/data/sync | Delivery C2 path 2 | 2026-05-05 |
| IPv4 | 62.60.226.113 | StealC exfil C2 (DE / AS214351 Femo IT Solutions, port 6673) | 2026-05-05 |
| domain | spellmarketplace.club | StealC exfil C2 (Dynadot, registered 2026-03-05) | 2026-05-05 |
| FilePath | %LocalAppData%\Microsoft\EdgeWebView\msedgeview.dll | Stage-3 DLL drop path | 2026-05-05 |
| FilePath | %LocalAppData%\Temp\v20_0000FF100B60 | Chrome ABE-bypass scrape workspace | 2026-05-05 |
| FilePath | %TEMP%\~DF<rand>.exe | Stage-2 loader drop path (random suffix) | 2026-05-05 |
| Mutex | Local\{8F6E2A14-C9D1-4bdd-B8CF-92F04E6B3E9F} | Stage-3 single-instance mutex | 2026-05-05 |
| URL | https://github.com/gesine1541ro7 | Typosquat account — UNICORN-Binance-WebSocket-API impersonation (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/lucija8320nhung4 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/MarCmcbri1982 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Kaleighc793 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Janis174756 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/lauraevz6y70 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Jamie3t1991 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/FrankDavis236869 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/CrystALqsxvk39 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Courtneybake80 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/courtneyb8345 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Della38840 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/charlo1492charlo14928 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Giuditta8 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Jessica74016 | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/fernandez81188studio | Typosquat account (delivery vector, not C2) | 2026-05-05 |
| URL | https://github.com/Annehuqr0Craft96 | Typosquat account (delivery vector, not C2) | 2026-05-05 |