← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
nailproxy.space — GitHub typosquats delivering StealC v2 via custom loader
WHITE oliver-zehentleitner 2026-05-05 Modified: 2026-05-05
41
IOCs
MEDIUM VOLUME
March 2026: 19 typosquat GitHub repos impersonating popular OSS (incl. UNICORN Binance WebSocket API). 3-stage chain: 1. Python utils/ dropper — 4 of 5 modules byte-identical across all 19; compat.py polymorphic 2154 B. 2. Custom delivery loader ~11 MB PE (MSVC 2019, FNV+ChaCha+embedded VM, Rich-Header). Masquerades as sysconf.exe, drops to %TEMP%, self-deletes after 180 s. Rhadamanthys-style, no YARA match. 3. StealC v2 stealer DLL msedgeview.dll — confirmed via MurmurHash3+Chaskey (capa) + Chrome ABE bypass. Delivery C2: api.nailproxy.space (Cloudflare-fronted). Real exfil: 62.60.226.113:6673 (DE/AS214351, known StealC C2) + spellmarketplace.club. URL pattern /<24-char>/[h|g|u]. Loader and stealer have distinct authors. Operator likely rents StealC v2. Sibling Stage-2 (155dc737...) shares exfil infra via unknown delivery. 17 of 19 typosquats listed in indicators; full count = 19. Full write-up: see Reference.
typosquattingsupply-chaingithubstealcstealc-v2malware-as-a-servicepython-dropperwindows-stealercrypto-stealerchrome-abe-bypassnailproxyunicorn-binance-suiteubwa
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES
StealC StealC v2
Indicators of Compromise (2 / 41 total)
All FileHash-SHA256 FileHash-MD5 FileHash-IMPHASH domain hostname URL IPv4 FilePath Mutex
TYPEINDICATORDESCRIPTIONCREATED
FileHash-IMPHASH 32adf4487a233e7ec314d5edce298b50 Stage-2 imphash 2026-05-05
FileHash-IMPHASH 22d829dd94ec40489826174cc3015ac6 Stage-3 DLL imphash 2026-05-05
References (1)
↗ https://blog.technopathy.club/nailproxy-space-github-malware-campaign