nailproxy.space — GitHub typosquats delivering StealC v2 via custom loader
TLP: WHITE | Author: oliver-zehentleitner | Created: 2026-05-05 | Modified: 2026-05-05
41 IOCs (medium volume)
March 2026: 19 typosquat GitHub repos impersonating popular OSS (incl. UNICORN Binance WebSocket API). Three-stage chain:

1. Python utils/ dropper: 4 of 5 modules are byte-identical across all 19 repos; compat.py is polymorphic (2154 B).
2. Custom delivery loader, ~11 MB PE (MSVC 2019, FNV + ChaCha + embedded VM, Rich header). Masquerades as sysconf.exe, drops to %TEMP%, self-deletes after 180 s. Rhadamanthys-style; no YARA match.
3. StealC v2 stealer DLL msedgeview.dll, confirmed via MurmurHash3 + Chaskey (capa) and the Chrome ABE bypass.

Delivery C2: api.nailproxy.space (Cloudflare-fronted). Real exfil: 62.60.226.113:6673 (DE/AS214351, known StealC C2) and spellmarketplace.club. URL pattern: /<24-char>/[h|g|u]. Loader and stealer have distinct authors; the operator likely rents StealC v2. A sibling Stage-2 sample (155dc737...) shares the exfil infrastructure via an unknown delivery route. 17 of the 19 typosquats are listed in the indicators; the full count is 19. Full write-up: see Reference.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed.
Malware families: StealC, StealC v2
Indicators of Compromise (3 of 41 total shown)

TYPE      INDICATOR                                            DESCRIPTION                               CREATED
FilePath  %LocalAppData%\Microsoft\EdgeWebView\msedgeview.dll  Stage-3 DLL drop path                     2026-05-05
FilePath  %LocalAppData%\Temp\v20_0000FF100B60                 Chrome ABE-bypass scrape workspace        2026-05-05
FilePath  %TEMP%\~DF<rand>.exe                                 Stage-2 loader drop path (random suffix)  2026-05-05
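The following is an added detection sketch, not code from the pulse or its author, that turns the network indicators in the summary (delivery C2 host, /<24-char>/[h|g|u] URL pattern, exfil IP:port and domain) and the three drop paths in the table into matching rules and runs them over constructed proxy-log lines and file-event paths. The alphanumeric character set for the 24-character URL token is an assumption (the pulse only gives its length), and the log format is a made-up five-field layout chosen for the sample.

```python
"""Detection sketch for the nailproxy.space / StealC v2 chain described in the pulse.

Indicators (hosts, IP:port, URL path pattern, drop paths) are taken from the pulse;
the log lines and file paths below are constructed samples. The token charset for
the 24-char URL segment is an assumption.
"""
import re

DELIVERY_C2_HOST = "api.nailproxy.space"        # Cloudflare-fronted delivery C2
EXFIL_HOSTS = {"spellmarketplace.club"}         # StealC exfil domain
EXFIL_ENDPOINTS = {("62.60.226.113", 6673)}     # known StealC C2 (DE/AS214351)

# Pulse gives the pattern /<24-char>/[h|g|u]; alphanumeric token is assumed.
STAGE_PATH_RE = re.compile(r"^/[A-Za-z0-9]{24}/[hgu]$")

# Drop-path indicators from the IOC table; random/hex suffixes are matched loosely.
# Note: the DLL sits directly under EdgeWebView\, not in a versioned subfolder.
FILE_PATH_RULES = [
    (re.compile(r"\\Microsoft\\EdgeWebView\\msedgeview\.dll$", re.I), "stage3-stealc-dll"),
    (re.compile(r"\\Temp\\~DF[^\\]+\.exe$", re.I), "stage2-loader-drop"),
    (re.compile(r"\\Temp\\v20_[0-9A-Fa-f]{12}$", re.I), "chrome-abe-scrape-workspace"),
]

# Constructed sample log: "<ts> <client> <method> <host>[:<port>] <path>".
SAMPLE_PROXY_LOG = """\
2026-03-12T09:14:02Z 10.0.4.17 GET api.nailproxy.space:443 /k3jd8sL0pQw7xZ2mN9vB4cT1/h
2026-03-12T09:14:05Z 10.0.4.17 GET api.nailproxy.space:443 /k3jd8sL0pQw7xZ2mN9vB4cT1/g
2026-03-12T09:15:10Z 10.0.4.17 POST 62.60.226.113:6673 /
2026-03-12T09:16:44Z 10.0.4.22 GET github.com:443 /oliver-zehentleitner/unicorn-binance-websocket-api
2026-03-12T09:17:01Z 10.0.4.22 GET api.nailproxy.space:443 /index.html
2026-03-12T09:18:30Z 10.0.4.17 POST spellmarketplace.club:443 /upload
"""

# Constructed sample file-creation events (the last one is a legitimate WebView2 path).
SAMPLE_FILE_EVENTS = [
    r"C:\Users\alice\AppData\Local\Microsoft\EdgeWebView\msedgeview.dll",
    r"C:\Users\alice\AppData\Local\Temp\~DFA81B2C.exe",
    r"C:\Users\alice\AppData\Local\Temp\v20_0000FF100B60",
    r"C:\Users\alice\AppData\Local\Microsoft\EdgeWebView\Application\131.0.0.0\msedgewebview2.exe",
]


def parse_proxy_line(line):
    """Split one sample log line into its fields; port is None when absent."""
    ts, client, method, hostport, path = line.split(maxsplit=4)
    host, _, port = hostport.rpartition(":")
    if not host:                       # no ":port" suffix present
        host, port = hostport, ""
    return {"ts": ts, "client": client, "method": method,
            "host": host, "port": int(port) if port else None, "path": path}


def classify_request(req):
    """Return a verdict string for a request that touches pulse infrastructure, else None."""
    host, port, path = req["host"], req["port"], req["path"]
    if host == DELIVERY_C2_HOST:
        # Staging URL shape vs. any other contact with the delivery host.
        return "delivery-c2-stage-url" if STAGE_PATH_RE.match(path) else "delivery-c2-other-path"
    if (host, port) in EXFIL_ENDPOINTS or host in EXFIL_HOSTS:
        return "stealc-exfil-c2"
    return None


def scan_proxy_log(text):
    """Yield (line_no, client, host, verdict) for every matching line in the log text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        req = parse_proxy_line(line)
        verdict = classify_request(req)
        if verdict:
            hits.append((n, req["client"], req["host"], verdict))
    return hits


def classify_file_path(path):
    """Return the drop-path verdict for a file event, or None if it matches no rule."""
    for rule, verdict in FILE_PATH_RULES:
        if rule.search(path):
            return verdict
    return None


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("net ", hit)
    for p in SAMPLE_FILE_EVENTS:
        print("file", classify_file_path(p), p)
```

Two design points: contact with the delivery host is reported even when the path does not match the staging pattern, since the pattern may change while the host stays; and the msedgeview.dll rule anchors on the DLL directly beneath EdgeWebView\ so that a legitimate versioned WebView2 runtime subfolder does not trigger it.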