Anatomy of a Failed (Nation-State?) Attack
6 days ago
- #social-engineering
- #cybersecurity
- #malware-analysis
- The author describes a targeted fake-interview scam that attempted to backdoor their machine through a TypeScript repository named 'Ticket Harbor'.
- The attack used a malicious patch file (typescript+5.9.2.patch) containing a base64 blob that injected a RAT (PinpinRAT) into the system when typecheck or build commands were run.
- The malware employed multiple obfuscation layers, including XOR decryption and WASM stubs, to evade detection and executed a remote-access trojan with capabilities like file exfiltration and arbitrary command execution.
- Indicators of compromise include C2 server 89.124.107.161:80, specific process masquerades, and environment variables like NODT_PAYLOAD_PATH.
- The attacker used a fabricated persona with a fake LinkedIn profile and defunct company (Lua Ventures) to appear legitimate, but red flags included LLM-generated text, lack of calendar invites, and suspicious domain choices.