XCTDH Crypto Heist Part 2 - Ellis Stannard
The XCTDH Crypto Heist Part 2 is a medium-severity threat involving multiple MITRE ATT&CK techniques such as exploitation of external remote services, automated data exfiltration, user execution, and compromise of software dependencies. It appears linked to North Korean threat actors and involves persistence, payload delivery, and network activity. No specific affected products or versions are identified, and no patches or known exploits in the wild are reported. The attack likely leverages social engineering and supply chain compromise to infiltrate targets and exfiltrate sensitive data. European organizations could be impacted if targeted via compromised software dependencies or remote service vulnerabilities. Mitigation requires enhanced supply chain security, strict remote access controls, user awareness training, and network monitoring for unusual exfiltration patterns. Countries with significant financial sectors and software development industries, such as Germany, France, and the UK, are more likely to be affected. The threat is assessed as medium severity due to the complexity of exploitation, potential data loss, and moderate ease of execution requiring user interaction and supply chain compromise.
AI Analysis
Technical Summary
The XCTDH Crypto Heist Part 2 threat is characterized by a combination of attack techniques mapped to MITRE ATT&CK patterns including T1133 (External Remote Services), T1020 (Automated Exfiltration), T1204 (User Execution), and T1195.001 (Compromise Software Dependencies and Development Tools). This indicates a multi-faceted attack involving initial access through external remote services, likely exploiting weak or compromised credentials or vulnerabilities in remote access infrastructure. The attacker then delivers payloads that require user execution, suggesting social engineering or phishing tactics to trick users into running malicious code. The compromise of software dependencies and development tools points to a supply chain attack vector, where attackers inject malicious code into widely used libraries or development environments, enabling persistence and widespread impact. Automated exfiltration techniques imply that once inside, the attacker systematically extracts sensitive data, potentially cryptocurrency assets or related credentials. The threat is associated with North Korean actors, known for sophisticated cyber operations targeting financial assets and intellectual property. No specific affected software versions or patches are available, and no known exploits in the wild have been reported, indicating this may be an emerging or observed campaign rather than a disclosed vulnerability. The threat involves persistence mechanisms and network activity, suggesting long-term presence and stealthy data theft. The lack of concrete technical indicators limits precise detection but highlights the need for vigilance in monitoring remote services, software supply chains, and user behavior.
Potential Impact
For European organizations, the XCTDH Crypto Heist Part 2 poses significant risks to confidentiality and integrity, particularly for entities involved in cryptocurrency, software development, and financial services. The compromise of software dependencies can lead to widespread infiltration across multiple organizations using the same libraries or tools, amplifying the impact. Automated exfiltration threatens sensitive data loss, including intellectual property and financial information. The use of external remote services as an attack vector increases the risk for organizations with remote access infrastructure, especially if security controls are weak. User execution requirements mean social engineering remains a critical risk, potentially leading to credential theft or malware deployment. Persistent network activity can degrade system availability over time and complicate incident response. The association with North Korean threat actors suggests a strategic targeting of high-value financial and technological assets, which could disrupt operations and cause reputational damage. Overall, the threat could lead to financial losses, regulatory penalties, and erosion of trust in affected organizations.
Mitigation Recommendations
To mitigate this threat, European organizations should implement a multi-layered security approach focused on supply chain security by rigorously vetting and monitoring software dependencies and development tools for integrity and authenticity. Employ software composition analysis (SCA) tools to detect compromised libraries early. Strengthen external remote service security by enforcing multi-factor authentication (MFA), limiting access via VPNs or zero-trust network access (ZTNA), and regularly auditing remote access logs. Conduct targeted user awareness training to reduce the risk of successful social engineering and user execution of malicious payloads. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying suspicious execution patterns and persistence mechanisms. Implement network segmentation and monitor for unusual exfiltration patterns using data loss prevention (DLP) and network traffic analysis tools. Establish incident response plans that include supply chain compromise scenarios. Regularly update and patch all software components, even if no direct patch is available for this threat, to reduce overall attack surface. Collaborate with threat intelligence sharing communities to stay informed on emerging indicators related to this campaign.
Affected Countries
Germany, United Kingdom, Netherlands, France, Sweden
Technical Details
- UUID: e73730af-7409-4d76-aa96-f174ece74809
- Original Timestamp: 1761834843
Indicators of Compromise
File
| Value | Description |
|---|---|
| C250618A | payload marker |
Hash
| Value | Description |
|---|---|
| ee3cc7c6bd58113f4a654c74052d252bfd0b0a942db7f71975ce698101aec305 | — |
| ce47fef68059f569d00dd6a56a61aa9b2986bee1899d3f4d6cc7877b66afc2a6 | — |
| eefe39fe88e75b37babb37c7379d1ec61b187a9677ee5d0c867d13ccb0e31e30 | DEV#POPPER.js RAT |
| 8c0233a07662934977d1c5c29b930f4acd57a39200162cbd7d2f2a201601e201 | OmniStealer Stager |
| 7a62286e68d879b45da710e1daa495978dcae31ae8f0709018a7d82343ec57e8 | Python OmniStealer |
| c330c5328746c38e1873874263e5349c | — |
| 5340dacf1deb8c2f1a7278622d4c32ef9c05c89f | — |
IP
| Value | Description |
|---|---|
| 23.27.20.143 | C2 |
| 136.0.9.8 | C2 |
| 23.27.202.27 | C2 |
| 166.88.4.2 | C2 |
Email
| Value | Description |
|---|---|
| karsy117@gmail.com | — |
| dmgoodner@gmail.com | — |
TLSH
| Value | Description |
|---|---|
| t18a63094b26dab5ea112f26b332d7667cb51e9cd1b80c9145e805ecbcbe212bdd1d3c18 | — |
ssdeep
| Value | Description |
|---|---|
| 1536:clLLpB2wmEgljJeBUsVuhfFBAE+MiyVjt3bQtsDrDbuuRB4R/+u:clLDyVe67hNBzRZQe3HuY2 | — |
Link
| Value | Description |
|---|---|
| https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-2/ | — |
Text
| Value | Description |
|---|---|
| Detailed analysis of the DEV#POPPER.js RAT and OmniStealer malware used in the sophisticated cross-chain attack campaign, revealing the complete kill chain from initial compromise through data exfiltration. | — |
| Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 2) | — |
| Blog | — |
Threat ID: 6903ded8aebfcd54749e6436
Added to database: 10/30/2025, 9:55:36 PM
Last enriched: 12/27/2025, 10:38:09 AM
Last updated: 2/7/2026, 7:08:56 PM