PROBABLYPWNED
Malware | May 11, 2026 | 3 min read

Malicious NuGet Packages Impersonate Chinese UI Libraries, Steal Credentials

Five NuGet packages typosquatting popular Chinese .NET libraries have racked up 65,000 downloads while stealing browser credentials, crypto wallets, and SSH keys from developer machines.

James Rivera

Socket's Threat Research Team has identified five malicious NuGet packages that impersonate legitimate Chinese .NET UI and infrastructure libraries. Published under the account bmrxntfj, the packages have accumulated approximately 65,000 downloads while deploying a .NET Reactor-protected infostealer payload.

This is another entry in the growing list of package repository supply chain attacks targeting developers as an initial access vector.

The Malicious Packages

The five typosquatting packages are:

  • IR.DantUI
  • IR.OscarUI
  • IR.Infrastructure.Core
  • IR.Infrastructure.DataService.Core
  • IR.iplus32

These names mimic legitimate private corporate libraries used in Chinese enterprise .NET environments. Rather than obvious misspellings, the attackers created names that look exactly like internal packages, making them highly plausible to targeted organizations.

The packages specifically typosquat AntdUI, an MIT-licensed WinForms component library popular on Gitee.

Technical Analysis

The payload uses .NET Reactor protection with a sophisticated execution chain:

  1. Verifies anti-tamper integrity using embedded RSA-1024 keys
  2. Allocates read-write-execute memory via VirtualAlloc(PAGE_EXECUTE_READWRITE)
  3. Decrypts the Necrobit stage-2 payload
  4. Patches clrjit.dll!getJit with a 4-byte JMP to hook the JIT compiler

The chain runs from .NET module initializers, before any application code executes, so no explicit call into the library is required. Any machine that ran nuget restore and later loaded these DLLs is at risk, even if the package was never deliberately installed.

Data Theft Scope

The stealer targets an extensive list of sensitive data:

Browsers (12): Chrome, Edge, Brave, Opera, Vivaldi, Epic Privacy, Torch, Comodo, Slimjet, Iridium, 7Star, AVG Secure Browser

Browser Wallet Extensions (5): MetaMask, TronLink, Phantom, Trust Wallet, Coinbase Wallet

Desktop Wallets (8): Exodus, Electrum, Atomic, Guarda, Coinomi, Ledger, Jaxx, Binance

Additional Targets: SSH private keys, Outlook profiles, Steam credentials, Documents/Desktop/Downloads folders

The scope here is broader than typical infostealers and reflects the high value of developer workstations as targets.

Evasion Tactics

The attackers employed several techniques to avoid detection:

  • Version rotation: 219 of the 224 published versions are marked listed: false, which hides them from search results while leaving them installable through version-pinned install commands
  • Hash evasion: Frequent version updates invalidate file-hash IOCs shortly after they are published
  • API obfuscation: API names are assembled at runtime by string concatenation, for example "Open ".Trim() + "Process" to produce OpenProcess, so the names do not appear as plain strings under static analysis

All five packages were published sequentially on April 14, 2026 within a 12.78-second window, suggesting an automated release pipeline.

C2 Infrastructure

  • Domain: dns-providersa2[.]com (registered March 12, 2026)
  • IP: 62.84.102.85 (VDSINA VPS, Amsterdam)
  • Endpoints: /check (beacon) and /upload (exfiltration)
  • Staging path: C:\ProgramData\Microsoft OneDrive\keys.dat

Indicators of Compromise

SHA-256 hashes (v2.1.55):

Package                               SHA-256
IR.DantUI                             34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c
IR.Infrastructure.Core                b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9
IR.Infrastructure.DataService.Core    b8fa1b2fade45304c003909e375d2519ea447b498b7d93fe7c50db014d30f4fa
IR.iplus32                            019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824
IR.OscarUI                            596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1

Mitigations

  1. Audit your NuGet dependencies for any packages from the bmrxntfj account
  2. Check C:\ProgramData\Microsoft OneDrive\keys.dat for unexpected files
  3. Monitor for connections to the C2 domain and IP listed above
  4. Rotate credentials for any developers who may have installed affected packages
  5. Consider implementing package allowlisting in CI/CD pipelines

Organizations dealing with the aftermath of a supply chain compromise should review our coverage of PyPI supply chain attacks for additional remediation guidance.
