{
	"id": "80885297-821c-4714-acf7-597cdac64362",
	"created_at": "2026-04-06T00:20:11.030179Z",
	"updated_at": "2026-04-10T03:21:00.867537Z",
	"deleted_at": null,
	"sha1_hash": "eb7fdfae1c620cd84a1e185e9b07dc05a85fda6c",
	"title": "PublicIoC/CestLaVie at main · ssrdio/PublicIoC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2822209,
	"plain_text": "PublicIoC/CestLaVie at main · ssrdio/PublicIoC\r\nBy GregorSpagnolo\r\nArchived: 2026-04-05 15:55:28 UTC\r\nAbout\r\nThe attack primarily targets development companies with the aim of gaining initial access to their corporate infrastructure. The attack typically begins with a LinkedIn message posing as a legitimate development opportunity or business proposal. The message is designed to entice the recipient by offering a project or job, often tailored to the company's expertise. Once the recipient engages, attackers may attempt to gather information, deploy phishing links, or gain unauthorized access to critical systems, using this initial contact as a foothold into the company's network.\r\nLinks:\r\nhttps://www.linkedin.com/in/merilyn-edeki/ still active ✅\r\nhttps://github.com/0xcestlaview/addingtoken removed ❌\r\nhttps://github.com/0xcompanypro/addingtoken still active ✅\r\nProcess of Removing\r\n27/09/2024: Report submitted to the Microsoft Security Response Center (MSRC)\r\n28/09/2024: Received a response from MSRC stating, \"It does not meet Microsoft’s requirements as a security vulnerability for servicing.\"\r\n28/09/2024: Contacted a friend from Microsoft, resulting in the malicious GitHub account being blocked. ✅\r\n04/10/2024: Attacker reached out again with a new GitHub repository shared.\r\n04/10/2024: Contacted Microsoft again, but the new GitHub account remained active.\r\nLinkedIn messages\r\nhttps://github.com/ssrdio/PublicIoC/tree/main/CestLaVie\r\nPage 1 of 20\r\nThe file, which is not malicious and contains the complete documentation and specifications for the project, can be found within the provided link or attachment.\r\nProjectOverviewforCestlavie\r\nUpon sending the offer, the attackers request the recipient's GitHub account information, claiming that they will grant access to a repository where the project can be closely reviewed.\r\nWhen the invitation was received, the GitHub repository's homepage appeared quite convincing, with a professional layout and relevant project details. Additionally, the activity on the project, such as recent commits and contributions, seemed legitimate, further reinforcing the impression that it was a genuine opportunity.\r\nAt a quick glance, reviewing the project code didn’t reveal any malicious content, so we suspected that the issue might be in the dependencies. However, when we couldn't find anything suspicious in the dependencies, we took a closer look at the code itself. That’s when we discovered something tricky. The entire GitHub project, including the malicious code, can be found in the repository. AddingToken-main (password: infected)\r\nAs seen in the image, we noticed that one file had something unusual on the far right side. When we used the word wrap command, it revealed the main juice.\r\nAnd here’s where things get a lot more fun :). Deobfuscating the code didn’t reveal much, so we formatted the code and ran it through a debugger in the lab environment. That's when we discovered that the code connects to a specific server at hxxtp://23.106.253.221:1244/keys and posts certain data. As shown in the image, this connection provided further insight into the malicious activity.\r\nAfter this initial call, the code made a request to hxxtp://23.106.253.221:1244/j/ZU1RINz7 , which returned a file named infected file. This file was then saved locally in the user's home .vscode directory under the name test.js . The program continued by downloading another file, package.json, from hxxtp://23.106.253.221:1244/p and stored it in the same .vscode directory.\r\nFurther debugging reveals that, later in the process, the code composes and executes three key commands. First, it installs the necessary npm dependencies by running cd \"C:\\\\Users\\\\heorhe\\\\.vscode\" \u0026\u0026 npm i --silent\" . Once the dependencies are in place, it executes the same installation command again for redundancy or to ensure all packages are properly installed: npm --prefix \"C:\\\\Users\\\\heorhe\\\\.vscode\" install . After that, the program proceeds by running node C:\\\\Users\\\\heorhe\\\\.vscode\\test.js , which executes the malicious test.js file downloaded earlier. This sequence of commands allows the malicious code to execute seamlessly under the guise of typical development activity, making it more difficult to detect in a development environment.\r\nWe tested the downloaded malicious code with various antivirus programs to determine if it would be flagged as malicious. Surprisingly, we found that only 4 antivirus programs detected the code as suspicious. This low detection rate highlights the stealthy nature of the malware, allowing it to potentially bypass many security solutions and remain undetected on compromised systems.\r\nThe next action the program takes is downloading a Python executable binary, which it later uses for further malicious activities. Once the Python binary is downloaded, the program proceeds to run Python scripts, leveraging the newly acquired binary to execute the malicious code. The associated files, including the Python binary and script, can be found in this project under All files (password: infected).\r\nLater on, the scripts that are run on the machine are:\r\n1. script .npl.py original:\r\ndecoded:\r\n2. In order to achieve its final objective, the program downloads pay.py , which contains a reverse shell designed to connect back to the attacker's machine, allowing remote control of the compromised system. Additionally, other files like pay.txt and any.txt are also downloaded, likely serving as configuration or supplementary files for the malicious activities.\r\nReverse shell code\r\nSource: https://github.com/ssrdio/PublicIoC/tree/main/CestLaVie",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/ssrdio/PublicIoC/tree/main/CestLaVie"
	],
	"report_names": [
		"CestLaVie"
	],
	"threat_actors": [],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb7fdfae1c620cd84a1e185e9b07dc05a85fda6c.pdf",
		"text": "https://archive.orkl.eu/eb7fdfae1c620cd84a1e185e9b07dc05a85fda6c.txt",
		"img": "https://archive.orkl.eu/eb7fdfae1c620cd84a1e185e9b07dc05a85fda6c.jpg"
	}
}