Socket's Threat Research Team uncovered five malicious NuGet packages published under the account bmrxntfj that impersonate popular Chinese .NET UI and infrastructure libraries. The packages use .NET Reactor to encrypt and hide an infostealer payload that fires automatically via the .NET module initializer, with no user interaction required. The stealer targets saved credentials from 12 browsers, 8 desktop crypto wallets, 5 browser wallet extensions, SSH keys, Outlook profiles, Steam sessions, and local files, exfiltrating everything to a C2 domain registered 33 days before the campaign launched. The campaign has been active since at least September 2025 and has accumulated ~65,000 downloads across 224 versions, 219 of which are unlisted to evade detection. The operator rotates listed versions to invalidate file-hash-based IOCs. Developers using Chinese enterprise .NET ecosystems are the primary targets. Remediation steps include checking dependency graphs for IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, and IR.OscarUI, and rotating all credentials on any machine that restored these packages.
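One way to act on the remediation guidance above, as an added example that is not Socket's code: because the operator rotates versions to defeat hash-based IOCs, the scan below matches on the five package IDs by name, reading both .csproj PackageReference items and project.assets.json, which also lists the transitive packages resolved at restore time. The sample project files at the end are constructed for the self-check and are not taken from the report.

```python
import json
import os
import xml.etree.ElementTree as ET

# The five package IDs named in the report; NuGet IDs are case-insensitive.
FLAGGED = {"ir.dantui", "ir.infrastructure.core",
           "ir.infrastructure.dataservice.core", "ir.iplus32", "ir.oscarui"}

def scan_csproj(xml_text):
    """(id, version) for flagged <PackageReference> items in a .csproj."""
    hits = []
    for node in ET.fromstring(xml_text).iter():
        if node.tag.split("}")[-1] != "PackageReference":  # drop xmlns prefix
            continue
        pkg = node.get("Include") or node.get("Update") or ""
        if pkg.lower() in FLAGGED:
            hits.append((pkg, node.get("Version") or "?"))
    return hits

def scan_assets(json_text):
    """(id, version) for flagged packages in project.assets.json, which
    also lists transitive packages resolved at restore time."""
    hits = []
    for key, lib in json.loads(json_text).get("libraries", {}).items():
        pkg, _, ver = key.partition("/")
        if lib.get("type") == "package" and pkg.lower() in FLAGGED:
            hits.append((pkg, ver))
    return hits

def scan_tree(root_dir):
    """Walk a checkout; return (path, id, version) for every flagged hit."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            scan = scan_csproj if name.endswith(".csproj") else (
                scan_assets if name == "project.assets.json" else None)
            if scan:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8") as fh:
                    findings += [(path, p, v) for p, v in scan(fh.read())]
    return findings

# Constructed sample inputs (not taken from the report) for a self-check.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk"><ItemGroup>
  <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  <PackageReference Include="ir.dantui" Version="1.0.5" />
</ItemGroup></Project>"""
SAMPLE_ASSETS = json.dumps({"libraries": {
    "Newtonsoft.Json/13.0.3": {"type": "package"},
    "IR.Infrastructure.Core/2.1.0": {"type": "package"}}})
```

Run `scan_tree` over a source checkout or build agent workspace; any hit means the machine restored one of the packages and its credentials should be rotated per the guidance above.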

14 min read. From socket.dev
Table of contents:
Background
The Five Packages
Attack Chain
Attribution: The .NET Reactor RSA Pivot
Runtime Configuration Recovered from Memory
C2 Infrastructure
Impact
Outlook and Recommendations
MITRE ATT&CK
Indicators of Compromise (IOCs)