Full Report
Cybersecurity researchers have uncovered a new supply chain attack targeting the NuGet package manager with malicious typosquats of Nethereum, a popular Ethereum .NET integration platform, to steal victims' cryptocurrency wallet keys. The package, Netherеum.All, has been found to harbor functionality to decode a command-and-control (C2) endpoint and exfiltrate mnemonic phrases, private keys, and
Analysis Summary
# Tool/Technique: Fake Nethereum NuGet Package (Netherеum.All)
## Overview
This refers to a supply chain attack leveraging the NuGet package manager by distributing malicious packages designed to impersonate the legitimate Nethereum library (an Ethereum .NET integration platform) using homoglyph substitution to trick developers into installing them. The primary goal is to steal cryptocurrency wallet keys (mnemonic phrases, private keys, and keystore data).
## Technical Details
- Type: Malware (Malicious Package/Supply Chain Payload)
- Platform: .NET/NuGet ecosystem (Windows/Cross-platform development environments)
- Capabilities: Command-and-Control (C2) communication, XOR-encoded data extraction, data exfiltration of cryptocurrency wallet credentials.
- First Seen: October 2025 (based on upload date of the initial package).
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0001 - Initial Access
- T1195 - Supply Chain Compromise
- T1195.002 - Compromise Software Supply Chain
## Functionality
### Core Capabilities
- **Impersonation:** Substituting the Cyrillic small letter ie "е" (U+0435) for the standard Latin "e" to create typosquatted package names that render identically (e.g., `Netherеum.All`).
- **Payload Execution:** Hiding malicious code within a function named `EIP70221TransactionService.Shuffle`.
- **Data Theft:** Parsing an XOR-encoded string within the payload to extract credentials.
- **Exfiltration:** Sending stolen cryptocurrency wallet data (mnemonic phrases, private keys, keystore data) to an attacker-controlled C2 endpoint.
### Advanced Features
- **Deception:** Artificially inflating download counts to suggest popularity and legitimacy to unsuspecting developers.
- **Obfuscation:** Using XOR encoding to hide the C2 infrastructure within the package payload.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: `Netherеum.All` (Package ID, containing the Cyrillic 'e'); potentially `NethereumNet` (previously observed package).
- Registry Keys: [Not applicable/mentioned]
- Network Indicators: `solananetworkinstance[.]info/api/gads` (Defanged C2 server)
- Behavioral Indicators: Unauthorized network connections originating from development-environment build processes after the malicious package is installed; execution of code within obscure library functions that perform network communication.
## Associated Threat Actors
- [Not explicitly named, but described as "threat actors" targeting cryptocurrency data.] The user profile associated with the upload was "[nethereumgroup]".
## Detection Methods
- Signature-based detection: Targeting specific strings related to the hardcoded C2 domain or unique function names in assembly/scripts.
- Behavioral detection: Flagging unusual outbound network traffic initiated by package restoration/build processes (`nuget.exe install` or `dotnet restore`) to suspicious external domains.
- YARA rules: Could be developed to detect the structure of the XOR-encoded strings or import/usage patterns associated with the malicious function.
## Mitigation Strategies
- **Scrutinize Downloads:** Developers must carefully inspect package names for subtle character differences (homoglyphs) before installing.
- **Verify Publisher Identity:** Check the profile/publisher details on NuGet for legitimacy.
- **Monitor Download Metrics:** Be highly suspicious of brand new libraries claiming millions of downloads in a short timeframe.
- **Restrict Network Access:** Implement network segmentation to prevent development environments from connecting to external, untrusted URLs during package restore operations.
- **Use Package Scanning:** Employ automated tools to scan dependencies for known malicious patterns or anomalies.
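The "Scrutinize Downloads" and "Use Package Scanning" points above can be automated. The following is an added example (not code from the report or from the Nethereum project) that audits `PackageReference` IDs in a .csproj for characters outside the ASCII set NuGet IDs normally use and for IDs that collapse onto a trusted prefix once Cyrillic lookalikes are folded to Latin. The sample project file and the lookalike table are constructed for the example; the table is a hand-picked subset, not the full Unicode confusables list.

```python
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample project file (not from the report): one legitimate reference and one
# whose ID spells "Nethereum" with Cyrillic small letter ie (U+0435) instead of Latin "e".
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Nethereum.Web3" Version="4.19.0" />
    <PackageReference Include="Nether\u0435um.All" Version="1.0.0" />
  </ItemGroup>
</Project>"""

# Cyrillic letters that render like Latin ones. Hand-picked subset (assumption),
# not the full Unicode confusables table; extend it for production use.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
              "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s"}

def skeleton(package_id):
    """Fold lookalike letters onto their Latin twins and lower-case (NuGet IDs are case-insensitive)."""
    folded = unicodedata.normalize("NFKC", package_id)
    return "".join(LOOKALIKES.get(ch, ch) for ch in folded).lower()

def foreign_chars(package_id):
    """Characters outside the ASCII set a NuGet ID normally uses, with code point and Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in package_id if not re.fullmatch(r"[A-Za-z0-9._-]", ch)]

def audit_csproj(xml_text, trusted_prefixes):
    """Return one finding per suspicious PackageReference; trusted_prefixes are package-ID prefixes you rely on."""
    trusted = {p.lower() for p in trusted_prefixes}
    findings = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        pid = ref.get("Include", "")
        raw_prefix = pid.split(".")[0].lower()
        folded_prefix = skeleton(pid).split(".")[0]
        reasons = []
        odd = foreign_chars(pid)
        if odd:
            reasons.append("non-ASCII characters: " + ", ".join(f"{cp} {name}" for _, cp, name in odd))
        if folded_prefix in trusted and raw_prefix != folded_prefix:
            reasons.append(f"looks like trusted prefix '{folded_prefix}' but is not identical")
        if reasons:
            findings.append({"id": pid, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_csproj(SAMPLE_CSPROJ, {"Nethereum"}):
        print(f["id"], "->", "; ".join(f["reasons"]))
```

Run against real project files, the same check extends to `packages.config` and `Directory.Packages.props` by iterating the corresponding elements.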
## Related Tools/Techniques
- Typosquatting/Homoglyph Attacks (general technique, previously seen in PyPI, npm, etc.)
- Supply Chain Compromise via Malicious Packages (e.g., dependency confusion, malicious updates).