Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Oct 31, 2023NewsroomSoftware Security / Malware

Malicious NuGet Packages

Cybersecurity researchers have discovered a new set of malicious packages published by the NuGet package manager using a lesser-known method for deploying malware.

Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan that called. SeroXen RAT.

“The threat actors behind this are strong in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages,” Karlo Zanki, reverse engineer at ReversingLabs, SAYS in a report shared by The Hacker News.


The names of some of the packages are below –

  • Pathoschild.Stardew.Mod.Build.Config
  • KucoinExchange.Net
  • Kraken. Exchange
  • DiscordsRpc
  • SolanaWallet
  • Monero
  • Modern.Winform.UI
  • MinecraftPocket.Server
  • IAmRoot
  • ZendeskApi.Client.V2
  • Betalgo.Open.AI
  • Forge.Open.AI
  • Pathoschild.Stardew.Mod.BuildConfig
  • CData.NetSuite.Net.Framework
  • CData.Salesforce.Net.Framework
  • CData.Snowflake.API

These packages, which span multiple versions, mimic popular packages and take advantage of NuGet’s MSBuild integration feature to inject malicious code into their victims, a feature called. inline tasks to achieve code execution.

Malicious NuGet Packages

“This is the first known example of malware published in the NuGet repository that exploits this inline tasks feature to execute malware,” Zanki said.

The currently deleted packages show similar characteristics in that the threat actors behind the operation tried to hide the malicious code by using spaces and tabs to move it from the perspective of the default screen width .

As previously disclosed by Phylum, the packages also artificially inflate download counts to make them appear more legitimate. The ultimate goal of the decoy packages is to act as a way to get the second stage .NET payload hosted in a dumped GitHub repository.

“The threat actor behind this campaign is careful and attention to detail, and determined to keep this malicious campaign alive and active,” Zanki said.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment