
Daniel Stepanic
320 posts

Daniel Stepanic
@DanielStepanic
Malwarez at @elasticseclabs | Macrodata Refinement






This morning I was HACKED! I’m a blockchain developer with over 8 years of experience. I’m familiar with many of the techniques hackers use, but they are often one step ahead. They strike when you are most vulnerable. What happened: - A few days ago, I was contacted on LinkedIn by Kostiantyn Pustovyi. They offered me a collaboration opportunity on a Web3 game. - I immediately suspected they would send me a suspicious link, ask me to download some software, or something similar. But they didn’t. - This morning, I started the interview. The person explained the role, how I would be expected to help manage the team, and other details. - They showed me the repository I was supposed to work on. - I cloned it and ran yarn install. That’s when they got me. - An obfuscated script sent the credentials stored in process.env to their server. - They also asked me to test their online game and connect my wallet. They almost certainly intercepted my wallet password as well. I’M DESPERATE! I haven’t finished investigating yet, and I still don’t know exactly how many wallets were drained. I’ll continue posting updates as I learn more. BTSG, the bridge, and other related systems do not appear to be affected.




















New #research together with @SBousseaden and @DanielStepanic at @elasticseclabs. We uncovered a campaign abusing Obsidian plugins and vault feature to deliver multi-platform payloads targeting both #Windows and #macOS. The final stage is #PHANTOMPULSE, an AI-built RAT that resolves its #C2 from Ethereum blockchain transactions and its loader #PHANTOMPULL A deep dive into the RAT internals is coming next. Stay tuned. elastic.co/security-labs/…



Elastic Security Labs exposes BRUSHWORM backdoor and BRUSHLOGGER keylogger targeting South Asian financial institution. Custom malware pair features USB worm spreading, broad file theft, and system-wide keystroke capture via DLL side-loading.
Key technical details:
• BRUSHWORM (paint.exe): Modular backdoor with AES-CBC encrypted config, scheduled task persistence (MSGraphics), anti-analysis checks (screen resolution, hypervisor detection), and C2 communication to resources.dawnnewsisl[.]com/updtdll
• Creates hidden directories: C:\ProgramData\Photoes\Pics\, C:\Users\Public\Libraries\, stages stolen files in C:\Users\Public\Systeminfo\
• USB spreading uses social engineering filenames (Salary Slips.exe, Documents.exe) and exfiltrates 40+ file extensions including .doc, .pdf, .pst, .py
• BRUSHLOGGER (libcurl.dll): DLL side-loading keylogger with WH_KEYBOARD_LL hook, XOR encryption (key 0x43), logs to C:\programdata\Photoes\






