Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated

The campaign that compromised Red Hat is still running, and it’s getting complicated

The npm malware that recently affected Red Hat was highly sophisticated: the amount of obfuscation, encryption and multi-stage dropping was staggering. This is notable because npm malware usually has one to three stages of execution: decode the obfuscated code, download a remote payload, infect the machine directly. In this sample we counted six stages, and the last one feeds back into the chain, so malicious code keeps executing on the machine in what amounts to an endless loop.

In our last post we tried to show visually how complex this is, with a flow chart of how the 3rd stage dropper works:

image

But in reality this only covers a very small portion of the actual logic, which looks more like this:

image

And this is just the loading and dropper logic, excluding the sub flows of the Shai-Hulud infostealer malware itself.

This shows three very interesting details:

  1. The Miasma string has two versions, depending on which Shai-Hulud logic was running at the time. This means an account can be affected either by the 6th stage of the malware or by a variant that runs the “firedalazer” logic from GitHub directly. Tools that check GitHub repositories for an exact match on the first string will miss infections caused by the 6th stage payload:

    1. Miasma: The Spreading Blight

    2. Miasma : The Spreading Blight

  2. The malware runs in an endless loop.

  3. The threat actor can dynamically change the “firedalazer” commits on GitHub, producing new versions of the malware that are more adaptive and more sophisticated.

    1. GitHub effectively works as a C2 server: not only for uploading stolen data, but for storing the malicious code as well. The threat actor can add new variants by pushing commits carrying the “firedalazer” string from different GitHub accounts, so the operation keeps functioning after the original account is blocked.

GitHub Is the C2

Most malware uses GitHub to host stolen data. Shai-Hulud uses it to run the operation.

The threat actor isn’t just uploading exfiltrated credentials to a GitHub repo — they’re storing the malicious code there, and using commits tagged with the “firedalazer” string as a live update mechanism. Every new commit is effectively a new payload delivery. Block one account, and another picks up where it left off.

This turns GitHub into something more dangerous than a dead drop. It is an adaptive C2 that piggybacks on a trusted, widely allow-listed platform, which makes domain- and IP-based network blocking close to useless. Most security tools aren’t configured to treat GitHub traffic as suspicious, and the threat actor knows this.

The practical implication: defenders can’t simply block a domain or an IP. They would have to inspect the content flowing to and from GitHub, which is impractical at scale.

GitHub repositories created by the 6th stage dropper have a space between “Miasma” and the colon, while repositories created by the 3rd stage dropper don’t:

image

The threat actor’s GitHub account followed Chinese-language GitHub repositories and contributed to them. Although the account has been removed, Google search still holds a cached result with the name of one of those repositories:

image

The multi-stage dropping logic, the possible Chinese connection, and the fact that the malware’s embedded public keys differ from the ones we saw in the Telnyx and LiteLLM compromises are strong indications that this is a different threat actor. We can’t be 100% sure, but the malware attributed to TeamPCP was more straightforward and didn’t use heavy obfuscation and encryption techniques.

When detecting malicious code and affected repositories, signatures need to be highly accurate: at the time of writing we still see indications that the campaign is infecting repositories on GitHub. This could be a new attack in the works, or further victims of another ongoing supply chain attack.

You can use this link to check for the 6th stage payload infections in GitHub:

image

Self Infecting Threat Actors

The original threat actor’s own GitHub account was infected with the new variant of the Shai-Hulud malware.

During our analysis, we found another potentially malicious user working on spreading the next phase of the Miasma campaign, similar to the “letsgo0” user that was already removed from GitHub. This might be an indication that we are seeing the same threat actor using a new account.

image

All known IoCs

Security engineers protecting their environments against supply chain malware should check for the following IoCs and strings in their environment and monitoring tools.

  • Miasma: The Spreading Blight

  • Miasma : The Spreading Blight

  • IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner

  • try{eval(function(s,n){return s.replace(/[a-zA-Z]/g,function(c)

  • Encryption keys and IV (Stage 1)

    • 437c8addbcdccc1e1501429e3fcd26f5

    • b3f898f0a1f8ecde0b731dc8

    • 7771b28c6c759e57054b4e2213a400e0

    • 76814f8af5e380157253d586f19ac191

    • 2fdeaf569385a488969f6c8e

    • fb521089da55b27e53992dfa18a522e2

  • Encryption keys and IV (Stage 6)

    • 736e8d618f6526f1cc3fd8482e186d00

    • ffeace0c73b598742db65a5f

    • 2019957c8162ad85750b0d055a4202cb

    • 825c47fee7ed317d3b9f5fa3d7d1bff1

    • 9c7667c69376ee3490066e46

    • c9986b28ef80b834467209cc8217fa73
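The fourth string in the list above is the opening of the classic letter-rotation decoder idiom (`eval(function(s,n){return s.replace(/[a-zA-Z]/g, ...)`). As an added example, not code from the original post or from the malware, here is a static unwrapper that recognizes that idiom and decodes what it wraps without ever calling `eval`, so an analyst can read the next layer instead of running it. The body of the wrapper function and the trailing `}("payload",N))` call layout are assumptions about the common form of this idiom; the sample plaintext, the shift and the `buildWrapper` helper exist only to produce constructed test input.

```javascript
"use strict";

// Added example: static unwrapper for the letter-rotation eval idiom whose prefix is in the IoC list.
// The wrapper body and the trailing `}("payload",N))` call are assumed to follow the common form of
// that idiom; they are not text taken from the sample. Nothing here executes the payload.

// The rotation the wrapper applies at runtime, reimplemented so it can be run on text safely.
function rotDecode(s, n) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const top = c <= "Z" ? 90 : 122;            // char code of 'Z' or 'z'
    const shifted = c.charCodeAt(0) + n;
    return String.fromCharCode(top >= shifted ? shifted : shifted - 26);
  });
}

// Recognizes the wrapper and captures the rotated string literal and the shift.
// Layout assumed (see header comment): eval(function(s,n){...}("<payload>",<n>))
const WRAPPER_RE =
  /eval\(function\(s,n\)\{return s\.replace\(\/\[a-zA-Z\]\/g,function\(c\)[\s\S]*?\}\("((?:[^"\\]|\\.)*)",(\d+)\)\)/g;

// Returns one entry per wrapper found, with the payload decoded but never executed.
function unwrapRotationLayers(source) {
  const layers = [];
  for (const m of source.matchAll(WRAPPER_RE)) {
    const payload = m[1].replace(/\\(["\\])/g, "$1");   // undo the escapes a string literal needs
    const shift = Number(m[2]);
    layers.push({ shift, decoded: rotDecode(payload, shift) });
  }
  return layers;
}

// Builds a wrapper in the assumed layout so the unwrapper has something to run on.
// Test-input generator only; plaintext and shift are made up for the example.
function buildWrapper(plaintext, n) {
  const rotated = rotDecode(plaintext, 26 - n);        // pre-rotate so the wrapper's +n restores it
  const literal = rotated.replace(/["\\]/g, "\\$&");
  return (
    "try{eval(function(s,n){return s.replace(/[a-zA-Z]/g,function(c)" +
    '{return String.fromCharCode((c<="Z"?90:122)>=(c=c.charCodeAt(0)+n)?c:c-26)})}(' +
    `"${literal}",${n}))}catch(e){}`
  );
}

// Constructed sample: a harmless statement wrapped with shift 13.
const SAMPLE_PLAINTEXT = 'console.log("next stage would be loaded here");';
const SAMPLE_WRAPPER = buildWrapper(SAMPLE_PLAINTEXT, 13);

if (typeof require !== "undefined" && require.main === module) {
  console.log(SAMPLE_WRAPPER);
  console.log(unwrapRotationLayers(SAMPLE_WRAPPER));
}
```

Run it on a suspicious `index.js` by passing the file contents to `unwrapRotationLayers`; each returned `decoded` string is the next layer as text, which can be scanned again (or fed back into the same function if it is wrapped a second time) without giving it a chance to execute.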

Embedded public keys:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy/uXzJGGCEF39GtSJk9H
34cWHM9XaRYrvMI0FnDi77ZRt1bMtva4xn/gdYS0koxVYkJBO55qCTNVf5SCxeHx
t6qdsF9Ofdh2i/HXqcRLo2M49Pw9wFGZTo15CSAaqj1SNtgjj8UvLXkVkS+Cah0d
U5xcdqV/trniKtf5Thu8hq3FGPlR+PIi9JHMedXVuNpp0U6RXeM/8KU++DFysR7U
SgBqENN1HATGi9TafjIjO47rs/lSCGJu7zt/68Goi8fij+u5vV/ML7hg28DoiAuF
NGfxzxbUNJRcuNildoWOup1E0DcimV93T8it7R+o/nd/XTGj82ncpfGQgirNILn9
xY2glt11LoFw/OikSApZP66IUE4VgoxEx22zW717La3EXcs2UTfo0mEAYi9SMuAw
ZLE+XuHV1x5VLkrVNUqs3XME0KKzbSyzoHOd/GPZNYvY5iasl7GdiaMYXEZUouNG
ZaQPp0IZ0t5Z0uI+oCre85avpAgcROBo5VxZcwi/WL9l/TXxAGdSjgfKNvCmkWvD
JWwYcrWe6sE68Q4G/LeZIHdNBjQ0G9Awkn/5UfIRfpMOPc+usLvhRbUqo37ADG4H
mvh9ZgjU3iXfSoCLxWDA7l5Bpvuoob4r6Tg/1DFld2LPboVqqj/ifiaUbjdZLrDf
hiLx1mYHyEdCkpwm5U/LSesCAwEAAQ==
-----END PUBLIC KEY-----

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAifY0q2qOZke8FTr7c23d
bn7yQlZNQB9oCWqmjtcgz8gIxv4Q+xrDjdGWTRb0q+IIjyReORkoSitE0SAgiX4b
3hgCy16BEhjPfn+VxFRW0fWWN+mTWll1TRYzRVzWXiWvsKO1AjDn1dXc+MJqdkzJ
ZT6c+hoMMlwDCzhVYGUUFi8meOl45TakK7nReM4PHf+yNk+m4pAsaJrTJVYo9TCZ
VH/kkRwpftxhiS1A1XEqSy7A4kvf23jL07/obRv2BB+nJDbghZBV+6iMCYmlTOds
6kHP0AN7PAAcyQLBwonvT3sczTOUJo/vTimXBDzXQrZfdY4n5p6PF1oLd9oFw0d7
SUeIy36cPWxA+NQDnOYlLkCmXCEHUGAvjbAWybk5ITXSNQFxZe6lebhKPsItLEX6
3j0BByRfOy8eiPm/sN1tRypZeGf8Hwgdmr3oVvg2U6rZ1aolbJuvJRWkk1ew465x
Jxfzrn+e364LsPpa7Mr4DHxVOHIYp5Ni9v04AQRUVQnZDgpOkcV9o24TSxCAwpOg
jaidcXlcajxjuDik2Cpk+3XHV3o3fJN2j0YYkdP+5XYPCJnuocl8Q3zkKmUp/GTS
9GuPr2KKH1RMAWWqk0hLPr1o/Q8O3arYPzRD72U70XFvDV+B/yZIfZGMbVK+2zGL
FJxUW1wNmX4kjCKhlFd/QLUCAwEAAQ==
-----END PUBLIC KEY-----
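The variant discussion earlier (repositories named “Miasma:” versus “Miasma :”) and the IoC list above make the same detection point: a signature that looks for one exact spelling of the repository name misses the 6th stage variant, and the hex material and keys may appear in code with arbitrary casing or line wrapping. The scanner below is an added example, not OX Security’s tooling: it matches both Miasma spellings, reports which dropper stage the spelling corresponds to, and matches the hex material and the two embedded public keys after normalizing whitespace (and, for hex, case). The repository descriptions and source snippet it scans are constructed for the example and are not real repository data.

```javascript
"use strict";

// Added example: variant-tolerant matcher for the IoCs listed on this page.
// Not OX Security's tooling; the samples at the bottom are constructed.

// Hex key/IV material from the page: 32-hex-char (16-byte) and 24-hex-char (12-byte) values.
const HEX_MATERIAL = {
  "stage1-key-material": [
    "437c8addbcdccc1e1501429e3fcd26f5", "b3f898f0a1f8ecde0b731dc8", "7771b28c6c759e57054b4e2213a400e0",
    "76814f8af5e380157253d586f19ac191", "2fdeaf569385a488969f6c8e", "fb521089da55b27e53992dfa18a522e2",
  ],
  "stage6-key-material": [
    "736e8d618f6526f1cc3fd8482e186d00", "ffeace0c73b598742db65a5f", "2019957c8162ad85750b0d055a4202cb",
    "825c47fee7ed317d3b9f5fa3d7d1bff1", "9c7667c69376ee3490066e46", "c9986b28ef80b834467209cc8217fa73",
  ],
};

// First base64 line of each embedded public key from the page. Both keys share the
// RSA SubjectPublicKeyInfo header, so the full 64-character line is needed to tell them apart.
const PUBKEY_PREFIXES = {
  "embedded-pubkey-1": "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy/uXzJGGCEF39GtSJk9H",
  "embedded-pubkey-2": "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAifY0q2qOZke8FTr7c23d",
};

const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

const STRING_INDICATORS = [
  // Both spellings: "Miasma:" (3rd stage dropper) and "Miasma :" (6th stage dropper).
  { name: "miasma-repo-name", re: /Miasma\s*:\s*The\s+Spreading\s+Blight/ },
  { name: "token-warning-string", re: /IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner/ },
  {
    name: "rotation-eval-wrapper",
    re: new RegExp(escapeRegExp("try{eval(function(s,n){return s.replace(/[a-zA-Z]/g,function(c)")),
  },
];

// Returns which dropper stage a Miasma repository name points to, or null if absent.
function classifyMiasma(text) {
  const m = /Miasma(\s*):\s*The\s+Spreading\s+Blight/.exec(text);
  if (!m) return null;
  return m[1].length > 0 ? "stage6" : "stage3";
}

// Returns the sorted list of indicator names found in `text`.
function scanForIoCs(text) {
  const hits = new Set();
  for (const { name, re } of STRING_INDICATORS) if (re.test(text)) hits.add(name);

  // Hex material: case-insensitive, and tolerant of a value being wrapped across lines.
  const squashed = text.replace(/\s+/g, "");
  const lowered = squashed.toLowerCase();
  for (const [name, values] of Object.entries(HEX_MATERIAL)) {
    if (values.some((v) => lowered.includes(v))) hits.add(name);
  }
  // Public keys: base64 is case-sensitive, so compare against the whitespace-squashed text only.
  for (const [name, prefix] of Object.entries(PUBKEY_PREFIXES)) {
    if (squashed.includes(prefix)) hits.add(name);
  }
  return [...hits].sort();
}

// Constructed samples (not real repository data).
const SAMPLE_REPO_DESCRIPTIONS = [
  "Miasma: The Spreading Blight",
  "Miasma : The Spreading Blight",
  "internal-build-tools",
];
const SAMPLE_SOURCE = [
  "// constructed snippet for the example, not malware",
  'const key = Buffer.from("736E8D618F6526F1CC3FD8482E186D00", "hex");',
  "const iv  = `ffeace0c73b5",
  "98742db65a5f`;",
  "const pub = `-----BEGIN PUBLIC KEY-----",
  "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAifY0q2qOZke8FTr7c23d",
  "-----END PUBLIC KEY-----`;",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const d of SAMPLE_REPO_DESCRIPTIONS) console.log(d, "->", classifyMiasma(d), scanForIoCs(d));
  console.log("source ->", scanForIoCs(SAMPLE_SOURCE));
}
```

Feed `scanForIoCs` the repository description and the contents of each file in a checkout (or the output of a GitHub search result page) rather than a single line; the whitespace squashing is what lets it catch a key or hex constant that a formatter has wrapped.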

The post Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated appeared first on OX Security.
