
Cybersecurity researchers have discovered a malicious Rust package that targets Windows, macOS, and Linux systems. The package stealthily executes on developer machines while masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
The Rust crate, named “evm-units,” appeared on crates.io in mid-April 2025 under an uploader named “ablerust,” and it attracted more than 7,000 downloads over the past eight months. Additionally, another package created by the same author, “uniswap-utils,” listed “evm-units” as a dependency and reached more than 7,400 downloads. The package repository later removed both packages.
“Based on the victim’s operating system and whether Qihoo 360 antivirus is running, the package downloads a payload, writes it to the system temp directory, and silently executes it,” Socket security researcher Olivia Brown said. “The package appears to return the Ethereum version number, so the victim is none the wiser.”
A notable aspect of the package is that it explicitly checks for the presence of the “qhsafetray.exe” process, an executable file associated with 360 Total Security, an antivirus software developed by Chinese security vendor Qihoo 360.
Specifically, the package invokes a seemingly harmless function named “get_evm_version(),” which decodes and reaches out to an external URL (“download.videotalks[.]xyz”) to fetch a next-stage payload depending on the operating system that runs it. Consequently, the behavior varies:
If the “qhsafetray.exe” process is not present, it creates a Visual Basic Script wrapper that runs a hidden PowerShell script with no visible window. Alternatively, if the antivirus process is detected, it slightly alters its execution flow by invoking PowerShell directly.
“This focus on Qihoo 360 is a rare, explicit, China-focused targeting indicator, because it is a leading Chinese internet company,” Brown said. “It fits the crypto-theft profile, as Asia is one of the largest global markets for retail cryptocurrency activity.”
The references to EVM and Uniswap, a decentralized cryptocurrency exchange protocol built on the Ethereum blockchain, indicate that the threat actor designed the supply chain incident to target developers in the Web3 space by passing off the packages as Ethereum-related utilities.
“Ablerust, the threat actor responsible for the malicious code, embedded a cross-platform second-stage loader inside a seemingly harmless function,” Brown said. “Worse, the dependency was pulled into another widely used package (uniswap-utils), allowing the malicious code to execute automatically during initialization.”
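For teams checking their own projects, the following added example (not code from Socket or from the original article) scans a Cargo.lock for the two crate names reported above and shows which packages pull them in, mirroring the uniswap-utils to evm-units dependency. The lockfile excerpt, the "my-app" package and all version numbers are constructed placeholders.

```rust
// Crate names reported in the article; crates.io has removed both.
const FLAGGED: [&str; 2] = ["evm-units", "uniswap-utils"];
// Constructed Cargo.lock excerpt: "my-app" and every version number are placeholders.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "evm-units"
version = "0.0.0"
[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
]
[[package]]
name = "uniswap-utils"
version = "0.0.0"
dependencies = [
 "evm-units 0.0.0",
]
"#;

fn unquote(s: &str) -> &str {
    s.trim_end_matches(',').trim_matches('"')
}

/// Scan the [[package]] tables; report flagged crates and the packages that depend on them.
fn scan_lock(text: &str) -> Vec<String> {
    let (mut out, mut pkg, mut in_deps) = (Vec::new(), String::new(), false);
    for line in text.lines().map(str::trim) {
        if in_deps {
            // Entries look like "name", "name version" or "name version (source)".
            let dep = unquote(line).split_whitespace().next().unwrap_or("");
            if FLAGGED.contains(&dep) { out.push(format!("{} depends on {}", pkg, dep)); }
            in_deps = line != "]";
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg = unquote(v).to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            if FLAGGED.contains(&pkg.as_str()) { out.push(format!("{} {} is locked", pkg, unquote(v))); }
        } else if line == "dependencies = [" {
            in_deps = true;
        }
    }
    out
}

fn main() {
    for finding in scan_lock(SAMPLE_LOCK) { println!("{}", finding); }
}
```

A "depends on" finding for a package that is not itself flagged (here "my-app") marks where the crate enters the dependency tree and therefore which manifest to fix.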
Source: TheHackerNews