{ "Event": { "analysis": "1", "date": "2026-05-11", "extends_uuid": "", "info": "[Threat Intel] Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware", "protected": false, "publish_timestamp": "1779546971", "published": true, "threat_level_id": "3", "timestamp": "1779546970", "uuid": "ddaa6a5b-b336-4e40-bd89-a509c2d2a561", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#72ee33", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"", "relationship_type": "" }, { "colour": "#ed66f6", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#47d9d3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"", "relationship_type": "" }, { "colour": "#5539fe", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#68f2ff", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#62e1b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"", "relationship_type": "" }, { "colour": "#bf01b7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#8ed4a7", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"", "relationship_type": "" }, { "colour": "#1cbe6b", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#a9f8b1", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"", "relationship_type": "" }, { "colour": "#b76d96", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"", "relationship_type": "" }, { "colour": "#c84641", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"GUI Input Capture - T1056.002\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#356c41", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Security Software Discovery - T1518.001\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#1a0065", "local": false, "name": "rectifyq:topic=\"crypto-related\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778497222", "to_ids": false, "type": "link", "uuid": "d32030fa-0bbd-440e-9128-ca45d720fedc", "value": "https://beelzebub.ai/blog/needle-c2-crypto-stealer-analysis/", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1778497222", "to_ids": false, "type": "text", "uuid": "df63ab5d-7e91-4e0c-9ccd-f6f6233a8dd5", "value": "A modular Malware-as-a-Service crypto-stealing platform called Needle has been discovered actively targeting cryptocurrency wallets through two main attack vectors: a browser extension spoofer targeting MetaMask, Phantom, and Trust Wallet, and a Rust-based desktop agent impersonating Exodus, Trezor, and Ledger applications. The campaign compromised 1,932 victims, including 111 browser extension users and 1,821 desktop sessions. The Rust agent embedded its C2 API key without protection, enabling complete enumeration of victims and withdrawal configurations across six blockchains. The operator's EVM hot wallet moved approximately $148 in ETH to cold storage. The panel's React SPA performed authentication entirely client-side, and the same credential used by infected machines could potentially redirect future auto-withdrawals. Infrastructure is hosted on ASN 202412, a known bulletproof hosting provider in Amsterdam." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1778497222", "to_ids": false, "type": "text", "uuid": "c16e8c48-a303-4cf1-8ca0-cb06965af138", "value": "Name: Needle: Inside a Modular Crypto-Stealing C2 That Left Its Keys in the Malware\nAuthor: AlienVault\nAdversary: \nTags: [\"maas\", \"cryptocurrency-theft\", \"crypto-stealer\", \"needle\", \"phorpiex\", \"bulletproof-hosting\", \"wallet-spoofer\", \"rustystealer\"]\nTgtd countries: []\nMlwr families: [\"ThreatNeedle - S0665\", \"RustyStealer\"]\nAttack_ids: [\"T1056.001\", \"T1539\", \"T1036.005\", \"T1204.002\", \"T1566.001\", \"T1082\", \"T1005\", \"T1140\", \"T1185\", \"T1112\", \"T1555.003\", \"T1497\", \"T1041\", \"T1547.001\", \"T1056.002\", \"T1027\", \"T1573\", \"T1518.001\", \"T1071.001\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778981795", "to_ids": true, "type": "ip-dst", "uuid": "4d923df9-e954-44de-a046-12360c599931", "value": "130.12.180.135", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:17/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546970", "to_ids": true, "type": "sha1", "uuid": "a49b4693-ee8c-4c7f-9484-911bc0fd77da", "value": "0d681bd160db1b1df5db321a6d2dd9ae81b2609b", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] } ] } }