Nullbulge

NullBulge is a cybercriminal threat group that emerged in early 2024, active between at least April and July 2024, targeting AI-focused applications, gaming communities, and related software supply chains. The group presents itself as a pro-artist, anti-AI hacktivist collective claiming to protect artists, but reporting in the provided content assesses its activity as financially motivated and involving data theft and extortion. NullBulge targets victims through software supply chain compromises and malware distribution via public repositories and community platforms, including GitHub, Hugging Face, Reddit, Discord, ModLand, and BeamNG-related communities. Reported activity includes compromising or abusing the ComfyUI_LLMVISION extension on GitHub and distributing malicious BeamNG mods. The group weaponized code in publicly available repositories, including modified requirements.txt files that loaded trojanized Python wheels masquerading as Anthropic and OpenAI libraries, including a fake OpenAI library version 1.16.3. Observed tooling and malware include Python-based payloads that exfiltrated victim data through Discord webhooks, trojanized libraries containing components such as Fadmino.py, admin.py, and cadmino.py, and Lua scripts executing base64-encoded PowerShell. These payloads harvested browser data, geographic data, system information, installed applications, security product information, and financial data. NullBulge also delivered Async RAT and Xworm, including infections launched from malicious PowerShell downloaded from services such as pixeldrain and modsfire. Later-stage activity included deployment of customized LockBit ransomware built using the leaked LockBit 3.0/LockBit Black builder. Reported LockBit configuration features included local disk and network share encryption, process and service termination, ransom note printing, wallpaper changes, self-deletion, and event log deletion. The actor allegedly leaked Disney-related data in June and July 2024, including DuckTales files and a purported 1.2TB archive of internal Slack data, and claimed access was obtained through compromised corporate account credentials. NullBulge used its own leak infrastructure and public channels such as 4chan to announce and distribute leaks. Reported infrastructure included nullbulge.com, nullbulge.se, nullbulge.co, group.goocasino.org, and a Tor onion site. The group also maintained underground forum profiles where it sold infostealer logs and stolen OpenAI API keys. The alias AppleBotzz is associated with GitHub, Hugging Face, ModLand, and related malware distribution activity tied to NullBulge. The provided content states there is insufficient evidence to confirm whether AppleBotzz and NullBulge are separate entities, but assesses AppleBotzz as likely central to NullBulge’s delivery infrastructure. No nation-state attribution is established in the provided content.