HexEval
HexEval is a hex-encoded JavaScript malware loader used in the DPRK-linked Contagious Interview software supply chain campaign. It has been distributed via typosquatted and otherwise malicious npm packages targeting developers and technical job seekers, particularly in Web3, cryptocurrency, and blockchain-related contexts. The campaign uses recruiter impersonation on platforms such as LinkedIn and malicious coding assignments that cause victims to install trojanized packages.
HexEval stores its stage-two payload as long hex strings, decodes them at runtime, and executes the recovered plaintext with eval(). Reported package-install behavior includes collecting host metadata, fingerprinting the system, decoding follow-on scripts, and conditionally fetching and executing BeaverTail as a second-stage payload. Some variants perform additional reconnaissance including collection of OS platform, hostname, username, and MAC addresses. The loader has been described as decoding hex strings to recover module names and command-and-control URLs, POSTing environment data to remote infrastructure, and then evaluating the server response in memory.
HexEval is associated with North Korean threat activity tracked as Contagious Interview and linked in public reporting to broader DPRK supply chain operations. It is used as part of a multi-stage infection chain intended to reduce registry artifacts and evade static detection, representing an evolution from earlier campaigns that embedded obfuscated BeaverTail directly in npm packages. BeaverTail, delivered by HexEval, is described as an infostealer/loader that can lead to deployment of the InvisibleFerret backdoor.
Observed infrastructure associated with HexEval includes Vercel-hosted endpoints such as hxxps://log-server-lovat[.]vercel[.]app/api/ipcheck/703, hxxps://ip-check-server[.]vercel[.]app/api/ip-check/208, and hxxps://ip-check-api[.]vercel[.]app/api/ipcheck/703. In one related cluster, a second-stage payload was reported from 172[.]86[.]80[.]145:1224. Public reporting notes that these endpoints may selectively return only IP geolocation data or undefined, suggesting conditional payload delivery based on runtime conditions.
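As an added defender-side example that is not part of this page or any vendor's tooling, the following Node.js triage heuristic looks for the pattern described above: long hex string literals that decode to readable text (URLs, module names) in a file that also calls eval. The constructed sample source, the token list and the scoring thresholds are assumptions for illustration.

```javascript
// Added example (not from the page or any vendor tool): a static triage
// heuristic for the HexEval pattern, i.e. long hex string literals that
// decode to URLs or module names in a file that also calls eval.
// Assumes Node.js (Buffer, String.prototype.matchAll); all sample data is constructed.
const HEX_LITERAL = /["'`]([0-9a-fA-F]{24,})["'`]/g;
const EVAL_SINK = /\b(?:eval|new\s+Function)\s*\(/;
// Tokens a loader typically hides: C2 schemes and modules used for fingerprinting or execution.
const LOADER_TOKENS = ["http", "require(", "child_process", "hostname", "networkInterfaces", "process.env"];

function hexToUtf8(hex) {
  // Odd-length literals cannot be byte strings; skip rather than mis-decode.
  return hex.length % 2 === 0 ? Buffer.from(hex, "hex").toString("utf8") : null;
}

function looksLikeText(s) {
  // Require mostly printable ASCII so hashes and key material stored as hex are not flagged.
  const ok = [...s].filter(c => (c >= " " && c <= "~") || c === "\n" || c === "\t").length;
  return s.length > 0 && ok / s.length > 0.9;
}

function triageSource(src) {
  const fileHasEvalSink = EVAL_SINK.test(src);
  const findings = [];
  for (const m of src.matchAll(HEX_LITERAL)) {
    const decoded = hexToUtf8(m[1]);
    if (decoded === null || !looksLikeText(decoded)) continue;
    const tokens = LOADER_TOKENS.filter(t => decoded.includes(t));
    findings.push({ offset: m.index, decoded, tokens });
  }
  // Decoded text scores 1, loader-like tokens score 2, plus 1 each when the file also evals.
  const score = findings.reduce((s, f) => s + (f.tokens.length ? 2 : 1) + (fileHasEvalSink ? 1 : 0), 0);
  return { score, fileHasEvalSink, findings };
}

function isLikelyHexLoader(src) { return triageSource(src).score >= 3; }

// Constructed sample: two hex literals hiding a placeholder URL and a module name, plus a decoy hash.
const SAMPLE = `
const h = "68747470733a2f2f6578616d706c652e696e76616c69642f6170692f6970636865636b";
const m = "6368696c645f70726f63657373";
const k = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08";
eval(Buffer.from(h, "hex").toString("utf8"));
`;

console.log(JSON.stringify(triageSource(SAMPLE), null, 2));
```

Run it over each file in a package's tarball before installation; the decoy hash shows that raw hex data alone does not trigger a finding.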
Groups observed using it
2 distinct threat actors attributed by public researchers.
The activity is an expansion of an attack wave spotted last month that involved the distribution of 35 npm packages that deployed another loader referred to as HexEval.
...using them to deliver malware families like HexEval, XORIndex, and encrypted loaders that deliver BeaverTail...
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.
Execution
1 technique
The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail.
Stealth
1 technique
MITRE ATT&CK T1027.013: Obfuscated Files or Information: Encrypted/Encoded File
Discovery
2 techniques
The XORIndex Loader, like HexEval, profiles the compromised machine... with second and third-generation versions introducing rudimentary system reconnaissance capabilities.
The XORIndex Loader, like HexEval, profiles the compromised machine... Early iterations have been found to lack in obfuscation and reconnaissance capabilities, while keeping their core functionality intact, with second and third-generation versions introducing rudimentary system reconnaissance capabilities.
Command and Control
2 techniques
The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.
The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail... as well as deploy a Python backdoor referred to as InvisibleFerret.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
HexEval is a loader malware family used by North Korean threat actors to deliver additional payloads such as BeaverTail.
HexEval is a loader family used in the campaign to hide BeaverTail as hex-encoded stage-two content, decode it at runtime, and execute it in memory via eval.
A JavaScript malware loader used in malicious npm package campaigns associated with Contagious Interview. Like XORIndex, it profiles infected hosts and facilitates delivery of follow-on malware such as BeaverTail.
Hex-encoded JavaScript loader embedded in typosquatted npm packages. On install/execution it fingerprints the host (environment variables, OS/platform, hostname, username, MAC addresses), POSTs data to hardcoded C2 endpoints, retrieves a second-stage script, and executes it via eval() to deliver follow-on payloads (notably BeaverTail). Uses hex encoding of strings/URLs to evade static analysis and may conditionally serve payloads based on runtime characteristics.