Mallory
Malware (used by 2 actors)

XORIndex

XORIndex is a malware loader used in the North Korea-linked Contagious Interview supply-chain campaign. It has been distributed through malicious npm packages, including a reported wave of 67 packages that accumulated more than 17,000 downloads, with XORIndex itself exceeding 9,000 downloads between June and July 2025. The campaign targets software developers, especially in Web3, cryptocurrency, and blockchain environments, as well as technical job seekers, using fake recruiter personas, LinkedIn outreach, and booby-trapped coding assignments or typosquatted/open-source packages.

XORIndex is described as a previously undocumented loader that builds on the earlier HexEval loader, and the two have operated in parallel. Its code hides strings and logic as XOR-encoded byte tables and reconstructs them with simple index arithmetic before execution. More recent variants added rudimentary host reconnaissance and machine profiling. The loader collects host information, obtains the victim’s external IP address, and communicates with hard-coded command-and-control infrastructure to beacon system details and receive or trigger follow-on payload delivery.

In the observed infection chain, XORIndex serves as an initial-stage loader for BeaverTail, a JavaScript stealer/loader, and may lead to deployment of the Python backdoor InvisibleFerret. Associated downstream capabilities described in the campaign include theft of browser credentials, cryptocurrency wallet data, macOS Keychain contents, clipboard data, keystrokes, and screenshots, along with persistent access via additional payloads. Execution is user-driven through npm package installation or import-time behavior rather than exploitation of a software vulnerability.

High-confidence associations in the reporting tie XORIndex to North Korean threat actors and the broader Contagious Interview cluster, also tracked as DeceptiveDevelopment, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.
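The two behaviours described above, install-time execution from an npm package and strings hidden as XOR-encoded byte tables that are rebuilt with index arithmetic, are the parts of this chain a defender can check for statically. The following triage helper is an added example written for this page; it is not code from XORIndex, Socket, The Hacker News or Mallory. It assumes two hypothetical encoding schemes (XOR with a single-byte key, and XOR with the key plus the element index), which are stand-ins for the general pattern rather than the loader's actual routine, and the source snippet and package.json it scans are constructed inline. Names such as `findByteTables`, `bestDecode` and `installHooks` are the example's own.

```javascript
// Added triage helper (not XORIndex, Socket or Mallory code). Finds npm
// lifecycle hooks that run at install time and numeric byte tables in
// JavaScript source, then tries hypothetical XOR/index schemes to recover
// readable strings for analyst review. All sample data below is constructed.

// Characters typical of URLs, paths and identifiers score highest.
const COMMON = /[A-Za-z0-9 ./:_-]/;

// Locate numeric array literals with at least `minLen` byte-sized entries.
function findByteTables(source, minLen = 8) {
  const re = /\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})*)\s*\]/g;
  const tables = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const bytes = m[1].split(',').map((s) => Number(s.trim()));
    if (bytes.length >= minLen && bytes.every((b) => b <= 255)) tables.push(bytes);
  }
  return tables;
}

// Heuristic plausibility score: +2 common text byte, +1 other printable,
// -3 control or non-ASCII byte.
function textScore(bytes) {
  let score = 0;
  for (const b of bytes) {
    if (COMMON.test(String.fromCharCode(b))) score += 2;
    else if ((b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x09) score += 1;
    else score -= 3;
  }
  return score;
}

// Hypothetical decoding schemes modelling "XOR plus simple index arithmetic".
const SCHEMES = {
  key: (b, i, k) => b ^ k,
  index: (b, i) => b ^ (i & 0xff),
  'key+index': (b, i, k) => b ^ k ^ (i & 0xff),
};

function decodeTable(bytes, scheme, key = 0) {
  const f = SCHEMES[scheme];
  return bytes.map((b, i) => f(b, i, key));
}

// Try every scheme and every single-byte key; keep the most text-like result.
function bestDecode(bytes) {
  let best = null;
  for (const scheme of Object.keys(SCHEMES)) {
    const keys = scheme === 'index' ? [0] : [...Array(256).keys()];
    for (const key of keys) {
      const out = decodeTable(bytes, scheme, key);
      const score = textScore(out);
      if (best === null || score > best.score) {
        best = { scheme, key, score, text: String.fromCharCode(...out) };
      }
    }
  }
  return best;
}

// npm scripts that run during `npm install` without the user invoking them.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function installHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// --- constructed sample input -------------------------------------------
// XOR is its own inverse, so the decoder doubles as the encoder here.
const encode = (text, scheme, key) =>
  decodeTable([...text].map((c) => c.charCodeAt(0)), scheme, key);

const SAMPLE_SOURCE = `
const a = [${encode('https://c2.example.invalid/beacon', 'key', 0x5a).join(',')}];
const b = [${encode('v3.1.4/recon:user', 'key+index', 0x37).join(',')}];
const ver = [1, 2, 3];
`;

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'constructed-sample',
  version: '1.0.0',
  scripts: { postinstall: 'node index.js', test: 'echo ok' },
});

// Combine both checks into one report for a package's source and manifest.
function triage(source, packageJsonText) {
  return {
    hooks: installHooks(packageJsonText),
    tables: findByteTables(source).map(bestDecode),
  };
}

console.log(JSON.stringify(triage(SAMPLE_SOURCE, SAMPLE_PACKAGE_JSON), null, 2));
```

The scoring is a heuristic, so treat a recovered string as a lead for manual review rather than proof; short tables can decode plausibly under more than one key. Because the chain depends on lifecycle scripts or import-time code rather than a software vulnerability, installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and reviewing any flagged hook before enabling it removes the automatic execution step on which this loader relies.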

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Contagious Interview

The packages, per Socket, have attracted more than 17,000 downloads, and incorporate a previously undocumented version of a malware loader codenamed XORIndex.

via The Hacker News (thehackernews.com)
North Korean threat actors

...using them to deliver malware families like HexEval, XORIndex, and encrypted loaders that deliver BeaverTail...

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 2)

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing another set of 67 malicious packages to the npm registry, underscoring ongoing attempts to poison the open-source ecosystem via software supply chain attacks.

Execution

1 technique
T1059.007 JavaScript (evidence: 2)

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail.

Stealth

1 technique
T1027.013 Encrypted/Encoded File (evidence: 1)

MITRE ATT&CK T1027.013: Obfuscated Files or Information: Encrypted/Encoded File

Discovery

2 techniques
T1033 System Owner/User Discovery (evidence: 1)

The XORIndex Loader, like HexEval, profiles the compromised machine... with second and third-generation versions introducing rudimentary system reconnaissance capabilities.

T1082 System Information Discovery (evidence: 1)

The XORIndex Loader, like HexEval, profiles the compromised machine... Early iterations have been found to lack in obfuscation and reconnaissance capabilities, while keeping their core functionality intact, with second and third-generation versions introducing rudimentary system reconnaissance capabilities.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

The XORIndex Loader, like HexEval, profiles the compromised machine and uses endpoints associated with hard-coded command-and-control (C2) infrastructure to obtain the external IP address of the host. The collected information is then beaconed to a remote server, after which BeaverTail is launched.

T1105 Ingress Tool Transfer (evidence: 1)

The attack chains using malicious npm packages are fairly straightforward in that they serve as a conduit for a known JavaScript loader and stealer called BeaverTail... as well as deploy a Python backdoor referred to as InvisibleFerret.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (7)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.