Mallory
Malware, used by 2 actors

levex-refa

levex-refa is a malicious npm package used in the Contagious Trader campaign, a large cryptocurrency-themed malware operation assessed with high confidence as linked to North Korea and overlapping with Lazarus/FAMOUS CHOLLIMA tradecraft. It was distributed as a dependency of the typosquatted package ts-bign and appeared in malicious GitHub trading-bot repositories, including hijacked dev-protocol Polymarket bot projects. The package is described as an SSH implant malware component.

Observed behavior includes collecting the victim's local IP address and recursively searching the current working directory for sensitive files, specifically .env and *.env files, id.json, config.toml, and Config.toml. Each discovered file is then exfiltrated in an HTTP POST request to attacker-controlled command-and-control infrastructure; the reported exfiltration endpoint for levex-refa is https://cloudflareguard.vercel.app/api/v1. Related campaign infrastructure also used Vercel-hosted domains named to resemble Cloudflare services.

The malware was delivered through npm dependency chains in fake cryptocurrency trading bot projects themed around Polymarket and similar platforms, targeting cryptocurrency users and likely seeking wallet keys, secrets, and other sensitive configuration data. In the broader campaign context, associated malicious packages also fingerprinted victims via api.ipify.org and, on Linux systems, established SSH access by appending an attacker-supplied public key to ~/.ssh/authorized_keys and opening inbound port 22 with ufw; the cited reporting attributes the recursive file-theft behavior specifically to levex-refa. StepSecurity flagged levex-refa@1.0.0 as Critical risk.


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Lazarus

Evidence (via kmseckmsec.uk): "The figure below displays an Emailinator inbox from npm user l.os.t.k.yl.e184, who published ts-bign (benign intermediary) and levex-refa (SSH implant malware)."

Contagious Interview

Evidence (via kmseckmsec.uk): the same Emailinator inbox observation quoted above for Lazarus, covering the npm user l.os.t.k.yl.e184 who published ts-bign and levex-refa.
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1195 Supply Chain Compromise (evidence: 2)

The npm malware is fairly consistent across repositories ... The table below shows a variety of trading bot repositories and their malicious npm dependencies.

Execution

2 techniques
T1053 Scheduled Task/Job (evidence: 1)

The infection chain is invoked by a postinstall script that executes /test.js , which invokes the malicious from_str() function.

T1059 Command and Scripting Interpreter (evidence: 1)

On Windows, it uses wmic to enumerate local disks. On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file. It also permits SSH (port 22) using ufw.

Persistence

3 techniques
T1037 Boot or Logon Initialization Scripts (evidence: 1)

On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file.

T1053 Scheduled Task/Job (evidence: 1)

The infection chain is invoked by a postinstall script that executes /test.js , which invokes the malicious from_str() function.

T1098.004 SSH Authorized Keys (evidence: 1)

On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file. It also permits SSH (port 22) using ufw.

Privilege Escalation

3 techniques
T1037 Boot or Logon Initialization Scripts (evidence: 1)

On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file.

T1053 Scheduled Task/Job (evidence: 1)

The infection chain is invoked by a postinstall script that executes /test.js , which invokes the malicious from_str() function.

T1098.004 SSH Authorized Keys (evidence: 1)

On Linux systems, it creates a backdoor by appending an SSH public key to the user’s ~/.ssh/authorized_keys file. It also permits SSH (port 22) using ufw.

Defense Evasion

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

The following other trading themed repositories implement similar encoded exfiltration endpoint implementations ... Base64-encoded exfiltration endpoint ... Some trading bots utilise a really neat method to exfiltrate data with some good misdirection to evade a cursory glance.

T1036 Masquerading (evidence: 1)

The malware uses two Vercel-hosted endpoints, both named to impersonate Cloudflare services: cloudflareguard.vercel.app ... cloudflareinsights.vercel.app ... The naming strategy is deliberate: both cloudflareguard and cloudflareinsights are plausible Cloudflare service names.

Discovery

3 techniques
T1016 System Network Configuration Discovery (evidence: 1)

Gets the victim's local IP by creating a UDP socket to 8.8.8.8:80 and reading the assigned address ... Fingerprint IP — GET api.ipify.org/?format=json — records victim's public IP address

T1033 System Owner/User Discovery (evidence: 1)

Gets the username from the USER environment variable

T1580 Cloud Infrastructure Discovery (evidence: 1)

The repo's package.json includes two typosquatted npm packages that look like legitimate libraries but pull in obfuscated malware as transitive dependencies: Chain 1: ts-bign → levex-refa ... Chain 2: big-nunber → lint-builder

Collection

1 technique
T1005 Data from Local System (evidence: 1)

Recursively searches the current working directory for sensitive files: .env and *.env ... id.json ... config.toml and Config.toml

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 1)

The SSH key is retrieved dynamically from the exfiltration server. Paths served by that server:

Path                 | Purpose
/ (root)             | Returns the actor's SSH key to be added
/api/scan-patterns   | Scan patterns for enumerating files to steal
/api/block-patterns  | Blocklist of patterns when enumerating files

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 2)

The infection vector can vary: Direct exfiltration to HTTP endpoint ... Direct exfiltration to an actor-controlled database ... The Base64-encoded content is http://65.109.25[.]6:6000/api/polymarket-copytrading-bot-api-key/validate.
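As an added example (not code from the cited reports or from this page), the following Node.js triage script turns the tradecraft documented above into offline checks a responder can run against a suspect project: it audits an npm lockfile (v2/v3 "packages" map) for the package names reported in this campaign and for any package that declares install-time lifecycle scripts (the postinstall hook under T1053/T1195), lists the install hooks in a single package.json, and scans JavaScript source for Base64-encoded URLs (T1027) whose hostnames imitate Cloudflare on another hosting platform (T1036). The package names and the cloudflareguard.vercel.app endpoint come from the page; the lockfile, package.json and source snippet are constructed for the example, and the postinstall command line is illustrative, not the malware's actual command.

```javascript
// Added example: offline triage for the npm dependency-chain tradecraft described on
// this page. Not code from the original report or from the malware.
// Sample inputs are constructed; package names and the C2 URL come from the report.

const KNOWN_BAD = new Set(["ts-bign", "levex-refa", "big-nunber", "lint-builder"]);

// Domains Cloudflare actually operates. Partial allowlist (assumption): extend it from
// Cloudflare's own documentation before relying on it.
const CLOUDFLARE_OWNED = ["cloudflare.com", "cloudflareinsights.com", "cloudflare-dns.com", "cloudflarestatus.com"];

// "node_modules/a/node_modules/@s/b" -> "@s/b" (handles nested and scoped packages)
function packageNameFromKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Walk the lockfile's "packages" map; flag known-bad names and any package that npm
// recorded as having install scripts (hasInstallScript is set by npm in lockfile v2+).
function auditLockfile(lock, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "" || entry.link) continue; // root project or workspace symlink
    const name = packageNameFromKey(key);
    const reasons = [];
    if (knownBad.has(name)) reasons.push("known malicious package");
    if (entry.hasInstallScript) reasons.push("declares preinstall/install/postinstall script");
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Which install-time hooks a package.json declares (these run on `npm install`).
function installScripts(pkg) {
  return ["preinstall", "install", "postinstall"].filter(
    (h) => pkg.scripts && typeof pkg.scripts[h] === "string"
  );
}

// Decode every long Base64-looking token and keep the ones that decode to a URL.
function findEncodedEndpoints(source) {
  const out = [];
  for (const m of source.match(/[A-Za-z0-9+\/]{20,}={0,2}/g) || []) {
    const decoded = Buffer.from(m, "base64").toString("utf8");
    if (/^https?:\/\/[\x21-\x7e]+$/.test(decoded)) out.push(decoded);
  }
  return out;
}

// True when the hostname borrows the Cloudflare brand but is not a Cloudflare domain.
function impersonatesCloudflare(urlString) {
  let host;
  try { host = new URL(urlString).hostname.toLowerCase(); } catch { return false; }
  if (!host.includes("cloudflare")) return false;
  return !CLOUDFLARE_OWNED.some((d) => host === d || host.endsWith("." + d));
}

// ---- constructed sample inputs ----
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "polymarket-bot", version: "1.0.0" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/ts-bign": { version: "1.0.0" },
    "node_modules/ts-bign/node_modules/levex-refa": { version: "1.0.0", hasInstallScript: true },
  },
};
const SAMPLE_PKG = { name: "levex-refa", version: "1.0.0", scripts: { postinstall: "node test.js" } }; // command illustrative
const C2 = "https://cloudflareguard.vercel.app/api/v1"; // exfiltration URL from the report
const SAMPLE_SOURCE = `const u = Buffer.from("${Buffer.from(C2).toString("base64")}", "base64").toString();`;

function report() {
  const encoded = findEncodedEndpoints(SAMPLE_SOURCE);
  return {
    lockfile: auditLockfile(SAMPLE_LOCK),
    hooks: installScripts(SAMPLE_PKG),
    encodedEndpoints: encoded,
    lookalikes: encoded.filter(impersonatesCloudflare),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

To use it on a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and the text of files under node_modules to `findEncodedEndpoints`. A `hasInstallScript` hit on a transitive dependency you did not expect, or a decoded URL whose host borrows a vendor brand on general-purpose hosting, is where manual review should start; as a preventive control, `npm install --ignore-scripts` stops postinstall hooks like the one described here from running at all.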

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; values are withheld on the public page.
Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type   | Value                      | Latest sighting
domain | (withheld on public page)  | 3 months ago
uri    | (withheld on public page)  | 3 months ago