Mallory: NYX

Malware, used by 1 actor


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers: LofyGang.

The separadordeinfocc package weighs 157 KB... The result: 5,092 lines of fully functional JavaScript that constitute one of the most complete infostealers we have analyzed from the npm ecosystem. They call it NYX.

Source: breakglass intel (intel.breakglass.tech)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic. Techniques that ATT&CK assigns to more than one tactic (T1053.005, T1547.001, T1497) are listed under each tactic with the same evidence.

Initial Access

1 technique
T1195.002 Compromise Software Supply Chain (evidence: 1)

On March 29, 2026, the npm maintainer consolelofy published a package called undicy-http -- a typosquat of undici, Node.js's official HTTP client library. Two days later, on April 1, the same account published separadordeinfocc.
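A pre-install check for the typosquat pattern described above, added here as an example; it is not code from the write-up or from NYX. It compares a candidate package name against the packages you actually depend on, after stripping the filler tokens attackers bolt onto a real name ("undici" becomes "undicy-http"), and flags anything within one edit. The filler list, the known-package list and the distance threshold are assumptions to tune for your own lockfile.

```javascript
"use strict";

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each at cost 1 (catches "lodahs" for "lodash").
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Assumption: filler tokens commonly appended to a real name in combosquats.
const FILLER = new Set(["http", "js", "node", "api", "client", "lib", "utils", "core", "dev"]);

// Drop the npm scope and filler tokens; keep the bare name if nothing survives.
function stem(name) {
  const bare = name.toLowerCase().replace(/^@[^/]+\//, "");
  const kept = bare.split(/[-_.]+/).filter((t) => t && !FILLER.has(t));
  return kept.length ? kept.join("") : bare;
}

// Every known package the candidate resembles, and why. An exact match is the
// genuine package and is never reported.
function typosquatCandidates(candidate, known, maxDist = 1) {
  const hits = [];
  if (known.includes(candidate)) return hits;
  const s = stem(candidate);
  for (const pkg of known) {
    const dist = osaDistance(s, stem(pkg));
    if (dist === 0) hits.push({ target: pkg, distance: 0, reason: "combosquat (filler added)" });
    else if (dist <= maxDist) hits.push({ target: pkg, distance: dist, reason: "near miss (typo)" });
  }
  return hits;
}

// Constructed allow-list for the demo; in practice feed it your lockfile's direct dependencies.
const KNOWN = ["undici", "express", "lodash", "axios", "react"];

function check(name) {
  return typosquatCandidates(name, KNOWN);
}

// Example: check("undicy-http") reports undici at distance 1; check("express") reports nothing.
```

Run `check(name)` from a preinstall hook or a lockfile diff review; a non-empty result should block the install until a human confirms the package is wanted.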

Execution

3 techniques
T1053.005 Scheduled Task (evidence: 1)

Scheduled task: ScreenLiveClient, triggered ONLOGON with HIGHEST privileges

T1059.001 PowerShell (evidence: 1)

NYX reads leveldb databases and Local State files, decrypts tokens protected by DPAPI using a PowerShell helper...

T1059.005 Visual Basic (evidence: 1)

It writes a VBScript file (_nyx_launch.vbs) to the temp directory, sets the environment variable _NYX_HIDDEN=1, and executes the script windowless.

Persistence

2 techniques
T1053.005 Scheduled Task (evidence: 1)

Scheduled task: ScreenLiveClient, triggered ONLOGON with HIGHEST privileges

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ScreenLiveClient Startup folder: Copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (evidence: 1)

Scheduled task: ScreenLiveClient, triggered ONLOGON with HIGHEST privileges

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ScreenLiveClient Startup folder: Copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Defense Evasion

2 techniques
T1027 Obfuscated Files or Information (evidence: 1)

Inside is a single index.js file: an IIFE wrapping a Base64-encoded blob that, when decoded, produces 214,900 bytes of XOR-encrypted data. The key is hardcoded in the clear.
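The loader layer described above (an IIFE around a Base64 literal that decodes to XOR-encrypted bytes, with the key hardcoded next to it) can be unwrapped without executing it. The following is an added example, not code from the write-up or from the package: it locates the loader's own decode primitives, pulls out the key and blob literals they reference, and XORs the blob back. The exact variable layout of the real index.js is not shown in the write-up, so the shape matched here (`k.charCodeAt(i % k.length)` for the keystream, `Buffer.from(d, "base64")` or `atob(d)` for the blob) is an assumption; the stand-in loader is constructed inline and carries a harmless payload.

```javascript
"use strict";

// XOR buf against a repeating key; the same primitive the loader uses to unwrap itself.
function xorBytes(buf, key) {
  if (key.length === 0) throw new Error("empty XOR key");
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key[i % key.length];
  return out;
}

// Which variables the loader feeds to its own decode primitives (assumed shape):
//   <k>.charCodeAt(i % <k>.length)           -> the hardcoded key
//   Buffer.from(<d>, "base64") or atob(<d>)  -> the Base64 blob
function findVarNames(src) {
  const key = /(\w+)\.charCodeAt\(\s*\w+\s*%\s*\1\.length\s*\)/.exec(src);
  const blob = /Buffer\.from\(\s*(\w+)\s*,\s*["']base64["']\s*\)|atob\(\s*(\w+)\s*\)/.exec(src);
  if (!key || !blob) return null;
  return { keyVar: key[1], blobVar: blob[1] || blob[2] };
}

// First string literal assigned to `name` (var/let/const or a bare assignment).
function literalAssignedTo(src, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(["'\`])([^"'\`]*)\\1`);
  const m = re.exec(src);
  return m ? m[2] : null;
}

// Peel one layer: the recovered key, the ciphertext size, and the decoded text.
function peelLoader(src) {
  const names = findVarNames(src);
  if (!names) throw new Error("loader shape not recognised (no XOR/Base64 decode found)");
  const key = literalAssignedTo(src, names.keyVar);
  const blob = literalAssignedTo(src, names.blobVar);
  if (key === null || blob === null) throw new Error("key or blob literal not found");
  const cipher = Buffer.from(blob, "base64");
  const plain = xorBytes(cipher, Buffer.from(key, "utf8")).toString("utf8");
  return { key, cipherLength: cipher.length, plain };
}

// Keep peeling while the output still has the loader shape (nested packers).
function peelAll(src, maxDepth = 5) {
  const layers = [];
  let current = src;
  while (layers.length < maxDepth && findVarNames(current)) {
    const layer = peelLoader(current);
    layers.push(layer);
    current = layer.plain;
  }
  return { layers, final: current };
}

// True if the text still hands itself to eval/Function, i.e. there is another stage to read.
function hasEvalLayer(code) {
  return /\beval\s*\(|\bFunction\s*\(/.test(code);
}

// Constructed stand-in for index.js with the same shape; the payload is a harmless stub, not NYX's.
const SAMPLE_KEY = "k3y!";
const SAMPLE_PAYLOAD = 'const os = require("os");\nmodule.exports = () => os.hostname();\n';

function buildSampleLoader(payload, key) {
  const enc = xorBytes(Buffer.from(payload, "utf8"), Buffer.from(key, "utf8")).toString("base64");
  return [
    "(function(){",
    `var _k="${key}";var _d="${enc}";`,
    'var _b=Buffer.from(_d,"base64"),_o="";',
    "for(var i=0;i<_b.length;i++){_o+=String.fromCharCode(_b[i]^_k.charCodeAt(i%_k.length));}",
    "eval(_o);",
    "})();",
  ].join("");
}

const SAMPLE_LOADER = buildSampleLoader(SAMPLE_PAYLOAD, SAMPLE_KEY);
```

On a real sample, read index.js into `src` and call `peelAll(src)`; `cipherLength` should come out at 214,900 for the blob the write-up describes, and `hasEvalLayer(final)` tells you whether the decoded stage is the 5,092-line payload or yet another wrapper.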

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Buried in the code (lines 4630-4800) is a comprehensive anti-VM detection suite: 13 checks covering MAC address prefixes, BIOS strings, disk identifiers, running processes... It is also disabled.

Credential Access

3 techniques
T1528 Steal Application Access Token (evidence: 1)

NYX reads leveldb databases and Local State files, decrypts tokens protected by DPAPI using a PowerShell helper, and validates every recovered token against the Discord API...

T1539 Steal Web Session Cookie (evidence: 1)

Roblox: Extracts .ROBLOSECURITY cookies... Instagram: Extracts the sessionid cookie... TikTok: Same approach -- session cookie to API enumeration. Spotify: Extracts the sp_dc cookie...

T1555.003 Credentials from Web Browsers (evidence: 1)

chromelevator.exe operates independently of the Node.js payload. It harvests browser cookies, saved passwords, and Discord tokens from the local filesystem...

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

Buried in the code (lines 4630-4800) is a comprehensive anti-VM detection suite: 13 checks covering MAC address prefixes, BIOS strings, disk identifiers, running processes... It is also disabled.

Collection

3 techniques
T1113 Screen Capture (evidence: 1)

NYX captures screenshots at 80-millisecond intervals -- roughly 12 frames per second -- compresses them to JPEG (1280px width, quality 55), and streams them over the WebSocket.

T1123 Audio Capture (evidence: 1)

Inline C# compilation produces a native binary using the waveIn API (16kHz, 16-bit PCM) to record audio from the victim's microphone.

T1125 Video Capture (evidence: 1)

Using the Windows Media Foundation API, compiled from inline C# at runtime, NYX activates the victim's camera and streams MJPEG frames to the operator.

Command and Control

1 technique
T1071 Application Layer Protocol (evidence: 1)

NYX connects via WebSocket to ws://18[.]231[.]131[.]246:80 -- an AWS EC2 instance in the sa-east-1 region (Sao Paulo, Brazil). This is not a simple beacon. It is a bidirectional command-and-control channel supporting real-time interactive operations.

Exfiltration

1 technique
T1567 Exfiltration Over Web Service (evidence: 1)

Every piece of stolen data is sent through two independent channels simultaneously: Channel 1: Discord webhook... Channel 2: Telegram bot... For large files... NYX uploads to GoFile or Catbox and sends the download link through both channels.
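The C2 and exfiltration channels above are easy to hunt because none of them looks like a browser: a plain `ws://` WebSocket to a bare IP, Discord webhook posts, Telegram Bot API calls and uploads to GoFile or Catbox, all from node.exe. The following detection logic is an added example (not from the write-up or from Mallory) that runs over constructed proxy/EDR-style connection records. The C2 address is the one the write-up names, refanged so it can be matched; the browser list and the file-host patterns are assumptions.

```javascript
"use strict";

const BROWSERS = new Set(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"]);
// The WebSocket C2 from the write-up, refanged for matching.
const KNOWN_C2 = new Set(["18.231.131.246"]);
// Assumption: host patterns for the two file-drop services the write-up names.
const DROP_HOSTS = [/(^|\.)gofile\.io$/i, /(^|\.)catbox\.moe$/i];

const RE_DISCORD_WEBHOOK = /^https?:\/\/(?:[\w-]+\.)?discord(?:app)?\.com\/api\/webhooks\/(\d+)\/[\w-]+/i;
const RE_TELEGRAM_BOT = /^https?:\/\/api\.telegram\.org\/bot(\d+):[\w-]+\/\w+/i;
const RE_WS_BARE_IP = /^(wss?):\/\/(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(?:\/|$)/i;

const exe = (p) => (typeof p === "string" ? p.split(/[\\/]/).pop().toLowerCase() : "");
const fromBrowser = (e) => BROWSERS.has(exe(e.process));

// One rule per channel; each predicate looks at a single connection record.
const RULES = [
  { id: "T1071", name: "Known NYX C2 address",
    match: (e) => KNOWN_C2.has(e.dst) },
  { id: "T1071", name: "WebSocket to a bare IP from a non-browser process",
    match: (e) => !fromBrowser(e) && RE_WS_BARE_IP.test(e.url || "") },
  { id: "T1567", name: "Discord webhook post from a non-browser process",
    match: (e) => !fromBrowser(e) && RE_DISCORD_WEBHOOK.test(e.url || "") },
  { id: "T1567", name: "Telegram Bot API call from a non-browser process",
    match: (e) => !fromBrowser(e) && RE_TELEGRAM_BOT.test(e.url || "") },
  { id: "T1567", name: "Upload to an anonymous file host from a non-browser process",
    match: (e) => !fromBrowser(e) && DROP_HOSTS.some((re) => re.test(e.dst || "")) },
];

function scanNetwork(events) {
  const hits = [];
  events.forEach((e, index) => {
    for (const r of RULES) {
      if (r.match(e)) hits.push({ index, technique: r.id, rule: r.name, process: exe(e.process) });
    }
  });
  return hits;
}

// Operator-side identifier inside a C2/exfil URL, for blocking or pivoting.
function channelId(url) {
  let m;
  if ((m = RE_DISCORD_WEBHOOK.exec(url))) return { kind: "discord-webhook", id: m[1] };
  if ((m = RE_TELEGRAM_BOT.exec(url))) return { kind: "telegram-bot", id: m[1] };
  if ((m = RE_WS_BARE_IP.exec(url))) {
    const port = m[3] || (m[1].toLowerCase() === "wss" ? "443" : "80");
    return { kind: "websocket-ip", id: `${m[2]}:${port}` };
  }
  return null;
}

// Constructed connection records (process, URL, destination host, port); not real telemetry.
const NODE = "C:\\Program Files\\nodejs\\node.exe";
const CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe";
const SAMPLE_EVENTS = [
  { process: NODE, url: "ws://18.231.131.246:80/", dst: "18.231.131.246", port: 80 },                       // 0 C2
  { process: CHROME, url: "wss://gateway.discord.gg/?v=10", dst: "gateway.discord.gg", port: 443 },          // 1 benign
  { process: NODE, url: "https://discord.com/api/webhooks/1234567890/abcDEF-ghi", dst: "discord.com", port: 443 }, // 2
  { process: NODE, url: "https://api.telegram.org/bot123456:ABCdef_ghi/sendDocument", dst: "api.telegram.org", port: 443 }, // 3
  { process: NODE, url: "https://store1.gofile.io/uploadFile", dst: "store1.gofile.io", port: 443 },        // 4
  { process: CHROME, url: "https://discord.com/api/v9/users/@me", dst: "discord.com", port: 443 },          // 5 benign
  { process: NODE, url: "https://registry.npmjs.org/undici", dst: "registry.npmjs.org", port: 443 },        // 6 benign
];
```

`scanNetwork(SAMPLE_EVENTS)` flags records 0 (twice: known address and bare-IP WebSocket), 2, 3 and 4 and leaves the two Chrome records and the npm registry fetch alone; `channelId` turns the webhook and bot URLs into the identifiers you would hand to a blocklist or a takedown request.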

Defense Evasion (Impair Defenses)

1 technique
T1562.001 Disable or Modify Tools (evidence: 1)

A suite of system control actions: disable UAC, disable Windows Defender, disable Task Manager, and kill the shutdown button -- all via registry manipulation.
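The host-side artifacts listed under Execution, Persistence, Collection and Impair Defenses (the ONLOGON scheduled task, the ScreenLiveClient Run key, the Startup-folder copy, the windowless _nyx_launch.vbs, the runtime C# compile and the registry changes that disable UAC, Defender, Task Manager and the shutdown button) all come from a node.exe process tree, which is what makes them huntable. The following is an added example, not code from the write-up or from Mallory: a small rule set run over constructed EDR-style records. Two points are assumptions rather than facts from the write-up: the exact registry values NYX writes are not listed there, so the rule uses the standard policy values for each of the four actions; and the inline C# compile is assumed to go through csc.exe (as PowerShell Add-Type does), which an in-process compiler would not show. The environment-variable field is only present on telemetry sources that record it.

```javascript
"use strict";

// Helpers over possibly-missing string fields.
const has = (s, needle) => typeof s === "string" && s.toLowerCase().includes(needle.toLowerCase());
const base = (p) => (typeof p === "string" ? p.split(/[\\/]/).pop().toLowerCase() : "");

// Assumption: standard policy values for the four actions the write-up names.
const IMPAIR_VALUES = [
  ["\\Policies\\System\\EnableLUA", "0"],            // UAC off
  ["\\Windows Defender\\DisableAntiSpyware", "1"],   // Defender off
  ["\\Policies\\System\\DisableTaskMgr", "1"],       // Task Manager blocked
  ["\\Policies\\Explorer\\NoClose", "1"],            // shutdown removed from the Start menu
];

// One rule per artifact; each predicate looks at a single telemetry record.
const RULES = [
  { id: "T1053.005", name: "ONLOGON task at HIGHEST run level from Node.js",
    match: (e) => e.type === "process" && base(e.image) === "schtasks.exe"
      && has(e.cmdline, "/create") && has(e.cmdline, "/sc onlogon") && has(e.cmdline, "/rl highest")
      && (base(e.parent) === "node.exe" || has(e.cmdline, "ScreenLiveClient")) },
  { id: "T1547.001", name: "Run key written by Node.js or named ScreenLiveClient",
    match: (e) => e.type === "registry" && has(e.key, "\\CurrentVersion\\Run\\")
      && (base(e.process) === "node.exe" || has(e.key, "\\ScreenLiveClient")) },
  { id: "T1547.001", name: "Startup-folder drop by Node.js",
    match: (e) => e.type === "file" && has(e.path, "\\Start Menu\\Programs\\Startup\\")
      && base(e.process) === "node.exe" },
  { id: "T1059.005", name: "VBScript in Temp launched from Node.js",
    match: (e) => e.type === "process" && ["wscript.exe", "cscript.exe"].includes(base(e.image))
      && /\\temp\\[^"\s]*\.vbs/i.test(e.cmdline || "")
      && (base(e.parent) === "node.exe" || has(e.cmdline, "_nyx_launch.vbs")
          || (e.env !== undefined && e.env._NYX_HIDDEN === "1")) },
  { id: "T1123/T1125", name: "Runtime C# compile under Node.js or PowerShell",
    // Assumption: the inline compile goes through csc.exe; legitimate Add-Type use also hits this.
    match: (e) => e.type === "process" && base(e.image) === "csc.exe"
      && ["node.exe", "powershell.exe"].includes(base(e.parent)) },
  { id: "T1562.001", name: "Defense-impairing policy value set",
    match: (e) => e.type === "registry"
      && IMPAIR_VALUES.some(([suffix, data]) => has(e.key, suffix) && String(e.data) === data) },
];

function scan(events) {
  const hits = [];
  events.forEach((e, index) => {
    for (const r of RULES) if (r.match(e)) hits.push({ index, technique: r.id, rule: r.name });
  });
  return hits;
}

// Constructed telemetry (Sysmon/EDR-style process, registry and file records); not real data.
const NODE = "C:\\Program Files\\nodejs\\node.exe";
const TEMP = "C:\\Users\\v\\AppData\\Local\\Temp";
const RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
const POLICY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\";
const SAMPLE_EVENTS = [
  { type: "process", image: "C:\\Windows\\System32\\schtasks.exe", parent: "C:\\Windows\\explorer.exe",
    cmdline: "schtasks /query /fo LIST" },                                                           // 0 benign
  { type: "process", image: "C:\\Windows\\System32\\schtasks.exe", parent: NODE,
    cmdline: `schtasks /create /tn ScreenLiveClient /sc ONLOGON /rl HIGHEST /tr "wscript.exe //B ${TEMP}\\_nyx_launch.vbs" /f` }, // 1
  { type: "registry", process: NODE, key: RUN + "ScreenLiveClient",
    data: `wscript.exe //B ${TEMP}\\_nyx_launch.vbs` },                                               // 2
  { type: "registry", process: "C:\\Program Files\\Vendor\\setup.exe", key: RUN + "VendorUpdater",
    data: "C:\\Program Files\\Vendor\\updater.exe" },                                                  // 3 benign
  { type: "file", process: NODE,
    path: "C:\\Users\\v\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ScreenLiveClient.vbs" }, // 4
  { type: "process", image: "C:\\Windows\\System32\\wscript.exe", parent: NODE,
    cmdline: `wscript.exe //B //Nologo "${TEMP}\\_nyx_launch.vbs"`, env: { _NYX_HIDDEN: "1" } },     // 5
  { type: "process", image: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", parent: NODE,
    cmdline: `csc.exe /noconfig /fullpaths @${TEMP}\\build.cmdline` },                               // 6
  { type: "registry", process: "C:\\Windows\\System32\\reg.exe", key: POLICY + "EnableLUA", data: "0" }, // 7
  { type: "registry", process: "C:\\Windows\\System32\\svchost.exe", key: POLICY + "EnableLUA", data: "1" }, // 8 benign
];
```

`scan(SAMPLE_EVENTS)` returns one hit each for records 1, 2, 4, 5, 6 and 7 and nothing for the Explorer task query, the vendor Run key or the UAC value being set back to 1. The same predicates translate directly into Sigma selections (process image plus command-line contains, registry target object plus details) if that is how your SIEM consumes rules.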

INDICATORS OF COMPROMISE

IOCs tracked for this family

15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, by type:

Network: 4 tracked. IPs, domains, and DNS infrastructure linked to this family.
Hashes: 8 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other: 3 tracked. Other indicator types observed in public reporting.

Latest sightings (values are redacted on the public page; full values are available in Mallory):

Type         Value       Latest sighting
domain       (redacted)  3 months ago
domain       (redacted)  3 months ago
domain       (redacted)  3 months ago
hash.sha1    (redacted)  3 months ago
hash.sha256  (redacted)  3 months ago
hash.sha256  (redacted)  3 months ago