ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain y-hazel-ten.vercel.app.

Database Entry

Add tag Delete this IOC  Report False Positive Export IOC (JSON)    Export IOC (CSV)
IOC ID:1802064
IOC: y-hazel-ten.vercel.app
IOC Type :domain
Threat Type :botnet_cc
Malware: BeaverTail
Confidence Level : Confidence level is high (100%)
Is compromised? : False
ASN:AS16509 AMAZON-02
Country:- US
First seen:2026-04-29 11:37:13 UTC
Last seen:never
UUID:b3fe09ad-43b8-11f1-8759-42010aa4000a
Reporter o_zehentleitner
Reward 5 credits from ThreatFox
Tags:base64-obfuscated-c2 BeaverTail ContagiousInterview DPRK env-exfiltration function-eval jackpot Lazarus Novara1o1 npm-prepare-hook Web3-targeting
Reference: https://github.com/Novara1o1/jackpot

Avatar
o_zehentleitner
Stage-2 BeaverTail C2 of Novara1o1/jackpot Contagious-Interview campaign. Base64-hidden in .env as AUTH_API (aHR0cHM6Ly95LWhhemVsLXRlbi52ZXJjZWwuYXBwL2FwaQ==). Exfiltrates full process.env via POST with fake header 'x-app-request: ip-check', and response body is evaluated via 'new Function(require, response.data); executor(require)'. Triggered automatically when victim runs npm install (package.json prepare hook -> node server/server.js -> routes/api/auth.js validateApiKey).