ThreatFox IOC Database
You are viewing the ThreatFox database entry for ip:port 45.59.163.198:1244.
Database Entry
| Field | Value |
|---|---|
| IOC ID: | 1833005 |
| IOC: | 45.59.163.198:1244 |
| IOC Type: | ip:port |
| Threat Type: | botnet_cc |
| Malware: | BeaverTail |
| Confidence Level: | Confidence level is high (100%) |
| Is compromised?: | True |
| ASN: | AS397423 TIER-NET |
| Country: | US |
| First seen: | 2026-06-17 05:45:31 UTC |
| Last seen: | never |
| UUID: | 576b9abd-69db-11f1-9258-42010aa4000a |
| Reporter: | IvoB |
| Reward: | 5 credits from ThreatFox |
| Tags: | ContagiousInterview DPRK FakeInterview |
| Reference: | https://gitlab.com/marotino-hiring/helios-app/-/blob/main/tailwind.config.js |

Reporter comment (IvoB):
I'm sorry, this is my first time reporting and I'm not sure how this goes; I'm following Claude's instructions on how I'm supposed to report this. I inspected a coding challenge sent to me, decided to check it just in case, and it appears to contain malware.
- Malicious file: **tailwind.config.js**. After the legitimate Tailwind config closes (`};` on line 32), ~10,600 characters of obfuscated JavaScript are appended on the same line.
- The README instructs candidates to run `npm install` && `npm start`. Running the project causes PostCSS to `require()` the Tailwind config, executing the payload.
- Behavior (statically decoded): loads `os/fs/path/process/request/child_process`; beacons to C2 **http://45.59.163.198:1244**; downloads a second stage to **~/.vscode/f.js**, runs `npm i` there, and executes it detached via `nohup`/Node; POSTs host data to `/keys`. It targets browser-saved credentials and cryptocurrency wallets.
- This matches the DPRK-linked "Contagious Interview" / BeaverTail npm-loader campaign.