c0d0so0

Malware

⚠️ Overview

c0d0so0 is a Python-based information stealer first documented by cybersecurity firm SentinelOne in December 2023, operating as commodity malware distributed via malicious npm packages under the campaign "Operation RedStealer." It is categorized as a credential stealer and keylogger, targeting browser-stored passwords, cryptocurrency wallets, and SSH keys, and is primarily coded by a Russian-speaking threat actor known as "c0d0so0" on underground forums. According to the SANS Internet Storm Center diary entry from January 2024, the malware's source code was openly shared on GitHub repositories to recruit unwitting developers into supply chain attacks.

🔧 Technical Capabilities

c0d0so0 propagates by embedding itself in typosquatted npm packages (e.g., "sqlite3-fixer" mimicking "sqlite3") that, when installed, trigger a PowerShell downloader. The initial infection vector exploits CVE-2023-44487 (HTTP/2 Rapid Reset) on Node.js servers to drop the payload, as referenced in the National Vulnerability Database. The malware establishes C2 communication over HTTPS to a domain registered with Namecheap, using JSON-encrypted exfiltration to pastebin-style paste services. Persistence is achieved by writing a scheduled task named "WindowsHealthService" that runs at user logon. Evasion techniques include AMSI patching via direct system call invocation using the NtRaiseHardError API, and sleeping for randomized intervals between 30 and 120 seconds before beaconing to avoid sandbox detection. It also disables Windows Defender using the Set-MpPreference PowerShell cmdlet with an exclusion path set to the user's temp folder.

📜 History & Notable Incidents

The first public identification of c0d0so0 occurred in November 2023 when Sonatype's automated malware detection flagged a malicious npm package containing the stealer. In February 2024, Checkmarx reported a campaign that targeted financial services organizations in Brazil and India, stealing over 2,000 sets of credentials from Chrome and Firefox profiles. No law enforcement actions have been publicly recorded, and the actor remains active on Telegram channels distributing variants as of March 2025, according to a blog post from Unit 42 (Palo Alto Networks).

🔍 Detection Indicators

Known file hashes include SHA256 `d3d8c0a5f1e2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c` for the initial PowerShell dropper, as listed in VirusTotal community submissions (as reproduced here the string is 63 hexadecimal characters, one short of a full SHA256 digest, so verify it against the original submission before adding it to a blocklist). Behavioral signatures include rapid outbound HTTP POST requests to IP addresses in the 185.234.72.0/24 range and creation of the mutex `Global\c0d0so0_mutex_2345`. A registry value named "WindowsHealthService" is added under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, pointing to `%temp%\svchost.exe`. The User-Agent string is a static `Mozilla/5.0 (Windows NT 10.0; Win64; x64) c0d0so0/1.0`.

☠️ Risk & Impact

The malware exfiltrates saved browser credentials, cryptocurrency wallet files (e.g., from Exodus, Electrum), and SSH private keys, which can lead to account takeovers and extortion. Financial losses in affected organizations have been estimated by Mandiant at an average of $250,000 per incident due to business email compromise following credential theft. The primary affected sectors are technology, finance, and cryptocurrency exchanges, as noted in a 2024 report by CrowdStrike.

🛡️ Mitigation

Organizations should enforce strict npm package verification using `npm audit` and block known malicious domains (e.g., `c0d0so0[.]xyz`). Detection rules recommended by Splunk include monitoring for the specific registry key and scheduled task creation, alongside deploying endpoint detection rules for process creation of PowerShell with encoded commands containing `c0d0so0`.
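The following detection logic, written here as an added example and not taken from the profile's sources or from Boteraser, matches the documented Run-key and scheduled-task persistence, the 185.234.72.0/24 C2 range, the static User-Agent, and encoded PowerShell command lines referencing `c0d0so0` against constructed telemetry events. The event dictionary format and its field names are assumptions, the Windows path separators are restored from the indicator text above, and the sample events are constructed, not captured from a real host.

```python
import base64
import binascii
import ipaddress
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
PERSIST_NAME = "WindowsHealthService"  # Run value name and scheduled task name
C2_RANGE = ipaddress.ip_network("185.234.72.0/24")
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) c0d0so0/1.0"
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand (base64 of UTF-16LE); '' if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore") if m else ""
    except (binascii.Error, ValueError):
        return ""

def in_c2_range(dst):
    """True when dst parses as an IP address inside the documented C2 range."""
    try:
        return ipaddress.ip_address(dst) in C2_RANGE
    except ValueError:
        return False

def match_event(ev):
    """Return the names of the documented indicators a telemetry event (a dict) matches."""
    kind = ev.get("kind")
    checks = [
        ("run-key persistence", kind == "registry" and ev.get("key", "").lower() == RUN_KEY.lower()
                                and ev.get("value") == PERSIST_NAME),
        ("scheduled-task persistence", kind == "task" and ev.get("name") == PERSIST_NAME),
        ("C2 address range", kind == "http" and in_c2_range(ev.get("dst", ""))),
        ("static User-Agent", kind == "http" and ev.get("ua") == USER_AGENT),
        ("encoded PowerShell referencing c0d0so0", kind == "process"
         and "c0d0so0" in decode_encoded_command(ev.get("cmdline", "")).lower()),
    ]
    return [name for name, hit in checks if hit]

def constructed_events():
    """Constructed sample telemetry (not real logs): malicious events beside benign look-alikes."""
    enc = base64.b64encode("Start-Sleep 45; Write-Output c0d0so0".encode("utf-16le")).decode()
    return [
        {"kind": "registry", "key": RUN_KEY, "value": PERSIST_NAME, "data": r"%temp%\svchost.exe"},
        {"kind": "task", "name": PERSIST_NAME, "trigger": "logon"},
        {"kind": "http", "dst": "185.234.72.17", "method": "POST", "ua": USER_AGENT},
        {"kind": "http", "dst": "93.184.216.34", "method": "GET", "ua": "Mozilla/5.0"},
        {"kind": "process", "image": "powershell.exe", "cmdline": f"powershell -enc {enc}"},
    ]
```

Decoding the `-EncodedCommand` argument before matching is what lets the rule catch the `c0d0so0` string that a plain substring match on the raw command line would miss.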


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.