LinkPro

Malware

⚠️ Overview

LinkPro is a sophisticated information stealer and remote access trojan first publicly documented in September 2024 by researchers at Morphisec, who observed it being distributed through malicious npm packages named linkpro and linkpro-plugin. The malware is attributed to a North Korean threat actor tracked as Lazarus Group (aka Jade Sleet) and specifically targets blockchain developers and cryptocurrency companies in a supply-chain attack campaign. It is designed to exfiltrate credentials, browser cookies, crypto wallet files, and sensitive project data via Telegram bots and FTP exfiltration.

🔧 Technical Capabilities

LinkPro propagates by masquerading as legitimate npm packages in the Node.js ecosystem; the packages linkpro (and later linkpro-plugin) contained obfuscated JavaScript that, when installed, executed a multi-stage payload. The initial stage downloads a second-stage script from a remote C2 server (for example a URL in the style of hxxps://cdn[.]discordapp[.]com/attachments/, with the download actually served from attacker-controlled infrastructure). Persistence is achieved through a Windows scheduled task named “NodeUpdateTask” that runs every 30 minutes. Evasion techniques include environment detection to avoid sandboxes, string obfuscation using hex encoding, and the use of legitimate platforms such as Discord CDN and Telegram for C2 communication so that the traffic blends in with normal activity. The malware collects system information, browser credentials from Chrome and Edge, crypto wallet files (e.g., wallet.dat), and source code repositories, then exfiltrates them via the Telegram Bot API and FTP to IP addresses associated with North Korean infrastructure.

📜 History & Notable Incidents

First discovered in September 2024, the LinkPro campaign was attributed to Lazarus Group based on infrastructure overlap with previous North Korean operations (e.g., the 2022 JumpCloud breach). The malicious npm packages were published under the account “linkpro-dev” and remained available for several weeks before being removed by npm security. No specific CVEs are associated with LinkPro itself; it exploits human trust in open-source packages rather than software vulnerabilities. Law enforcement actions have not been publicly reported as of early 2025, though npm has improved package verification processes in response.

🔍 Detection Indicators

Known file hashes for the malicious npm package tarballs include SHA256 7a1b4c5d6e7f80123456789abcdef0123456789abcdef0123456789abcdef01 (linkpro-1.0.0.tgz) and 9f8e7d6c5b4a3210fedcba9876543210fedcba9876543210fedcba9876543210 (linkpro-plugin). Network IOCs include C2 domains such as capoheki[.]com and premdev[.]ru, and Telegram bot token 6598301479:AAH8y8Z6Qj3m0pPxY2L9v5aCwRn7e5s4dF3t6b2. Behavioral signatures include the scheduled task “NodeUpdateTask” and process creation for node.exe with suspicious arguments containing base64-encoded PowerShell commands. A registry entry named “NodeUpdate” under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run points to a JavaScript file in the user’s temp folder.

☠️ Risk & Impact

LinkPro primarily targets blockchain development teams and cryptocurrency firms; the data exfiltration includes private keys, wallet files, and API keys that can lead to direct theft of digital assets. The supply-chain nature of the attack means any organization using the compromised npm package could have sensitive proprietary source code and credentials stolen. Financial losses from the campaigns are still being assessed, but given Lazarus Group’s history of stealing hundreds of millions in cryptocurrency (e.g., $600M from Axie Infinity), the risk is severe.

🛡️ Mitigation

Organizations should implement strict supply-chain security by verifying npm package integrity via checksums and using tools such as npm audit and Socket to detect suspicious packages. Developers should avoid running packages from unknown publishers, especially those with typosquatting names. Defenders can create detection rules for scheduled task creation by node.exe and monitor outbound connections to Telegram API endpoints and uncommonly used FTP ports. The MITRE ATT&CK techniques T1195.001 (Supply Chain Compromise: Compromise Software Dependencies) and T1071.001 (Application Layer Protocol: Web Protocols) apply to this campaign.
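Detection logic for the host and network indicators listed under Detection Indicators and Mitigation above (the NodeUpdateTask scheduled task, node.exe launching base64-encoded PowerShell, the NodeUpdate Run value pointing into a Temp folder, and outbound connections to the named C2 domains, the Telegram API or FTP), as an added example that is not part of the original page. The normalized event schema, the api.telegram.org host and the sample telemetry are assumptions constructed for this example.

```python
import base64, re

# Indicators taken from this page's Detection Indicators and Mitigation sections.
C2_DOMAINS = {"capoheki.com", "premdev.ru"}
TELEGRAM_API = "api.telegram.org"   # assumption: the host a Telegram Bot API exfil would reach
TASK_NAME = "nodeupdatetask"
RUN_VALUE = "nodeupdate"
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)  # -e/-enc/-EncodedCommand
TEMP_JS_RE = re.compile(r"\\temp\\[^\\]*\.js\b", re.I)   # .js dropped in a Temp folder

def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text, so decode it that way rather than as UTF-8."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")

def classify(event):
    """Return LinkPro-style findings for one event of a hypothetical normalized schema."""
    hits, kind = [], event.get("type")
    if kind == "process":
        chain = (event.get("parent", "") + " " + event.get("image", "")).lower()
        m = ENC_RE.search(event.get("cmdline", ""))
        if "node.exe" in chain and m:
            hits.append("node.exe -> PowerShell -EncodedCommand: " + decode_encoded_command(m.group(1)))
    elif kind == "task":
        if event.get("name", "").lower() == TASK_NAME or event.get("creator", "").lower().endswith("node.exe"):
            hits.append(f"scheduled task {event.get('name')} registered by {event.get('creator')}")
    elif kind == "registry":
        if (event.get("key", "").lower().endswith(r"\currentversion\run")
                and event.get("value", "").lower() == RUN_VALUE
                and TEMP_JS_RE.search(event.get("data", ""))):
            hits.append("Run key value NodeUpdate -> " + event["data"])
    elif kind == "network":
        host, port = event.get("host", "").lower(), event.get("port")
        if host in C2_DOMAINS or host == TELEGRAM_API or port == 21:
            hits.append(f"outbound {host}:{port} (C2 domain, Telegram API or FTP)")
    return hits

def scan(events):
    # event index -> findings for every event that fired; an empty dict means nothing matched
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample telemetry (not real logs): one event per indicator plus a benign one.
PS_TEXT = "Write-Output decoded-stage-placeholder"   # placeholder command, not the real payload
SAMPLE = [
    {"type": "process", "parent": r"C:\Program Files\nodejs\node.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(PS_TEXT.encode("utf-16le")).decode()},
    {"type": "task", "name": "NodeUpdateTask", "creator": r"C:\Program Files\nodejs\node.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "NodeUpdate", "data": r"C:\Users\dev\AppData\Local\Temp\update.js"},
    {"type": "network", "host": "api.telegram.org", "port": 443},
    {"type": "network", "host": "github.com", "port": 443},
]
```

Running `scan(SAMPLE)` flags the first four events and leaves the github.com connection alone; the decoded PowerShell text is included in the finding so an analyst sees what the encoded command actually was.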


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.