Analysis of TraderTraitor’s GopherGrabber Malware observed by Willo Campaign
2025.04.21

✅ Report Title:


Detailed Analysis of TraderTraitor’s GopherGrabber Malware observed by Willo Campaign



The S2W Threat Intelligence Center has published an analysis report on the Willo Campaign, which is linked to the North Korea-backed APT group TraderTraitor. The report provides threat intelligence on the GopherGrabber malware, which was difficult to identify in earlier incidents.



✅ Executive Summary:


1) Supply Chain Attack

The malicious packages associated with the Willo Campaign were first distributed through the official NPM repository in June 2024.

- cors-app: A loader that imports the “cors-parser” package.

- cors-parser: A malicious package containing the index.js script responsible for executing the actual malicious activities.


2) Fake Installer

In July 2024, an installer disguised as the setup program for a service called “Versus X” was distributed, with GopherGrabber as the final payload.

The S2W Threat Intelligence Center identified and is tracking GopherGrabber, malware distributed as directly executable Go project source code rather than as a compiled binary. It runs in a multi-platform environment and combines a backdoor function with a stealer function, communicating with its C2 server over HTTP/S using MD5 hashing and RC4-encrypted packets.


3) Spear Phishing via LinkedIn

Since December 2024, an attack campaign has been distributing the GopherGrabber malware on LinkedIn by luring targets through job offers that lead to a video interview phishing page and trick targets into executing malicious commands. This campaign is being tracked under the name Willo Campaign.

The campaign has been identified as a targeted attack against employees in the cryptocurrency industry, including IT developers and sales managers.


4) Threat Actor

Multiple characteristics of the North Korea-based APT group TraderTraitor were observed in the malware distribution methods and attack objectives. However, a possible connection to UNC5221, a China-based APT group, cannot be ruled out: an SSL certificate used in the infrastructure matches one used by WARPWIRE, a malware family associated with UNC5221.


5) Impact

A cryptocurrency theft incident linked to the Willo Campaign has been reported, with total estimated losses amounting to approximately 64,020.



📌 What is the Willo Campaign?


The Willo Campaign, active since December 2024, is a widespread phishing campaign targeting employees in the cryptocurrency industry. To distribute the malware, the threat actors used sophisticated social engineering techniques: offering targets jobs through job search platforms such as LinkedIn, tricking them into executing commands that download the malware via GitHub issue pages, and creating a phishing page impersonating the video interview platform Willo. To avoid suspicion, the malware was delivered only after the targets had answered questions framed as part of the job interview.



📌 What are the specific details of the malicious installer and the GopherGrabber malware?


GopherGrabber: A malware distributed in the form of compressed project source code written in Go, which steals browser credentials and user information. It operates as a backdoor malware that performs HTTP/S communication with the C2 server using MD5 hashing and RC4 encrypted packets.
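The executive summary and the paragraph above both state that GopherGrabber's C2 traffic uses MD5 hashing and RC4-encrypted packets, without saying how the two are combined. The following Go program is an added example, not code from the report or from the malware: it assumes one plausible scheme (RC4 key = MD5 digest of a shared secret) and shows how an analyst would encrypt a beacon, decrypt a captured body once the secret is recovered from the dropped source, and why the result must be validated, since RC4 gives no integrity check and a wrong key silently produces garbage. The secret and beacon are constructed values.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rc4"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// DeriveKey models one plausible way to combine the two primitives the
// report names: the RC4 key is the 16-byte MD5 digest of a shared secret.
// Assumption: the report does not state how MD5 and RC4 are actually combined.
func DeriveKey(secret []byte) []byte {
	sum := md5.Sum(secret)
	return sum[:]
}

// rc4Transform applies the RC4 keystream to buf. RC4 is a stream cipher,
// so encryption and decryption are the same XOR operation.
func rc4Transform(key, buf []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key) // fails only for keys outside 1..256 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(buf))
	c.XORKeyStream(out, buf)
	return out, nil
}

// EncryptPacket is what a client would do to a beacon before sending it.
func EncryptPacket(secret, plaintext []byte) ([]byte, error) {
	return rc4Transform(DeriveKey(secret), plaintext)
}

// DecryptPacket is what an analyst does to a captured packet body once the
// secret is known (recoverable from the dropped Go source, since the report
// describes the payload as distributed in source form).
func DecryptPacket(secret, packet []byte) ([]byte, error) {
	return rc4Transform(DeriveKey(secret), packet)
}

// IsValidBeacon is the sanity check RC4 itself cannot provide: a wrong key
// is not an error, it just yields bytes that do not parse as the expected
// JSON. Assumption: the beacon format is JSON only for this example.
func IsValidBeacon(b []byte) bool {
	return json.Valid(b)
}

func main() {
	// Constructed sample values; nothing here is an indicator from the report.
	secret := []byte("hypothetical-shared-secret")
	beacon := []byte(`{"host":"WIN-EXAMPLE","user":"analyst","os":"windows"}`)

	wire, err := EncryptPacket(secret, beacon)
	if err != nil {
		panic(err)
	}
	fmt.Println("wire:", hex.EncodeToString(wire))

	good, _ := DecryptPacket(secret, wire)
	bad, _ := DecryptPacket([]byte("wrong-secret"), wire)
	fmt.Println("correct key recovers beacon:", bytes.Equal(good, beacon), IsValidBeacon(good))
	fmt.Println("wrong key parses as JSON:   ", IsValidBeacon(bad))
}
```

The key-derivation step is the part most likely to differ in the real sample (the digest could be over a hard-coded string, a host identifier, or a timestamp), so when adapting this to a capture, locate the call to the MD5 routine in the dropped source first and mirror its exact input.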


The S2W Threat Analysis Team identified an additional malicious installer, compiled on July 12, 2024, while investigating further threat intelligence related to the domain “api.jz aws[.]info.”


Although the exact distribution method of the installer file has not been identified, it was found that the malicious installer was distributed under the file name “VersusxSetup.exe” and the icon within the resource section of the installer matches that of the Versus X service. Considering that the official social media account of the service announced a closed beta test on July 11, it is assessed that this malware was designed to target users interested in the Versus X service.

When executed, the malicious installer downloads and installs Go on the infected device, drops the Go source code embedded in the binary, and executes it. The same infection method and the same use of Go-based malware were later observed in the Willo Campaign. The executed Go source code is identified as malware with backdoor and stealer functionalities. The S2W Threat Analysis Team has named this malware family GopherGrabber and is actively tracking its activities.
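The infection chain above (an installer that installs the Go toolchain, drops source, and runs it) leaves a distinctive process-creation pattern: the `go` binary invoked with `run` or `build` by a parent that is an installer, or against source staged in a user-writable directory. The Go program below is an added example, not detection content from the report or from S2W: the installer name suffixes, staging directories and event schema are assumptions to tune per environment, and the sample events are constructed telemetry in which only the file name VersusxSetup.exe is taken from the report. It handles both Windows and macOS paths because the report describes the malware as multi-platform.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ProcEvent is a minimal process-creation record. The field set is a
// constructed shape, not a real Sysmon or EDR schema.
type ProcEvent struct {
	Parent  string // image path of the parent process
	Image   string // image path of the new process
	CmdLine string // full command line of the new process
}

// Hypothetical heuristics: the report states only that the installer
// installs Go, drops source and executes it, so these name and path
// patterns are assumptions to be tuned per environment.
var installerSuffixes = []string{"setup.exe", "installer.exe", "install.exe"}
var stagingDirs = []string{
	"/appdata/local/temp/", "/appdata/roaming/", "/programdata/", // Windows
	"/tmp/", "/private/tmp/", "/var/folders/", // macOS
}

// normalize lower-cases a path and folds Windows separators so the same
// checks work for Windows and macOS paths on any analysis host.
func normalize(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

func isInstaller(image string) bool {
	name := path.Base(normalize(image))
	for _, s := range installerSuffixes {
		if strings.HasSuffix(name, s) {
			return true
		}
	}
	return false
}

func inStagingDir(p string) bool {
	n := normalize(p)
	for _, d := range stagingDirs {
		if strings.Contains(n, d) {
			return true
		}
	}
	return false
}

// Detect returns one reason per event matching "Go toolchain invoked to run
// or build source, either by an installer or on source staged in a
// user-writable directory". Ordinary developer builds match neither branch.
func Detect(events []ProcEvent) []string {
	var hits []string
	for _, e := range events {
		if b := path.Base(normalize(e.Image)); b != "go" && b != "go.exe" {
			continue
		}
		fields := strings.Fields(e.CmdLine)
		if len(fields) < 3 || (fields[1] != "run" && fields[1] != "build") {
			continue
		}
		switch {
		case isInstaller(e.Parent):
			hits = append(hits, fmt.Sprintf("installer %s spawned: %s",
				path.Base(normalize(e.Parent)), e.CmdLine))
		case inStagingDir(strings.Join(fields[2:], " ")):
			hits = append(hits, fmt.Sprintf("go %s on staged source: %s", fields[1], e.CmdLine))
		}
	}
	return hits
}

// SampleEvents is constructed telemetry: event 1 is the installer chain,
// event 2 a benign IDE build, event 3 a macOS variant of the chain, and
// event 4 the installer start itself (no Go involved, so not a hit).
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{Parent: `C:\Users\victim\Downloads\VersusxSetup.exe`, Image: `C:\Program Files\Go\bin\go.exe`,
			CmdLine: `go.exe run C:\Users\victim\AppData\Local\Temp\gg\main.go`},
		{Parent: `C:\Program Files\JetBrains\GoLand\bin\goland64.exe`, Image: `C:\Program Files\Go\bin\go.exe`,
			CmdLine: `go.exe build ./...`},
		{Parent: `/bin/zsh`, Image: `/usr/local/go/bin/go`,
			CmdLine: `go run /private/tmp/gg/main.go`},
		{Parent: `C:\Windows\explorer.exe`, Image: `C:\Users\victim\Downloads\VersusxSetup.exe`,
			CmdLine: `VersusxSetup.exe`},
	}
}

func main() {
	for _, h := range Detect(SampleEvents()) {
		fmt.Println("ALERT:", h)
	}
}
```

In a real deployment the staging-directory branch will fire on developers who keep scratch projects under `/tmp`, so pair it with an allow-list of known build hosts; the installer-parent branch is the higher-fidelity signal and rarely occurs outside an infection.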



✅ Recommended Threat Detection and Mitigation Actions


The contents of the report can be summarized into four categories as follows.


1) Threat Detail

The Willo Campaign refers to a phishing campaign targeting workers in the cryptocurrency industry, utilizing sophisticated social engineering techniques. It is primarily characterized by the use of the GopherGrabber malware, which is written in the Go programming language.


2) Activities

Malware was distributed through the official NPM package repository in June 2024, and GopherGrabber was spread disguised as an installation file for the Versus X service in July 2024. However, widespread attack activity through phishing campaigns has increased sharply since December 2024.


3) Features

It has been confirmed that the malware samples distributed in this campaign have been circulating since around June 2024. According to S2W’s analysis, it is estimated that the malware was created by a different developer than the one responsible for creating the BeaverTail/InvisibleFerret malware, and therefore, it has been classified as a separate malware cluster.

The malware samples used in the Willo Campaign are believed to be designed to operate across multiple platforms, including Windows and macOS. Significant efforts have been made to establish persistence mechanisms within the infection chain caused by the malware.


4) Threat Profile

The threat campaign discussed in this report is strongly assessed to be backed by the North Korean APT group TraderTraitor. However, there is a weak association with the network infrastructure used by the WARPWIRE malware, which is linked to the Chinese APT group UNC5221, based on the observed indicators.

Based on the alignment of the observed TTPs with previously known North Korean APT attack methods and objectives, the attack is attributed to North Korea with moderate confidence. However, a connection with a Chinese APT group remains possible.




🧑‍💻 Author: S2W TALON (Updated. 2025-03-07)


👉 Contact us: https://s2w.inc/en/contact


*The full report is available upon request.

