{
  "campaign": {
    "name": "procwire / deltajohnsons Windows Dropper",
    "slug": "procwire-deltajohnsons-windows-dropper",
    "href": "/ti/campaigns/procwire-deltajohnsons-windows-dropper",
    "description": "Single operator published five coordinated npm packages in a 12-minute burst on 2026-06-16 (14:44:00-14:56:56 UTC) to deliver a Windows binary dropper split across packages. Two fabricated GitHub orgs (akuznetsov-oss, vpetrov-oss, now 404), throwaway maintainer emails under custom domain deltajohnsons.com (one random local-part per package), and two invented author personas (Anton Kuznetsov <akuznetsov-dev@protonmail.com>, Viktor Petrov <vpetrov-node@protonmail.com>). Weaponized: procwire (dropper) + routecraft (Express typosquat on-Windows trigger). Tooling: bytecraft (XOR helper), endpointmap (metadata-only C2 store), staticlayer (the operator's own payload server side, UA-gated). Assessed NET-NEW operator/cluster (high confidence); not a known actor. The only shared atom with prior KB campaigns is catbox.moe (broadly-abused shared infra, used here for inbound payload staging vs LofyGang outbound exfil) — coincidental, NOT attribution.",
    "objective": "Deliver and execute a hidden Windows binary payload on developer/CI machines via npm install, splitting the dropper across multiple packages to evade per-package detection.",
    "aliases": [],
    "discovered_at": "2026-06-17"
  },
  "packages": [
    {"ecosystem": "npm", "name": "procwire", "href": "/ti/packages/npm/procwire", "threat_types": ["c2_agent", "persistence", "other"], "versions": ["1.3.0"]},
    {"ecosystem": "npm", "name": "routecraft", "href": "/ti/packages/npm/routecraft", "threat_types": ["typosquat", "other"], "versions": ["4.2.0"]},
    {"ecosystem": "npm", "name": "endpointmap", "href": "/ti/packages/npm/endpointmap", "threat_types": ["c2_agent", "other"], "versions": ["2.1.0"]},
    {"ecosystem": "npm", "name": "bytecraft", "href": "/ti/packages/npm/bytecraft", "threat_types": ["other"], "versions": ["1.5.0"]},
    {"ecosystem": "npm", "name": "staticlayer", "href": "/ti/packages/npm/staticlayer", "threat_types": ["c2_agent", "other"], "versions": ["1.1.0"]}
  ],
  "indicators": [
    {"kind": "domain", "value": "deltajohnsons.com", "href": "/ti/ioc/domain/deltajohnsons.com", "context": "Custom throwaway email domain shared across all five npm maintainer accounts (one unique random local-part per package). Strongest cluster fingerprint for this operator."},
    {"kind": "github_repo", "value": "akuznetsov-oss", "href": "/ti/ioc/github_repo/github_repo-c2638f053756", "context": "Fabricated GitHub organization (now 404) for procwire and routecraft."},
    {"kind": "github_repo", "value": "vpetrov-oss", "href": "/ti/ioc/github_repo/github_repo-f219a1772e7c", "context": "Fabricated GitHub organization (now 404) for bytecraft, endpointmap, staticlayer."},
    {"kind": "email", "value": "akuznetsov-dev@protonmail.com", "href": "/ti/ioc/email/akuznetsov-dev@protonmail.com", "context": "Invented author persona 'Anton Kuznetsov' (akuznetsov-oss org packages: procwire, routecraft)."},
    {"kind": "email", "value": "vpetrov-node@protonmail.com", "href": "/ti/ioc/email/vpetrov-node@protonmail.com", "context": "Invented author persona 'Viktor Petrov' (vpetrov-oss org packages: bytecraft, endpointmap, staticlayer)."},
    {"kind": "url", "value": "https://files.catbox.moe/j4loim.chk", "href": "/ti/ioc/url/url-5c84395b1a04", "context": "Decoded C2 / payload URL, reconstructed from endpointmap's _ep+_p byte arrays XOR-decoded with the name-derived key 'endpoint'. catbox.moe is a public anonymous file host abused for inbound payload staging."},
    {"kind": "domain", "value": "files.catbox.moe", "href": "/ti/ioc/domain/files.catbox.moe", "context": "Payload staging host. catbox.moe flagged by 6/92 VirusTotal vendors at analysis time. Shared atom with LofyGang (lofygang-undicy-http) but used here for INBOUND payload staging vs LofyGang's OUTBOUND exfil — coincidental shared infra, NOT attribution."},
    {"kind": "file_path", "value": "lib/setup.js", "href": "/ti/ioc/file_path/file_path-eebe441416ca", "context": "procwire preinstall entrypoint: win32 guard, name-derived XOR key, C2 decode, worker.init()."},
    {"kind": "email", "value": "avu2mglrijzlnu4ujkca@deltajohnsons.com", "href": "/ti/ioc/email/avu2mglrijzlnu4ujkca@deltajohnsons.com", "context": "procwire maintainer email."},
    {"kind": "email", "value": "sg5kcaiezwyf9umsphqc@deltajohnsons.com", "href": "/ti/ioc/email/sg5kcaiezwyf9umsphqc@deltajohnsons.com", "context": "routecraft maintainer email."},
    {"kind": "file_path", "value": "lib/registry.js", "href": "/ti/ioc/file_path/file_path-c76cf141522a", "context": "endpointmap metadata-only C2 store: XOR-encoded _ep and _p byte arrays disguised as endpoint constants."},
    {"kind": "email", "value": "hmlfyhj29biz62gkvxbh@deltajohnsons.com", "href": "/ti/ioc/email/hmlfyhj29biz62gkvxbh@deltajohnsons.com", "context": "endpointmap maintainer email."},
    {"kind": "email", "value": "dstc2xvtq7fszbvmbvic@deltajohnsons.com", "href": "/ti/ioc/email/dstc2xvtq7fszbvmbvic@deltajohnsons.com", "context": "bytecraft maintainer email."},
    {"kind": "email", "value": "ynn47wq89mvauxti9zgf@deltajohnsons.com", "href": "/ti/ioc/email/ynn47wq89mvauxti9zgf@deltajohnsons.com", "context": "staticlayer maintainer email."}
  ],
  "ttps": [
    {"name": "Compromise Software Supply Chain", "mitre_attack_id": "T1195.002", "href": "/ti/ttps/T1195.002"},
    {"name": "Command and Scripting Interpreter: JavaScript", "mitre_attack_id": "T1059.007", "href": "/ti/ttps/T1059.007"},
    {"name": "Deobfuscate/Decode Files or Information", "mitre_attack_id": "T1140", "href": "/ti/ttps/T1140"},
    {"name": "Obfuscated Files or Information", "mitre_attack_id": "T1027", "href": "/ti/ttps/T1027"},
    {"name": "Ingress Tool Transfer", "mitre_attack_id": "T1105", "href": "/ti/ttps/T1105"},
    {"name": "BITS Jobs", "mitre_attack_id": "T1197", "href": "/ti/ttps/T1197"},
    {"name": "Command and Scripting Interpreter: PowerShell", "mitre_attack_id": "T1059.001", "href": "/ti/ttps/T1059.001"},
    {"name": "Command and Scripting Interpreter: Windows Command Shell", "mitre_attack_id": "T1059.003", "href": "/ti/ttps/T1059.003"},
    {"name": "Subvert Trust Controls: Mark-of-the-Web Bypass", "mitre_attack_id": "T1553.005", "href": "/ti/ttps/T1553.005"},
    {"name": "Masquerading: Match Legitimate Name or Location", "mitre_attack_id": "T1036.005", "href": "/ti/ttps/T1036.005"},
    {"name": "Hide Artifacts: Hidden Window", "mitre_attack_id": "T1564.003", "href": "/ti/ttps/T1564.003"},
    {"name": "Application Layer Protocol: Web Protocols", "mitre_attack_id": "T1071.001", "href": "/ti/ttps/T1071.001"},
    {"name": "Web Service", "mitre_attack_id": "T1102", "href": "/ti/ttps/T1102"}
  ],
  "related_campaigns": [],
  "reports": [
    {"title": "Five npm Packages That Hide a Windows Binary Dropper", "url": "https://safedep.io/procwire-npm-windows-dropper-campaign", "published_at": "2026-06-17"}
  ]
}