T1055.003

Process Injection: Thread Execution Hijacking

discovered 2026-06-01

Downloads shellcode from the C2 server, XOR-decodes it with the single-byte key 0xAA, spawns dllhost.exe in a suspended state, and injects into it via VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. All Win32 API calls are made through the koffi FFI library from the Electron/Node.js runtime.


Seen in packages

Campaigns