Windows RAT Uses Encrypted HTTP C2 and Registry Persistence After npm Infection

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A newly discovered malware campaign is targeting Windows systems through a deceptive package on the npm registry.

Disguised as a legitimate CSS build tool, the malicious package quietly installs a full-featured Remote Access Trojan, or RAT, on developer machines.

The attack is subtle, well-crafted, and far more dangerous than it first appears.

The infection begins with a typosquatted npm package called postcss-minify-selector-parser, designed to look like the widely trusted postcss-selector-parser, which sees over 150 million weekly downloads.

When a developer installs the fake package, a hidden encoded blob inside the entry file kicks off a multi-stage attack chain.

The payload eventually drops a Windows RAT capable of stealing credentials, running shell commands, and communicating with a remote attacker.

Security researchers at JFrog identified the threat and published a detailed analysis on June 22, 2026, in a report shared with Cyber Security News (CSN).

The investigation also uncovered two related packages, postcss-minify-selector and aes-decode-runner-pro, all tied to the same npm publisher. At the time of the report, all three packages were still live and accessible on the registry.

What makes this campaign stand out is how carefully it blends in. The fake package uses the same keywords and even depends on the real postcss-selector-parser, making it easy to miss during a routine dependency review.

Developers in fast-moving projects who do not audit transitive dependencies are especially at risk, and the attacker clearly understood how trust operates in open-source ecosystems.
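The kind of dependency-review check that would catch a lookalike such as postcss-minify-selector-parser is shown below as an added example; it is not JFrog's or npm's tooling. It flags a dependency whose name is a close variant of a well-known package, either by sharing most of its hyphen-separated tokens or by a one-character typo, and raises the severity when the suspect package itself depends on the package it imitates, which is the pattern this campaign used to keep builds working. The POPULAR_PACKAGES list, the sample manifest and the registry_deps lookup are constructed stand-ins for data a team would maintain or fetch.

```python
"""Dependency-review heuristics for lookalike npm package names (added example)."""
import json

# Constructed allowlist of widely used packages a team would maintain.
POPULAR_PACKAGES = {"postcss-selector-parser", "postcss", "lodash", "express"}


def levenshtein(a, b):
    """Classic edit distance, used for single-word names such as a typo of lodash."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles(candidate, known):
    """Return True when `candidate` is a plausible lookalike of `known`."""
    if candidate.lower() == known.lower():
        return False
    ct, kt = candidate.lower().split("-"), known.lower().split("-")
    if len(kt) == 1:
        # Single-word names: only a near-identical spelling counts, so that
        # legitimate plugins such as postcss-loader are not flagged against postcss.
        return len(ct) == 1 and levenshtein(ct[0], kt[0]) <= 1
    shared = len(set(ct) & set(kt))
    # Multi-token names: sharing two or more tokens that cover at least
    # two-thirds of the known name is suspicious (postcss-minify-selector
    # shares 'postcss' and 'selector' with postcss-selector-parser).
    return shared >= 2 and shared / len(kt) >= 0.66


def review_manifest(manifest, registry_deps):
    """Scan a package.json-style manifest. `registry_deps` maps a package name to
    its declared dependencies (a constructed stand-in for an npm registry lookup)."""
    findings = []
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    for dep in deps:
        for known in POPULAR_PACKAGES:
            if not resembles(dep, known):
                continue
            severity, reason = "medium", f"name resembles {known}"
            # A lookalike that wraps the real package is the pattern seen in this
            # campaign: the build keeps working while the extra code runs.
            if known in registry_deps.get(dep, ()):
                severity, reason = "high", reason + " and depends on it"
            findings.append({"package": dep, "severity": severity, "reason": reason})
    return findings


# Constructed manifest and registry snapshot for the demonstration
# ("loadash" is a made-up typo name, not a reference to any real package).
SAMPLE_MANIFEST = {
    "dependencies": {
        "postcss-minify-selector-parser": "^1.0.0",
        "postcss-selector-parser": "^6.0.0",
        "loadash": "^4.17.0",
        "express": "^4.18.0",
    }
}
SAMPLE_REGISTRY = {
    "postcss-minify-selector-parser": ["postcss-selector-parser"],
    "loadash": [],
}

if __name__ == "__main__":
    print(json.dumps(review_manifest(SAMPLE_MANIFEST, SAMPLE_REGISTRY), indent=2))
```

The token heuristic is deliberately narrow: it only fires when a multi-word name is mostly reused, so ordinary plugins in the same namespace (postcss-loader, postcss-nested) do not trip it. The "depends on the package it resembles" signal is the one worth weighting highest in review, because it is exactly how a wrapper package stays invisible in a working build.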

The real damage only becomes clear after the full payload chain executes. A PowerShell downloader fetches a ZIP archive from a lookalike domain, extracts it, and launches a VBS script to start the RAT.

The final implant runs as a bundled Python application compiled with Nuitka, making it much harder to inspect than a typical script-based threat.

Windows RAT Uses Encrypted HTTP C2 and Registry Persistence

Once the RAT is running on a victim machine, it establishes contact with a command-and-control, or C2, server over HTTP.

All traffic is encrypted with RC4 (also known as ARC4), with MD5 checksum material wrapped into the exchange, making it difficult to detect at the network level. The RAT sends an initial host profile to the C2 and then enters a loop, waiting for commands from the attacker.

To survive reboots, the malware writes a persistence entry named csshost under the Windows Run registry key. It also stores a persistent victim UUID and host configuration in files dropped in the TEMP directory.

This means even if the attacker loses contact, the RAT reconnects automatically the next time the machine starts.

The RAT supports a wide range of capabilities including remote shell execution, file upload and download, randomized sleep commands, and virtual machine detection.

End-to-end Infection Chain (Source – JFrog)

The VM checks use WMI queries and MAC address prefix matching to detect and avoid sandbox analysis environments. This level of evasion design points to a threat actor with deliberate technical planning and real operational experience.

Chrome Credential Theft and Exfiltration

Beyond remote control, the RAT includes a dedicated module for stealing saved login data from Google Chrome.

It accesses Chrome’s local profile files, including the Login Data SQLite database, and uses Windows decryption APIs to unlock stored passwords. It also handles newer Chrome app-bound encryption, meaning even recently protected credentials are not safe.

The auto.pyd module also collects Chrome extension data, packaging results into an in-memory archive before sending it out.

Output file references found in the binary include chrome_logins_dump.txt and gather.tar.gz, suggesting the attacker designed this for organized batch exfiltration.

For developers who store API keys, tokens, or credentials in their browsers, this is a serious and immediate threat.

JFrog recommends that anyone who installed packages from this cluster remove them right away and inspect full dependency trees for transitive risks.

Security teams should block the network indicators tied to this campaign and search endpoints for related file paths and executables. All browser-stored credentials and development tokens on affected machines should be treated as compromised and rotated without delay.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 95[.]216[.]92[.]207 | C2 server IP address |
| Domain | nvidiadriver[.]net | Payload delivery domain |
| URL | hxxp[:]//95[.]216[.]92[.]207:8080 | C2 communication endpoint |
| URL | hxxp[:]//nvidiadriver[.]net/verv1432/winpatch-xd7d[.]win | Payload download URL |
| File Path | %TEMP%\winPatch.zip | Downloaded malware archive |
| File Path | %TEMP%\winPatchupdate.vbs | VBS bootstrapper file |
| File Path | %TEMP%\.store | Persistent victim UUID storage |
| File Path | %TEMP%\.host | Host configuration storage |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost | RAT persistence registry entry |
| File Name | win-driver-xd7d/chost.exe | Renamed Python launcher |
| File Name | win-driver-xd7d/loader.py | Python loader script |
| File Name | win-driver-xd7d/api.cp310-win_amd64.pyd | HTTP C2 packet exchange module |
| File Name | win-driver-xd7d/audiodriver.cp310-win_amd64.pyd | Main RAT orchestration module |
| File Name | win-driver-xd7d/auto.cp310-win_amd64.pyd | Chrome credential theft module |
| File Name | win-driver-xd7d/command.cp310-win_amd64.pyd | Host actions and shell execution module |
| File Name | win-driver-xd7d/config.cp310-win_amd64.pyd | RAT configuration module |
| File Name | win-driver-xd7d/util.cp310-win_amd64.pyd | Archive helper module |
| SHA-256 | 164e322d6fbc62e254d73583acd7f39444c884d3f5e6a5d27db143fc25bc88b3 | audiodriver.cp310-win_amd64.pyd |
| SHA-256 | 50ffce607867d8fa8eaf6ef5cd25a3c0e7e4415e881b9e55c04a67bcddb74fdf | api.cp310-win_amd64.pyd |
| SHA-256 | 17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871 | auto.cp310-win_amd64.pyd |
| SHA-256 | c8075bbff748096e1c6a1ea0aa67bb6762fdd7551427a12425b35b94c1f1ecf2 | command.cp310-win_amd64.pyd |
| SHA-256 | f6669bd504ce6b0e303be7ee47f2ebbc062989c88c41f0a3f436044a24869798 | config.cp310-win_amd64.pyd |
| SHA-256 | 282b9bc318ad1234cbd1b86424b784299b8be31545802a7c6b751166b814b990 | util.cp310-win_amd64.pyd |
| npm Package | postcss-minify-selector-parser (XRAY-1002983) | Primary malicious npm package |
| npm Package | postcss-minify-selector (XRAY-1003986) | Related malicious npm package |
| npm Package | aes-decode-runner-pro (XRAY-989675) | Related AES decoder package |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
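To make the persistence, C2 and IoC sections above actionable, here is an added example (not JFrog's tooling) that keeps the published indicators defanged in source, refangs them only in memory at match time, and runs a few constructed Sysmon-style telemetry events through a matcher: a Run-key value named csshost, files dropped in TEMP, a DNS query for the payload domain, a connection to the C2 endpoint, and a known module hash. The event field names (type, key, value_name, path, sha256, query, dst_ip, dst_port) are assumptions for the demonstration, not a real log schema; the indicators themselves come from the table above.

```python
"""Match the campaign's published indicators against endpoint telemetry (added example)."""

# Indicators as published in the IoC table, kept defanged in source.
DEFANGED_C2_IP = "95[.]216[.]92[.]207"
DEFANGED_PAYLOAD_DOMAIN = "nvidiadriver[.]net"
C2_PORT = 8080
RUN_VALUE_NAME = "csshost"
DROPPED_FILES = {"winpatch.zip", ".store", ".host", "chrome_logins_dump.txt",
                 "gather.tar.gz", "chost.exe", "loader.py"}
MODULE_FILES = {f"{m}.cp310-win_amd64.pyd"
                for m in ("api", "audiodriver", "auto", "command", "config", "util")}
MODULE_HASHES = {
    "164e322d6fbc62e254d73583acd7f39444c884d3f5e6a5d27db143fc25bc88b3",
    "50ffce607867d8fa8eaf6ef5cd25a3c0e7e4415e881b9e55c04a67bcddb74fdf",
    "17832aa629524ef6e8d8d6e9b6b902a8d324b559e3c36dbd0e221ab1690be871",
    "c8075bbff748096e1c6a1ea0aa67bb6762fdd7551427a12425b35b94c1f1ecf2",
    "f6669bd504ce6b0e303be7ee47f2ebbc062989c88c41f0a3f436044a24869798",
    "282b9bc318ad1234cbd1b86424b784299b8be31545802a7c6b751166b814b990",
}


def refang(indicator):
    """Turn a defanged indicator back into its live form, in memory only."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def defang(indicator):
    """Inverse of refang, for writing matches back into a report safely."""
    return indicator.replace("http", "hxxp").replace("://", "[:]//").replace(".", "[.]")


def _basename(path):
    """Last path component, case-folded, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Return the indicator labels one telemetry event matches (empty if none)."""
    hits = []
    kind = event.get("type")
    if kind == "registry_set":
        key = event.get("key", "").lower()
        if key.endswith(r"\currentversion\run") and \
                event.get("value_name", "").lower() == RUN_VALUE_NAME:
            hits.append("run_key_persistence:csshost")
    elif kind == "file_create":
        name = _basename(event.get("path", ""))
        if name in DROPPED_FILES or name in MODULE_FILES:
            hits.append(f"dropped_file:{name}")
        if event.get("sha256", "").lower() in MODULE_HASHES:
            hits.append("known_module_hash")
    elif kind == "dns_query":
        if event.get("query", "").lower().rstrip(".") == refang(DEFANGED_PAYLOAD_DOMAIN):
            hits.append("payload_domain")
    elif kind == "network_connect":
        if event.get("dst_ip") == refang(DEFANGED_C2_IP):
            # Any contact with the C2 IP is notable; the published port is stronger.
            hits.append("c2_endpoint" if event.get("dst_port") == C2_PORT else "c2_ip")
    return hits


def scan(events):
    """Run every event through the matcher; return (event_index, hits) pairs."""
    return [(i, h) for i, ev in enumerate(events) if (h := match_event(ev))]


# Constructed telemetry: five events that should match, two that should not.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "csshost"},
    {"type": "file_create", "path": r"C:\Users\dev\AppData\Local\Temp\.store"},
    {"type": "file_create",
     "path": r"C:\Users\dev\AppData\Local\Temp\win-driver-xd7d\util.cp310-win_amd64.pyd",
     "sha256": "282b9bc318ad1234cbd1b86424b784299b8be31545802a7c6b751166b814b990"},
    {"type": "dns_query", "query": "nvidiadriver.net"},
    {"type": "network_connect", "dst_ip": "95.216.92.207", "dst_port": 8080},
    {"type": "network_connect", "dst_ip": "203.0.113.5", "dst_port": 443},  # benign, TEST-NET
    {"type": "file_create", "path": r"C:\Users\dev\project\README.md"},       # benign
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS):
        print(index, labels)
```

Keeping the source defanged and refanging at match time follows the note above: nothing in the file is a clickable URL or a resolvable hostname, yet the comparison still happens against the live form the telemetry carries. The file-name matches on .store, .host and the module names are the weakest signals on their own (short generic names), so they are best treated as pivots to confirm against the Run-key entry, the hash list or the network indicators.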
