S1249 HexEval Loader
HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites, using package names that typosquat various npm packages.[1][2][3]
| Item | Value |
|---|---|
| ID | S1249 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 22 October 2025 |
| Last Modified | 24 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | HexEval Loader has used HTTP and HTTPS POST requests to communicate with C2.[1][2][3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | HexEval Loader has executed malicious JavaScript code.[1][3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | HexEval Loader has decoded its payload prior to execution.[1][2][3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | HexEval Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[1][3] |
| enterprise | T1105 | Ingress Tool Transfer | HexEval Loader has been used to download malicious payloads, including BeaverTail.[1][2][3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | HexEval Loader has utilized a cross-platform keylogger capable of capturing keystrokes on Windows, macOS and Linux systems.[3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | HexEval Loader has masqueraded as, and typosquatted the names of, legitimate code repository packages and projects.[1][3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | HexEval Loader has encoded module names and C2 URLs as hexadecimal strings in an attempt to evade analysis.[1][3] |
| enterprise | T1082 | System Information Discovery | HexEval Loader has identified the OS and MAC address of the victim device through host fingerprinting scripts.[3] |
| enterprise | T1614 | System Location Discovery | HexEval Loader has a function by which the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions.[3] |
| enterprise | T1016 | System Network Configuration Discovery | HexEval Loader has leveraged server-side client configurations to identify the public IP of the victim host.[3] |
| enterprise | T1033 | System Owner/User Discovery | HexEval Loader has collected the username from the victim host.[3] |
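The T1027.013 and T1140 rows above describe module names and C2 URLs hidden as hexadecimal string literals that are decoded at runtime. The following is an added detection example, not code from the ATT&CK page or from any analysed package: it scans JavaScript source for string literals made entirely of hex pairs, decodes them, and flags any that decode to a Node built-in module name or a URL. The module watchlist and the sample source are constructed for illustration.

```python
import re

# A JS string literal whose entire body is hex digit pairs, same quote char on both ends.
HEX_LITERAL = re.compile(r"""(['"`])((?:[0-9a-fA-F]{2}){2,})\1""")
# Node built-ins a loader or downloader typically needs (constructed watchlist, not from the page).
LOADER_MODULES = {"child_process", "os", "fs", "http", "https", "crypto", "net"}

def classify(decoded):
    """Label a decoded literal as a built-in module name, a URL, or a plain string."""
    if decoded in LOADER_MODULES:
        return "module"
    if re.match(r"https?://", decoded):
        return "url"
    return "string"

def decode_hex_literals(source):
    """Return every hex-only string literal in `source` that decodes to printable ASCII."""
    findings = []
    for m in HEX_LITERAL.finditer(source):
        raw = m.group(2)
        try:
            decoded = bytes.fromhex(raw).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binary data such as "deadbeef" is not an encoded string; skip it
        if not decoded.isprintable():
            continue
        findings.append({"raw": raw, "decoded": decoded, "kind": classify(decoded)})
    return findings

def is_suspicious(source):
    """True when the source hides a module name or a URL behind hex encoding."""
    return any(f["kind"] in ("module", "url") for f in decode_hex_literals(source))

# Constructed sample mimicking the hex-literal pattern; not taken from any real package.
SAMPLE_JS = r'''
const a = require(Buffer.from("6f73", "hex").toString());
const b = require(Buffer.from("6368696c645f70726f63657373", "hex").toString());
const u = Buffer.from("68747470733a2f2f6578616d706c652e696e76616c69642f", "hex").toString();
const tag = "deadbeef";
const greet = Buffer.from("68656c6c6f", "hex").toString();
'''

if __name__ == "__main__":
    for f in decode_hex_literals(SAMPLE_JS):
        print(f"{f['kind']:6} {f['raw']} -> {f['decoded']}")
    print("suspicious:", is_suspicious(SAMPLE_JS))
```

Run against an unpacked npm tarball, a hit of kind `module` or `url` is a strong triage signal, while `string` hits (such as the decoded `hello` here) are common in legitimate code and should only raise priority, not block on their own.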
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1052 | Contagious Interview | [1][2][3] |
References
1. Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025.
2. Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
3. Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.