HexEval Loader

HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites, using package names that typosquat various npm packages.[1][2][3]

ID: S1249
Type: MALWARE
Platforms: Linux, macOS, Windows
Version: 1.0
Created: 22 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

HexEval Loader has used HTTP and HTTPS POST requests to communicate with C2.[1][2][3]

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

HexEval Loader has executed malicious JavaScript code.[1][3]

Enterprise T1140 Deobfuscate/Decode Files or Information

HexEval Loader has decoded its payload prior to execution.[1][2][3]

Enterprise T1041 Exfiltration Over C2 Channel

HexEval Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers.[1][3]

Enterprise T1105 Ingress Tool Transfer

HexEval Loader has been used to download malicious payloads, including BeaverTail.[1][2][3]

Enterprise T1056.001 Input Capture: Keylogging

HexEval Loader has utilized a cross-platform keylogger that has the capability to capture keystrokes on Windows, macOS and Linux systems.[3]

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

HexEval Loader has masqueraded and typosquatted as legitimate code repository packages and projects.[1][3]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

HexEval Loader has encoded module names and C2 URLs as hexadecimal strings in an attempt to evade analysis.[1][3]
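The two behaviours above (T1140, decoding the payload before execution, and T1027.013, storing module names and C2 URLs as hex strings) share one analyst-side consequence: the indicators are recoverable from the package source by decoding every hex string literal and checking what it decodes to. The following Python triage script is an added example and is not code from the page or from the referenced reports; the JavaScript fragment it scans is constructed for the example (the decoded URL is a reserved `.invalid` domain), and the Node core-module watch-list is an assumed starting set, not a list taken from the page.

```python
import re
import string
from typing import List, Optional, Tuple

# Match quoted hex string literals of at least two bytes (even number of hex digits).
HEX_LITERAL = re.compile(r"""["']((?:[0-9a-fA-F]{2}){2,})["']""")

# Assumed watch-list of Node.js core modules a loader commonly requires.
# Hypothetical starting set; extend to taste.
NODE_CORE_MODULES = {
    "os", "fs", "path", "net", "http", "https", "crypto",
    "child_process", "util", "zlib",
}

# Printable ASCII used to decide whether a decoded blob is text at all.
PRINTABLE = set(string.printable)

# Constructed sample: a JS fragment in the style described on the page, with
# module names and a URL hidden as hex literals plus one non-text literal.
SAMPLE_JS = r'''
const a = Buffer.from("6f73", "hex").toString();
const b = require(Buffer.from("6368696c645f70726f63657373", "hex").toString());
const u = "68747470733a2f2f6578616d706c652e696e76616c69642f636f6c6c656374";
const n = "deadbeef";
'''


def decode_hex_literal(literal: str) -> Optional[str]:
    """Decode a hex literal to text; return None when it is not printable ASCII."""
    try:
        text = bytes.fromhex(literal).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def classify(decoded: Optional[str]) -> str:
    """Label a decoded literal so an analyst can sort indicators quickly."""
    if decoded is None:
        return "binary"
    if decoded.startswith(("http://", "https://")):
        return "url"
    if decoded in NODE_CORE_MODULES:
        return "node-module"
    return "text"


def triage_source(src: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (hex literal, decoded text or None, label) for every hex literal in src."""
    results = []
    for match in HEX_LITERAL.finditer(src):
        literal = match.group(1)
        decoded = decode_hex_literal(literal)
        results.append((literal, decoded, classify(decoded)))
    return results


def extract_indicators(src: str) -> Tuple[List[str], List[str]]:
    """Split triage output into (urls, required core modules), each sorted and unique."""
    urls, modules = set(), set()
    for _, decoded, label in triage_source(src):
        if label == "url":
            urls.add(decoded)
        elif label == "node-module":
            modules.add(decoded)
    return sorted(urls), sorted(modules)


if __name__ == "__main__":
    for literal, decoded, label in triage_source(SAMPLE_JS):
        print(f"{label:12} {literal[:24]:24} -> {decoded!r}")
    print("indicators:", extract_indicators(SAMPLE_JS))
```

Run it over an unpacked npm package (`find . -name '*.js' | xargs cat`) and the `url` rows are candidate C2 endpoints for blocking, while `node-module` rows showing `child_process` or `https` in a package that has no business spawning processes or making requests are a quick signal that the package deserves a closer look before it is trusted.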

Enterprise T1082 System Information Discovery

HexEval Loader has identified the OS and MAC address of the victim device through a host-fingerprinting script.[3]

Enterprise T1614 System Location Discovery

HexEval Loader includes functionality by which the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions.[3]

Enterprise T1016 System Network Configuration Discovery

HexEval Loader has leveraged server-side client configuration to identify the public IP of the victim host.[3]

Enterprise T1033 System Owner/User Discovery

HexEval Loader has collected the username from the victim host.[3]

Groups That Use This Software

ID Name References
G1052 Contagious Interview [1][2][3]

References