seroxen-rat-malware

Introduction: 

In this report, we take a look at a newly discovered malware threat and discuss its implications for security. The cyber threat landscape is always changing, so it is important to know what the threats are and how to defend against them.

Malware overview:

The malware is called SeroXen RAT (Remote Access Trojan). It was found in a campaign that used the NuGet package manager. SeroXen RAT was built to give attackers unauthorized access to systems with the aim of stealing data, compromising systems, and allowing further malicious actions to take place.

Upgrade and new threat vector:

The way this malware gets deployed is concerning. The attackers used a lesser-known method involving the NuGet package manager: they abused a feature called MSBuild integrations, which lets a package use inline tasks, in order to achieve code execution. What stands out about this deployment is that it is the first known example of malware posted to the NuGet repository that uses this method.
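As an added, defender-side example (not code from the original bulletin or from the campaign), the following Python script inspects a .nupkg for auto-imported MSBuild .props/.targets files that declare inline-code tasks, which is the mechanism described above. The sample package is constructed inside the script and every file, task and property name in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# MSBuild task factories that compile and run C#/VB embedded in the build file itself.
INLINE_TASK_FACTORIES = {"codetaskfactory", "roslyncodetaskfactory"}
# NuGet auto-imports .props/.targets under these folders into every consuming project.
AUTO_IMPORT_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def find_inline_tasks(nupkg_bytes):
    """Return [(path, task_name, factory)] for every inline-code UsingTask
    declared in an auto-imported MSBuild file inside a .nupkg (a plain zip)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as pkg:
        for name in pkg.namelist():
            lower = name.lower()
            if not lower.startswith(AUTO_IMPORT_DIRS) or not lower.endswith((".props", ".targets")):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                findings.append((name, "<unparseable>", "<unknown>"))  # malformed build file: flag it
                continue
            for el in root.iter():
                if _local(el.tag) != "UsingTask":
                    continue
                factory = el.get("TaskFactory", "")
                if factory.lower() in INLINE_TASK_FACTORIES:
                    findings.append((name, el.get("TaskName", "?"), factory))
    return findings

def build_sample_nupkg():
    """Constructed sample package (placeholder names): a benign .props plus a
    .targets that declares an inline C# task wired to run before Build."""
    ns = "http://schemas.microsoft.com/developer/msbuild/2003"
    benign = f'<Project xmlns="{ns}"><PropertyGroup><Sample>1</Sample></PropertyGroup></Project>'
    inline = (f'<Project xmlns="{ns}"><UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory" '
              'AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll"><Task>'
              '<Code Type="Fragment" Language="cs">/* placeholder C# */</Code></Task></UsingTask>'
              '<Target Name="RunStage" BeforeTargets="Build"><Stage /></Target></Project>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("build/Sample.props", benign)
        z.writestr("build/Sample.targets", inline)
        z.writestr("lib/net6.0/Sample.dll", b"")
    return buf.getvalue()
```

A hit only means the package compiles and runs code at build time; review the flagged file to decide whether that is legitimate for the package.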

Indicators of Compromise (IOCs):

The following IOCs have been associated with ExelaStealer malware and should be monitored for within the network:

File-based IOCs:

  • sirketruhsatpdf.exe SHA256: f96bc306a0e3bc63092a04475dd4a1bac75224df242fa9fca36388a1978ce048
  • sirketruhsatpdf.exe SHA256: 95d860570b2777d7af213f9b48747d528251facada54842d7a07a5798fcbfe51
  • BNG 824 ruhsat.pdf SHA256: 5aff2c5e65d8e4e7fa0b0c310fbaef1e1da351de34fa5f1b83bfe17eeabac7ef
  • RuntimeBroker.exe SHA256: 34dca3c80cd5125091e6e4de02e86dcc6a2a6f9900e058111e457c9bce6117c0
  • RuntimeBroker.exe SHA256: c56b23602949597352d99aff03411d620b7a5996da2cab91368de275dcfbaa44

The following IOCs have been identified in connection with the SeroXen RAT campaign:

These IOCs can be used to detect and mitigate threats related to the SeroXen RAT campaign.

Network-based IOC:

  • Discord webhook address: hXXps://discord[.]com/api/webhooks/1139506512302194789/X_VYZdAHscWQ NKWvya9KWqqqTK6UjVvS86_kUy8P8OyCcPhKykCQpEqf93S_qDFVuzp8

These IOCs can be valuable in threat detection and mitigation efforts.

Conclusion:

The SeroXen RAT campaign demonstrates how persistent and adaptable threat actors are in looking for new ways to distribute malware. By being aware of this, organizations can better protect their assets by maintaining vigilance in software supply chain security and proactive threat detection. As this bulletin shows, staying informed and prepared is essential to effective cybersecurity.

References:

  1. https://1275.ru/ioc/2664/seroxen-rat-iocs/
  2. https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html

This threat bulletin was researched and created by Arunagiri S, a SOC analyst at Positka