{"slug": "ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent", "title": "ixpresso-core: Windows RAT Disguised as a WhatsApp Agent", "summary": "Analysis of \"ixpresso-core,\" a malicious Windows Remote Access Trojan (RAT) published on npm and disguised as a WhatsApp-integrated AI agent. Once run, it deploys a persistent implant called \"Veltrix\" that steals browser credentials, Discord and Telegram sessions, cryptocurrency data, and keystrokes, and gives the attacker remote control through a Cloudflare tunnel. The package was published by a newly created account using a temporary email service, and screenshots shipped inside the package inadvertently revealed the attacker's own stolen data and development environment.", "body_md": "ixpresso-core: Windows RAT Disguised as a WhatsApp Agent\nTL;DR\n`ixpresso-core` is a purpose-built Windows Remote Access Trojan, published to npm under the description “Personal AI System Agent - Control your device via WhatsApp.” There is no WhatsApp integration. 
Running any version of this package deploys a persistent agent called Veltrix that steals browser credentials, Discord and Telegram sessions, crypto seed phrases, and a live keystroke stream, while opening an authenticated remote-control dashboard reachable over the internet via a Cloudflare tunnel.\nImpact:\n- All saved passwords, cookies, and credit card numbers from Chrome, Brave, and Edge, extracted by decrypting each browser's DPAPI-protected master key\n- Discord authentication tokens pulled from LevelDB storage across Discord, Discord Canary, Discord PTB, and Chrome\n- Telegram `tdata` session folder zipped and exfiltrated (full account access without the password)\n- Desktop, Documents, and Downloads scanned for files matching wallet/seed/crypto/password keywords\n- System-wide keylog stream exfiltrated in real time to a hardcoded Discord webhook\n- Clipboard polled every 15 seconds\n- Automatic screenshots when focus shifts to banking, login, Discord, or browser windows\n- Remote desktop (live FFmpeg screen stream), shell execution, and webcam/microphone access via a WebSocket API\n- Persistence via a Windows Scheduled Task (`WindowsHealthMonitor`) triggered at every logon\nIndicators of Compromise (IoC):\nPackage Overview\nThe `loltestpad` account was created on 2026-04-14, the same day as the first publish. The email domain `opemails.com` is a temporary mail service. Three packages exist under this account, all published within 48 hours:\nThree `ixpresso-core` versions shipped in under 40 minutes:\nThe package shipped 64 PNG screenshots from the attacker’s own testing machine inside the `public/screenshots/` directory. Two of them were taken at 22:27 and 22:31 UTC on 2026-04-14, six minutes before v1.0.2 published. 
The earliest batch dates to 2026-03-30, putting development at least two weeks before release.\nThe vault harvest screenshot from that same session tells its own story: the attacker ran Veltrix against their own machine and exfiltrated 94 passwords, 2 credit cards, and 16 autofill entries from their own browser profiles before publishing.\nThe Veltrix dashboard, running on the attacker’s own machine, shows their own stolen data in the VAULT tab: 118 passwords and 125 cookies harvested from their browser profiles:\nThe attacker’s browser address bar autocomplete reveals the default master password in plain text, `admin123`, embedded in a trycloudflare.com URL from a prior session:\nThe autocomplete history also shows `127.0.0.1:5500/public/index.html`; port 5500 is the VS Code Live Server default, confirming the attacker developed and tested the dashboard locally in VS Code before deploying via tunnel.\nThe cookie table in the VAULT screenshots contains `RFIHUB.COM` as an active session domain. No name or email is directly visible in any screenshot.\nExecution\nNo `postinstall` hook. The package is positioned as a developer utility the victim runs directly. The bin launcher (`bin/ixpresso.js`) spawns the main payload with `detached: true`, `stdio: 'ignore'`, and `windowsHide: true`, unrefs the child, and exits. From the terminal’s perspective, the command finishes cleanly.\nOn startup, `src/index.js` passes a PowerShell block via `-EncodedCommand` before loading any application modules:\nThree actions, one call: a firewall inbound rule named “Windows Security Handler” on TCP 3000, a `SetThreadExecutionState(0x80000041)` call (ES_CONTINUOUS | ES_SYSTEM_REQUIRED | ES_AWAYMODE_REQUIRED) that keeps the machine from sleeping or entering away mode, and `ShowWindow(hWnd, 0)` (SW_HIDE) to hide the console. 
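What a defender gets back when such a launch is logged: the following is an added example, not the package's own code. It builds a constructed stand-in for the block described above, encodes it the way `-EncodedCommand` expects (base64 over UTF-16LE, not UTF-8), and shows the decode-and-match step a detection needs. The sample block, the indicator patterns and the command line are assumptions made for the example.

```javascript
// Added example, not code from ixpresso-core: how a PowerShell
// -EncodedCommand launch keeps its strings off the visible command line,
// and how a detection recovers and matches them. Runs offline.

// Constructed stand-in for the three actions the article describes. The
// real block's exact text is not reproduced; the API calls are abbreviated
// to the identifiers a detection would key on.
const SAMPLE_BLOCK = [
  "netsh advfirewall firewall add rule name='Windows Security Handler' dir=in action=allow protocol=TCP localport=3000",
  "[W.K]::SetThreadExecutionState(0x80000041)",
  "[W.K]::ShowWindow($hWnd, 0)",
].join('; ');

// PowerShell expects base64 over UTF-16LE text, not UTF-8. Getting this
// wrong is the usual reason a decoder shows garbage.
function encodeCommand(script) {
  return Buffer.from(script, 'utf16le').toString('base64');
}

function decodeCommand(b64) {
  return Buffer.from(b64, 'base64').toString('utf16le');
}

// PowerShell accepts any unambiguous prefix of -EncodedCommand
// (-e, -ec, -enc, ...), so match the prefix rather than the full name.
function isEncodedFlag(token) {
  const t = token.toLowerCase();
  return t.length >= 2 && t[0] === '-' && 'encodedcommand'.startsWith(t.slice(1));
}

// Indicators for the three behaviours; constructed for this example and
// written without backslash escapes on purpose.
const INDICATORS = [
  { name: 'firewall-inbound-rule', re: /netsh +advfirewall +firewall +add +rule.*dir=in/i },
  { name: 'sleep-suppression',     re: /SetThreadExecutionState *[(] *0x8000004[01]/i },
  { name: 'console-hide',          re: /ShowWindow *[(][^,]+, *0 *[)]/i },
];

// Takes a process command line (for example from Sysmon event 1 or
// Windows 4688 telemetry) and returns the decoded script plus the
// indicators that fired on it.
function analyzeCommandLine(cmdline) {
  const tokens = cmdline.trim().split(/ +/);
  const idx = tokens.findIndex(isEncodedFlag);
  if (idx < 0 || idx + 1 >= tokens.length) {
    return { encoded: false, decoded: null, indicators: [] };
  }
  const decoded = decodeCommand(tokens[idx + 1]);
  const indicators = INDICATORS.filter(i => i.re.test(decoded)).map(i => i.name);
  return { encoded: true, decoded, indicators };
}

// Constructed launch line shaped like the one a hidden spawn would produce.
const SAMPLE_CMDLINE =
  'powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ' + encodeCommand(SAMPLE_BLOCK);

if (typeof require !== 'undefined' && require.main === module) {
  const result = analyzeCommandLine(SAMPLE_CMDLINE);
  console.log('netsh visible on the raw command line:', /netsh/i.test(SAMPLE_CMDLINE));
  console.log('indicators after decoding:', result.indicators);
}
```

The same plain text is also written by PowerShell script block logging (event 4104 in the Microsoft-Windows-PowerShell/Operational log) when that is enabled, which removes the need to decode at all.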
Because the block is passed base64-encoded, none of those strings appear on the PowerShell command line, so detections that only pattern-match the raw command line miss them; decoding the `-EncodedCommand` argument (UTF-16LE under base64) or reading PowerShell script block logs recovers the plain text.\nOnce the server is up and the Cloudflare tunnel connects, the attacker’s Discord channel receives the access link automatically:\nPersistence\n`PersistenceManager.init()` runs the moment the Express server is ready:\nThe node runtime is renamed `WebSecureSystem.exe` and placed inside `%APPDATA%\\Microsoft\\Windows\\Protect\\`, a directory legitimately used by Windows DPAPI credential protection services, so the file blends in with expected content. The scheduled task fires at every user logon. A `PersistenceService` class with a registry `Run` key mechanism (`WindowsSecuritySync`) is present in the codebase but never invoked in v1.0.2, likely staged for a future version.\nCredential Theft\nAt T+35 seconds, `SessionHijacker.executeSweep()` runs three operations:\nDiscord token extraction. Four LevelDB paths are scanned:\nClassic plaintext tokens and v10 DPAPI-encrypted tokens (`dQw4w9WgXcQ:` prefix) are both extracted. Encrypted tokens are decrypted with the browser’s master key, which is recovered via `ProtectedData.Unprotect` called from PowerShell. The resulting token report is uploaded to the Discord webhook.\nCrypto loot sweep. Desktop, Documents, and Downloads are crawled for `.txt`, `.docx`, `.csv`, `.xlsx`, `.pdf`, and `.json` files under 2 MB whose names match `/wallet|seed|phrase|password|secret|crypto|backup|metamask|phantom/i`. Matches are zipped and uploaded.\nTelegram session. The `tdata` folder (`%APPDATA%\\Telegram Desktop\\tdata`) is zipped if under 24 MB and sent to Discord. 
That folder alone is sufficient to take over the account without the user’s password.\nThe vault harvest summary from the attacker’s own test machine on April 14, the day of publication, shows 94 passwords and 2 credit cards extracted:\nA second session from the same machine shows 69 credential bundles, with Google, YouTube, and google.co.in domains visible in the attacker’s own exfiltrated cookie set:\nAt T+45 seconds, `VaultScraper.harvest()` targets Chrome, Brave, and Edge. Each browser’s DPAPI-protected master key is decrypted:\nAll profiles under each browser are enumerated. The `Login Data`, `Cookies`, and `Web Data` SQLite databases are read, and every value carrying the `v10` prefix is decrypted with AES-256-GCM under that master key. Passwords, cookies, credit card numbers, and autofill entries are serialized to a JSON report and sent to Discord.\nSurveillance\n`ScoutService.start()` activates at T+45 seconds. It registers a system-wide keydown hook via `uiohook-napi`, flushes the keylog buffer every 10 characters or after 1 second of idle, prefixes each flush with the active window title, and delivers it to both Discord and MQTT. The clipboard is polled every 15 seconds via `Get-Clipboard`. The keylog stream, window titles, and clipboard contents all land in the same Discord channel in real time:\nThe window watcher checks the foreground process every 5 seconds and takes an automatic screenshot when it matches `chrome`, `msedge`, `opera`, `banking`, `login`, `password`, `discord`, or `telegram`.\nRemote Control\nA Cloudflare tunnel exposes the local port 3000 server publicly. The attacker receives the URL in a Discord embed (“Cloudwale Tunnel Active”). The dashboard requires a master password (`admin123` by default, overridable via `VELTRIX_PASSWORD`).\nThe dashboard itself is a browser-based command center served over the tunnel, protected by a master password prompt:\nThe WebSocket API handles live remote desktop via FFmpeg screen streaming, mouse and keyboard injection, and webcam and microphone streaming. 
The HTTP API covers arbitrary PowerShell execution (`POST /api/shell/exec`), full filesystem access (list, download, upload, delete any path), process list and kill, on-demand credential harvest, webcam snapshot, 10-second audio capture, and self-destruct (`POST /api/elite/purge`), which wipes the stealth directory and sends a final Discord message.\nC2 Architecture\nThe Discord webhook is hardcoded in `ConfigManager.js` as the `defaultWebhook`:\nMQTT runs alongside. Each victim publishes heartbeats every 5 seconds for the first minute, then every 30 seconds, to `veltrix/signals/VELTRIX-SIGNAL-KEY-SET/<machineId>`. The attacker can send a kill command by publishing `stopassholeshit` to the device-specific command topic. Because HiveMQ’s public broker is shared, unauthenticated infrastructure, anyone who knows the topic string can subscribe and observe beacon traffic from every victim of this campaign.\nOperator and Telegram credentials are configurable via CLI flags (`--webhook=`, `--tgtoken=`, `--tgchatid=`) or environment variables, allowing the package to be redeployed with different C2 endpoints.\nQuerying the webhook endpoint directly confirms the channel is still active as of this writing. The webhook belongs to guild `1480992515933868257`, delivers to channel `1480992664232136805` (`#system`), and the bot is named Captain Hook. The Discord server also contains a `#apk` channel, which suggests an Android variant of the tooling is either planned or already in development.\nConclusion\nThree packages, one account, 48 hours from creation to takedown. The attacker hardcoded the Discord webhook, used HiveMQ’s public broker for C2, and shipped 64 screenshots from their own test session inside the tarball. None of that reduces what Veltrix can do: full DPAPI credential extraction from Chrome, Brave, and Edge; Discord and Telegram session theft; system-wide keylogging; and authenticated remote control over a Cloudflare tunnel.\nThe attacker ran Veltrix against their own machine before publishing. 
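The signals this write-up leans on can be screened for before anything is installed. The following is an added example, not SafeDep's `vet` and not code from the package: it checks a constructed lockfile against a constructed registry `time` document for a name on the takedown list, a package younger than two weeks, and three versions published inside an hour. The lockfile, the registry document, the fictitious `well-known-lib` package and the exact publish minutes are assumptions; real use would fetch each package's `time` field from the registry.

```javascript
// Added example, not SafeDep's vet and not code from the package: a
// pre-install screen of a lockfile against the signals in this write-up.
// Registry metadata is a constructed offline stand-in for the `time` field
// of a package's registry document (https://registry.npmjs.org/<name>).

const TAKEDOWN_LIST = new Set(['ixpresso-core', 'godsplan', 'eyevox']);

// Constructed registry `time` documents. ixpresso-core follows the
// write-up (account created 2026-04-14, three versions in under 40
// minutes, v1.0.2 about six minutes after 22:31 UTC); the other minutes
// are assumed. well-known-lib is a fictitious long-lived package.
const REGISTRY_TIME = {
  'ixpresso-core': {
    created: '2026-04-14T21:59:00.000Z',
    '1.0.0': '2026-04-14T21:59:00.000Z',
    '1.0.1': '2026-04-14T22:15:00.000Z',
    '1.0.2': '2026-04-14T22:37:00.000Z',
  },
  'well-known-lib': {
    created: '2019-03-02T10:00:00.000Z',
    '2.0.0': '2019-03-02T10:00:00.000Z',
    '2.1.0': '2023-08-11T09:30:00.000Z',
  },
};

// Constructed lockfile (v3 layout). The bin entry matters: this package
// relies on the victim running its CLI, not on an install hook.
const LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'ixpresso-core': '^1.0.2', 'well-known-lib': '^2.1.0' } },
    'node_modules/ixpresso-core': { version: '1.0.2', bin: { ixpresso: 'bin/ixpresso.js' } },
    'node_modules/well-known-lib': { version: '2.1.0' },
  },
};

// 'node_modules/@scope/pkg' and nested 'node_modules/a/node_modules/b'
// both reduce to the package name.
function packageName(lockKey) {
  const marker = 'node_modules/';
  return lockKey.slice(lockKey.lastIndexOf(marker) + marker.length);
}

// True if any three consecutive version timestamps fall inside the window.
function hasPublishBurst(timeDoc, windowMinutes) {
  const stamps = Object.entries(timeDoc)
    .filter(([k]) => k !== 'created' && k !== 'modified')
    .map(([, v]) => Date.parse(v))
    .sort((a, b) => a - b);
  for (let i = 2; i < stamps.length; i++) {
    if (stamps[i] - stamps[i - 2] <= windowMinutes * 60 * 1000) return true;
  }
  return false;
}

// Returns one finding per package that trips any check, with the reasons
// and the bin names an analyst would want to see.
function screenLockfile(lock, registryTime, nowMs, opts = {}) {
  const minAgeDays = opts.minAgeDays ?? 14;
  const burstWindowMinutes = opts.burstWindowMinutes ?? 60;
  const takedown = opts.takedownList ?? TAKEDOWN_LIST;
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself
    const name = packageName(key);
    const reasons = [];
    if (takedown.has(name)) reasons.push('on-takedown-list');
    const timeDoc = registryTime[name];
    if (!timeDoc) {
      reasons.push('no-registry-metadata');
    } else {
      const ageDays = (nowMs - Date.parse(timeDoc.created)) / 86400000;
      if (ageDays < minAgeDays) reasons.push('package-age-' + Math.floor(ageDays) + 'd');
      if (hasPublishBurst(timeDoc, burstWindowMinutes)) reasons.push('publish-burst');
    }
    if (reasons.length) {
      findings.push({ name, version: entry.version, bin: Object.keys(entry.bin || {}), reasons });
    }
  }
  return findings;
}

// Screen as of the write-up's publication date.
const AS_OF = Date.parse('2026-04-16T00:00:00Z');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of screenLockfile(LOCKFILE, REGISTRY_TIME, AS_OF)) {
    console.log(f.name + '@' + f.version, f.reasons.join(', '), f.bin.length ? 'bin: ' + f.bin.join(',') : '');
  }
}
```

The age and burst checks are heuristics and will flag legitimate brand-new packages too; they are meant to gate a manual look at the tarball, which in this case would have surfaced the screenshots and the detached hidden spawn in the bin launcher.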
The default password is `admin123`, visible in browser autocomplete history. Anyone with the MQTT topic string can observe victim beacon traffic on HiveMQ’s public broker. The webhook is still live.\nnpm removed all three packages. Treat any system that ran `ixpresso-core`, `godsplan`, or `eyevox` during the 48-hour window as compromised: rotate all browser-stored credentials, sign out of active web sessions so the stolen cookies stop working, revoke Discord tokens, and terminate all Telegram sessions from another device so the exfiltrated `tdata` copy no longer grants access. Check Task Scheduler for `WindowsHealthMonitor`, `%APPDATA%\\Microsoft\\Windows\\Protect\\` for `WebSecureSystem.exe`, Windows Firewall for an inbound rule named “Windows Security Handler” on TCP 3000, and, since the code stages it, the `Run` key for `WindowsSecuritySync`.\nThe `#apk` channel on the attacker’s Discord server suggests an Android payload is in development or already deployed outside npm. This campaign is not done.\nRun `vet` against your lockfiles to flag packages from newly created accounts before install.\n- malware\n- npm\n- supply-chain\n- rat\n- credential-theft\nAuthor\nSafeDep Team\nsafedep.io", "url": "https://wpnews.pro/news/ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent", "canonical_source": "https://safedep.io/malicious-ixpresso-core-npm-rat", "published_at": "2026-04-16 00:00:00+00:00", "updated_at": "2026-05-19 22:34:09.162851+00:00", "lang": "en", "topics": ["cybersecurity"], "entities": ["ixpresso-core", "Veltrix", "WhatsApp", "Chrome", "Brave", "Edge", "Discord", "Telegram"], "alternates": {"html": "https://wpnews.pro/news/ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent", "markdown": "https://wpnews.pro/news/ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent.md", "text": "https://wpnews.pro/news/ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent.txt", "jsonld": "https://wpnews.pro/news/ixpresso-core-windows-rat-disguised-as-a-whatsapp-agent.jsonld"}}