
NullBulge Actor Leaks Disney’s Private Slack Chats – Tools Revealed


A new cybercriminal group, NullBulge, targets AI and gaming companies by injecting malicious code into public software repositories (GitHub, Hugging Face) and game mods, which compromises victims’ systems and deploys tools like Async RAT and Xworm to establish persistence. 

LockBit ransomware, built with a leaked builder, is then delivered to encrypt critical data. NullBulge’s tactic of weaponizing open-source code highlights a concerning trend where cybercriminals exploit trust in the developer community for financial gain. 

NullBulge Logo (July 2024)

The NullBulge group emerged targeting AI-centric application and gaming communities, distributing malware through extensions and modifications of commonly used AI-art-adjacent applications and games.

The attacks target the software supply chain by injecting malicious code into legitimate software distribution platforms like GitHub, Reddit, and Hugging Face. 

The group announces its attacks via its own DLS/blog site and 4chan threads, and uses customized LockBit ransomware builds to maximize the impact of those attacks.

NullBulge’s services via the group’s DLS

The group compromised projects hosted on AI/ML platforms such as GitHub (the ComfyUI_LLMVISION extension) and Hugging Face (the SillyTavern Character Generator and Image Description tools) by injecting malicious Python libraries (trojanized Anthropic/OpenAI wheels) into popular tools.

These libraries contained scripts (e.g., Fadmino.py) that stole browser data (logins and passwords, accessed through the browser's Network Security Services (NSS) library) and system information (geography, installed applications, security products, financial data). The stolen data was exfiltrated to the attacker's server through Discord webhooks.

cadmino.py extended data collection scripts

Malicious actors behind the NullBulge campaign compromised legitimate repositories on GitHub and Hugging Face under the AppleBotzz identity, which was used to host malware and spread it through platforms like ModLand.

NullBulge claims AppleBotzz is a separate entity whose accounts they hijacked. However, the lack of legitimate activity from the compromised accounts and the widespread use of AppleBotzz for malware distribution suggests NullBulge might be behind both identities. 

NullBulge statement on AppleBotzz identity

Hackers targeted BeamNG game users with malicious mods containing Lua code, distributed through social media links, forums, and the ModLand community; on execution, the mods ran an obfuscated PowerShell script.

The decoded PowerShell downloaded Async RAT or Xworm, which in turn deployed LockBit ransomware. The Lua code, hidden within BeamNG mod files (e.g., VersionCheck.lua), used base64-encoded strings to download the malicious payloads from file-hosting services like Pixeldrain.
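Both delivery paths described above (the trojanized Python packages that post stolen data to Discord webhooks, and the Lua mod files that hide download URLs in base64 strings) leave static indicators that a defender can look for before a file is ever executed. The following Python scanner is an added example written for this article, not code from the campaign or from any of the projects mentioned: it flags Discord webhook URLs in plain text and decodes base64-looking runs to surface hidden URLs or PowerShell references. The file contents, the hidden URL (an `.invalid` host) and the webhook token are constructed placeholders.

```python
import base64
import re
from typing import Dict, List

# Indicator patterns derived from the campaign description: Discord webhook URLs
# used for exfiltration, and download URLs hidden inside base64-encoded strings.
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/[\w/-]+"
)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%+-]*)?")
# A base64 candidate: a run of at least 24 alphabet characters plus optional padding.
B64_CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _as_text(raw: bytes):
    """Return the bytes as text if they decode to readable UTF-8 (or UTF-16LE ASCII), else None."""
    # UTF-16LE of ASCII text (the form PowerShell's -EncodedCommand expects) has a NUL
    # in every odd byte; strip those so the check below sees the ASCII payload.
    if raw and len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
        raw = raw[0::2]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def decode_base64_candidates(text: str) -> List[str]:
    """Decode every base64-looking run in the text that turns into readable text."""
    decoded: List[str] = []
    for match in B64_CANDIDATE_RE.finditer(text):
        blob = match.group(0)
        blob += "=" * (-len(blob) % 4)  # restore padding the author may have stripped
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError: not base64 after all
            continue
        as_text = _as_text(raw)
        if as_text:
            decoded.append(as_text)
    return decoded


def scan_text(name: str, text: str) -> List[Dict[str, str]]:
    """Scan one file's contents and return a list of indicator findings."""
    findings: List[Dict[str, str]] = []
    for match in DISCORD_WEBHOOK_RE.finditer(text):
        findings.append({"file": name, "indicator": "discord_webhook", "value": match.group(0)})
    for decoded in decode_base64_candidates(text):
        for url in URL_RE.finditer(decoded):
            findings.append({"file": name, "indicator": "base64_hidden_url", "value": url.group(0)})
        if re.search(r"powershell", decoded, re.IGNORECASE):
            findings.append({"file": name, "indicator": "base64_hidden_powershell", "value": decoded[:80]})
    return findings


def scan_all(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Scan a mapping of file name -> contents (e.g. an unpacked mod or wheel)."""
    findings: List[Dict[str, str]] = []
    for name, text in files.items():
        findings.extend(scan_text(name, text))
    return findings


# Constructed samples (not taken from the campaign's real files). The host is an
# RFC 2606 ".invalid" name and the webhook token is a placeholder.
HIDDEN_URL = "https://download.example.invalid/payload.ps1"
SAMPLE_FILES: Dict[str, str] = {
    "mods/VersionCheck.lua": (
        "local M = {}\n"
        "-- the encoded value below hides a download URL\n"
        'local src = "' + base64.b64encode(HIDDEN_URL.encode()).decode() + '"\n'
        "function M.onInit() return src end\n"
        "return M\n"
    ),
    "site-packages/some_wheel/collector.py": (
        "# placeholder webhook; the campaign used per-actor Discord webhooks\n"
        'WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"\n'
        "def send(report):\n"
        "    pass\n"
    ),
    "mods/clean_mod.lua": "local M = {}\nfunction M.onInit() print('hello') end\nreturn M\n",
}

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_FILES):
        print(f"{finding['file']}: {finding['indicator']} -> {finding['value']}")
```

In practice the scanner would be run over an unpacked wheel's `site-packages` tree or a mod archive before installation; a hit on a webhook URL or a base64-hidden URL in a file whose stated purpose is a version check is the kind of mismatch worth a manual look.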

Base64-encoded link for malicious BeamNG mod distribution

NullBulge uses the LockBit 3.0 builder to create custom ransomware payloads for victims already compromised with Async RAT or Xworm; the payloads use a modified config.json alongside the standard builder components. The configuration enables encryption of local disks and network shares while excluding hidden folders.

It also terminates processes and services, wipes event logs, and sets a self-destruct timer; ransom notes are printed locally, and the payload uses Group Policy to spread laterally within the network.
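Two of the behaviours the configuration enables, mass service termination and event log wiping, are visible in Windows event logs on the host itself. The Python routine below is an added example for this article, not part of the campaign analysis: it flags the log-clearing events (Security 1102 "The audit log was cleared" and System 104 "The System log file was cleared") and a burst of Service Control Manager 7036 "entered the stopped state" events on one host inside a short window. The event records, host names and service names are constructed, and the burst threshold and window are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Windows event IDs that record the behaviours called out in the configuration.
LOG_CLEARED_EVENTS = {
    ("Security", 1102),  # "The audit log was cleared"
    ("System", 104),     # "The System log file was cleared"
}
SERVICE_STATE_EVENT = ("System", 7036)  # Service Control Manager: service changed state

# Constructed sample records (not real telemetry): the minimal shape a SIEM export carries.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-07-12T02:14:05", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc1 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:07", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc2 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:09", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc3 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:12", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc4 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:15", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc5 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:20", "host": "WS01", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc6 service entered the stopped state."},
    {"ts": "2024-07-12T02:15:00", "host": "WS01", "channel": "Security", "event_id": 1102,
     "message": "The audit log was cleared."},
    {"ts": "2024-07-12T02:15:03", "host": "WS01", "channel": "System", "event_id": 104,
     "message": "The System log file was cleared."},
    # WS02: ordinary activity, two service stops more than an hour apart.
    {"ts": "2024-07-12T02:14:00", "host": "WS02", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc1 service entered the stopped state."},
    {"ts": "2024-07-12T02:14:30", "host": "WS02", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc1 service entered the running state."},
    {"ts": "2024-07-12T02:20:00", "host": "WS02", "channel": "Security", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"ts": "2024-07-12T03:30:00", "host": "WS02", "channel": "System", "event_id": 7036,
     "message": "The SampleSvc2 service entered the stopped state."},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect_log_clearing(events: List[Dict]) -> List[Dict]:
    """Return every event that records a Security or System log being cleared."""
    return [
        {"host": e["host"], "channel": e["channel"], "event_id": e["event_id"], "ts": e["ts"]}
        for e in events
        if (e["channel"], e["event_id"]) in LOG_CLEARED_EVENTS
    ]


def detect_service_stop_burst(events: List[Dict], threshold: int = 5,
                              window_seconds: int = 60) -> List[str]:
    """Return hosts where at least `threshold` services stopped within `window_seconds`."""
    stops: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if (e["channel"], e["event_id"]) == SERVICE_STATE_EVENT and "stopped state" in e["message"]:
            stops[e["host"]].append(_ts(e))
    flagged: List[str] = []
    for host, times in stops.items():
        times.sort()
        start = 0  # sliding window: times[start..end] all lie within window_seconds
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(host)
                break
    return sorted(flagged)


def run_detections(events: List[Dict], threshold: int = 5, window_seconds: int = 60) -> Dict:
    return {
        "log_cleared": detect_log_clearing(events),
        "service_stop_burst": detect_service_stop_burst(events, threshold, window_seconds),
    }


if __name__ == "__main__":
    results = run_detections(SAMPLE_EVENTS)
    for hit in results["log_cleared"]:
        print(f"{hit['host']}: {hit['channel']} log cleared (event {hit['event_id']}) at {hit['ts']}")
    for host in results["service_stop_burst"]:
        print(f"{host}: burst of service stops")
```

The two signals reinforce each other: a 1102 or 104 arriving minutes after a service-stop burst on the same host is a far stronger indication than either alone, and because the log clearing event is itself the first entry in the freshly cleared log, it survives the wipe that removes the rest.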

NullBulge ransom note configuration

The NullBulge hacking group has been active since late May 2024, operating multiple leak sites, including .com, .se, and .co domains and a dark web address. The sites claim to target companies involved with AI, and the group has also targeted artists through infostealer malware sales.

According to SentinelOne, they recently announced a large leak of Disney’s internal Slack data (1.2 TB) and released a smaller archive containing design files for the DuckTales series. 

NullBulge appears financially motivated, selling stolen credentials and API keys in underground forums and maintaining a presence on various platforms, including 4chan, Discord, GitHub, and mysellix.io. 
