Researchers from Socket’s Threat Research Team have uncovered an active homoglyph typosquat on NuGet impersonating the widely used Nethereum project, a .NET library for Ethereum.
The malicious package, Netherеum.All, replaced one Latin “e” in the name with the visually identical Cyrillic small letter ie (U+0435). The lookalike name passed casual inspection, and the package carried a wallet-exfiltration routine hidden inside otherwise legitimate-looking code. The campaign is part of a broader trend of Unicode-based supply chain attacks on open-source registries.
“Netherеum.All swaps a Cyrillic ‘e’ (U+0435) into the name to pass casual inspection, then uses an XOR routine to decode a command and control (C2) endpoint (solananetworkinstance[.]info/api/gads),” Socket’s analysts wrote. “When invoked, the code sends an HTTPS POST with a single field named ‘message,’ which can carry mnemonics, private keys, keystore JSON, or signed transaction data.”
The fraudulent package, published under the username nethereumgroup on October 16, 2025, mimicked the trusted Nethereum project’s structure and namespaces so closely that even experienced developers could be fooled.
The deception extended to installation commands and metadata, which visually matched the legitimate package’s entries.
“Now removed, the NuGet page for Netherеum.All used a Cyrillic ‘e’ (U+0435) to impersonate Nethereum, a homograph typosquat that looked identical in the title and in the copyable install commands,” Socket noted.
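The check that catches this class of typosquat is a comparison on a confusable-folded form of the package id, not on the raw string (a plain string match is exactly what passes here). The following is an added example, not code from Socket or from the Nethereum project; the confusables table is a small hand-built subset of Unicode's confusables data, and the sample lookalike id is constructed with the Cyrillic ie placed at the third “e”, which is an assumption since the report does not say which “e” was swapped.

```python
import unicodedata

# Minimal confusables table, constructed for this example: Cyrillic letters that
# render like Latin ones in common fonts. Unicode's confusables.txt is far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE (the character used in Netherеum.All)
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def skeleton(name: str) -> str:
    """Fold confusable characters to their Latin lookalikes, then lowercase."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).lower()


def scripts(name: str) -> set:
    """Scripts present in a name, taken from the first word of each letter's Unicode name
    (e.g. 'LATIN SMALL LETTER E' -> 'LATIN', 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC')."""
    return {unicodedata.name(ch).split(" ")[0] for ch in name if ch.isalpha()}


def non_ascii_chars(name: str) -> list:
    """(index, codepoint, Unicode name) for every non-ASCII character, for the report."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
            for i, ch in enumerate(name) if ord(ch) > 0x7F]


def analyze_package_name(name: str, trusted: list) -> dict:
    """Flag a package id that is a homoglyph of a trusted id.

    The decision is made on the folded skeleton: a raw comparison against the
    trusted list would report Netherеum.All as simply 'not in the list'."""
    exact = name in trusted
    impersonates = None
    if not exact:
        folded = skeleton(name)
        impersonates = next((t for t in trusted if skeleton(t) == folded), None)
    return {
        "name": name,
        "exact_match": exact,
        "non_ascii": non_ascii_chars(name),
        "mixed_scripts": len(scripts(name)) > 1,
        "impersonates": impersonates,
    }


# Constructed sample data: a few trusted ids, and a lookalike built with the
# Cyrillic ie at the position of the third 'e' (assumed position for the demo).
TRUSTED = ["Nethereum.All", "Nethereum.Web3", "Nethereum.Accounts"]
LOOKALIKE = "Nether\u0435um.All"

if __name__ == "__main__":
    for n in [LOOKALIKE, "Nethereum.All", "NethereumNet"]:
        print(analyze_package_name(n, TRUSTED))
```

Run this over the ids in a project's `.csproj` / `packages.lock.json` (or over the id in a copied `dotnet add package` line) before the restore runs. Note that the skeleton check only catches confusable substitutions; a plain-ASCII typosquat such as NethereumNet needs a separate edit-distance or prefix check against the trusted list.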
The package also climbed NuGet search rankings quickly, helped by automated download inflation: scripted downloads that artificially raise the download counter so the package appears popular.
“NuGet search results show the malicious Netherеum.All with 11.6 million total downloads, just days after publication — a hallmark of scripted download inflation,” the report stated.
The malicious functionality resided in the method Nethereum.Accounts.EIP70221TransactionService.Shuffle(string), on a class that appeared identical to the legitimate transaction helpers in the original Nethereum library.
Socket’s analysis found that this method carried the C2 URL as XOR-masked bytes and decoded it at runtime, a common way to keep a C2 address out of a simple strings search of the assembly.
The resulting decoded URL — https://solananetworkinstance[.]info/api/gads — was used to POST sensitive wallet data as a form field labeled “message.”
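Repeating-key XOR of this kind is trivial to reverse once you have the masked bytes, and an analyst usually does not even need the key: the URL is known to start with "https://", so XORing the blob with that prefix leaks the keystream and, with it, the mask. The following is an added example, not the sample's own code and not from Socket: the 4-byte mask and the masked bytes are constructed here for the demo, and the decoded URL is kept defanged with "[.]" exactly as the report prints it so that nothing resolves.

```python
from itertools import cycle
from typing import Optional

# Decoded C2 from the report, kept defanged so it never resolves.
C2_URL = "https://solananetworkinstance[.]info/api/gads"

# Assumed 4-byte repeating mask for the demo; the real sample's mask and masked
# bytes are not reproduced in the report.
ASSUMED_MASK = bytes([0x5A, 0x13, 0xC7, 0x2E])


def xor_mask(data: bytes, mask: bytes) -> bytes:
    """Repeating-key XOR. Masking and unmasking are the same operation."""
    return bytes(b ^ m for b, m in zip(data, cycle(mask)))


def decode_c2(blob: bytes, mask: bytes) -> str:
    """What a Shuffle-style routine does at runtime: rebuild the URL from the blob."""
    return xor_mask(blob, mask).decode("ascii")


def recover_mask(blob: bytes, crib: str = "https://", max_period: int = 8) -> Optional[bytes]:
    """Known-plaintext recovery for an analyst who has the blob but not the mask.

    XORing the blob with the expected prefix yields the keystream; if the mask
    repeats with a period no longer than the crib, that period shows up as the
    smallest repeating prefix of the keystream."""
    crib_b = crib.encode("ascii")
    if len(blob) < len(crib_b):
        return None
    stream = bytes(b ^ c for b, c in zip(blob, crib_b))
    for period in range(1, min(max_period, len(stream)) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


def analyze_blob(blob: bytes) -> dict:
    """Recover the mask from the blob alone and decode the C2 with it."""
    mask = recover_mask(blob)
    return {
        "mask": mask.hex() if mask else None,
        "c2": decode_c2(blob, mask) if mask else None,
    }


# The constant an analyst would actually find in the assembly: the masked bytes
# (constructed here by masking the known URL with the assumed mask).
ENCODED_C2 = xor_mask(C2_URL.encode("ascii"), ASSUMED_MASK)

if __name__ == "__main__":
    print("masked bytes:", ENCODED_C2.hex())
    print(analyze_blob(ENCODED_C2))
```

The same crib trick works for a single-byte mask (period 1) and for any repeating mask up to the crib length; longer masks need a longer crib or a second known plaintext. On the wire, the artifact to hunt for is what the report describes: an HTTPS POST to that host whose form body has a single "message" field.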
Because the malicious code sat inside a real transaction module, exfiltration triggered silently during ordinary wallet operations such as importing mnemonics, decrypting keystores, or signing transactions.
“Because this method sits inside a credible transaction service and the surrounding library does real work, a developer can see the app function normally while sensitive strings quietly leave the process,” the Socket team warned.
Further investigation linked Netherеum.All to an earlier malicious package named NethereumNet, which used identical exfiltration logic and contacted the same C2 endpoint.
Both were published by the same actor, using the aliases nethereumgroup and NethereumCsharp, suggesting a coordinated supply chain intrusion campaign.
“During the investigation we linked this sample to an earlier typosquat, NethereumNet, that used the same exfiltration codebase and had already been taken down by NuGet,” Socket confirmed.
Socket’s AI Scanner also flagged the reused Shuffle() routine, which was invoked from wallet constructors and signing helpers, confirming that the exfiltration hook was wired through the library’s normal code paths rather than sitting in an isolated function.