S1249: HexEval Loader
HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts as a downloader for the BeaverTail malware. HexEval Loader was first reported in April 2025. HexEval Loader has previously been leveraged by North Korea-affiliated threat actors identified as Contagious Interview. HexEval Loader has been delivered to victims through code repository sites utilizing typosquatting naming conventions of various npm packages.[1][2][3]
Analyst context for executives and security teams
HexEval Loader matters because it connects software supply-chain exposure with endpoint compromise across Linux, macOS, and Windows. MITRE describes it as a hex-encoded loader that collects host data, decodes follow-on scripts, and downloads BeaverTail malware, with delivery reported through typosquatted npm packages on code repository sites. For leaders, the key issue is not only malware detection; it is whether developer workstations and package consumption paths are monitored well enough to catch suspicious JavaScript execution, encoded payload handling, host discovery, and follow-on downloads.
Executive priority
Prioritize this as a developer and software supply-chain risk. The ATT&CK relationships point to discovery, credential collection via keylogging, web-based command and control, tool transfer, and exfiltration over C2. Security leaders should ask whether package governance, endpoint telemetry on developer systems, network egress visibility, and incident response playbooks can prove what package was installed, what script executed, what data was collected, and whether BeaverTail or other follow-on payloads were retrieved.
Technical view
SOC and IR teams should validate coverage around npm/package-install activity, JavaScript execution outside expected development workflows, hex or encoded script content, decode/deobfuscation behavior, system/user/network/location discovery, web-protocol C2, and external downloads. Because no official ATT&CK detection text is provided for S1249, detections should be built from the related techniques: T1059.007, T1027.013, T1140, T1082, T1033, T1016, T1614, T1071.001, T1105, T1041, and T1056.001. Relationship context to Contagious Interview and BeaverTail should be used for triage enrichment, not as proof of attribution in a local incident without corroborating evidence.
Likely telemetry
- Endpoint process execution for node/npm and JavaScript runtimes on Linux, macOS, and Windows
- Package manager and code repository access logs, including npm package names and install events
- File creation and script content metadata for encoded, hex-like, or newly decoded files
- Command-line and child-process telemetry showing host, user, network, and location discovery
- Network proxy, DNS, firewall, and TLS metadata for unusual web-protocol egress
Detection direction
- Tune for suspicious npm or repository-sourced packages that execute JavaScript and then perform discovery or external downloads.
- Correlate encoded-file indicators with subsequent decode/deobfuscation and script execution rather than relying on static signatures alone.
- Watch for developer endpoints making unusual outbound web connections shortly after package installation or script execution.
- Prioritize multi-signal detections: package install plus host discovery plus web egress plus new payload creation is stronger than any single event.
- Account for false positives from legitimate development tooling, build scripts, package post-install hooks, and normal dependency downloads.
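As an added illustration of the multi-signal approach above (example code, not MITRE or Glexia content), the following Python correlates constructed endpoint events per host within a short window of an npm install and only reports hosts where several independent signals line up. The signal names, the hex-literal regex, the discovery command set, the egress allowlist and the sample events are all assumptions made for the demonstration.

```python
import re
from datetime import datetime, timedelta
# Constructed sample telemetry (not real logs): typosquatted install on dev-01, clean install on build-02.
EVENTS = [
    {"ts": "2025-06-25T10:00:00", "host": "dev-01", "type": "process", "cmd": "npm install reac-dom"},
    {"ts": "2025-06-25T10:00:05", "host": "dev-01", "type": "process", "cmd": "node node_modules/reac-dom/index.js"},
    {"ts": "2025-06-25T10:00:06", "host": "dev-01", "type": "file", "path": "node_modules/reac-dom/index.js",
     "content": "const m = require(Buffer.from('6368696c645f70726f63657373', 'hex').toString());"},
    {"ts": "2025-06-25T10:00:07", "host": "dev-01", "type": "process", "cmd": "whoami"},
    {"ts": "2025-06-25T10:00:09", "host": "dev-01", "type": "network", "proto": "https", "method": "POST", "dst": "203.0.113.10"},
    {"ts": "2025-06-25T10:00:12", "host": "dev-01", "type": "file", "path": "/tmp/payload.js", "content": "var a = 1;"},
    {"ts": "2025-06-25T12:00:00", "host": "build-02", "type": "process", "cmd": "npm install react-dom"},
    {"ts": "2025-06-25T12:00:02", "host": "build-02", "type": "network", "proto": "https", "method": "GET", "dst": "registry.npmjs.org"},
]
HEX_LITERAL = re.compile(r"['\"](?:[0-9a-fA-F]{2}){4,}['\"]")  # quoted string made only of hex byte pairs
DISCOVERY = {"whoami", "hostname", "uname", "ifconfig", "ipconfig", "id"}
ALLOWED_EGRESS = {"registry.npmjs.org", "github.com"}  # normal dependency downloads, not egress of interest
def is_hex_encoded(text):
    """True when script content carries hex-only string literals (T1027.013-style encoding)."""
    return bool(HEX_LITERAL.search(text))

def classify(ev):
    """Map one telemetry event to a named signal, or None when it looks benign."""
    if ev["type"] == "process":
        parts = ev["cmd"].split()
        if parts[0] == "npm" and len(parts) > 1 and parts[1] in ("install", "i"):
            return "install"
        if parts[0] == "node":
            return "js_exec"
        if parts[0] in DISCOVERY:
            return "discovery"
    elif ev["type"] == "file":
        if is_hex_encoded(ev.get("content", "")):
            return "encoded_script"
        if ev["path"].startswith("/tmp/"):  # new file written outside the project tree
            return "payload_drop"
    elif ev["type"] == "network" and ev["method"] == "POST":
        if ev["proto"] in ("http", "https") and ev["dst"] not in ALLOWED_EGRESS:
            return "web_egress"
    return None
def correlate(events, min_signals=3, window=timedelta(minutes=10)):
    """Per host, collect distinct signals within `window` of an npm install; keep multi-signal chains only."""
    chains = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig, t = classify(ev), datetime.fromisoformat(ev["ts"])
        if sig == "install":
            chains[ev["host"]] = {"start": t, "signals": {"install"}}
        elif sig and ev["host"] in chains and t - chains[ev["host"]]["start"] <= window:
            chains[ev["host"]]["signals"].add(sig)
    return {h: c["signals"] for h, c in chains.items() if len(c["signals"]) >= min_signals}
```

Raising `min_signals` or narrowing `window` trades recall for fewer alerts from legitimate post-install hooks; the allowlist is where normal registry traffic is excused.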
Mitigation priorities
- Strengthen package governance for npm and code repository use, including review of similarly named or newly introduced dependencies.
- Limit and monitor script execution from package install workflows, especially on developer workstations and build systems.
- Improve endpoint visibility across Linux, macOS, and Windows where developers work, because the malware object lists all three platforms.
- Apply egress monitoring and policy controls for unexpected web-protocol communications from development tools and scripts.
- Maintain IR procedures to rapidly identify affected packages, executed scripts, downloaded payloads, collected host data, and potential credential exposure.
Analyst notes and limits
The most decision-useful context is the combination of typosquatted npm delivery, encoded loader behavior, host discovery, web C2, and downloader activity for BeaverTail. This makes coverage dependent on both supply-chain controls and runtime telemetry from developer endpoints. Teams should validate whether they can reconstruct the full chain from package acquisition to JavaScript execution, decoding, discovery, outbound communications, and follow-on file retrieval.
MITRE provides no official detection guidance for this object, and the supplied object does not specify ATT&CK tactics directly. The assessment relies on the official description, external references, and stated relationships to techniques, BeaverTail, and Contagious Interview. Local environment evidence is required to determine exposure, compromise, attribution, data loss, or detection coverage.
HexEval Loader
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | HexEval Loader has identified the OS and MAC address of victim device through host fingerprinting scripting. [3] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | HexEval Loader has utilized a cross-platform keylogger that has the capability to capture keystrokes on Windows, macOS and Linux systems. [3] |
| Enterprise | T1105 | Ingress Tool Transfer | HexEval Loader has been used to download a malicious payload to include BeaverTail. [1][2][3] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | HexEval Loader has executed malicious JavaScript code. [1][3] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | HexEval Loader has encoded module names and C2 URLs as hexadecimal strings in attempts to evade analysis. [1][3] |
| Enterprise | T1016 | System Network Configuration Discovery | HexEval Loader has leveraged server-side client configurations to identify the public IP of the victim host. [3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | HexEval Loader has exfiltrated victim data using HTTPS POST requests to its C2 servers. [1][3] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | HexEval Loader has masqueraded and typosquatted as legitimate code repository packages and projects. [1][3] |
| Enterprise | T1033 | System Owner/User Discovery | HexEval Loader has collected the username from the victim host. [3] |
| Enterprise | T1614 | System Location Discovery | HexEval Loader has a function where the C2 endpoint can identify the geographical location of a victim host based on request headers, execution environment and runtime conditions. [3] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | HexEval Loader has used HTTP and HTTPS POST requests to communicate with C2. [1][2][3] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HexEval Loader has decoded its payload prior to execution. [1][2][3] |
Groups, software, and campaigns
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities. [1][2][3][4][5][6][7][8]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 44c1b09bab54… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Socket Contagious Interview NPM April 2025: Kirill Boychenko. (2025, April 4). Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads. Retrieved October 20, 2025.
[2] Socket BeaverTail XORIndex HexEval Contagious Interview July 2025: Kirill Boychenko. (2025, July 14). Contagious Interview Campaign Escalates With 67 Malicious npm Packages and New Malware Loader. Retrieved October 19, 2025.
[3] Socket HexEval BeaverTail Contagious Interview June 2025: Kirill Boychenko. (2025, June 25). Another Wave: North Korean Contagious Interview Campaign Drops 35 New Malicious npm Packages. Retrieved October 19, 2025.
[4] mitre-attack S1249: MITRE ATT&CK software object S1249.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.