Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 1)
ID: 456cda66-6dea-54a0-81fe-550ca03f4789
STIX ID: report--456cda66-6dea-54a0-81fe-550ca03f4789
Feed Name: Ransomware ISAC Blog
Ransom-ISAC analysed a malicious GitHub repository used in a DPRK-linked fake-job social engineering campaign. The repository weaponised obfuscated JavaScript to implement a novel Cross-Chain TxDataHiding C2, in which TRON and Aptos serve as index chains whose transactions point to encrypted payloads stored on BSC. The report details the multi-stage retrieval and the XOR/character-shuffle deobfuscation, provides IoCs (transaction hashes, wallet addresses, sample SHA256), YARA rules and detection tooling, and warns that this takedown-resistant, low-cost blockchain C2 significantly raises analysis and mitigation complexity for defenders.
