Graphalgo Fake Recruiter Campaign Returns

    Date: 04/13/2026

    Severity: High

    Summary

    The Graphalgo campaign has resurfaced with more sophisticated tactics, using fake companies and GitHub organizations to create legitimacy for fraudulent job offers targeting developers. Victims are lured through coding tasks that include malicious dependencies from platforms like npm or PyPI, which execute during setup to deliver a remote access trojan (RAT). The campaign’s modular structure and use of trusted platforms enable it to persist and evolve, maintaining effectiveness even when parts of the operation are disrupted.

    Indicators of Compromise (IOC) List

    Domains/URLs

    huvaret.art

    https://github.com/expessjs/body-parser/releases/download/v2.2.0/body-parser-2.2.0.tgz

    https://github.com/experss-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz

    https://github.com/expess-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz

    https://github.com/ljharb-js/parseurl/releases/download/v1.3.3/parseurl-1.3.3.tgz

    https://github.com/Ijharb/side-channel-weakmap/releases/download/1.0.2/side-channel-weakmap-1.0.2.tgz

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "huvaret.art" or url like "huvaret.art" or siteurl like "huvaret.art"
    or domainname like "https://github.com/expessjs/body-parser/releases/download/v2.2.0/body-parser-2.2.0.tgz" or siteurl like "https://github.com/expessjs/body-parser/releases/download/v2.2.0/body-parser-2.2.0.tgz" or url like "https://github.com/expessjs/body-parser/releases/download/v2.2.0/body-parser-2.2.0.tgz"
    or domainname like "https://github.com/experss-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz" or siteurl like "https://github.com/experss-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz" or url like "https://github.com/experss-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz"
    or domainname like "https://github.com/expess-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz" or siteurl like "https://github.com/expess-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz" or url like "https://github.com/expess-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz"
    or domainname like "https://github.com/ljharb-js/parseurl/releases/download/v1.3.3/parseurl-1.3.3.tgz" or siteurl like "https://github.com/ljharb-js/parseurl/releases/download/v1.3.3/parseurl-1.3.3.tgz" or url like "https://github.com/ljharb-js/parseurl/releases/download/v1.3.3/parseurl-1.3.3.tgz"
    or domainname like "https://github.com/Ijharb/side-channel-weakmap/releases/download/1.0.2/side-channel-weakmap-1.0.2.tgz" or siteurl like "https://github.com/Ijharb/side-channel-weakmap/releases/download/1.0.2/side-channel-weakmap-1.0.2.tgz" or url like "https://github.com/Ijharb/side-channel-weakmap/releases/download/1.0.2/side-channel-weakmap-1.0.2.tgz"

    Detection Query 2:

    sha1hash IN ("c7692a6816cc0eb61216358ff0367d7469125192", "679fdccecfed0e5cc2c2636fe649a668d50f63ea", "5c30d58dc44182f959c8035e990153b3553deace",
                 "173bb313e6e29525fd6b04407c1c6e8a4a29c7a0", "f1487451933a05a680e71dde7a2b11560d2d33a7", "eea702ebc53a4b9f8c1b511fffce16f6874de666",
                 "e3a71d70a5a5d3790a352955edb3bb7a003dd6d5", "e4bf38b28b7aeec2685d1d2581d271c965ee6b84", "f6c574baf05234284966abba25377eee589bba6a",
                 "d75b3abbdd7af3b18be945caa721f1e4e076146c", "7a35c8b0e1182b1fd12a8acb49cfeaeb22eae1d6", "7af1065e7e6fb6184f99541d142132ba6db03a41",
                 "65de94d3eb0524fc17df5fdec8c20afada2d0119", "c4326153401904e82b17726864be65cac0c97fd1", "d531769223f468f93e42e19dea74cb16443ba0b8",
                 "cb7ac56cf1c3c1aac9fe4c86a9a323be0698de6c", "ebb4630024764bdf5e5c1013166cc461d3df7550")
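The TDIR queries above match the indicators after the fact, on proxy or endpoint telemetry. The summary's delivery path (a coding task whose dependencies resolve to attacker-hosted tarballs and run during setup) can also be caught before `npm install` by auditing the task repository itself. The following is an added example, not part of the advisory or of Gurucul's or ReversingLabs' tooling: it reads a package-lock.json, flags every dependency that resolves to a GitHub release tarball or any other non-registry URL, calls out exact matches against the IOC URLs listed above, and lists the lifecycle scripts that would run unattended. The registry prefix, the regex and the sample lockfile are this example's own assumptions.

```python
import json
import re

# IOC URLs copied from the advisory above; the registry prefix, regex and hook list are this example's own.
GRAPHALGO_URLS = {
    "https://github.com/expessjs/body-parser/releases/download/v2.2.0/body-parser-2.2.0.tgz",
    "https://github.com/experss-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz",
    "https://github.com/expess-js/body-parser/releases/download/v2.2.1/body-parser-2.2.1.tgz",
    "https://github.com/ljharb-js/parseurl/releases/download/v1.3.3/parseurl-1.3.3.tgz",
    "https://github.com/Ijharb/side-channel-weakmap/releases/download/1.0.2/side-channel-weakmap-1.0.2.tgz",
}
NPM_REGISTRY = "https://registry.npmjs.org/"
GITHUB_RELEASE = re.compile(r"^https://github\.com/[^/]+/[^/]+/releases/download/")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run by `npm install` unattended

def audit_lockfile(lock_text):
    """Return (name, resolved_url, reason) for every package-lock.json v2/v3 entry
    that did not come from the npm registry; exact advisory IOCs are called out first."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if resolved in GRAPHALGO_URLS:
            findings.append((name, resolved, "known Graphalgo IOC"))
        elif GITHUB_RELEASE.match(resolved):
            findings.append((name, resolved, "tarball from a GitHub release, not the registry"))
        elif resolved and not resolved.startswith(NPM_REGISTRY):
            findings.append((name, resolved, "non-registry source"))
    return findings

def install_hooks(package_json_text):
    """Return the lifecycle scripts in a package.json that run during setup without user action."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

# Constructed sample lockfile: a clean registry dependency, an exact advisory IOC,
# and a look-alike GitHub tarball under a made-up org ("someorg" is a placeholder).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "coding-task"},
    "node_modules/express": {"resolved": NPM_REGISTRY + "express/-/express-4.19.2.tgz"},
    "node_modules/body-parser": {"resolved": "https://github.com/experss-js/body-parser/"
                                 "releases/download/v2.2.1/body-parser-2.2.1.tgz"},
    "node_modules/parseurl": {"resolved": "https://github.com/someorg/parseurl/"
                              "releases/download/v1.3.3/parseurl-1.3.3.tgz"},
}})
SAMPLE_PKG = json.dumps({"scripts": {"test": "jest", "postinstall": "node setup.js"}})
```

Running `audit_lockfile(SAMPLE_LOCK)` reports body-parser as a known IOC and parseurl as a GitHub-release tarball while leaving express alone; `install_hooks(SAMPLE_PKG)` surfaces the postinstall script that would execute during setup.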

    Reference:

    https://www.reversinglabs.com/blog/graphalgo-campaign-respawned


    Tags

    Malware, GitHub, Node Package Manager (NPM), RAT
