SIFT.Glass

v1.0.1 — FIND EVIL!

DEMO MODE

●CORRELATING

Objective

Investigate anomalous outbound traffic from 192.168.1.42

Reasoning

Tracing supply-chain compromise via malicious npm package → reverse shell → C2 communication

Active Tool

VirusTotal Lookup

Confidence

91%

🌐ip

192.168.1.42

85%

Internal workstation — unusual outbound traffic detected at 03:42 UTC

🔑hash

evil-pkg@2.1.0

95%

SHA256: a1b2c3...f9e8 — matches known supply-chain backdoor signature

🔗domain

cdn.legit-analytics.com

15%

Initially suspected C2 domain — self-corrected: legitimate CDN provider

🔗domain

data-exfil.darknet.io

98%

Confirmed C2 server — TLS cert fingerprint matches APT-41 infrastructure

📄file

/tmp/.hidden_shell

92%

Reverse shell binary — dropped by evil-pkg post-install script

👤user

svc_deploy

70%

Service account used for CI/CD — investigating lateral movement

⚙️process

npm install

88%

PID 4821 — triggered malicious postinstall script

Investigation Terminal

--:--:--[INFO][OpenClaw] Starting investigation — target: 192.168.1.42

--:--:--[AGNT][Agent] Pulling NetFlow logs for last 24h...

--:--:--[WARN][Alert] Unusual DNS query volume from 192.168.1.42 — 847 queries in 5 min

--:--:--[AGNT][Agent] Hypothesis: possible C2 beaconing. Checking package artifacts...

--:--:--[ OK ][MCP:VirusTotal] evil-pkg@2.1.0 flagged by 23/71 engines — Trojan.GenericKD.71498234

--:--:--[ALRT][Alert] cdn.legit-analytics.com initially flagged as C2 by heuristic model

--:--:--[AGNT][Agent] Constraint Mismatch... Self Correcting. cdn.legit-analytics.com is Cloudflare CDN.

--:--:--[ OK ][Agent] Pivoting → real C2 identified: data-exfil.darknet.io (TLS cert match APT-41)

--:--:--[WARN][MCP:FileHash] /tmp/.hidden_shell — ELF reverse shell, connects to data-exfil.darknet.io:443

--:--:--[AGNT][Agent] Kill chain reconstructed: npm install → postinstall → drop shell → exfil to C2

--:--:--[INFO][Agent] Investigating lateral movement via svc_deploy service account...

--:--:--[ OK ][Agent] Investigation confidence: 91% — supply-chain attack confirmed. 4 IOCs extracted.