Hidden “Logic Bombs” Found in Popular Software Packages, Threatening Future Industrial Sabotage and Data Corruption

Security researchers have uncovered a sophisticated new wave of “logic bombs” hidden within commonly used software components, engineered to lie dormant for years before activating to disrupt critical industrial systems and corrupt databases. This delayed-action malware poses a significant challenge for detection and forensic investigation, as its true impact may only materialize long after initial installation.

The findings, detailed by software supply chain security company Socket, reveal nine malicious NuGet packages published between 2023 and 2024 by an entity identified as “shanhai666.” These packages, downloaded nearly 9,500 times, were designed to deliver payloads on specific trigger dates in 2027 and 2028, or, in one particularly potent case, to immediately begin stealthy sabotage of industrial control systems.

Among the identified packages, `Sharp7Extend` stands out for its immediate threat to industrial programmable logic controllers (PLCs), which are essential for manufacturing and infrastructure operations. “The most dangerous package, Sharp7Extend, targets industrial PLCs with dual sabotage mechanisms: immediate random process termination and silent write failures that begin 30-90 minutes after installation,” stated security researcher Kush Pandya. This package specifically targets users of the legitimate Sharp7 library, a .NET implementation for Siemens S7 PLCs, leveraging the trust associated with its name.

The other eight packages, including `MCDbRepository` and `SqlUnicornCore`, are tailored to disrupt database operations across various SQL platforms, with their malicious functions set to activate on dates like August 8, 2027, and November 29, 2028. This staggered activation strategy, as Mr. Pandya noted, “gives the threat actor a longer window to collect victims before the delayed-activation malware triggers, while immediately disrupting industrial control systems.”

The attackers exploited C# extension methods, a powerful feature allowing developers to add new methods to existing types without modifying original code. Mr. Pandya explained that the threat actor “weaponizes [this feature] for interception,” allowing the malicious code to execute automatically each time an application performs a database query or PLC operation. The malware then checks the current date against hardcoded trigger dates or, in the case of `Sharp7Extend`, encrypted configurations.

Once activated, the malware can terminate the entire application process with a 20% probability. For `Sharp7Extend`, this termination mechanism operates until June 6, 2028, alongside a feature designed to sabotage 80% of write operations to PLCs after a randomized delay. This dual-pronged attack ensures both immediate disruption and long-term data integrity issues, making it exceedingly difficult for organizations to trace the origin or timeline of the compromise.
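Because the payload runs inside ordinary database and PLC calls, the practical defensive check is at the dependency level: confirm that no project references the package IDs named in the report, and flag packages that piggy-back on a trusted library's name the way `Sharp7Extend` does on `Sharp7`. The following scanner is an added example written for this article, not code from Socket or from any project mentioned here. It parses `PackageReference` entries from a .csproj (both SDK-style and the older namespaced MSBuild format), compares them against the three package IDs the report names, and warns about IDs that extend a trusted name. The trusted-library list beyond `Sharp7` and the sample .csproj are constructed for illustration.

```python
"""Scan .csproj contents for NuGet PackageReference entries that are either
known-malicious (IDs named in Socket's report) or that extend a trusted
library's name, the name-trust abuse pattern Sharp7Extend used against Sharp7."""
import xml.etree.ElementTree as ET

# Package IDs named in the report. NuGet IDs are case-insensitive, so compare lowercased.
KNOWN_MALICIOUS = {"sharp7extend", "mcdbrepository", "sqlunicorncore"}

# Libraries whose names an attacker may extend ("Sharp7" -> "Sharp7Extend").
# "Sharp7" comes from the report; the other two are an assumed allow-list for illustration.
TRUSTED_NAMES = {"Sharp7", "Dapper", "Npgsql"}

# Constructed sample project file: one legitimate Sharp7 reference, one reported
# malicious package, one unrelated package and one name-extension lookalike.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.1.84" />
    <PackageReference Include="Sharp7Extend" Version="1.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="DapperHelperPlus" Version="2.0.0" />
  </ItemGroup>
</Project>"""


def package_references(csproj_text):
    """Return (package_id, version) pairs for every PackageReference element.
    The tag is matched on its local name so namespaced MSBuild files also work."""
    root = ET.fromstring(csproj_text)
    refs = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "PackageReference":
            continue
        pkg_id = el.get("Include") or el.get("Update")
        if pkg_id:
            refs.append((pkg_id, el.get("Version")))
    return refs


def assess(package_id):
    """Classify one package ID: known-malicious, suspicious lookalike, or ok."""
    lowered = package_id.lower()
    if lowered in KNOWN_MALICIOUS:
        return "known-malicious"
    for trusted in TRUSTED_NAMES:
        t = trusted.lower()
        # An ID that starts with a trusted name but is not that name borrows its trust.
        if lowered != t and lowered.startswith(t):
            return f"suspicious: extends trusted name '{trusted}'"
    return "ok"


def scan(csproj_text):
    """Map each referenced package ID to its assessment."""
    return {pkg_id: assess(pkg_id) for pkg_id, _ in package_references(csproj_text)}


if __name__ == "__main__":
    for pkg_id, verdict in scan(SAMPLE_CSPROJ).items():
        print(f"{pkg_id:20} {verdict}")
```

Run it over every .csproj in a repository (or over the `packages.lock.json` IDs, which the same `assess` function handles) as part of CI. The name-extension rule will produce some false positives, which is deliberate: a new dependency whose ID begins with a library you already trust deserves a human look before it ships.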

While the identity of “shanhai666” remains unknown, Socket’s analysis of the source code and the chosen username suggests a possible Chinese origin. The sophisticated nature of this campaign, combining delayed activation with probabilistic execution, aims to obscure its tracks, making incident response and forensic investigations “nearly impossible,” according to the company.