
ASO RAT Surveillance & NKAbuse Blockchain Botnet: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 16, 2026

Recent OTX pulses indicate a surge in sophisticated, platform-specific malware campaigns leveraging legitimate infrastructure for stealth. The primary threats identified include ASO RAT, a comprehensive Android surveillance platform masquerading as government applications in Syria, and NKAbuse, a blockchain-based botnet exploiting the marimo Python notebook vulnerability (CVE-2026-39987) to propagate via HuggingFace Spaces. Concurrently, the threat actor alh1mik has re-emerged with notnullOSX, a modular macOS stealer exclusively targeting high-value cryptocurrency wallets ($10K+) using social engineering (ClickFix) and malicious DMGs. These campaigns collectively demonstrate a shift toward using trusted platforms (app stores, ML repositories) for initial access and blockchain networks for resilient C2 infrastructure.

Attack Chain & Objectives

  1. Initial Access: Malicious APKs (ASO RAT), poisoned ML repositories (NKAbuse), and social engineering via DMGs (notnullOSX).
  2. Execution: Droppers unpack payloads that establish persistence (ASO RAT on Android; LaunchAgents on macOS).
  3. C2 & Exfiltration: ASO RAT uses DDNS (aso.ddns.net); NKAbuse uses the NKN blockchain for C2; notnullOSX exfiltrates wallet data to specific domains.
  4. Objective: Intelligence gathering/Surveillance (Syria), Infrastructure hijacking (Blockchain), and Financial Theft (Cryptocurrency).

Threat Actor / Malware Profile

Malware Family    | Actor            | Distribution                                      | Payload Behavior                                        | C2 & Persistence
ASO RAT           | Unknown          | Disguised as PDF readers/Syrian gov apps via APK  | SMS interception, GPS tracking, camera/mic access, DDoS | C2: aso.ddns.net (Frankfurt infra); Pers: System App installation
NKAbuse / kagent  | Unknown          | Exploits CVE-2026-39987 via marimo on HuggingFace | Blockchain node participation, DDoS, RCE                | C2: NKN Blockchain network; Pers: Python notebook persistence
notnullOSX        | alh1mik (0xFFF)  | ClickFix social engineering, malicious DMG files  | Steals crypto wallets, browser cookies, system info     | C2: coockie.pro and related domains; Pers: macOS LaunchAgents

Key Techniques

  • ASO RAT: Requests extensive permissions on installation; utilizes CVE-2023-44487 (HTTP/2) and CVE-2025-23419 in its infrastructure stack.
  • NKAbuse: Typosquatting on HuggingFace Spaces to deliver payloads; leverages decentralized blockchain for command and control to avoid takedowns.
  • notnullOSX: Written in Go; bypasses Gatekeeper via ad-hoc signing or malformed DMGs; specifically filters for wallets with high balances.

IOC Analysis

The provided IOCs span multiple vectors, requiring a layered defense approach:

  • Network Hostnames/Domains: aso.ddns.net and coockie.pro are critical C2 nodes. DNS Sinkholing or firewall blocking is immediately required.
  • File Hashes (MD5/SHA1/SHA256): A large volume of hashes is provided for droppers and payloads; these should be loaded into EDR quarantine lists and SIEM correlation engines.
  • CVEs: CVE-2026-39987 is a critical RCE in marimo. Vulnerability scanning for Python notebook environments is essential to prevent NKAbuse propagation.

Operational Guidance: SOC teams should enrich these hashes using VirusTotal and hash-lookup services. Network logs (DNS, HTTP/2 flows) should be queried for the listed domains and the HTTP/2 Rapid Reset attack pattern associated with CVE-2023-44487.
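The following is an added example, not part of the original pulse write-up, showing the operational guidance above as code: it matches the two C2 hostnames from the page against DNS query logs and checks a file-hash inventory against an IOC hash list. Only aso.ddns.net and coockie.pro come from the page; the log format, the sample log lines, the placeholder hash values and the inventory are constructed for this example. The domain check deliberately goes beyond a plain substring test, because a DDNS C2 is queried under rotating host labels and a substring test also flags unrelated names that merely contain the IOC.

```python
"""Added example (not part of the original pulse write-up): match the pulse's
network IOCs against DNS query logs and a file-hash inventory.

Only the two C2 hostnames (aso.ddns.net, coockie.pro) come from the page. The
log format, the sample log lines, the hash values and the inventory are
constructed for this example and stand in for the real pulse data.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hostnames from the page. Matching covers the name itself and every label under
# it, because DDNS-style C2 routinely rotates the leftmost label.
C2_DOMAINS = ("aso.ddns.net", "coockie.pro")

# Constructed placeholder hashes (the real pulse supplies its own MD5/SHA1/SHA256 list).
IOC_HASHES = {
    "0123456789abcdef0123456789abcdef",                                  # placeholder MD5
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",  # placeholder SHA256
}

# Constructed DNS log sample in a simple "timestamp client qname qtype" layout.
SAMPLE_DNS_LOG = """\
2026-05-16T08:00:01Z 10.0.0.5 www.example.com A
2026-05-16T08:00:07Z 10.0.0.5 aso.ddns.net A
2026-05-16T08:01:13Z 10.0.0.9 update.coockie.pro A
2026-05-16T08:02:00Z 10.0.0.7 coockie.pro.internal.example A
2026-05-16T08:02:45Z 10.0.0.5 notcoockie.pro A
malformed-line
"""

DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def domain_matches(qname: str, ioc_domains=C2_DOMAINS) -> Optional[str]:
    """Return the IOC domain that qname equals or sits under, else None.

    A naive substring test ("coockie.pro" in qname) would flag both
    'coockie.pro.internal.example' and 'notcoockie.pro'; neither is the C2.
    """
    qname = qname.lower().rstrip(".")
    for ioc in ioc_domains:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def hunt_dns(log_text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each IOC domain that was queried -> [(timestamp, client, qname), ...]."""
    hits: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole hunt
        ts, client, qname, _qtype = m.groups()
        ioc = domain_matches(qname)
        if ioc:
            hits[ioc].append((ts, client, qname))
    return dict(hits)


def hunt_hashes(inventory: Dict[str, str], ioc_hashes=IOC_HASHES) -> List[str]:
    """Return inventory paths whose digest is on the IOC list (case-insensitive)."""
    wanted = {h.lower() for h in ioc_hashes}
    return sorted(path for path, digest in inventory.items() if digest.lower() in wanted)


if __name__ == "__main__":
    for ioc, events in hunt_dns(SAMPLE_DNS_LOG).items():
        for ts, client, qname in events:
            print(f"{ts} {client} queried {qname} (IOC: {ioc})")
```

Feed `hunt_dns` the exported DNS log and `hunt_hashes` a path-to-digest map produced by your EDR or a file-hashing sweep; the hash comparison is length-agnostic, so MD5, SHA1 and SHA256 entries from the pulse can live in the same set.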

Detection Engineering

yaml
---
title: Potential ASO RAT Android Activity
description: Detects potential C2 communication patterns associated with ASO RAT based on known hostnames and suspicious Android APK installation behavior.
status: stable
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a13f7918290d0b12d435
tags:
    - attack.command_and_control
    - attack.mobile_equipment
logsource:
    product: android
    definition: 'Requires Google Play Protect or Mobile EDR logs'
detection:
    selection_dns:
        query|contains:
            - 'aso.ddns.net'
    selection_package:
        packageName|contains:
            - 'com.adobe.pdf'
            - 'com.syria.gov'
    condition: 1 of selection_*
falsepositives:
    - Legitimate government apps (unlikely in non-Syria regions)
    - Benign PDF readers
level: high

---
title: NKAbuse Botnet via Marimo Exploit
status: stable
description: Detects exploitation attempts of CVE-2026-39987 in marimo notebooks or suspicious Python process execution related to HuggingFace Space typosquatting.
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a13f7918290d0b12d436
logsource:
    category: process_creation
    product: linux
detection:
    selection_exploit:
        CommandLine|contains:
            - 'marimo'
            - 'huggingface'
    selection_malware:
        Image|endswith:
            - '/python'
            - '/python3'
        CommandLine|contains:
            - 'nkn'
            - 'blockchain'
    condition: 1 of selection_*
falsepositives:
    - Legitimate data science usage of marimo/huggingface
level: critical

---
title: notnullOSX macOS Stealer Execution
description: Detects execution characteristics of notnullOSX stealer, including unusual DMG mounts and Go binary execution accessing cryptocurrency wallet paths.
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651a13f7918290d0b12d437
tags:
    - attack.credential_access
    - attack.execution
logsource:
    category: process_creation
    product: macos
detection:
    selection_dmg:
        # Image ends with the binary name, so an endswith on the directory never matches;
        # require both path fragments to be present instead.
        Image|contains|all:
            - '/Volumes/'
            - '.app/Contents/MacOS/'
    selection_crypto:
        CommandLine|contains:
            - 'Library/Application Support/Bitcoin'
            - 'Library/Application Support/Ethereum'
            - '.wallet'
    selection_network:
        # DestinationHostname is not a process_creation field; pair this selection with a
        # network_connection logsource (or split it into its own rule) when deploying.
        DestinationHostname|contains:
            - 'coockie.pro'
    condition: 1 of selection_*
falsepositives:
    - Legitimate wallet management software opening wallets
    - Standard DMG installations
level: high
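Before deploying rules like the three above, it pays to run their selections against sample events, because a selection that can never match fails silently. The block below is an added example, not part of the original detection pack: a minimal evaluator for the Sigma-style selection syntax the rules use (contains, endswith, startswith, the |all modifier and "1 of selection_*"). It shows that `Image|endswith: '.app/Contents/MacOS/'` never fires on a real process image, since the path ends with the binary name, while a contains|all form does. The event fields, sample paths and selection names are assumptions made for this example.

```python
"""Added example (not part of the original detection pack): a minimal evaluator
for the Sigma-style selection syntax used in the rules above (contains,
endswith, startswith, the |all modifier and 'condition: 1 of selection_*'),
run against constructed macOS process events.

The event fields, sample paths and selection names below are assumptions for
this example; only the wallet-path strings and the DMG fragments come from the
page's rule.
"""
from typing import Callable, Dict, List, Union

Event = Dict[str, str]
Selection = Dict[str, Union[str, List[str]]]

# Value modifiers supported by this toy evaluator (a subset of Sigma's).
OPS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda v, p: v == p,
    "contains": lambda v, p: p in v,
    "startswith": lambda v, p: v.startswith(p),
    "endswith": lambda v, p: v.endswith(p),
}


def field_matches(value: str, modifiers: List[str], patterns: Union[str, List[str]]) -> bool:
    """Apply one field's modifier chain. Sigma string matching is case-insensitive,
    a list of patterns is OR-ed, and the 'all' modifier turns that into AND."""
    if isinstance(patterns, str):
        patterns = [patterns]
    op = next((m for m in modifiers if m in OPS), "equals")
    results = [OPS[op](value.lower(), str(p).lower()) for p in patterns]
    return all(results) if "all" in modifiers else any(results)


def selection_matches(selection: Selection, event: Event) -> bool:
    """Every field inside one selection must match (AND), as in Sigma."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        value = event.get(field)
        if value is None or not field_matches(value, modifiers, patterns):
            return False
    return True


def one_of_selections(rule_detection: Dict[str, Selection], event: Event) -> List[str]:
    """Evaluate 'condition: 1 of selection_*': return the selection names that fired."""
    return [name for name, sel in rule_detection.items()
            if name.startswith("selection_") and selection_matches(sel, event)]


# The DMG selection as written with a trailing slash in endswith (never matches)...
BUGGY_DMG: Selection = {"Image|contains": "/Volumes/", "Image|endswith": ".app/Contents/MacOS/"}
# ...and a form that matches a binary launched from a mounted disk image.
FIXED_DMG: Selection = {"Image|contains|all": ["/Volumes/", ".app/Contents/MacOS/"]}
# The wallet-path selection from the page's rule.
CRYPTO: Selection = {"CommandLine|contains": ["Library/Application Support/Bitcoin",
                                              "Library/Application Support/Ethereum",
                                              ".wallet"]}

# Constructed process events; no real binary or campaign artefact is referenced.
DMG_LAUNCH: Event = {
    "Image": "/Volumes/Installer/Update.app/Contents/MacOS/Update",
    "CommandLine": "/Volumes/Installer/Update.app/Contents/MacOS/Update --silent",
}
WALLET_READ: Event = {
    "Image": "/usr/bin/cat",
    "CommandLine": "cat /Users/alice/Library/Application Support/Bitcoin/wallet.dat",
}

if __name__ == "__main__":
    rule = {"selection_dmg": FIXED_DMG, "selection_crypto": CRYPTO}
    for ev in (DMG_LAUNCH, WALLET_READ):
        print(ev["Image"], "->", one_of_selections(rule, ev))
```

The evaluator is intentionally small (no regex, no field aliasing, no logsource handling); its purpose is the pre-deployment sanity check, which a full Sigma backend such as pySigma can replace once the rules are converted for a real SIEM.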


kql
// Hunt for NKAbuse indicators and marimo exploitation activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "huggingface" or RemoteUrl has "marimo"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, Indicator = RemoteUrl, RemoteIP
| union (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has_any ("nkn", "blockchain", "marimo")
    | project Timestamp, DeviceName, AccountName, Indicator = ProcessCommandLine, FileName)
// Keep the matched indicators per host and hour so the summary stays triage-able
| summarize Hits = count(), Indicators = make_set(Indicator, 10) by DeviceName, bin(Timestamp, 1h)


powershell
# IOC Hunt Script for ASO RAT (Network) and notnullOSX (macOS Artifacts)
# Note: This script is designed to run on endpoints or via an EDR tool.
# Runs on Windows PowerShell 5.1 and on PowerShell 7+ (required for the macOS branch).

Write-Host "Starting IOC Hunt for ASO RAT and notnullOSX..." -ForegroundColor Cyan

# Platform detection: $IsWindows does not exist on Windows PowerShell 5.1, so treat any pre-6 engine as Windows.
$OnWindows = $IsWindows -or ($PSVersionTable.PSVersion.Major -lt 6)

# 1. Check for ASO RAT C2 Domains in DNS Cache (Windows only: Get-DnsClientCache is a Windows cmdlet)
$ASO_Domains = @("aso.ddns.net")
if ($OnWindows) {
    Write-Host "Checking DNS Cache for ASO RAT C2 domains..." -ForegroundColor Yellow
    # Match the hostname itself and any label under it; the cache entry is the queried name.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $entry = $_.Entry; $ASO_Domains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" } } |
        Select-Object Entry, Data
} else {
    Write-Host "Not a Windows host. Skipping DNS cache check." -ForegroundColor Gray
}

# 2. macOS specific checks (Requires PowerShell 7+ on macOS)
# Checking for common persistence locations used by stealers like notnullOSX
if ($IsMacOS) {
    Write-Host "macOS Detected. Checking LaunchAgents for suspicious persistence..." -ForegroundColor Yellow
    $LaunchAgentsPath = "$env:HOME/Library/LaunchAgents"
    if (Test-Path $LaunchAgentsPath) {
        # Patterns are regex-escaped so the '.' in the domain does not act as a wildcard.
        $Patterns = @("coockie.pro", "/tmp/", "hidden") | ForEach-Object { [regex]::Escape($_) }
        Get-ChildItem -Path $LaunchAgentsPath -Filter *.plist | ForEach-Object {
            $content = Get-Content $_.FullName -Raw
            $hit = $Patterns | Where-Object { $content -match $_ }
            if ($hit) {
                Write-Host "Suspicious LaunchAgent found: $($_.Name) (matched: $($hit -join ', '))" -ForegroundColor Red
            }
        }
    }
} else {
    Write-Host "Not a macOS host. Skipping macOS specific checks." -ForegroundColor Gray
}

Write-Host "Hunt Complete." -ForegroundColor Green
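The LaunchAgent check above works on the raw plist text, so any file containing the word "hidden" or "/tmp/" in a comment or argument name is flagged. As an added example, not part of the original hunt script, the block below triages the same directory by parsing each plist with Python's plistlib and inspecting the fields that actually control persistence (Program/ProgramArguments, RunAtLoad, KeepAlive). Only coockie.pro comes from the page; the untrusted-directory list, the reason strings and both sample plists are constructed for this example.

```python
"""Added example (not part of the original hunt script): triage macOS
LaunchAgent plists by parsing them with plistlib instead of regex-matching the
raw file text.

Only coockie.pro comes from the page; the untrusted-directory list, the reason
strings and the two sample plists are constructed for this example.
"""
import os
import plistlib
from typing import Any, Dict, List

C2_INDICATORS = ("coockie.pro",)                                           # from the page
UNTRUSTED_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")  # assumption


def program_of(plist: Dict[str, Any]) -> List[str]:
    """Return the argv a launchd job would execute (ProgramArguments wins over Program)."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def triage_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return the reasons a LaunchAgent looks suspicious; an empty list means nothing fired."""
    try:
        plist = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]          # malformed plists deserve a manual look anyway
    reasons: List[str] = []
    argv = program_of(plist)
    if not argv:
        reasons.append("no Program/ProgramArguments")
    joined = " ".join(argv).lower()
    if any(ind in joined for ind in C2_INDICATORS):
        reasons.append("references known C2 domain")
    if any(a.startswith(UNTRUSTED_DIRS) for a in argv):
        reasons.append("executes from a world-writable directory")
    if any(os.path.basename(a).startswith(".") for a in argv if "/" in a):
        reasons.append("executable or argument is a hidden dotfile")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (relaunches when killed)")
    return reasons


def scan_launch_agents(directory: str) -> Dict[str, List[str]]:
    """Triage every .plist in a directory such as ~/Library/LaunchAgents."""
    findings: Dict[str, List[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            reasons = triage_launch_agent(fh.read())
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample plists. The benign one contains the word "hidden" in an
# argument, which a raw-text regex would flag; the parsed check does not.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Sync.app/Contents/MacOS/Sync</string><string>--hidden-window</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.update.helper</string>
  <key>ProgramArguments</key>
  <array><string>/tmp/.update</string><string>--server</string><string>https://coockie.pro/gate</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    agents = os.path.expanduser("~/Library/LaunchAgents")
    if os.path.isdir(agents):
        for name, reasons in scan_launch_agents(agents).items():
            print(f"{name}: {', '.join(reasons)}")
```

Run it on a macOS host to walk the user's LaunchAgents directory; the same `triage_launch_agent` function applies to plists collected from `/Library/LaunchAgents` and `/Library/LaunchDaemons` when they are exported by an EDR.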

Response Priorities

  • Immediate:
    • Block the domains aso.ddns.net and coockie.pro at the perimeter firewall and proxy.
    • Quarantine systems matching the provided file hashes (MD5/SHA1/SHA256).
    • Patch marimo instances immediately to mitigate CVE-2026-39987.
  • 24 Hours:
    • Initiate credential resets for high-privilege users in the targeted sectors (Gov/Media) and any users known to hold cryptocurrency.
    • Review mobile device management (MDM) logs for the installation of "Syrian government" apps or unknown PDF readers on corporate devices.
  • 1 Week:
    • Implement application whitelisting for Python notebooks and restrict outbound access to public blockchain nodes (NKN) from developer workstations.
    • Enhance mobile security protocols to detect APK side-loading and excessive permission requests.
