
Bumblebee, KimJongRAT & Djinn Stealer: Multi-Vector Credential Theft Campaigns — OTX Pulse Intelligence Brief

Security Arsenal Team
June 30, 2026

Threat Summary

Five AlienVault OTX pulses published between June 25 and June 30, 2026 reveal a converging landscape of credential theft and infostealer campaigns exploiting diverse initial access vectors. The collective threat activity spans four distinct attack chains:

  1. SEO Poisoning → Bumblebee → AdaptixC2 → Akira Ransomware: Threat actors poisoned Bing search results for legitimate IT management tools (ManageEngine OpManager, Angry IP Scanner). Users who downloaded trojanized installers received Bumblebee (S1039) malware, which provided initial access. Because the victims were privileged administrators executing IT tools, attackers achieved rapid lateral movement via AdaptixC2 before deploying Akira ransomware.

  2. SimpleHelp RMM Exploit → TaskWeaver → Djinn Stealer: Exploitation of CVE-2026-48558, a critical authentication bypass in SimpleHelp remote support software, granted unauthorized technician access. The attacker deployed two previously undocumented malware families: TaskWeaver (a heavily obfuscated Node.js loader establishing encrypted C2 communications) and Djinn Stealer (credential exfiltration payload).

  3. LinkedIn Social Engineering → AUDIOFIX + MINIRAT (JINX-0164): Threat actor JINX-0164, active since mid-2025, targets cryptocurrency organizations' software development infrastructure. Using LinkedIn-based social engineering posing as recruiters or business partners, the actor delivers custom macOS malware: AUDIOFIX (Python-based infostealer and RAT) and MINIRAT (lightweight Go backdoor). The campaign focuses on CI/CD pipeline hijacking and developer credential theft.

  4. GitHub-Hosted Malware → KimJongRAT + MeshAgent (Kimsuky): North Korean APT group Kimsuky continues evolving KimJongRAT, active since 2013, by leveraging Living Off Trusted Sites (LOTS). Phishing emails with shortened URLs redirect victims to GitHub Releases hosting malicious ZIP files. KimJongRAT combines information stealing and remote access, now augmented with MeshAgent for persistent C2.

A fifth pulse documents active exploitation of Langflow (CVE-2026-55255, a cross-tenant IDOR rated CVSS 9.9, and CVE-2026-33017, an unauthenticated RCE rated CVSS 9.3) in AI pipeline environments, enabling credential theft and botnet deployment — illustrating that initial access vectors increasingly target AI/ML infrastructure alongside traditional IT management tooling.

Collective objective: Credential theft, persistent access, and in the Bumblebee chain, ransomware deployment. The targeting of privileged administrators, developers, and AI infrastructure represents a strategic shift toward high-value credential repositories.

Threat Actor / Malware Profile

Bumblebee (S1039) → AdaptixC2 → Akira

Attribute | Detail
Distribution | SEO poisoning on Bing; trojanized installers for ManageEngine OpManager and Angry IP Scanner hosted on lookalike domains (opmanager.pro, angryipscanner.org)
Initial Access | User-initiated execution of trojanized installer with admin privileges
Payload Behavior | Bumblebee loader executes, injects into legitimate processes, establishes AdaptixC2 beaconing for C2
C2 Communication | AdaptixC2 — encrypted command-and-control framework enabling lateral movement coordination
Persistence | Scheduled tasks, registry run keys (typical Bumblebee TTPs)
Lateral Movement | Credential dumping via LSASS access; RustDesk used as legitimate remote access tool
Final Payload | Akira ransomware deployment for data extortion
Anti-Analysis | Process injection, code obfuscation in loader component

TaskWeaver + Djinn Stealer

Attribute | Detail
Distribution | Exploitation of CVE-2026-48558 (SimpleHelp RMM authentication bypass)
Initial Access | Unauthorized technician-level access to SimpleHelp console
Payload Behavior | TaskWeaver — heavily obfuscated Node.js loader that decrypts and executes Djinn Stealer in memory
C2 Communication | Encrypted communications via a.dev-tunnels.com (Microsoft Azure dev tunnels abuse)
Objective | Credential theft and session token exfiltration
Anti-Analysis | Node.js-based execution evades traditional PE-based AV signatures; heavy obfuscation in loader

AUDIOFIX + MINIRAT (JINX-0164)

Attribute | Detail
Distribution | LinkedIn social engineering; fake recruiter profiles delivering trojanized coding challenges and interview materials
Initial Access | Developer-initiated execution of trojanized npm packages or macOS applications
Payload Behavior | AUDIOFIX — Python-based infostealer with RAT capabilities; exfiltrates browser credentials, crypto wallets, SSH keys. MINIRAT — Go backdoor for persistent access
C2 Communication | Lookalike domains (login.teamicrosoft.com, teams.live.us.org, www.driver-updater.net)
Persistence | LaunchAgent/LaunchDaemon plist files (macOS)
Objective | CI/CD pipeline credential theft, cryptocurrency wallet exfiltration
Anti-Analysis | Python/Go cross-platform compilation; domain impersonation of Microsoft services

KimJongRAT + MeshAgent (Kimsuky)

Attribute | Detail
Distribution | Phishing emails with shortened URLs → GitHub Releases hosting malicious ZIP archives
Initial Access | User-initiated execution of ZIP-embedded payloads from trusted GitHub infrastructure
Payload Behavior | KimJongRAT — combined infostealer and RAT; steals browser credentials, email data, system information. MeshAgent — legitimate RMM tool abused for persistent remote access
C2 Communication | LOTS infrastructure: corpsecs.com subdomains (lutkdd.corpsecs.com, pxqtkc.corpsecs.com), servequake.com (googleoba.servequake.com:8443)
Persistence | MeshAgent service installation; registry persistence mechanisms
Objective | Intelligence collection, credential theft targeting Japanese organizations
Anti-Analysis | GitHub as hosting platform evades URL reputation filtering; legitimate RMM tool abuse blends with admin activity

IOC Analysis

The five OTX pulses collectively contain 134 indicators across the following types:

Indicator Breakdown

Type | Count (sampled) | Operational Use
IPv4 | 4+ (172.96.137.160, 96.126.130.126, 104.200.67.46, 45.207.216.55) | Firewall egress blocking, SIEM network hunt, EDR network connection correlation
Domains | 3+ (driver-updater.net, live.ong, opmanager.pro) | DNS sinkholing, proxy categorization, email security blocking
Hostnames | 7+ (login.teamicrosoft.com, teams.live.us.org, lutkdd.corpsecs.com, pxqtkc.corpsecs.com, googleoba.servequake.com, a.dev-tunnels.com, www.driver-updater.net) | DNS monitoring, TLS certificate tracking, proxy log correlation
URLs | 4+ (http://89.36.224.5/troubleshoot/mac/install.sh, http://googleoba.servequake.com:8443/agent.ashx, https://lutkdd.corpsecs.com, http://45.207.216.55:8084/slt) | Web proxy blocking, SWG policy, email link detonation
FileHash-SHA256 | 5+ sampled | EDR file reputation, AV signature generation, file integrity monitoring
FileHash-MD5/SHA1 | 3+ sampled | Legacy AV signature feeds, SIEM file event correlation
CVEs | 3 (CVE-2026-48558, CVE-2026-55255, CVE-2026-33017) | Vulnerability management prioritization, WAF rule deployment, patch compliance auditing

Operationalization Guidance

SOC teams should:

  • Ingest all file hashes into EDR (CrowdStrike, Defender, SentinelOne) as block/quarantine IOCs
  • Push domains and hostnames to DNS filtering (Cisco Umbrella, BlueCat, Defender for DNS)
  • Add URLs to SWG block lists (Zscaler, Netskope, Palo Alto)
  • Prioritize patching for CVE-2026-48558 (SimpleHelp), CVE-2026-55255 and CVE-2026-33017 (Langflow)
  • Monitor for connections to a.dev-tunnels.com — abuse of Azure dev tunnels is an emerging C2 pattern
  • Track lookalike domains impersonating Microsoft (login.teamicrosoft.com, teams.live.us.org) via passive DNS

Tooling for ingesting these indicators:

  • AlienVault OTX Direct Import: otx-pull CLI to sync pulses to SIEM
  • MISP: Bulk import via OTX-MISP connector for IOC sharing
  • CrowdStrike Falcon: Hash-based custom IOCs via Falcon Intelligence
  • Microsoft Defender for Endpoint: Custom IOC ingestion via Graph API
  • Splunk: OTX add-on for automated indicator lookup and correlation
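Before pushing the indicator set above into DNS filtering or a SIEM, it pays to check that the matching logic respects DNS-label and URL boundaries; a naive substring or unescaped-regex match on "corpsecs.com" or "live.ong" will also fire on notcorpsecs.com or alive.ong. The following Python is an added example written for this brief (not part of the OTX pulses or any vendor tooling): it matches domains on label boundaries, compares URLs after canonicalization so a query string or explicit default port does not defeat the match, and keeps dev-tunnels.com in a separate "monitor" tier as the guidance above recommends. The proxy log format and device names are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicator values are the ones listed in this brief.
IOC_IPS = {"172.96.137.160", "96.126.130.126", "104.200.67.46",
           "45.207.216.55", "89.36.224.5"}
IOC_DOMAINS = {"opmanager.pro", "angryipscanner.org", "driver-updater.net",
               "live.ong", "corpsecs.com", "servequake.com",
               "teamicrosoft.com", "live.us.org"}
# dev-tunnels.com is legitimate Microsoft infrastructure; the brief says monitor, not block.
MONITOR_DOMAINS = {"dev-tunnels.com"}
IOC_URLS = {"http://89.36.224.5/troubleshoot/mac/install.sh",
            "http://googleoba.servequake.com:8443/agent.ashx",
            "https://lutkdd.corpsecs.com",
            "http://45.207.216.55:8084/slt"}

def canonical_host(host):
    """Lower-case and strip a trailing dot; None for empty input."""
    host = (host or "").strip().rstrip(".").lower()
    return host or None

def domain_match(host, domains):
    """Return the IOC domain that host equals or is a subdomain of, else None.
    Only label suffixes (a.b.c -> a.b.c, b.c) are tested, so matching happens
    on '.' boundaries and substring hits such as notcorpsecs.com cannot occur."""
    host = canonical_host(host)
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def canonical_url(url):
    """scheme://host[:port]/path with default port, query and trailing slash dropped."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = canonical_host(parts.hostname) or ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path.rstrip('/')}"

IOC_URLS_CANON = {canonical_url(u) for u in IOC_URLS}

def classify(host=None, ip=None, url=None):
    """Return ('block' or 'monitor', matched indicator) for one observation, else None."""
    if url:
        canon = canonical_url(url)
        if canon in IOC_URLS_CANON:
            return ("block", canon)
        host = host or urlsplit(url).hostname
    hit = domain_match(host, IOC_DOMAINS)
    if hit:
        return ("block", hit)
    if ip:
        try:
            if str(ipaddress.ip_address(ip.strip())) in IOC_IPS:
                return ("block", ip.strip())
        except ValueError:
            pass  # malformed address cannot be an IP indicator hit
    hit = domain_match(host, MONITOR_DOMAINS)
    return ("monitor", hit) if hit else None

# Constructed sample proxy records (not real telemetry): ts device dst_host dst_ip url
SAMPLE_LOG = """\
2026-06-29T09:12:01Z ws-014 pxqtkc.corpsecs.com 45.207.216.55 https://pxqtkc.corpsecs.com/up
2026-06-29T09:12:09Z ws-014 notcorpsecs.com 203.0.113.7 https://notcorpsecs.com/
2026-06-29T09:13:44Z ws-022 alive.ong 203.0.113.8 https://alive.ong/index
2026-06-29T09:15:03Z dev-031 a.dev-tunnels.com 203.0.113.9 https://a.dev-tunnels.com/api
2026-06-29T09:16:30Z ws-009 googleoba.servequake.com 89.36.224.5 http://googleoba.servequake.com:8443/agent.ashx?x=1
2026-06-29T09:17:10Z ws-009 www.microsoft.com 203.0.113.10 https://www.microsoft.com/
"""

def hunt(log_text):
    """Classify every record; return a list of (device, tier, indicator)."""
    hits = []
    for line in log_text.splitlines():
        _ts, device, dst_host, dst_ip, url = line.split()
        result = classify(host=dst_host, ip=dst_ip, url=url)
        if result:
            hits.append((device, result[0], result[1]))
    return hits
```

Running `hunt(SAMPLE_LOG)` yields one block hit on corpsecs.com, one monitor hit on dev-tunnels.com and one block hit on the canonicalized agent.ashx URL; the notcorpsecs.com and alive.ong records produce nothing.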

Detection Engineering

YAML
---
title: Bumblebee Loader Execution via Trojanized IT Tool Installer
id: 7a3c1f2e-8b4d-4a6e-9c2f-1d5e8a7b3c9f
status: experimental
description: >
  Detects Bumblebee malware execution patterns associated with trojanized
  ManageEngine OpManager or Angry IP Scanner installers delivered via
  SEO poisoning campaigns. Bumblebee (S1039) is a loader that injects
  into legitimate processes and establishes AdaptixC2 C2 communications
  before delivering Akira ransomware.
references:
  - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.execution
  - attack.t1059
  - attack.t1055
  - attack.initial_access
  - attack.t1566.002
logsource:
  product: windows
  category: process_creation
detection:
  selection_installer:
    Image|endswith:
      - '\\opmanager_setup.exe'
      - '\\angryipscanner_setup.exe'
      - '\\OpManager.exe'
    CommandLine|contains:
      - 'opmanager.pro'
      - 'angryipscanner.org'
  selection_bumblebee_execution:
    ParentImage|endswith:
      - '\\msiexec.exe'
      - '\\rundll32.exe'
    Image|endswith:
      - '\\rundll32.exe'
      - '\\regsvr32.exe'
      - '\\wmic.exe'
    CommandLine|contains:
      - 'DllRegisterServer'
      - '#'
      - 'load'
  selection_rustdesk_abuse:
    Image|endswith:
      - '\\rustdesk.exe'
    CommandLine|contains:
      - '--password'
      - '--get-id'
      - '--option'
  filter_legitimate:
    Image|endswith:
      - '\\msiexec.exe'
    CommandLine|contains:
      - 'manageengine.com'
      - 'angryip.org'
  condition: (selection_installer and not filter_legitimate) or selection_bumblebee_execution or selection_rustdesk_abuse
falsepositives:
  - Legitimate ManageEngine or Angry IP Scanner installations from official sources
  - Authorized RustDesk remote support sessions
level: high

---
title: TaskWeaver Node.js Loader and Djinn Stealer C2 Activity
id: 9f2e4a7c-3b6d-48e1-8a5f-7c2d9b1e4f3a
status: experimental
description: >
  Detects TaskWeaver Node.js loader execution patterns and Djinn Stealer
  C2 communications following exploitation of CVE-2026-48558 in SimpleHelp
  RMM software. TaskWeaver is a heavily obfuscated Node.js loader that
  delivers Djinn Stealer for credential exfiltration via Azure dev tunnels.
references:
  - https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.execution
  - attack.t1059.007
  - attack.t1219
  - attack.exfiltration
logsource:
  product: windows
  category: process_creation
detection:
  selection_nodejs_suspicious:
    Image|endswith:
      - '\\node.exe'
      - '\\nodejs.exe'
    CommandLine|contains:
      - '-e'
      - 'eval'
      - 'require'
      - 'child_process'
      - 'Buffer.from'
      - 'base64'
  selection_devtunnels_c2:
    Image|endswith:
      - '\\node.exe'
      - '\\powershell.exe'
      - '\\curl.exe'
      - '\\wget.exe'
    CommandLine|contains:
      - 'dev-tunnels.com'
      - 'a.dev-tunnels.com'
  selection_simplehelp_exploit:
    Image|endswith:
      - '\\cmd.exe'
      - '\\powershell.exe'
      - '\\wmic.exe'
    ParentImage|endswith:
      - '\\SimpleService.exe'
      - '\\SimpleHelp.exe'
  condition: selection_nodejs_suspicious or selection_devtunnels_c2 or selection_simplehelp_exploit
falsepositives:
  - Legitimate Node.js development activity
  - Authorized Azure dev tunnels usage by development teams
  - Legitimate SimpleHelp remote support operations
level: high

---
title: KimJongRAT C2 Beaconing via LOTS Infrastructure
id: 3b8c5f2a-7e1d-4a9c-8f3b-6d2e9c1a4b7e
status: experimental
description: >
  Detects KimJongRAT and MeshAgent C2 communications to corpsecs.com and
  servequake.com infrastructure used by Kimsuky APT group. KimJongRAT
  combines infostealer and RAT capabilities, distributed via GitHub
  Releases through phishing campaigns targeting Japanese organizations.
references:
  - https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.t1105
  - attack.t1219
logsource:
  product: windows
  category: network_connection
detection:
  selection_c2_domains:
    DestinationHostname|endswith:
      - '.corpsecs.com'
      - '.servequake.com'
    DestinationHostname|contains:
      - 'lutkdd.corpsecs.com'
      - 'pxqtkc.corpsecs.com'
      - 'googleoba.servequake.com'
  selection_c2_ports:
    DestinationHostname|endswith:
      - '.corpsecs.com'
      - '.servequake.com'
    DestinationPort:
      - 8443
      - 443
      - 8080
  selection_meshagent:
    Image|endswith:
      - '\\meshagent.exe'
      - '\\MeshAgent.exe'
    DestinationHostname|contains:
      - '.corpsecs.com'
      - '.servequake.com'
      - 'github.com'
  # Note: CommandLine is not populated in network_connection events; move this
  # selection into a process_creation rule if your backend enforces the field schema.
  selection_github_download:
    Image|endswith:
      - '\\powershell.exe'
      - '\\curl.exe'
      - '\\bitsadmin.exe'
    CommandLine|contains:
      - 'github.com'
      - 'releases/download'
      - 'servequake.com'
      - 'corpsecs.com'
  condition: selection_c2_domains or selection_c2_ports or selection_meshagent or selection_github_download
falsepositives:
  - Legitimate use of Dynamic DNS services on servequake.com
  - Authorized MeshAgent RMM deployment
level: critical

KQL
// Multi-pulse IOC hunt: Bumblebee, TaskWeaver/Djinn, KimJongRAT, JINX-0164, Langflow exploitation
// Hunt across network, process, and file events for OTX pulse indicators
let _iocIPs = dynamic(["172.96.137.160", "96.126.130.126", "104.200.67.46", "45.207.216.55", "89.36.224.5"]);
let _iocDomains = dynamic(["opmanager.pro", "angryipscanner.org", "driver-updater.net", "live.ong", "corpsecs.com", "servequake.com", "dev-tunnels.com", "teamicrosoft.com", "live.us.org"]);
let _iocHostnames = dynamic(["lutkdd.corpsecs.com", "pxqtkc.corpsecs.com", "googleoba.servequake.com", "a.dev-tunnels.com", "login.teamicrosoft.com", "teams.live.us.org", "www.driver-updater.net", "www.live.us.org"]);
let _iocHashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c", "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"]);
let _iocURLs = dynamic(["http://89.36.224.5/troubleshoot/mac/install.sh", "http://googleoba.servequake.com:8443/agent.ashx", "https://lutkdd.corpsecs.com", "http://45.207.216.55:8084/slt"]);
union
(
  DeviceNetworkEvents
  | where RemoteIP in (_iocIPs)
     or RemoteUrl has_any (_iocURLs)
     or RemoteUrl has_any (_iocDomains)
     or RemoteUrl has_any (_iocHostnames)
  | extend MatchType = "Network_IP_or_URL"
  | project TimeGenerated, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, MatchType, ActionType
),
(
  DeviceProcessEvents
  | where SHA256 in (_iocHashes)
     or InitiatingProcessSHA256 in (_iocHashes)
     or (ProcessCommandLine has_any (_iocDomains) or ProcessCommandLine has_any (_iocHostnames))
     or (ProcessCommandLine has "dev-tunnels.com" and ProcessCommandLine has "node")
     or (ProcessCommandLine has "corpsecs.com" or ProcessCommandLine has "servequake.com")
     or (ProcessCommandLine has "github.com" and ProcessCommandLine has "releases/download")
     or (FileName =~ "meshagent.exe")
     or (FileName =~ "rustdesk.exe" and ProcessCommandLine has "--password")
     or (InitiatingProcessFileName =~ "SimpleService.exe" or InitiatingProcessFileName =~ "SimpleHelp.exe")
  | extend MatchType = "Process_Hash_or_CommandLine"
  | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName, MatchType, ActionType
),
(
  DeviceFileEvents
  | where SHA256 in (_iocHashes)
     or FileName endswith "meshagent.exe"
     or FileName endswith "OpManager.exe"
  | extend MatchType = "File_Hash"
  | project TimeGenerated, DeviceName, FileName, SHA256, FolderPath, MatchType, ActionType
)
| summarize HitCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by DeviceName, MatchType, ActionType
| order by FirstSeen desc

PowerShell
<#
.SYNOPSIS
  Security Arsenal OTX Pulse IOC Hunt Script
  Targets: Bumblebee, TaskWeaver/Djinn Stealer, KimJongRAT/MeshAgent, AUDIOFIX/MINIRAT, Langflow exploitation
.DESCRIPTION
  Hunts for network connections, file hashes, scheduled tasks, registry persistence,
  and suspicious process patterns across endpoints. Designed for enterprise SOC teams
  to operationalize OTX pulse indicators.
#>

$IOC_IPs = @(
  "172.96.137.160",
  "96.126.130.126",
  "104.200.67.46",
  "45.207.216.55",
  "89.36.224.5"
)

$IOC_Domains = @(
  "opmanager.pro",
  "angryipscanner.org",
  "driver-updater.net",
  "live.ong",
  "lutkdd.corpsecs.com",
  "pxqtkc.corpsecs.com",
  "googleoba.servequake.com",
  "a.dev-tunnels.com",
  "login.teamicrosoft.com",
  "teams.live.us.org",
  "www.driver-updater.net"
)

$IOC_Hashes = @(
  "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2",
  "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c",
  "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc",
  "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17",
  "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470",
  "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"
)

$SuspiciousProcesses = @("meshagent", "rustdesk", "node")

Write-Host "=== Security Arsenal OTX Pulse IOC Hunt ===" -ForegroundColor Cyan
Write-Host "Started: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor Gray
Write-Host ""

# --- Check active network connections ---
Write-Host "[*] Checking active network connections..." -ForegroundColor Yellow
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object { $_.RemoteAddress -in $IOC_IPs }

if ($connections) {
  foreach ($conn in $connections) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ALERT: Active connection to IOC IP $($conn.RemoteAddress):$($conn.RemotePort)" -ForegroundColor Red
    Write-Host "    PID: $($conn.OwningProcess), Process: $($proc.ProcessName)" -ForegroundColor Red
  }
} else {
  Write-Host "[+] No active connections to IOC IPs found." -ForegroundColor Green
}

# --- Check DNS cache for IOC domains ---
Write-Host ""
Write-Host "[*] Checking DNS resolver cache..." -ForegroundColor Yellow
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue |
  Where-Object {
    $name = $_.Entry
    # Exact match or subdomain match on a label boundary; -like keeps the dots literal,
    # so unrelated names such as notcorpsecs.com do not match
    [bool]($IOC_Domains | Where-Object { $name -eq $_ -or $name -like "*.$_" })
  }

if ($dnsCache) {
  foreach ($entry in $dnsCache) {
    Write-Host "[!] ALERT: IOC domain found in DNS cache: $($entry.Entry) -> $($entry.Data)" -ForegroundColor Red
  }
} else {
  Write-Host "[+] No IOC domains found in DNS cache." -ForegroundColor Green
}

# --- Check running processes against suspicious list and hashes ---
Write-Host ""
Write-Host "[*] Checking running processes..." -ForegroundColor Yellow
$processes = Get-Process -ErrorAction SilentlyContinue |
  Where-Object { $_.ProcessName -in $SuspiciousProcesses }

if ($processes) {
  foreach ($proc in $processes) {
    $path = $proc.Path
    if ($path) {
      $hash = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
      $hashMatch = $false
      if ($hash -and $IOC_Hashes -contains $hash.ToLower()) {
        $hashMatch = $true
      }
      $color = if ($hashMatch) { 'Red' } else { 'Yellow' }
      Write-Host "[!] Suspicious process: $($proc.ProcessName) (PID: $($proc.Id))" -ForegroundColor $color
      Write-Host "    Path: $path" -ForegroundColor $color
      Write-Host "    SHA256: $hash" -ForegroundColor $color
      if ($hashMatch) {
        Write-Host "    *** HASH MATCHES KNOWN IOC ***" -ForegroundColor Red
      }
    }
  }
} else {
  Write-Host "[+] No suspicious processes from watchlist found running." -ForegroundColor Green
}

# --- Check scheduled tasks for persistence (Bumblebee TTP) ---
Write-Host ""
Write-Host "[*] Checking scheduled tasks for persistence..." -ForegroundColor Yellow
$scheduledTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object {
    $_.State -ne 'Disabled' -and
    ($_.Actions.Execute -match 'rundll32|regsvr32|node|powershell|cmd|meshagent|rustdesk' -or
     $_.Actions.Arguments -match 'rundll32|regsvr32|corpsecs|servequake|dev-tunnels|opmanager|angryipscanner')
  }

if ($scheduledTasks) {
  foreach ($task in $scheduledTasks) {
    Write-Host "[!] Suspicious scheduled task: $($task.TaskName)" -ForegroundColor Red
    Write-Host "    Path: $($task.TaskPath)" -ForegroundColor Red
    foreach ($action in $task.Actions) {
      Write-Host "    Execute: $($action.Execute) $($action.Arguments)" -ForegroundColor Red
    }
  }
} else {
  Write-Host "[+] No suspicious scheduled tasks found." -ForegroundColor Green
}

# --- Check registry persistence ---
Write-Host ""
Write-Host "[*] Checking registry Run keys..." -ForegroundColor Yellow
$runKeys = @(
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
  "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
  "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
  "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($key in $runKeys) {
  if (Test-Path $key) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($values) {
      $valueNames = $values.PSObject.Properties.Name | Where-Object { $_ -notin @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') }
      foreach ($name in $valueNames) {
        $val = $values.$name
        if ($val -match 'meshagent|rustdesk|node\.exe|rundll32.*#|corpsecs|servequake|dev-tunnels') {
          Write-Host "[!] ALERT: Suspicious registry Run value: $name = $val" -ForegroundColor Red
          Write-Host "    Key: $key" -ForegroundColor Red
        }
      }
    }
  }
}
Write-Host "[+] Registry Run key scan complete." -ForegroundColor Green

# --- Check for SimpleHelp installation (CVE-2026-48558 exposure) ---
Write-Host ""
Write-Host "[*] Checking for SimpleHelp RMM installation..." -ForegroundColor Yellow
$simpleHelp = Get-ChildItem -Path "C:\Program Files", "C:\Program Files (x86)" -Filter "SimpleHelp*" -Directory -ErrorAction SilentlyContinue
if ($simpleHelp) {
  Write-Host "[!] WARNING: SimpleHelp RMM detected - verify CVE-2026-48558 patch status" -ForegroundColor Red
  foreach ($dir in $simpleHelp) {
    Write-Host "    Install path: $($dir.FullName)" -ForegroundColor Red
  }
} else {
  Write-Host "[+] SimpleHelp RMM not found on this system." -ForegroundColor Green
}

# --- Check hosts file for IOC domain redirects ---
Write-Host ""
Write-Host "[*] Checking hosts file for IOC domains..." -ForegroundColor Yellow
$hostsContent = Get-Content "$env:windir\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
if ($hostsContent) {
  foreach ($line in $hostsContent) {
    foreach ($domain in $IOC_Domains) {
      # Skip comment lines; match the domain as a whole hosts-file token or as a subdomain suffix
      if ($line -notmatch '^\s*#' -and $line -match "(^|\s|\.)$([regex]::Escape($domain))(\s|$)") {
        Write-Host "[!] ALERT: IOC domain found in hosts file: $line" -ForegroundColor Red
      }
    }
  }
}
Write-Host "[+] Hosts file scan complete." -ForegroundColor Green

Write-Host ""
Write-Host "=== IOC Hunt Complete ===" -ForegroundColor Cyan
Write-Host "Finished: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor Gray
Write-Host ""
Write-Host "Remediation: Any [!] ALERT entries require immediate investigation." -ForegroundColor Yellow
Write-Host "Contact your SOC team or Security Arsenal IR for assistance." -ForegroundColor Yellow

Response Priorities

Immediate (0–4 hours)

  • Block all IOC IPs on perimeter firewall, next-gen firewall, and EDR network containment rules: 172.96.137.160, 96.126.130.126, 104.200.67.46, 45.207.216.55, 89.36.224.5
  • Sinkhole IOC domains in DNS resolver: opmanager.pro, angryipscanner.org, driver-updater.net, live.ong, corpsecs.com, servequake.com (and subdomains)
  • Add IOC URLs to SWG block list: http://89.36.224.5/troubleshoot/mac/install.sh, http://googleoba.servequake.com:8443/agent.ashx, http://45.207.216.55:8084/slt
  • Quarantine files matching IOC hashes in EDR across all endpoints
  • Patch SimpleHelp RMM for CVE-2026-48558 immediately if installed; if patching is delayed, disable the SimpleHelp service
  • Patch Langflow for CVE-2026-55255 and CVE-2026-33017 if AI pipeline infrastructure is exposed
  • Hunt for Bumblebee execution artifacts: scheduled tasks with rundll32 arguments, rustdesk.exe in unexpected paths, LSASS access by non-system processes
  • Hunt for Node.js loader activity: node.exe with -e or eval arguments, connections to *.dev-tunnels.com

24 Hours

  • Identity verification and credential rotation for all users on compromised endpoints — Bumblebee, Djinn Stealer, KimJongRAT, and AUDIOFIX all exfiltrate credentials
  • Force password resets and revoke active session tokens for any accounts on machines with IOC hits
  • Audit MFA enrollment — if Bumblebee or Djinn Stealer captured MFA tokens, require re-enrollment with new device
  • Review RustDesk installations across the enterprise — Bumblebee campaign abuses RustDesk for lateral movement; verify all instances are authorized
  • Audit GitHub Releases downloads — Kimsuky leverages GitHub for malware hosting; correlate download events with endpoint telemetry
  • Review LinkedIn-originated file deliveries to development teams — JINX-0164 targets developers via fake recruiter contacts
  • Scan macOS fleet for AUDIOFIX and MINIRAT artifacts: check LaunchAgent plists, Python processes with network connections to driver-updater.net or live.us.org

1 Week

  • Architecture hardening — IT tool download controls: Implement allowlisting for IT management tool downloads; restrict to vendor-verified domains only. Block opmanager.pro and angryipscanner.org at DNS level permanently.
  • RMM software governance: Inventory all RMM tools (SimpleHelp, RustDesk, MeshAgent, AnyDesk) across the enterprise. Enforce centralized deployment, disable unauthorized instances, implement RMM tool usage policy.
  • AI pipeline security: If using Langflow or similar AI agent frameworks, implement network segmentation between AI pipeline infrastructure and production networks. Enforce authentication on all Langflow endpoints. Deploy WAF rules for CVE-2026-55255 and CVE-2026-33017 patterns.
  • Developer workstation hardening: Implement application allowlisting on developer endpoints. Block execution of unsigned Node.js scripts outside approved project directories. Enforce signed package requirements for npm installations.
  • GitHub download monitoring: Deploy DLP rules to detect and alert on executable content downloaded from GitHub Releases by non-developer personnel. Consider proxy-based GitHub content scanning.
  • LinkedIn phishing awareness: Brief development and cryptocurrency teams on JINX-0164 social engineering tactics. Implement verification procedures for LinkedIn-originated file sharing and coding challenge deliveries.
  • Dev tunnels monitoring: Azure dev tunnels (*.dev-tunnels.com) abuse is an emerging C2 technique. Audit all dev tunnels usage, implement conditional access policies, and alert on dev tunnels connections from non-developer endpoints.
