Threat Summary
Five AlienVault OTX pulses published between June 25–30, 2026 describe credential theft campaigns that use diverse initial access vectors — from SEO-poisoned IT tool downloads to AI pipeline exploitation — but converge on infostealer deployment, credential harvesting, and in several cases ransomware delivery.
The pulses collectively expose five distinct intrusion chains:
- Bumblebee → AdaptixC2 → Akira Ransomware: SEO poisoning campaigns tricked administrators searching for legitimate IT management tools (ManageEngine OpManager, Angry IP Scanner) into downloading trojanized installers. Bumblebee malware provided initial access; AdaptixC2 enabled command-and-control; the chain terminated in Akira ransomware deployment. The threat actor deliberately targeted IT administrators — users with elevated privileges — to accelerate lateral movement and credential dumping.
- TaskWeaver → Djinn Stealer via SimpleHelp RMM Exploit: Exploitation of CVE-2026-48558 (authentication bypass in SimpleHelp RMM) granted unauthorized technician access. The attacker deployed TaskWeaver, a heavily obfuscated Node.js loader establishing encrypted C2 communications, which delivered Djinn Stealer for credential exfiltration. C2 infrastructure leveraged Azure dev-tunnels for stealth.
- JINX-0164 Cryptocurrency Supply Chain Attacks: A financially motivated threat actor active since mid-2025 employed LinkedIn-based social engineering to deliver custom macOS malware — AUDIOFIX (Python-based infostealer/RAT) and MINIRAT (Go backdoor) — targeting cryptocurrency software development infrastructure. The campaign included npm trojan packages and CI/CD pipeline hijacking.
- KimJongRAT via GitHub LOTS: North Korean APT group Kimsuky distributed KimJongRAT through GitHub Releases and other legitimate services (LOTS — Living Off The Trusted Site). Phishing emails contained shortened URLs redirecting to GitHub-hosted malicious ZIP files. KimJongRAT combines infostealer and remote access capabilities, with MeshAgent used for persistence. Japan was the primary targeting geography.
- Langflow AI Pipeline Exploitation: A single operator exploited CVE-2026-55255 (CVSS 9.9 cross-tenant IDOR) and CVE-2026-33017 (CVSS 9.3 unauthenticated RCE) against Langflow, an open-source AI agent framework. Despite the lower CVSS score, the RCE vulnerability proved more practically exploitable, enabling botnet deployment and credential theft from AI pipelines.
Common Objective: Credential theft and data exfiltration serve as the primary goal across all five campaigns, with ransomware as a secondary monetization path in the Bumblebee chain. The targeting of IT administrators, developers, and AI infrastructure reflects a deliberate focus on high-value credential repositories.
Threat Actor / Malware Profile
Bumblebee (S1039)
- Distribution: SEO poisoning — malicious domains (opmanager.pro, angryipscanner.org) rank highly in Bing search results for legitimate IT tool queries. Trojanized installers mimic ManageEngine OpManager and Angry IP Scanner.
- Payload Behavior: Loader malware that injects payloads into legitimate processes. Establishes initial access beaconing, then downloads second-stage payloads including AdaptixC2.
- C2 Communication: AdaptixC2 framework provides encrypted command-and-control channels. C2 infrastructure at 172.96.137.160.
- Persistence: Uses scheduled tasks and registry run keys. RustDesk (legitimate RMM tool) was co-opted for persistent remote access.
- Anti-Analysis: Code obfuscation, execution guardrails checking for analysis environments. MD5 hashes: a746da514c90f26a187a294fda7edc1b, bcee0ab10b23f5999bcdb56c0b4a631a.
- Endgame: Credential dumping → lateral movement → Akira ransomware deployment.
TaskWeaver + Djinn Stealer
- Distribution: Exploitation of CVE-2026-48558 in SimpleHelp RMM software, granting unauthorized technician-level remote access.
- Payload Behavior: TaskWeaver is a heavily obfuscated Node.js loader that establishes encrypted C2 communications and delivers Djinn Stealer. Djinn Stealer extracts browser credentials, cryptocurrency wallets, and system secrets.
- C2 Communication: Azure dev-tunnels (a.dev-tunnels.com) used for stealthy C2 traffic, blending with legitimate Microsoft infrastructure. C2 IP: 96.126.130.126.
- Persistence: Maintains access through SimpleHelp technician session persistence and Node.js-based startup mechanisms.
- Anti-Analysis: Heavy obfuscation of Node.js loader code; use of legitimate cloud tunneling services to evade network-based detection.
AUDIOFIX + MINIRAT (JINX-0164)
- Distribution: LinkedIn social engineering — threat actor poses as recruiters or business partners. Delivers malicious npm packages and trojanized macOS applications. Domains: login.teamicrosoft.com, www.driver-updater.net, live.ong.
- Payload Behavior: AUDIOFIX is a Python-based infostealer and RAT targeting macOS. MINIRAT is a lightweight Go backdoor providing persistent remote access. Both target cryptocurrency development environments and CI/CD infrastructure.
- C2 Communication: C2 infrastructure at 89.36.224.5, with command delivery via HTTP. Deceptive domains mimic legitimate Microsoft services.
- Persistence: macOS LaunchAgents/LaunchDaemons, npm package persistence through dependency injection.
- Anti-Analysis: Python and Go provide cross-platform compatibility; npm packaging blends with legitimate development workflows.
KimJongRAT (Kimsuky / TA427)
- Distribution: Phishing emails with shortened URLs redirecting to GitHub Releases hosting malicious ZIP files. Leverages LOTS — GitHub, Google, and other trusted platforms — to evade URL filtering.
- Payload Behavior: Dual-purpose malware combining infostealer capabilities (browser credentials, email data, file exfiltration) with full remote access trojan functionality. MeshAgent deployed for additional persistence and C2 redundancy.
- C2 Communication: Distributed C2 using corpsecs.com subdomains (lutkdd.corpsecs.com, pxqtkc.corpsecs.com) and servequake.com (googleoba.servequake.com:8443). C2 IP: 104.200.67.46.
- Persistence: MeshAgent provides legitimate-appearing remote management persistence. Registry modifications and scheduled tasks for KimJongRAT persistence.
- Anti-Analysis: GitHub-based distribution evades traditional file reputation systems. Use of legitimate services for C2 traffic (LOTS) complicates network detection.
- Targeting: Japan-focused, consistent with Kimsuky's historical targeting of East Asian governments and financial institutions.
IOC Analysis
The five OTX pulses collectively provide 134 indicators across multiple IOC types. Here is the breakdown and operationalization guidance:
Indicator Types Present
| Type | Count | Key Examples |
|---|---|---|
| IPv4 Addresses | 4 | 172.96.137.160, 96.126.130.126, 104.200.67.46, 45.207.216.55 |
| Domains/Hostnames | 10+ | opmanager.pro, angryipscanner.org, a.dev-tunnels.com, lutkdd.corpsecs.com, googleoba.servequake.com, login.teamicrosoft.com, www.driver-updater.net, live.ong |
| File Hashes (SHA256) | 5+ | a14506c6..., 00cc86d1..., f4a72600..., b6cab0b3..., 9758e76b... |
| File Hashes (MD5) | 2 | a746da51..., bcee0ab1... |
| File Hashes (SHA1) | 2 | 1b9aa401..., f352cec8... |
| URLs | 3+ | http://89.36.224.5/troubleshoot/mac/install.sh, http://googleoba.servequake.com:8443/agent.ashx, http://45.207.216.55:8084/slt |
| CVEs | 3 | CVE-2026-48558, CVE-2026-33017, CVE-2026-55255 |
SOC Operationalization
Network-Layer IOC Deployment:
- Push all IPv4 indicators to firewall, IDS/IPS, and web proxy block lists. Priority IPs: 172.96.137.160 (Bumblebee C2), 96.126.130.126 (Djinn Stealer C2), 104.200.67.46 (KimJongRAT C2), 45.207.216.55 (Langflow exploit).
- Deploy domains/hostnames to DNS sinkhole and proxy categories. Flag any lookups for *.corpsecs.com, a.dev-tunnels.com (if not business-approved), googleoba.servequake.com, opmanager.pro, angryipscanner.org, login.teamicrosoft.com, driver-updater.net, live.ong.
- Alert on HTTP/HTTPS traffic to 89.36.224.5, particularly URI paths matching /troubleshoot/mac/install.sh.
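The domain and URL matching above has two traps the report's wording hints at: the `*.corpsecs.com` wildcard must anchor on the dot (so look-alike hosts are not flagged), and a.dev-tunnels.com is only an IOC when the business has not approved dev-tunnels. The following is an added example, not part of the OTX pulses or this report's own tooling; it runs the report's network IOCs over constructed Squid-style proxy lines and the `approved` allowlist is an assumed parameter.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# IOC values below are the ones listed in this report; the proxy log lines further down are constructed.
IOC_IPS = {"172.96.137.160", "96.126.130.126", "104.200.67.46", "45.207.216.55", "89.36.224.5"}
IOC_HOSTS = {"opmanager.pro", "angryipscanner.org", "a.dev-tunnels.com", "googleoba.servequake.com",
             "login.teamicrosoft.com", "driver-updater.net", "live.ong"}
IOC_SUFFIXES = {"corpsecs.com"}  # the report's "*.corpsecs.com" wildcard
IOC_URL_PATHS = {("89.36.224.5", "/troubleshoot/mac/install.sh"),
                 ("googleoba.servequake.com", "/agent.ashx"),
                 ("45.207.216.55", "/slt")}


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str
    reason: str


def normalize_host(host):
    """Lower-case and drop a trailing dot so 'WWW.Driver-Updater.NET.' compares equal to the IOC."""
    return host.strip().lower().rstrip(".")


def host_reason(host, approved=frozenset()):
    """Classify a hostname as exact IOC, www-prefixed IOC, wildcard-suffix IOC, or None.

    'approved' models the report's caveat that a.dev-tunnels.com is only an IOC when the
    business has not sanctioned dev-tunnels: approved hosts are never flagged.
    """
    host = normalize_host(host)
    if host in approved:
        return None
    if host in IOC_IPS:
        return "ioc_ip"
    if host in IOC_HOSTS or (host.startswith("www.") and host[4:] in IOC_HOSTS):
        return "ioc_host"
    # Suffix match anchors on the dot: 'notcorpsecs.com' and 'corpsecs.com.example' are not hits.
    for suffix in IOC_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "ioc_wildcard:" + suffix
    return None


# Constructed Squid-style access line: "<epoch> <client-ip> <method> <url-or-host:port>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)")


def scan_proxy_log(lines, approved=frozenset()):
    """Return one Hit per log line whose destination matches an IOC (IP, host, wildcard or URL path)."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = PROXY_LINE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these
        target = m.group("target")
        # CONNECT lines carry only host:port, so give urlsplit a scheme to parse both forms uniformly
        parts = urlsplit(target if "://" in target else "http://" + target)
        host = normalize_host(parts.hostname or "")
        reason = host_reason(host, approved)
        if reason is None:
            continue
        if (host, parts.path) in IOC_URL_PATHS:
            reason = "ioc_url_path"  # the most specific match wins
        hits.append(Hit(line_no, host, reason))
    return hits


# Constructed sample log lines (not real traffic): four hits, one benign, one look-alike negative.
SAMPLE_PROXY_LOG = [
    "1782800000.101 10.0.0.5 GET http://89.36.224.5/troubleshoot/mac/install.sh",
    "1782800001.204 10.0.0.7 CONNECT lutkdd.corpsecs.com:443",
    "1782800002.310 10.0.0.9 GET https://WWW.Driver-Updater.NET/update.exe",
    "1782800003.415 10.0.0.9 CONNECT a.dev-tunnels.com:443",
    "1782800004.520 10.0.0.3 GET https://learn.microsoft.com/",
    "1782800005.625 10.0.0.3 CONNECT corpsecs.com.cdn.example:443",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit.line_no}: {hit.host} -> {hit.reason}")
```

Passing `approved={"a.dev-tunnels.com"}` drops the fourth hit, which is how an organisation that has sanctioned dev-tunnels would run it.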
Endpoint-Layer IOC Deployment:
- Import all file hashes (SHA256, MD5, SHA1) into EDR/AV signature databases. Enable hash-based blocking for:
    - a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2 (Bumblebee)
    - 00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c (TaskWeaver)
    - f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc (Djinn Stealer)
    - b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17 (AUDIOFIX/MINIRAT)
    - 9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470 (KimJongRAT)
- Deploy custom EDR detection rules for Node.js execution originating from SimpleHelp technician sessions (TaskWeaver indicator).
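Hash blocking catches only the samples already seen; the behavioural relationships the report describes (Node.js under a SimpleHelp session, RustDesk launched by a script host, MeshAgent pointed at a server that is not the organisation's MeshCentral) survive recompilation. The following added example, not code from the report or any of the referenced vendors, evaluates those three relationships over constructed Sysmon-style process-creation events; `APPROVED_MESH_HOSTS` is an assumed placeholder allowlist.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of the organisation's own MeshCentral server; placeholder, not a value from the report.
APPROVED_MESH_HOSTS = {"mesh.corp.example"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe"}
URL_RE = re.compile(r"(?:wss?|https?)://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Case-folded file name from a Windows or POSIX path; empty string when the field is missing."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the behavioural rules a single process-creation event trips (empty list when none)."""
    image = basename(ev.get("Image"))
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "")
    findings = []
    # TaskWeaver: Node.js spawned from a SimpleHelp technician session (match on the parent's path)
    if image == "node.exe" and "simplehelp" in parent.lower():
        findings.append("nodejs_under_simplehelp")
    # Bumblebee chain: RustDesk started by a script host rather than from an interactive session
    if image == "rustdesk.exe" and basename(parent) in SCRIPT_HOSTS:
        findings.append("rustdesk_from_script_host")
    # KimJongRAT: MeshAgent configured against a server that is not the organisation's MeshCentral.
    # Every URL on the command line is checked, so the result does not depend on the exact flag name.
    if image == "meshagent.exe":
        for url in URL_RE.findall(cmd):
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in APPROVED_MESH_HOSTS:
                findings.append("meshagent_unexpected_server:" + host)
    return findings


def scan_events(events):
    """Flatten (EventId, rule) pairs across a batch of events."""
    return [(ev["EventId"], f) for ev in events for f in check_event(ev)]


# Constructed Sysmon-style events (not from the report); odd-numbered ones are the positives.
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Program Files\SimpleHelp\Remote Access\Remote Access.exe",
     "CommandLine": r"node.exe C:\Users\Public\tw.js"},
    {"EventId": 2, "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r"node.exe build.js"},
    {"EventId": 3, "Image": r"C:\Users\Public\rustdesk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rustdesk.exe"},
    {"EventId": 4, "Image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rustdesk.exe"},
    {"EventId": 5, "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"MeshAgent.exe --baseURL=http://googleoba.servequake.com:8443/agent.ashx"},
    {"EventId": 6, "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"MeshAgent.exe --baseURL=https://mesh.corp.example/agent.ashx"},
]

if __name__ == "__main__":
    for event_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```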
Vulnerability Management:
- Prioritize patching/remediation for: SimpleHelp RMM (CVE-2026-48558), Langflow (CVE-2026-55255, CVE-2026-33017). Both are being actively exploited in the wild.
- Audit all SimpleHelp deployments for unauthorized technician accounts.
- Audit all Langflow instances for signs of cross-tenant access or unauthenticated RCE exploitation.
Tooling:
- SIEM (Splunk/Sentinel/ELK): Configure correlation rules matching IOC fields against network and endpoint telemetry.
- Threat Intelligence Platforms (TIP): Import OTX pulse data via API for automated IOC lifecycle management.
- EDR (CrowdStrike/Defender/SentinelOne): Deploy custom detection rules using hash indicators and behavioral patterns.
- DNS Firewall/Proxy: Sinkhole domain indicators; alert on resolution attempts for IOC domains.
Detection Engineering
Sigma Rules
```yaml
---
title: Bumblebee Loader SEO Poisoning - Trojanized IT Tool Installer Execution
id: 7a3c1f2e-8b4d-4e6a-9c5d-1f2e3a4b5c6d
status: experimental
description: Detects Bumblebee malware execution from trojanized IT management tool installers delivered via SEO poisoning campaigns
references:
    - https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira-2/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
    - attack.execution
    - attack.initial_access
    - attack.t1204.002
    - attack.t1189
logsource:
    product: windows
    category: process_creation
detection:
    # Fields inside one selection are ANDed, so installer file name and lure domain are separate selections
    selection_installer_name:
        Image|endswith:
            - '\\opmanager_pro.exe'
            - '\\angryipscanner_setup.exe'
            - '\\ManageEngine_OpManager.exe'
    selection_installer_domain:
        CommandLine|contains:
            - 'opmanager.pro'
            - 'angryipscanner.org'
    selection_bumblebee_network:
        Image|endswith:
            - '\\rundll32.exe'
            - '\\regsvr32.exe'
            - '\\mshta.exe'
        CommandLine|contains: '172.96.137.160'
    selection_rustdesk_abuse:
        Image|endswith: '\\rustdesk.exe'
        ParentImage|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
            - '\\mshta.exe'
    condition: 1 of selection_*
falsepositives:
    - Legitimate RustDesk usage from interactive sessions (verify parent process)
    - Legitimate ManageEngine OpManager installation from verified vendor source
level: high
---
title: TaskWeaver Node.js Loader - C2 via Dev Tunnels
id: 8b4d2f3e-9c5e-4f7b-0d6e-2a3f4b5c6d7e
status: experimental
description: Detects TaskWeaver Node.js loader execution and Djinn Stealer C2 communication through Azure dev-tunnels following SimpleHelp exploitation
references:
    - https://blackpointcyber.com/blog/a-djinn-in-the-machine-taskweavers-node-js-intrusion-chain/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
    - attack.execution
    - attack.t1059.007
    - attack.t1219
    - attack.command_and_control
logsource:
    product: windows
    category: process_creation
detection:
    selection_nodejs_simplehelp:
        Image|endswith: '\\node.exe'
        ParentImage|contains: 'simplehelp'   # Sigma string matching is case-insensitive
    selection_devtunnels_c2:
        Image|endswith:
            - '\\node.exe'
            - '\\powershell.exe'
            - '\\curl.exe'
        CommandLine|contains:
            - 'a.dev-tunnels.com'
            - '96.126.130.126'
    selection_known_hashes:
        Hashes|contains:
            - '00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c'   # TaskWeaver loader
            - 'f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc'   # Djinn Stealer
    condition: 1 of selection_*
falsepositives:
    - Legitimate Node.js development using Azure dev-tunnels (verify SimpleHelp parent process)
level: high
---
title: KimJongRAT Distribution via GitHub Releases and MeshAgent Persistence
id: 9c5e3a4f-0d6f-4a8c-1e7f-3b4a5c6d7e8f
status: experimental
description: Detects KimJongRAT execution from GitHub-distributed ZIP archives and MeshAgent persistence used by Kimsuky APT group
references:
    - https://sect.iij.ad.jp/blog/2026/06/continuous-evolution-of-kimjongrat-2026/
author: Security Arsenal Threat Intelligence
date: 2026/06/30
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_github_zip_exec:
        Image|endswith:
            - '\\powershell.exe'
            - '\\wscript.exe'
            - '\\mshta.exe'
        CommandLine|contains:
            - 'github.com'
            - 'githubusercontent.com'
            - 'servequake.com'
            - 'corpsecs.com'
    selection_kimjongrat_c2:
        CommandLine|contains:
            - 'googleoba.servequake.com:8443'
            - 'lutkdd.corpsecs.com'
            - 'pxqtkc.corpsecs.com'
            - '104.200.67.46'
    selection_meshagent_persistence:
        Image|endswith: '\\meshagent.exe'
        CommandLine|contains:
            - '--baseURL'
            - 'servequake.com'
            - 'corpsecs.com'
    selection_kimjongrat_hash:
        Hashes|contains:
            - '9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470'
            - '221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9'
    condition: 1 of selection_*
falsepositives:
    - Legitimate MeshAgent deployments (verify that the agent's server is the organisation's own MeshCentral instance, not servequake.com or corpsecs.com)
    - Legitimate GitHub release downloads (correlate with user activity and verify subsequent execution)
level: critical
```
Microsoft Sentinel KQL Hunt Query
```kql
// Multi-pulse IOC hunt: Bumblebee, TaskWeaver/Djinn, KimJongRAT, JINX-0164, Langflow exploitation
let ioc_ips = dynamic(["172.96.137.160", "96.126.130.126", "104.200.67.46", "45.207.216.55", "89.36.224.5"]);
let ioc_domains = dynamic(["opmanager.pro", "angryipscanner.org", "a.dev-tunnels.com", "lutkdd.corpsecs.com", "pxqtkc.corpsecs.com", "googleoba.servequake.com", "login.teamicrosoft.com", "driver-updater.net", "live.ong", "live.us.org"]);
let ioc_hashes = dynamic(["a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2", "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c", "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc", "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"]);
let ioc_urls = dynamic(["http://89.36.224.5/troubleshoot/mac/install.sh", "http://googleoba.servequake.com:8443/agent.ashx", "http://45.207.216.55:8084/slt", "https://lutkdd.corpsecs.com"]);
// Each branch is parenthesised so its where/project applies to that table alone rather than to the union result.
// Full URLs are compared with in~ (exact, case-insensitive); has_any is kept for the domain terms.
union
(
    DeviceNetworkEvents
    | where RemoteIP in (ioc_ips) or RemoteUrl in~ (ioc_urls) or RemoteUrl has_any (ioc_domains)
    | project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, ActionType,
        PulseRelated = case(
            RemoteIP == "172.96.137.160" or RemoteUrl has "opmanager.pro" or RemoteUrl has "angryipscanner.org", "Bumblebee/Akira",
            RemoteIP == "96.126.130.126" or RemoteUrl has "dev-tunnels.com", "TaskWeaver/Djinn Stealer",
            RemoteIP == "104.200.67.46" or RemoteUrl has "corpsecs.com" or RemoteUrl has "servequake.com", "KimJongRAT/Kimsuky",
            RemoteIP == "89.36.224.5", "JINX-0164/AUDIOFIX",
            RemoteIP == "45.207.216.55", "Langflow Exploitation",
            "Unknown")
),
(
    DeviceProcessEvents
    | where InitiatingProcessSHA256 in~ (ioc_hashes) or SHA256 in~ (ioc_hashes)
    | project TimeGenerated, DeviceName, FileName, FolderPath, ProcessCommandLine, SHA256, InitiatingProcessFileName,
        PulseRelated = "IOC Hash Match"
),
(
    // Node.js spawned from a SimpleHelp technician session (TaskWeaver); has is case-insensitive, so one spelling suffices
    DeviceProcessEvents
    | where FileName =~ "node.exe" and (InitiatingProcessFolderPath has "simplehelp" or InitiatingProcessFileName has "simplehelp")
    | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessFolderPath,
        PulseRelated = "TaskWeaver via SimpleHelp Exploit"
),
(
    DeviceProcessEvents
    | where FileName =~ "meshagent.exe" and ProcessCommandLine has_any ("servequake.com", "corpsecs.com", "104.200.67.46")
    | project TimeGenerated, DeviceName, FileName, ProcessCommandLine,
        PulseRelated = "KimJongRAT MeshAgent C2"
),
(
    DeviceProcessEvents
    | where FileName =~ "rustdesk.exe" and InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "mshta.exe")
    | project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName,
        PulseRelated = "Bumblebee RustDesk Lateral Movement"
)
```
PowerShell IOC Hunt Script
```powershell
<#
.SYNOPSIS
    Multi-pulse IOC hunt script targeting Bumblebee, TaskWeaver/Djinn Stealer, KimJongRAT, AUDIOFIX/MINIRAT, and Langflow exploitation.
.DESCRIPTION
    Checks for network connections, file hashes, suspicious processes, scheduled tasks, and registry persistence
    associated with OTX pulse IOCs from 2026-06-25 to 2026-06-30.
.NOTES
    Run with elevated privileges. Designed for enterprise SOC hunt operations.
#>
$IOC_IPs = @(
    "172.96.137.160",
    "96.126.130.126",
    "104.200.67.46",
    "45.207.216.55",
    "89.36.224.5"
)
$IOC_Domains = @(
    "opmanager.pro",
    "angryipscanner.org",
    "a.dev-tunnels.com",
    "lutkdd.corpsecs.com",
    "pxqtkc.corpsecs.com",
    "googleoba.servequake.com",
    "login.teamicrosoft.com",
    "www.driver-updater.net",
    "live.ong",
    "www.live.us.org"
)
# Hashtable keys are case-insensitive, so the upper-case hex returned by Get-FileHash still matches these entries
$IOC_Hashes = @{
    "a14506c6fb92a5af88a6a44d273edafe10d69ee3d85c8b2a7ac458a22edf68d2" = "Bumblebee Loader (SHA256)"
    "a746da514c90f26a187a294fda7edc1b"                                 = "Bumblebee Loader (MD5)"
    "bcee0ab10b23f5999bcdb56c0b4a631a"                                 = "Bumblebee Loader (MD5)"
    "00cc86d1144020c24c8fbb3a8dc6b908926497ebd23be3bf854360f93d1c8f4c" = "TaskWeaver Node.js Loader (SHA256)"
    "f4a72600a3735c2a4d843875ea61bbb6f935a1af51a81f2fbc992ce11ba94afc" = "Djinn Stealer (SHA256)"
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17" = "AUDIOFIX/MINIRAT (SHA256)"
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470" = "KimJongRAT (SHA256)"
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9" = "KimJongRAT Component (SHA256)"
}
Write-Host "`n=== OTX Pulse IOC Hunt - $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') ===`n" -ForegroundColor Cyan

# 1. Check active network connections to IOC IPs
Write-Host "[1/6] Checking active network connections to IOC IPs..." -ForegroundColor Yellow
$activeConnections = Get-NetTCPConnection -State Established, SynSent, SynReceived -ErrorAction SilentlyContinue |
    Where-Object { $IOC_IPs -contains $_.RemoteAddress }
if ($activeConnections) {
    Write-Host " [!] ACTIVE CONNECTIONS TO IOC IPs:" -ForegroundColor Red
    foreach ($conn in $activeConnections) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "     PID: $($conn.OwningProcess) | Process: $($proc.ProcessName) | Remote: $($conn.RemoteAddress):$($conn.RemotePort) | State: $($conn.State)" -ForegroundColor Red
    }
} else {
    Write-Host " [OK] No active connections to IOC IPs found." -ForegroundColor Green
}

# 2. Check DNS cache for IOC domains
Write-Host "`n[2/6] Checking DNS cache for IOC domains..." -ForegroundColor Yellow
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $IOC_Domains -contains $_.Entry }
if ($dnsCache) {
    Write-Host " [!] DNS CACHE HITS FOR IOC DOMAINS:" -ForegroundColor Red
    foreach ($entry in $dnsCache) {
        Write-Host "     Domain: $($entry.Entry) | Type: $($entry.Type) | Data: $($entry.Data)" -ForegroundColor Red
    }
} else {
    Write-Host " [OK] No DNS cache hits for IOC domains." -ForegroundColor Green
}

# 3. Check running processes against IOC hashes
Write-Host "`n[3/6] Checking running processes for IOC hashes..." -ForegroundColor Yellow
$processes = Get-Process -ErrorAction SilentlyContinue
$hashHits = @()
foreach ($proc in $processes) {
    try {
        $path = $proc.Path
        if ($path -and (Test-Path $path)) {
            $sha256 = (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $md5 = (Get-FileHash -Path $path -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($IOC_Hashes.ContainsKey($sha256) -or $IOC_Hashes.ContainsKey($md5)) {
                $hashHits += [PSCustomObject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Path      = $path
                    HashMatch = if ($IOC_Hashes.ContainsKey($sha256)) { $IOC_Hashes[$sha256] } else { $IOC_Hashes[$md5] }
                }
            }
        }
    } catch {
        # Image path unreadable (access denied, process exited mid-scan): skip this process
    }
}
if ($hashHits) {
    Write-Host " [!] IOC HASH MATCHES IN RUNNING PROCESSES:" -ForegroundColor Red
    $hashHits | Format-Table -AutoSize
} else {
    Write-Host " [OK] No running processes matching IOC hashes." -ForegroundColor Green
}

# 4. Check scheduled tasks for persistence mechanisms
Write-Host "`n[4/6] Checking scheduled tasks for suspicious persistence..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Actions.Execute -match "meshagent|rustdesk|node" -or
        $_.Actions.Arguments -match "corpsecs|servequake|dev-tunnels|opmanager|angryipscanner|simplehelp"
    }
if ($suspiciousTasks) {
    Write-Host " [!] SUSPICIOUS SCHEDULED TASKS DETECTED:" -ForegroundColor Red
    foreach ($task in $suspiciousTasks) {
        Write-Host "     Task: $($task.TaskName) | Path: $($task.TaskPath) | State: $($task.State)" -ForegroundColor Red
        foreach ($action in $task.Actions) {
            Write-Host "       Execute: $($action.Execute) | Args: $($action.Arguments)" -ForegroundColor Red
        }
    }
} else {
    Write-Host " [OK] No suspicious scheduled tasks found." -ForegroundColor Green
}

# 5. Check registry for persistence
Write-Host "`n[5/6] Checking registry persistence mechanisms..." -ForegroundColor Yellow
$regPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon"
)
$regHits = @()
foreach ($regPath in $regPaths) {
    if (Test-Path $regPath) {
        $props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties | ForEach-Object {
                if ($_.Value -match "meshagent|rustdesk|node|corpsecs|servequake|dev-tunnels|opmanager|simplehelp") {
                    $regHits += [PSCustomObject]@{
                        RegPath = $regPath
                        Name    = $_.Name
                        Value   = $_.Value
                    }
                }
            }
        }
    }
}
if ($regHits) {
    Write-Host " [!] SUSPICIOUS REGISTRY PERSISTENCE DETECTED:" -ForegroundColor Red
    $regHits | Format-Table -AutoSize
} else {
    Write-Host " [OK] No suspicious registry persistence found." -ForegroundColor Green
}

# 6. Check for SimpleHelp exploitation artifacts
Write-Host "`n[6/6] Checking for SimpleHelp exploitation artifacts (CVE-2026-48558)..." -ForegroundColor Yellow
$simpleHelpPaths = @(
    "C:\Program Files\SimpleHelp",
    "C:\Program Files (x86)\SimpleHelp",
    "C:\SimpleHelp"
)
$simpleHelpFound = $false
foreach ($shPath in $simpleHelpPaths) {
    if (Test-Path $shPath) {
        $simpleHelpFound = $true
        Write-Host " [!] SIMPLEHELP INSTALLATION DETECTED at $shPath" -ForegroundColor Red
        Write-Host "     Verify CVE-2026-48558 patch status immediately." -ForegroundColor Red
        $logPath = Join-Path $shPath "logs"
        if (Test-Path $logPath) {
            $recentLogs = Get-ChildItem $logPath -Filter "*.log" -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
            if ($recentLogs) {
                Write-Host "     Recent log files found - review for unauthorized access:" -ForegroundColor Yellow
                $recentLogs | ForEach-Object { Write-Host "       $($_.Name) - Last modified: $($_.LastWriteTime)" }
            }
        }
    }
}
if (-not $simpleHelpFound) {
    Write-Host " [OK] No SimpleHelp installation detected on this host." -ForegroundColor Green
}

# Summary
Write-Host "`n=== HUNT SUMMARY ===" -ForegroundColor Cyan
Write-Host "Host: $env:COMPUTERNAME" -ForegroundColor White
Write-Host "Timestamp: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" -ForegroundColor White
Write-Host "IOCs Checked: $($IOC_IPs.Count) IPs, $($IOC_Domains.Count) domains, $($IOC_Hashes.Count) hashes" -ForegroundColor White
Write-Host "Results: $($activeConnections.Count) active connections, $($hashHits.Count) hash matches, $($suspiciousTasks.Count) suspicious tasks, $($regHits.Count) registry hits" -ForegroundColor White
if ($hashHits -or $activeConnections -or $suspiciousTasks -or $regHits) {
    Write-Host "`n[CRITICAL] Positive detections found - initiate incident response procedures." -ForegroundColor Red
} else {
    Write-Host "`n[INFO] No positive detections on this host." -ForegroundColor Green
}
Write-Host "`n=== END HUNT ===`n" -ForegroundColor Cyan
```
---
Response Priorities
Immediate (0–4 Hours)
- Block all IOC IPs on perimeter firewalls, IDS/IPS, and web proxies: 172.96.137.160, 96.126.130.126, 104.200.67.46, 45.207.216.55, 89.36.224.5
- Sinkhole IOC domains in DNS infrastructure: opmanager.pro, angryipscanner.org, *.corpsecs.com, googleoba.servequake.com, login.teamicrosoft.com, driver-updater.net, live.ong
- Deploy file hash IOCs to EDR/AV across all endpoints — prioritize the 8 unique hashes across Bumblebee, TaskWeaver, Djinn Stealer, AUDIOFIX/MINIRAT, and KimJongRAT
- Hunt for execution artifacts: run the PowerShell hunt script across all endpoints; query Sentinel/SIEM for historical connections to IOC IPs and domains (lookback 90 days minimum)
- Quarantine any endpoints with confirmed hash matches or active C2 connections
- Audit SimpleHelp RMM deployments for CVE-2026-48558 patch status; disable remote access if unpatched
- Audit Langflow instances for CVE-2026-55255 and CVE-2026-33017 exploitation evidence; check for unauthorized cross-tenant access
24-Hour Window
- Credential verification and rotation: All five campaigns are credential-theft-focused. Assume compromise of:
    - IT administrator credentials (Bumblebee chain — credential dumping observed)
    - Browser-stored credentials and session tokens (Djinn Stealer, KimJongRAT, AUDIOFIX)
    - Cryptocurrency wallet credentials (AUDIOFIX targeting crypto industry)
    - SimpleHelp technician credentials (CVE-2026-48558 exploitation)
    - AI pipeline API keys and service credentials (Langflow exploitation)
- Force password resets for all accounts on affected systems; invalidate active sessions and tokens
- Review authentication logs for lateral movement indicators — focus on RDP, WinRM, and PsExec usage originating from compromised hosts
- Check for RustDesk deployment on non-standard hosts — Bumblebee abuse of RustDesk for lateral movement is a key indicator
- Review GitHub release downloads in proxy logs — KimJongRAT distribution via GitHub Releases may not trigger traditional download filters
- Scan macOS fleet for AUDIOFIX and MINIRAT indicators — Python processes with network connections to 89.36.224.5, Go binaries matching MINIRAT hash
1-Week Window
- Architecture hardening:
    - Implement allowlisting for RMM tools (SimpleHelp, RustDesk, MeshAgent) — block unauthorized instances
    - Deploy URL filtering categories blocking newly registered domains mimicking legitimate services (opmanager.pro, login.teamicrosoft.com)
    - Implement GitHub content filtering for enterprise endpoints if not already in place
    - Enforce network segmentation between IT management systems and production infrastructure
- Patch management: Prioritize SimpleHelp (CVE-2026-48558) and Langflow (CVE-2026-55255, CVE-2026-33017) patching across all instances
- Supply chain security: Audit npm package dependencies for trojanized packages associated with JINX-0164 campaign; implement package signing verification
- SEO poisoning awareness: Train IT staff to verify software downloads through vendor-verified channels only; implement DNS filtering for known SEO poisoning domains
- Threat hunting: Expand hunt to 180-day lookback using behavioral indicators (not just IOC matches) — focus on Node.js execution from RMM contexts, GitHub release downloads followed by archive extraction, and cross-tenant access patterns in AI infrastructure