Threat Summary
Recent OTX pulse data highlights a convergence of sophisticated nation-state activity and financially motivated ransomware operations targeting enterprise infrastructure. The primary threat landscape is dominated by UAT-8616 (a sophisticated threat actor) actively exploiting critical authentication bypass vulnerabilities in Cisco Catalyst SD-WAN (CVE-2026-20182, CVE-2026-20133). Simultaneously, North Korean actors (FAMOUS CHOLLIMA) are leveraging software supply chain attacks via malicious npm packages (OtterCookie, BeaverTail) to infiltrate technology sectors. Additionally, the Interlock Ransomware Group has been observed exploiting a zero-day in Cisco Firepower Management Center (CVE-2026-20131). Collectively, these campaigns aim to establish persistent C2 channels via webshells (Godzilla, Sliver), steal credentials, deploy cryptominers (XMRig), and facilitate ransomware deployment.
Threat Actor / Malware Profile
UAT-8616 (Cisco SD-WAN Campaign)
- Objective: Initial access to network infrastructure, credential theft, and resource hijacking.
- Malware Families: XenShell (webshell), Godzilla, Behinder, Sliver (C2 frameworks), XMRig (cryptominer), AdaptixC2.
- Distribution: Direct exploitation of internet-facing Cisco Catalyst SD-WAN controllers via CVE-2026-20182 (Auth Bypass) and CVE-2026-20133.
- Behavior: Actors obtain administrative privileges, drop webshells for persistence, and deploy Sliver or AdaptixC2 beacons for lateral movement. XMRig is often deployed as a secondary payload for monetization.
FAMOUS CHOLLIMA (Npm Supply Chain)
- Objective: Credential harvesting and initial access to developer environments.
- Malware Families: OtterCookie, BeaverTail (loader), InvisibleFerret, Koalemos.
- Distribution: Typosquatting and dependency confusion on the npm registry. Benign wrapper packages clone legitimate libraries (e.g., big.js) while pulling malicious dependencies.
- Behavior: Upon execution by developers, the malware exfiltrates browser cookies, system information, and SSH keys. It establishes persistence using scheduled tasks or modified configuration files, beaconing out to Vercel-hosted C2 infrastructure.
Interlock Ransomware Group
- Objective: Data encryption and extortion.
- Malware Families: GHOSTKNIFE, GHOSTSABER, PlasmaLoader.
- Behavior: Exploits CVE-2026-20131 on Cisco FMC to gain a foothold, deploys custom loaders (PlasmaLoader) to disable security tools and encrypt network-attached storage.
IOC Analysis
The current intelligence dump contains a mix of network, file, and vulnerability artifacts:
- File Hashes: SHA256, MD5, and SHA1 hashes associated with the UAT-8616 payloads (e.g., d94f75a70b5cabaf...). These should be loaded into EDR solutions for immediate scanning of endpoint memory and disk.
- Network Indicators: IPv4 addresses (e.g., 176.65.139.31) linked to C2 infrastructure. These must be blocked at the perimeter and firewalls.
- CVEs: High-priority vulnerabilities including CVE-2026-20182, CVE-2026-20133, CVE-2026-20131, and CVE-2025-53521.
- Operationalization: SOC teams should ingest the CVEs into vulnerability management platforms for immediate patch prioritization. File hashes should be queried against SIEM logs (e.g., Sysmon File Creation, Image Loaded). The specific npm package names (restricted in this pulse but identified in wild reports) should be blocked in artifact repositories.
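The hash and IP matching described above, run over Sysmon-style events, as an added example (not part of the original pulse or any vendor tooling). It assumes Sysmon events exported as JSON with the standard Hashes, DestinationIp and EventID fields; the sample events are constructed, and the indicators are the ones listed in this IOC Analysis.

```python
import re
from typing import Iterable

# Indicator set taken from the IOC Analysis above, lower-cased for matching.
IOC_HASHES = {
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",  # SHA256
    "d75cb9920d1d3d280518ddccfe4789d2",  # MD5
    "18821dbb53892d6faa14b1f063517a0302057290",  # SHA1
}
IOC_IPS = {"176.65.139.31"}

# Sysmon stores hashes in one field, e.g. "SHA1=...,MD5=...,SHA256=...,IMPHASH=..."
_HASH_FIELD = re.compile(r"(SHA1|MD5|SHA256|IMPHASH)=([0-9A-Fa-f]+)")

def parse_hashes(field: str) -> dict:
    """Split a Sysmon Hashes field into {algorithm: lowercase hex digest}."""
    return {alg: val.lower() for alg, val in _HASH_FIELD.findall(field or "")}

def match_event(event: dict) -> list:
    """Indicators an event matches: hash hits for Event ID 1 (process create) and
    7 (image loaded), destination-IP hits for Event ID 3 (network connection)."""
    eid, hits = event.get("EventID"), []
    if eid in (1, 7):
        hits += [f"{alg}:{d}" for alg, d in parse_hashes(event.get("Hashes")).items()
                 if d in IOC_HASHES]
    elif eid == 3 and event.get("DestinationIp") in IOC_IPS:
        hits.append(f"ip:{event['DestinationIp']}")
    return hits

def hunt(events: Iterable[dict]) -> list:
    """Return (host, EventID, image, matched indicators) for every event that hits."""
    return [(e.get("Computer"), e.get("EventID"), e.get("Image"), m)
            for e in events if (m := match_event(e))]

# Constructed sample events shaped like Sysmon JSON output (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "dev-ws01", "Image": r"C:\Users\dev\AppData\Roaming\npm\x.exe",
     "Hashes": "SHA1=18821DBB53892D6FAA14B1F063517A0302057290,MD5=00,SHA256=11"},
    {"EventID": 3, "Computer": "dev-ws01", "Image": r"C:\Windows\System32\curl.exe",
     "DestinationIp": "176.65.139.31", "DestinationPort": 443},
    {"EventID": 7, "Computer": "build01", "Image": r"C:\Program Files\nodejs\node.exe",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Computer": "build01", "Image": r"C:\Program Files\nodejs\node.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 4873},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Hash values are normalised to lowercase on both sides because Sysmon emits uppercase digests while most IOC feeds publish lowercase.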
Detection Engineering
Sigma Rules
title: Potential Cisco SD-WAN Webshell Activity UAT-8616
id: 4a8f9c12-5b6a-4f6d-8e1a-3c2b4d5e6f7a
description: Detects potential webshell activity associated with UAT-8616 exploitation of Cisco SD-WAN, characterized by shell or script interpreters spawned by web server binaries with download or permission-change commands, as seen during XenShell/Sliver deployment.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            - '/nginx'
            - '/apache2'
            - '/lighttpd'
            - '/java'
            - '/tomcat'
    selection_child:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/perl'
            - '/python'
            - '/python3'
            - '/php'
        CommandLine|contains:
            - 'wget'
            - 'curl'
            - 'nc.traditional'
            - 'chmod 777'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate administrative scripts
level: high
tags:
    - attack.initial_access
    - attack.persistence
    - cve.2026-20182
    - apt.8616
---
title: Suspicious Node.js Child Process Execution Supply Chain
id: b7g0h1i2-j3k4-l5m6-n7o8-p9q0r1s2t3u4
description: Detects Node.js processes spawning cmd.exe or powershell.exe, a common behavior in npm supply chain attacks like OtterCookie/BeaverTail used by FAMOUS CHOLLIMA.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate developer build scripts
level: high
tags:
    - attack.execution
    - attack.initial_access
    - supply.chain
    - npm.malware
---
title: Linux Cryptominer XMRig Execution
id: c8d9e0f1-2a3b-4c5d-6e7f-8a9b0c1d2e3f
description: Detects execution of XMRig or similar cryptomining utilities often deployed post-exploitation by UAT-8616.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|contains:
            - 'xmrig'
            - 'cpuminer'
            - 'minerd'
    selection_cli:
        CommandLine|contains:
            - '--donate-level'
            - '--url='
            - '--user='
            - 'stratum+tcp'
    condition: selection_img or selection_cli
falsepositives:
    - Authorized mining operations
level: critical
tags:
    - attack.impact
    - attack.t1496
KQL (Microsoft Sentinel)
// Hunt for UAT-8616 C2 IP and Hashes
let IOCs = dynamic([
"176.65.139.31",
"d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
"d75cb9920d1d3d280518ddccfe4789d2",
"18821dbb53892d6faa14b1f063517a0302057290"
]);
// Network Connections to malicious IP
DeviceNetworkEvents
| where RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, InitiatingProcessCommandLine
| union (
// File Hash Matches
DeviceFileEvents
| where SHA256 in (IOCs) or MD5 in (IOCs) or SHA1 in (IOCs)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
)
| extend Severity = "High"
PowerShell Hunt Script
# IOC Scanner for UAT-8616 and OtterCookie Campaigns
# Requires Admin privileges for full disk scan
$MaliciousHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",  # SHA256
    "d75cb9920d1d3d280518ddccfe4789d2",                                  # MD5
    "18821dbb53892d6faa14b1f063517a0302057290"                           # SHA1
)
$MaliciousIP = "176.65.139.31"
Write-Host "[+] Starting IOC Hunt for UAT-8616 / Chollima Indicators..." -ForegroundColor Cyan
# Scan common npm/cache directories for malicious files
$PathsToScan = @(
    "$env:APPDATA\npm",
    "$env:USERPROFILE\AppData\Roaming\npm-cache",
    "$env:LOCALAPPDATA\Yarn",
    "C:\ProgramData\npm"
)
foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        Write-Host "[+] Scanning $path..." -ForegroundColor Yellow
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # The IOC list mixes SHA256, MD5 and SHA1, so each file is hashed with all three algorithms
            foreach ($algo in @("SHA256", "MD5", "SHA1")) {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
                # -contains compares case-insensitively, so uppercase Get-FileHash output matches lowercase IOCs
                if ($hash -and ($MaliciousHashes -contains $hash)) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | ${algo}: $hash" -ForegroundColor Red
                }
            }
        }
    }
}
# Check for suspicious network connections (Simulated via netstat, typically use EDR API)
Write-Host "[+] Checking for established connections to $MaliciousIP..." -ForegroundColor Yellow
# -SimpleMatch treats the dots in the IP literally instead of as regex wildcards
$netstat = netstat -ano | Select-String -SimpleMatch $MaliciousIP
if ($netstat) {
    Write-Host $netstat -ForegroundColor Red
} else {
    Write-Host "[-] No connections found to malicious IP." -ForegroundColor Green
}
Write-Host "[+] Hunt Complete." -ForegroundColor Cyan
Response Priorities
Immediate:
- Block network connectivity to IP 176.65.139.31 at perimeter firewalls.
- Scan all endpoints for the file hashes provided in the IOC Analysis.
- Isolate any Cisco SD-WAN management interfaces accessible from the internet.
24 Hours:
- Initiate credential rotation for accounts with access to Cisco Catalyst SD-WAN and source code repositories (npm).
- Audit npm package usage in development environments to identify any instances of "big.js" or related wrappers from the timeframe April 6-9, 2026.
- Hunt for webshell artifacts (e.g., XenShell, Godzilla) on web servers.
1 Week:
- Apply patches for CVE-2026-20182, CVE-2026-20133, and CVE-2026-20131 across all Cisco infrastructure.
- Implement strict allow-listing for npm packages and signed repository policies.
- Review network segmentation to ensure management planes are not accessible from untrusted networks.
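An audit of the kind called for in the 24-hour step above, applied to the wrapper-package pattern described in the FAMOUS CHOLLIMA profile (clones of big.js that pull in malicious dependencies), as an added example that is not part of the original pulse. It walks a node_modules tree and flags manifests whose name resembles a watched library (typosquat distance) or that declare install-time lifecycle scripts; the watchlist is limited to big.js because that is the only name the pulse discloses, and the sample manifests are constructed.

```python
import json
import tempfile
from pathlib import Path

# Constructed watchlist: the library the page says wrappers clone (big.js) and npm's install-time hooks.
CLONED_TARGETS = {"big.js"}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of the watched names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_package(pkg: dict) -> list:
    """Reasons a package.json manifest looks like a malicious wrapper/typosquat."""
    name, reasons = pkg.get("name", ""), []
    for target in CLONED_TARGETS:
        if name != target and (target in name or edit_distance(name, target) <= 2):
            reasons.append(f"name resembles watched package {target}")
    hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
    if hooks:
        reasons.append("runs install-time scripts: " + ",".join(hooks))
    return reasons

def audit_node_modules(root: Path) -> dict:
    """Map each flagged package directory (relative to root) to its reasons."""
    findings = {}
    for manifest in root.rglob("package.json"):
        try:
            pkg = json.loads(manifest.read_text())
        except (OSError, ValueError):
            continue  # unreadable or non-JSON manifest: skip it, do not abort the audit
        if reasons := audit_package(pkg):
            findings[str(manifest.parent.relative_to(root))] = reasons
    return findings

def demo() -> dict:
    """Audit a constructed node_modules tree (sample manifests, not real packages)."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = [{"name": "big.js", "version": "6.2.1"}, {"name": "lodash", "version": "4.17.21"},
               {"name": "bigjs", "dependencies": {"big.js": "^6"},
                "scripts": {"postinstall": "node setup.js"}}]
    for pkg in samples:
        (root / pkg["name"]).mkdir(parents=True)
        (root / pkg["name"] / "package.json").write_text(json.dumps(pkg))
    return audit_node_modules(root)
```

Point audit_node_modules at a real project's node_modules to get the same report; the install-script check is the one that matters most, since npm runs those hooks automatically on the developer's machine.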