Cisco SD-WAN Zero-Days & NPM Supply Chain Attacks: UAT-8616, FAMOUS CHOLLIMA, and Interlock Campaigns

Security Arsenal Team
May 17, 2026

Threat Summary

Recent OTX pulses indicate a convergence of high-fidelity threats targeting both network infrastructure edges and software supply chains. UAT-8616 is actively exploiting zero-day authentication bypass vulnerabilities in Cisco Catalyst SD-WAN controllers (CVE-2026-20128, CVE-2026-20133) to deploy webshells (XenShell, Godzilla) and cryptocurrency miners (XMRig). Simultaneously, North Korean threat actor FAMOUS CHOLLIMA is conducting a sophisticated supply chain attack via the npm registry, distributing the OtterCookie infostealer through obfuscated packages targeting the technology sector. Additionally, the Interlock Ransomware Group has been observed exploiting a separate zero-day in Cisco Firepower Management Center (CVE-2026-20131) to deploy PlasmaLoader and GHOSTKNIFE. The collective objective spans from credential theft and financial gain (crypto-mining/ransomware) to establishing persistent C2 access within enterprise networks.

Threat Actor / Malware Profile

UAT-8616 (Cisco SD-WAN Campaign)

  • Distribution: Exploitation of CVE-2026-20128 (Auth Bypass) and CVE-2026-20133.
  • Payload Behavior: Deploys webshells (Godzilla, Sliver, XenShell) for remote control and XMRig for resource hijacking.
  • C2 Communication: Uses AdaptixC2, Sliver, and gsocket for encrypted command and control.
  • Persistence: Webshells implanted on the management interface; scheduled tasks for miners.
  • Anti-Analysis: Use of obfuscated webshells and potentially encrypted C2 traffic.

FAMOUS CHOLLIMA (NPM Supply Chain)

  • Distribution: Malicious npm packages using a "benign wrapper" technique to clone legitimate libraries (e.g., big.js) while pulling malicious dependencies.
  • Payload Behavior: OtterCookie infostealer variants (BeaverTail, InvisibleFerret, Koalemos) targeting browser credentials and SSH keys.
  • C2 Communication: Uses Vercel and other cloud infrastructure for C2 to blend in with legitimate dev traffic.
  • Persistence: Established via malicious node_modules dependencies in developer environments.

Interlock Ransomware Group

  • Distribution: Exploitation of Cisco FMC Zero-Day (CVE-2026-20131).
  • Payload Behavior: Deploys PlasmaLoader (PLASMAGRID) which executes GHOSTKNIFE/GHOSTSABER ransomware payloads.
  • Objective: Double-extortion ransomware operations.

IOC Analysis

The indicators provided comprise CVE identifiers for vulnerability scanning, file hashes (SHA256, MD5, SHA1) for malware identification, and IPv4 addresses for C2 blocking. SOC teams should prioritize loading the SHA256 hashes (e.g., d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) into EDR solutions to detect execution of XenShell and XMRig, and should block the IP addresses (e.g., 176.65.139.31) immediately at perimeter firewalls. While Pulse 2 (OtterCookie) restricted specific IOCs, the package names and behavioral patterns still provide high-value hunting opportunities. Analysing these artifacts requires standard forensic tools (7zip, strings) for the npm packages and memory forensics for the webshells.
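Feeds like the ones above arrive as a flat list mixing hash algorithms, IPs and CVE identifiers, and an EDR hash rule or firewall block list only accepts one type each. The following script is an added example (not part of the pulse or of the Security Arsenal tooling) that sorts such a list into per-type buckets, normalises hash case and rejects malformed entries. The SHA256, MD5 and IP values are the ones quoted on this page; the 40-character SHA1 value and the two junk entries are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample IOC list. Only the SHA256, MD5, IPv4 and CVE values are taken
# from the advisory; "a" * 40 stands in for a SHA1 and the last two are junk.
SAMPLE_IOCS = [
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "d75cb9920d1d3d280518ddccfe4789d2",
    "a" * 40,
    "176.65.139.31",
    "CVE-2026-20128",
    "cve-2026-20131",
    "not-an-indicator",
    "999.1.1.1",
]

# Hex digest length identifies the algorithm: 32 -> MD5, 40 -> SHA1, 64 -> SHA256.
HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def classify(ioc):
    """Return the indicator type ('sha256', 'sha1', 'md5', 'ipv4', 'cve') or None."""
    value = ioc.strip()
    if CVE_RE.match(value):
        return "cve"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_LENGTHS:
        return HEX_LENGTHS[len(value)]
    try:
        ipaddress.IPv4Address(value)  # raises ValueError on '999.1.1.1' etc.
        return "ipv4"
    except ValueError:
        return None


def triage(iocs):
    """Bucket indicators by type; hashes lowercased, CVE ids uppercased, junk in 'rejected'."""
    buckets = {"sha256": [], "sha1": [], "md5": [], "ipv4": [], "cve": [], "rejected": []}
    for ioc in iocs:
        value = ioc.strip()
        kind = classify(value)
        if kind is None:
            buckets["rejected"].append(value)
        elif kind in ("sha256", "sha1", "md5"):
            buckets[kind].append(value.lower())
        elif kind == "cve":
            buckets["cve"].append(value.upper())
        else:
            buckets[kind].append(value)
    return buckets


if __name__ == "__main__":
    for kind, values in triage(SAMPLE_IOCS).items():
        print(f"{kind}: {values}")
```

Keeping the hash buckets separate matters in practice: a hash-match rule compares against one algorithm, so an MD5 value loaded into a SHA256 list is silently never matched, which is exactly the gap a feed with mixed digest types creates.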

Detection Engineering

yaml
---
title: Potential Cisco SD-WAN Webshell Execution
date: 2026/05/18
author: Security Arsenal
status: experimental
description: Detects potential webshell activity associated with UAT-8616 exploiting Cisco SD-WAN vulnerabilities. Looks for suspicious process execution patterns on the management interface or common webshell binaries.
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.persistence
    - attack.t1505.003
    - cve-2026-20128
    - cve-2026-20133
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/java'
            - '/tomcat'
    selection_cli:
        CommandLine|contains:
            - 'XenShell'
            - 'Godzilla'
            - 'Behinder'
            - 'bash -i'
            - 'nc -e'
    selection_parent:
        ParentImage|contains:
            - 'vshell'
            - 'sd-wan'
    # '1 of selection_*' would fire on every Java/Tomcat process start. Alert on the
    # webshell command-line markers alone, or on the image only together with the
    # SD-WAN parent process.
    condition: selection_cli or (selection_img and selection_parent)
falsepositives:
    - Legitimate administrative troubleshooting
level: critical

---
title: Malicious NPM Package Execution (OtterCookie)
date: 2026/05/18
author: Security Arsenal
status: experimental
description: Detects execution of node processes linked to the OtterCookie campaign. Hunt for obfuscated packages or arguments matching known malicious families like BeaverTail or Koalemos.
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
    - attack.initial_access
    - attack.t1195.002
    - npm
    - supply-chain
logsource:
    category: process_creation
    product: windows
detection:
    selection_node:
        Image|endswith: '\node.exe'
    selection_suspicious_args:
        CommandLine|contains:
            - 'ottercookie'
            - 'beavertail'
            - 'koalemos'
            - 'invisibleferret'
    selection_obfuscation:
        CommandLine|contains:
            - 'eval('
            - 'Buffer.from'
    # 'all of selection_*' would require a family name AND an obfuscation marker in
    # the same command line, which a real sample will rarely expose. Require the
    # node.exe image plus either indicator instead.
    condition: selection_node and (selection_suspicious_args or selection_obfuscation)
falsepositives:
    - Legitimate obfuscated npm scripts
level: high

---
title: Ransomware Loader Activity - PlasmaLoader
id: 43f14e6c-0b99-4a6a-9c6e-7186236889e8
description: Detects execution artifacts associated with PlasmaLoader and GhostKnife ransomware components used by Interlock Group.
references:
    - https://www.recordedfuture.com/blog/march-2026-cve-landscape
tags:
    - attack.execution
    - attack.defense_evasion
    # The rule matches rundll32/regsvr32 proxy execution, not PowerShell (T1059.001).
    - attack.t1218.011
    - attack.t1218.010
    - ransomware
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'PlasmaLoader'
            - 'GHOSTSABER'
            - 'GHOSTKNIFE'
            - '.dll,RunDLL'
    condition: selection
falsepositives:
    - Unknown
level: critical
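To see how a condition clause changes what a rule like the SD-WAN webshell rule above fires on, here is an added example (not from the page or from Security Arsenal) that implements the two Sigma field modifiers those rules use, `endswith` and `contains` (list values mean OR, fields inside one selection are AND-ed, matching is case-insensitive as in Sigma), and runs the three selections over constructed process-creation events under both `1 of selection_*` and a scoped condition. The events and the process paths in them are constructed, not observed telemetry.

```python
# Minimal evaluator for the 'endswith' and 'contains' Sigma modifiers, applied to
# the three selections of the SD-WAN webshell rule. Constructed events only.

WEBSHELL_RULE = {
    "selection_img": {"Image|endswith": ["/java", "/tomcat"]},
    "selection_cli": {"CommandLine|contains": ["XenShell", "Godzilla", "Behinder", "bash -i", "nc -e"]},
    "selection_parent": {"ParentImage|contains": ["vshell", "sd-wan"]},
}

# Constructed sample events (field names follow the Sigma process_creation taxonomy).
EVENTS = {
    "normal_java": {
        "Image": "/usr/bin/java",
        "CommandLine": "java -jar app.jar",
        "ParentImage": "/usr/lib/systemd/systemd",
    },
    "reverse_shell": {
        "Image": "/bin/bash",
        "CommandLine": "bash -i",
        "ParentImage": "/usr/lib/jvm/bin/java",
    },
    "java_under_vshell": {
        "Image": "/usr/bin/java",
        "CommandLine": "java -cp /opt/vshell/lib Main",
        "ParentImage": "/opt/vshell/bin/vshell-start",
    },
    "admin_ls": {
        "Image": "/bin/ls",
        "CommandLine": "ls -la /var/log",
        "ParentImage": "/bin/bash",
    },
}


def match_field(event, field_spec, values):
    """Evaluate one 'Field|modifier: values' line; any listed value matching suffices."""
    field, _, modifier = field_spec.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    if isinstance(values, str):
        values = [values]
    for value in values:
        value = str(value).lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def match_selection(event, selection):
    """Every field line inside a selection must match (AND)."""
    return all(match_field(event, spec, vals) for spec, vals in selection.items())


def condition_any(results):
    """Equivalent of 'condition: 1 of selection_*'."""
    return any(results.values())


def condition_scoped(results):
    """Equivalent of 'condition: selection_cli or (selection_img and selection_parent)'."""
    return results["selection_cli"] or (results["selection_img"] and results["selection_parent"])


def evaluate(rule, condition, event):
    """Run each selection against the event, then combine with the condition function."""
    results = {name: match_selection(event, sel) for name, sel in rule.items()}
    return condition(results)


if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:18s} any={evaluate(WEBSHELL_RULE, condition_any, event)!s:5s} "
              f"scoped={evaluate(WEBSHELL_RULE, condition_scoped, event)}")
```

The `normal_java` event is the point: `1 of selection_*` alerts on it purely because the image ends in `/java`, which on an SD-WAN Manager means an alert for every JVM start, while the scoped condition keeps the alert for the shell spawned from Java and for Java started under the management service.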


kql
// Hunt for C2 connections associated with UAT-8616 and known bad IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("176.65.139.31") // Expand with additional IOCs from Pulse
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName

// Hunt for suspicious npm processes related to OtterCookie
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "node.exe"
| where ProcessCommandLine has_any ("ottercookie", "beavertail", "koalemos", "invisibleferret", "vercel")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath

// Hunt for Cisco FMC exploit patterns (CVE-2026-20131)
// Parenthesise the OR: 'and' binds tighter than 'or' in KQL, so without the
// brackets the query returns every event from a workstation containing "Cisco"
// regardless of the user. 'contains' is used because 'has' matches whole terms
// and would not catch "Administrator".
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 or EventID == 5140
| where TargetUserName contains "admin" and (WorkstationName has "FMC" or WorkstationName has "Cisco")
| project TimeGenerated, Account, TargetUserName, WorkstationName, IpAddress


powershell
# IOC Hunt Script: Check for UAT-8616 File Hashes and Suspicious Paths

# Keep hashes separated by algorithm: Get-FileHash compares one algorithm at a
# time, so an MD5 value in a SHA256 list can never match.
$MaliciousSha256 = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
)
$MaliciousMd5 = @(
    "d75cb9920d1d3d280518ddccfe4789d2"
)

Write-Host "[+] Scanning for UAT-8616 Malware Artifacts..." -ForegroundColor Cyan

# Walk the C: drive once and hash each file with both algorithms (this may take time).
# -File skips directories, which Get-FileHash cannot hash.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_.FullName
    $sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($sha256 -and ($MaliciousSha256 -contains $sha256)) {
        Write-Host "[!] MATCH FOUND: $file matches SHA256 $sha256" -ForegroundColor Red
    }
    $md5 = (Get-FileHash -LiteralPath $file -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($md5 -and ($MaliciousMd5 -contains $md5)) {
        Write-Host "[!] MATCH FOUND: $file matches MD5 $md5" -ForegroundColor Red
    }
}

# Check for typical XMRig or Webshell paths. The Linux entries only apply when this
# script runs under PowerShell on a Linux host; Test-Path simply returns $false elsewhere.
$SuspiciousPaths = @(
    "C:\Windows\Temp\XMRig",
    "C:\ProgramData\XenShell",
    "/tmp/.XMRig",
    "/var/tmp/godzilla.jsp"
)

foreach ($path in $SuspiciousPaths) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "[!] Suspicious Path Found: $path" -ForegroundColor Yellow
        Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
    }
}

Write-Host "[+] Hunt Complete. Investigate any RED or YELLOW findings immediately." -ForegroundColor Green

Response Priorities

Immediate

  • Block all IOCs (IPs, Domains, File Hashes) provided in the UAT-8616 and Interlock pulses at the perimeter and on endpoints.
  • Patch Cisco Catalyst SD-WAN Manager (CVE-2026-20128, CVE-2026-20133) and Cisco FMC (CVE-2026-20131) immediately.
  • Isolate any Cisco management appliances showing signs of compromise (high CPU usage, unknown processes).

24 Hours

  • Conduct a credential audit for developers who may have interacted with npm packages recently. Rotate API keys and SSH keys if OtterCookie infection is suspected.
  • Scan development workstations for the presence of node.exe processes matching the malicious behavioral patterns.
  • Hunt for file hashes associated with XenShell and XMRig across the enterprise.

1 Week

  • Implement strict allow-listing for npm packages and verify the integrity of package-lock.json files in source repositories.
  • Review network segmentation to ensure SD-WAN management planes are not directly accessible from the internet.
  • Update EDR signatures to include the specific C2 frameworks (Sliver, Godzilla, AdaptixC2) referenced in the UAT-8616 campaign.
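The "benign wrapper" technique described in the FAMOUS CHOLLIMA profile (a clone of a legitimate library whose declared dependencies pull the real payload) is exactly what a lockfile audit can surface. The following script is an added example (not part of the page or of any Security Arsenal tooling) that reads a package-lock.json in the lockfileVersion 2/3 layout (a `packages` map keyed by `node_modules/...` path, each entry carrying `resolved`, `integrity` and `dependencies`), and flags every package that is not on an allow-list, was resolved from outside the approved registry, lacks an integrity hash, or declares a non-allow-listed dependency. The lockfile, the allow-list and all package names other than big.js are constructed; the integrity values are placeholders, not real digests.

```python
import json

# Constructed package-lock.json (lockfileVersion 3). "bigjs-utils" plays the role of
# a benign-looking wrapper that drags in "totally-benign-helper"; neither is a real
# package, and the integrity strings are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"big.js": "^6.2.1", "bigjs-utils": "1.0.0"}},
    "node_modules/big.js": {
      "version": "6.2.1",
      "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/bigjs-utils": {
      "version": "1.0.0",
      "resolved": "https://example.invalid/bigjs-utils-1.0.0.tgz",
      "dependencies": {"totally-benign-helper": "0.0.1"}
    },
    "node_modules/totally-benign-helper": {
      "version": "0.0.1",
      "resolved": "https://registry.npmjs.org/totally-benign-helper/-/totally-benign-helper-0.0.1.tgz",
      "integrity": "sha512-PLACEHOLDER"
    }
  }
}
""")

# Constructed allow-list: the only third-party package this project is permitted to use.
ALLOWED_PACKAGES = {"big.js"}
ALLOWED_REGISTRY = "https://registry.npmjs.org/"


def package_name(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (nested installs keep the last segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock, allowed, registry=ALLOWED_REGISTRY):
    """Return (package, reason) findings for a lockfileVersion 2/3 package-lock."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not an installed package
            continue
        name = package_name(path)
        if name not in allowed:
            findings.append((name, "not on allow-list"))
        resolved = meta.get("resolved", "")
        if not resolved.startswith(registry):
            findings.append((name, f"resolved outside allowed registry: {resolved}"))
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))
        # A wrapper's declared dependencies are how the real payload gets installed;
        # report each one that is not itself allow-listed.
        for dep in meta.get("dependencies", {}):
            if dep not in allowed:
                findings.append((name, f"pulls non-allow-listed dependency {dep}"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_lockfile(SAMPLE_LOCK, ALLOWED_PACKAGES):
        print(f"{package}: {reason}")
```

Run against a real repository, load the lockfile with `json.load(open("package-lock.json"))` and feed the organisation's allow-list in place of `ALLOWED_PACKAGES`; the `resolved` and `integrity` checks stay useful even before an allow-list exists, because a package fetched from an unexpected host or installed without a pinned digest is what lets a dependency be swapped under a developer.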
