Back to Intelligence

CylindricalCanine RAT, OkoBot Framework, and Kratos PhaaS: OTX Pulse Analysis — Enterprise Credential Theft Defense

SA
Security Arsenal Team
July 16, 2026
5 min read

Recent OTX pulses indicate a surge in financially motivated credential theft operations utilizing diverse delivery mechanisms. A primary threat is the resurgence of the CylindricalCanine subgroup (GoldenEyeDog), targeting APAC finance sectors with signed Golden Gh0st RAT payloads. Concurrently, the OkoBot framework is aggressively targeting cryptocurrency users in the Americas via ClickFix attacks and PowerShell droppers. Additionally, the Kratos PhaaS platform has expanded its M365 account takeover capabilities across the US and EU, while TA2730 exploits financial hype (SpaceX IPO) for investment fraud. These campaigns share a common objective: high-value credential harvesting and unauthorized financial access.

Threat Actor / Malware Profile

CylindricalCanine (GoldenEyeDog Subgroup)

  • Malware Families: Golden Gh0st Loader, Golden Gh0st RAT (modified Gh0st RAT), Mydoor, Zhong Stealer.
  • Distribution: Phishing campaigns targeting APAC finance organizations.
  • Behavior: Uses code-signing certificates to bypass SmartScreen. Establishes C2 on non-standard ports (e.g., 5188, 5198).
  • Persistence: Utilizes malicious loaders and scheduled tasks.

OkoBot Framework

  • Malware Families: TookPS, TeviRAT, Rilide, SeedHunter, OkoSpyware.
  • Distribution: "ClickFix" technical support scams, fake GitHub repositories.
  • Behavior: Modular architecture deploying over 20 malicious components. Features browser extension injectors (Rilide) and SSH tunneling for C2 obfuscation.
  • Persistence: Browser extension manipulation and scheduled tasks via HDUtil.

Kratos PhaaS & TA2730

  • Malware Families: N/A (Social Engineering / PhaaS).
  • Distribution: Phishing-as-a-Service (Kratos), fraudulent investment portals (TA2730).
  • Behavior: Kratos facilitates large-scale M365 credential theft using anti-bot checks. TA2730 leverages brand impersonation (SpaceX, Fidelity) to harvest W-8BEN forms and financial details.

Romanian Threat Actor (Bulk Mailer)

  • Malware Families: N/A (Infrastructure Abuse).
  • Distribution: Compromised terminal servers.
  • Behavior: Stages massive phishing campaigns (8M+ emails) using legitimate software "Gammadyne Mailer" with project files linked to Romanian language ('dracii').

IOC Analysis

The provided indicators reveal a multi-vector approach:

  • Network IOCs: Domains associated with OkoBot (e.g., coffeesaloon.online, livewallpapers.online) and Kratos PhaaS (e.g., buenne.de, ihrsupportcenter.de) should be blocked immediately at the perimeter and DNS level.
  • File Hashes: Several SHA256 and MD5 hashes for Golden Gh0st RAT components and OkoBot droppers are available. SOC teams should query EDR history for these specific hashes.
  • URLs: C2 endpoints for Golden Gh0st (e.g., http://uu.goldeyeuu.io:5188) and phishing URLs (e.g., SpaceX impersonators) are critical for blocklists.
  • Operationalization: Feed the domains into firewall blocklists and DPI systems. Use EDR to hunt for the file hashes. Correlate the IP addresses referenced in the Romanian campaign with outbound traffic logs to detect compromised internal SMTP servers.

Detection Engineering

YAML
date: 2026/07/16
description: Detects potential CylindricalCanine Golden Gh0st RAT C2 communication via non-standard high ports observed in recent campaigns.
detection:
  condition: selection
  selection:
    DestinationPort|startswith:
      - 5188
      - 5198
    Initiated: 'true'
falsepositives:
  - Legitimate administrative tools using rare high ports
id: 91c72b7c-6b5a-4e9c-8c12-d3a9b5e0f1a2
level: high
logsource:
  category: network_connection
  product: windows
product: windows
references:
  - https://otx.alienvault.com/pulse/66971a3c7b1d3c2f1a9e8b7d
tags:
  - attack.command_and_control
  - attack.t1071
title: Golden Gh0st RAT C2 Traffic
status: experimental
---
date: 2026/07/16
description: Detects execution of Gammadyne Mailer (GM), a legitimate bulk mailer abused by threat actors for phishing staging, particularly the 'dracii' campaign.
detection:
  condition: selection
  selection:
    Image|endswith:
      - '\\GM.exe'
      - '\\Gammadyne Mailer.exe'
    OriginalFileName:
      - 'GM.exe'
falsepositives:
  - Authorized marketing campaigns using Gammadyne Mailer
id: 82f61a6d-5c4b-3d8b-7b01-e2a8c4f1e2b3
level: medium
logsource:
  category: process_creation
  product: windows
product: windows
references:
  - https://otx.alienvault.com/pulse/66961a3c7b1d3c2f1a9e8b7e
tags:
  - attack.execution
  - attack.t1204
title: Phishing Stager Gammadyne Mailer Execution
status: experimental
---
date: 2026/07/16
description: Detects suspicious PowerShell execution patterns associated with the OkoBot TookPS droppers and ClickFix attacks involving base64 encoded commands.
detection:
  condition: selection
  selection:
    CommandLine|contains:
      - 'FromBase64String'
      - 'ToBase64String'
    CommandLine|contains:
      - 'ClickFix'
      - 'TookPS'
      - 'Invoke-WebRequest'
    Image|endswith:
      - '\\powershell.exe'
falsepositives:
  - System administration scripts
id: 73f50a5e-4d3a-2c7a-6a90-d1b7d3e0f3c4
level: high
logsource:
  category: process_creation
  product: windows
product: windows
references:
  - https://otx.alienvault.com/pulse/66951a3c7b1d3c2f1a9e8b7f
tags:
  - attack.execution
  - attack.t1059.001
title: OkoBot TookPS PowerShell Dropper
status: experimental


kql
// Hunt for Golden Gh0st RAT C2 connections and OkoBot domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where (RemotePort in (5188, 5198)) or 
        (RemoteUrl has_any ("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com", "buenne.de", "ihrsupportcenter.de"))
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCHit = iff(RemotePort in (5188, 5198), "Golden Gh0st C2", "OkoBot/Kratos Domain")


powershell
# IOC Hunter for CylindricalCanine and OkoBot File Hashes
$TargetHashes = @(
    "1abffe97aafe9916b366da57458a78338598cab9742c2d9e03e4ad0ba11f29bf",
    "4eaebd93e23be3427d4c1349d64bef4b5fc455c93aebb9b5b752981e9266488e",
    "dd44dabff536a1aa9b845dd891ad483162d4f28913344c93e5d59f648a186098",
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2",
    "d84e8dc509308523e0209d3cd3544619",
    "83e6b8fcb92a0b13e109301f8ff649cf"
)

$ScanPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "Starting hunt for malware IOCs..." -ForegroundColor Cyan

foreach ($Path in $ScanPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256, MD5 -ErrorAction SilentlyContinue | Where-Object {
            $TargetHashes -contains $_.Hash -or $TargetHashes -contains $_.Hash.ToUpper()
        } | ForEach-Object {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | HASH: $($_.Hash) | ALGO: $($_.Algorithm)" -ForegroundColor Red
        }
    }
}

Write-Host "Hunt complete. Check for Red output." -ForegroundColor Green


# Response Priorities

Immediate (0-24h)

  • Block IOCs: Block all domains, URLs, and file hashes listed in the IOC Analysis section on perimeter firewalls, proxies, and EDRs.
  • Hunt for C2: Scan network logs for traffic on TCP ports 5188 and 5198.
  • Process Isolation: Identify and isolate any endpoints with positive hits for the Golden Gh0st or OkoBot file hashes.

24-48h

  • Credential Audit: If credential theft is suspected (Golden Gh0st, Kratos, OkoBot), initiate forced password resets and MFA challenges for users in the targeted sectors (Finance, Crypto wallets).
  • Terminal Server Review: Audit logs for terminal servers (specifically those exposed to RDP) for signs of the "Gammadyne Mailer" installation or bulk email activity.
  • Phishing Awareness: Alert users about the SpaceX IPO scams and Kratos M365 login pages.

1 Week

  • Architecture Hardening: Restrict the use of code-signing certificates to strictly controlled build pipelines to prevent misuse like GoldenEyeDog's.
  • Proxy Restrictions: Limit access to personal email and file-sharing sites often used in ClickFix attacks.
  • SIEM Tuning: Implement the Sigma rules and KQL hunts for continuous monitoring of these specific TTPs.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsgolden-gh0st-ratokobotkratos-phaascredential-theftta2730

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.