Recent intelligence from AlienVault OTX highlights a sophisticated convergence of ransomware operations and credential-stealing campaigns. The DragonForce threat actor has pioneered a novel technique abusing Microsoft Teams TURN relays for C2 communications, utilizing the custom Backdoor.Turn to bypass network inspection. Simultaneously, the gaming sector is under siege via Steam Workshop, where malicious "Wallpaper Engine" assets are deploying Vidar, Lumma, and DarkComet.
In the ransomware ecosystem, Hive0163 (Interlock) and Rhysida continue to evolve, utilizing trojanized installers and custom loaders like JunkFiction and NodeSnake to deliver payloads. Additionally, the Gremlin Stealer has adopted commercial-grade virtualization obfuscation to evade detection. The FIFA World Cup 2026 is also being leveraged for credential harvesting and phishing. Collectively, these campaigns aim to steal credentials for initial access, financial fraud, or to facilitate ransomware deployment.
Threat Actor / Malware Profile
DragonForce & Backdoor.Turn
- Objective: Ransomware deployment and persistent access.
- Distribution: Likely via phishing or exploitation (CVE-2025-61155, CVE-2025-1055 mentioned).
- C2 Communication: Abuses Microsoft Teams visitor tokens and TURN relay servers to tunnel traffic, masking it as legitimate Microsoft collaboration traffic.
- Persistence: DLL side-loading and Bring Your Own Vulnerable Driver (BYOVD) techniques.
- Anti-Analysis: Uses vulnerable drivers to disable security tools.
Vidar & Lumma (Steam Campaign)
- Objective: Steal credentials, browser data, and crypto-wallets.
- Distribution: Malicious projects in Steam Workshop (Wallpaper Engine), targeting gamers in China and Russia.
- Payload Behavior: Drops infostealers (Vidar, Lumma) and backdoors (DarkComet) via RAR archives hosted on Dropbox or Google Drive.
- Persistence: Scheduled tasks or registry run keys (typical for Vidar).
Gremlin Stealer
- Objective: Infostealing (payment cards, browser info).
- Distribution: Malicious attachments/downloads.
- Anti-Analysis: Employs commercial packing with instruction virtualization; transforms code into custom bytecode executed by a private VM to evade static analysis.
Interlock & Rhysida
- Objective: Espionage and extortion.
- Malware: NodeSnake, InterlockRAT, SystemBC.
- Distribution: Trojanized installers, SEO poisoning (Gootloader).
IOC Analysis
The provided indicators span multiple categories requiring immediate attention:
- File Hashes (SHA256/MD5): A high volume of hashes related to Gremlin Stealer, DragonForce backdoors, and Steam-based malware. These must be loaded into EDR blocklists.
- Domains: leadslaw.com (Interlock infrastructure) and fifaticket2026vip.com (World Cup phishing) require immediate DNS blocking.
- URLs: Dropbox and Google Drive links used in the Steam campaign indicate a reliance on legitimate cloud storage for payload hosting; URL filtering is critical.
- CVEs: CVE-2023-36036, CVE-2023-52271, CVE-2025-61155, CVE-2025-1055. Patch management is the primary remediation.
Operationalization: SOC teams should import the SHA256 hashes into their EDR solutions (e.g., CrowdStrike, SentinelOne) for immediate blocking. The domains should be added to the DNS Sinkhole/PAC file. The CVE list should be cross-referenced with vulnerability scanners (Tenable, Qualys).
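The routing described above (hashes to EDR, domains to the DNS sinkhole, URLs to the URL filter, CVEs to the vulnerability scanner) is easy to get wrong by hand when a feed mixes types, cases and defanged values. The following helper is an added example, not part of the OTX feed or of this post: it validates each indicator, normalizes case and defanging, and sorts it into a destination bucket, rejecting anything malformed. The sample list is constructed from the indicators named on this page plus a placeholder Dropbox URL and two deliberately malformed entries; the bucket names are assumptions about the consuming controls.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample in the shape of a mixed pulse export. Values are the ones
# named on this page; the URL is an obvious placeholder, not a real link.
SAMPLE_IOCS = [
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",
    "8A4033425D36CD99FE23E6FAEF9764FBF555F362EBDB5B72379342FBBE4C5531",  # same hash, different case
    "048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c",
    "leadslaw.com",
    "fifaticket2026vip[.]com",                                # defanged form
    "https://www.dropbox.com/s/EXAMPLE_PLACEHOLDER/pack.rar",  # constructed placeholder URL
    "185.196.9.234",
    "CVE-2025-61155",
    "cve-2023-36036",
    "0123456789abcdef",                                        # too short for any hash type
    "d41d8cd98f00b204e9800998ecf8427e",                        # MD5 length
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

BUCKETS = ("edr_sha256", "edr_md5", "dns_sinkhole", "url_filter", "firewall_ips", "vuln_scanner_cves")


def refang(value: str) -> str:
    """Undo common defanging so equal indicators compare equal."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def classify(raw: str) -> Optional[Tuple[str, str]]:
    """Return (bucket, normalized value), or None when the indicator is malformed."""
    value = refang(raw.strip())
    if CVE_RE.match(value.upper()):
        return "vuln_scanner_cves", value.upper()
    lowered = value.lower()
    if SHA256_RE.match(lowered):
        return "edr_sha256", lowered
    if MD5_RE.match(lowered):
        return "edr_md5", lowered
    if IPV4_RE.match(lowered):
        return "firewall_ips", lowered
    if "://" in lowered:
        host = urlparse(lowered).hostname
        if host and (DOMAIN_RE.match(host) or IPV4_RE.match(host)):
            # Payloads sit on legitimate cloud storage, so the full URL goes to the
            # URL filter; the hosting domain is deliberately NOT sent to the sinkhole.
            return "url_filter", lowered
        return None
    if DOMAIN_RE.match(lowered):
        return "dns_sinkhole", lowered
    return None


def route_iocs(iocs: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Deduplicate and route indicators; return (buckets, rejected)."""
    buckets = {name: set() for name in BUCKETS}
    rejected = []
    for raw in iocs:
        result = classify(raw)
        if result is None:
            rejected.append(raw)
            continue
        bucket, value = result
        buckets[bucket].add(value)
    return {name: sorted(values) for name, values in buckets.items()}, rejected


if __name__ == "__main__":
    routed, bad = route_iocs(SAMPLE_IOCS)
    for name, values in routed.items():
        print(f"{name}: {values}")
    print(f"rejected: {bad}")
```

Two design points matter here: hash comparison is done on lowercase hex so feed exports and EDR output (which may be uppercase) dedupe correctly, and URLs hosted on Dropbox or Google Drive are never promoted to a domain block, because sinkholing the whole storage provider is not an acceptable side effect.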
Detection Engineering
```yaml
title: Suspicious Wallpaper Engine Child Process
id: 6a5c4d2a-1b8c-4a3e-9d6f-2e7b8c9d0a1f
description: Detects suspicious child processes spawned by Wallpaper Engine, potentially indicating malware execution from malicious Steam Workshop items.
status: experimental
date: 2026/06/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wallpaper32.exe'
            - '\wallpaper_engine.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate user scripts (rare)
level: high
tags:
    - attack.execution
    - attack.t1204
---
title: Potential DragonForce BYOVD Driver Load
id: 7b6e5f3b-2c9d-5b4f-0e7g-3f8c9d0e1b2f
description: Detects the loading of vulnerable drivers often exploited by DragonForce and other ransomware actors for BYOVD attacks (e.g., RTCore64, PROCWORM).
status: experimental
date: 2026/06/17
author: Security Arsenal
logsource:
    category: driver_load
    product: windows
detection:
    selection:
        Signed: 'true'
        # ImageLoaded is the Sigma driver_load field carrying the loaded driver's path;
        # the values below are driver file-name fragments, so that is the field to match.
        ImageLoaded|contains:
            - 'RTCore'
            - 'DBUtil_2_3'
            - 'AsIO'
            - 'EnTech'
            - 'PROCMON24'
    condition: selection
falsepositives:
    - Legitimate software installing hardware utilities (MSI Afterburner, ASUS utilities)
level: high
tags:
    - attack.privilege_escalation
    - attack.t1068
---
title: Gremlin Stealer Suspicious VM/Obfuscation Artifacts
id: 8c7f0g4c-3d0e-6c5g-1f8h-4g9d0e1f2c3g
description: Detects characteristics of process hollowing or VM-based obfuscation often used by advanced stealers like Gremlin.
status: experimental
date: 2026/06/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_generic:
        Image|endswith:
            - '\mshta.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - 'scraping'
            - 'token'
            - 'stealer'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts
level: medium
tags:
    - attack.defense_evasion
    - attack.t1027
```
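Before shipping rules like these, it is worth replaying their logic over a handful of known-good and known-bad events to see exactly what fires. The evaluator below is an added example, not part of the rule set or the post: it implements the subset of Sigma semantics the three rules use (case-insensitive `endswith`/`contains`/exact matching, `selection`, `all of selection_*`, `1 of selection_*`) and runs the rules over constructed process-creation and driver-load events. The driver rule is modelled on `ImageLoaded`, the Sigma driver_load field holding the loaded driver's path, since the listed values are driver file names; the event paths and command lines are constructed, not real telemetry.

```python
from typing import Dict, List, Tuple

# Detection sections mirrored from the rules above (only what the evaluator needs).
RULE_WALLPAPER_CHILD = {
    "title": "Suspicious Wallpaper Engine Child Process",
    "detection": {
        "selection_parent": {"ParentImage|endswith": ["\\wallpaper32.exe", "\\wallpaper_engine.exe"]},
        "selection_child": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe",
                                               "\\regsvr32.exe", "\\wscript.exe"]},
        "condition": "all of selection_*",
    },
}
RULE_BYOVD = {
    "title": "Potential DragonForce BYOVD Driver Load",
    "detection": {
        "selection": {"Signed": "true",
                      "ImageLoaded|contains": ["RTCore", "DBUtil_2_3", "AsIO", "EnTech", "PROCMON24"]},
        "condition": "selection",
    },
}
RULE_GREMLIN = {
    "title": "Gremlin Stealer Suspicious VM/Obfuscation Artifacts",
    "detection": {
        "selection_generic": {"Image|endswith": ["\\mshta.exe", "\\regsvr32.exe"]},
        "selection_cli": {"CommandLine|contains": ["scraping", "token", "stealer"]},
        "condition": "1 of selection_*",
    },
}

WE = r"C:\Program Files (x86)\Steam\steamapps\common\wallpaper_engine"
# Constructed events, not real telemetry.
PROCESS_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": WE + r"\wallpaper32.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc AAAA"},          # expected: rule 1 fires
    {"ParentImage": WE + r"\wallpaper32.exe", "Image": WE + r"\ui32.exe",
     "CommandLine": "ui32.exe"},                                # benign helper, no rule fires
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},                              # child matches, parent does not
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\page.hta"},   # rule 3 fires on image alone
]
DRIVER_EVENTS: List[Dict[str, str]] = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\RTCore64.sys", "Signed": "true"},   # rule 2 fires
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},      # benign
    {"ImageLoaded": r"C:\Temp\DBUtil_2_3.sys", "Signed": "false"},  # missed: rule requires Signed true
]


def _match_field(event: Dict[str, str], field_spec: str, patterns) -> bool:
    """Sigma string matching is case-insensitive; handle endswith, contains and exact."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if modifier == "endswith":
        return any(value.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in value for p in pats)
    if modifier == "":
        return value in pats
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(event: Dict[str, str], selection: Dict) -> bool:
    # Every field condition inside one selection must hold (AND).
    return all(_match_field(event, spec, pats) for spec, pats in selection.items())


def evaluate(rule: Dict, event: Dict[str, str]) -> bool:
    """Evaluate the condition forms used on this page."""
    detection = rule["detection"]
    condition = detection["condition"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    if condition == "selection":
        return _match_selection(event, selections["selection"])
    for quantifier, combine in (("all of ", all), ("1 of ", any)):
        if condition.startswith(quantifier):
            prefix = condition[len(quantifier):].rstrip("*")
            chosen = [sel for name, sel in selections.items() if name.startswith(prefix)]
            if not chosen:
                raise ValueError(f"no selections match {condition!r}")
            return combine(_match_selection(event, sel) for sel in chosen)
    raise ValueError(f"unsupported condition: {condition}")


def run_rules(process_events, driver_events) -> List[Tuple[str, str]]:
    """Return (rule title, image basename) for every hit, in event order."""
    hits = []
    for ev in process_events:
        for rule in (RULE_WALLPAPER_CHILD, RULE_GREMLIN):
            if evaluate(rule, ev):
                hits.append((rule["title"], ev["Image"].rsplit("\\", 1)[-1]))
    for ev in driver_events:
        if evaluate(RULE_BYOVD, ev):
            hits.append((RULE_BYOVD["title"], ev["ImageLoaded"].rsplit("\\", 1)[-1]))
    return hits


if __name__ == "__main__":
    for title, image in run_rules(PROCESS_EVENTS, DRIVER_EVENTS):
        print(f"[{title}] {image}")
```

Replaying shows two tuning points the YAML alone hides: the Gremlin rule's `1 of selection_*` condition fires on every `mshta.exe` launch regardless of command line, which will dominate the alert queue at `medium`, and the BYOVD rule's `Signed: 'true'` constraint means a driver whose signature no longer validates is not caught, so a second, unsigned-driver rule should sit beside it.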
```kql
// Hunt for Steam Wallpaper Engine spawning suspicious processes
DeviceProcessEvents
| where InitiatingProcessFolderPath has @"Steam\steamapps\common\wallpaper_engine"
| where ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath

// Hunt for specific DragonForce and Gremlin IOCs (File Hashes)
DeviceFileEvents
| where SHA256 in ("8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",
                   "048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c",
                   "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256

// Network connections to DragonForce related IPs
DeviceNetworkEvents
| where RemoteIP in ("185.196.9.234")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
```
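The IP-list hunt above does not help against Backdoor.Turn, because the C2 traffic terminates at Microsoft's own Teams relays and cannot be blocked by destination. What remains observable is which process on which host is producing TURN traffic to those relays. The following hunt is an added example, not part of the post or of any Microsoft tooling: it takes network-connection records in the shape of the DeviceNetworkEvents columns used above, keeps only connections to the Teams TURN ports, and flags relay sessions initiated by anything other than an expected client, aggregated per device and process. The relay prefixes and ports are taken from the Microsoft 365 endpoint list for Teams media as the author of this example recalls it and should be refreshed from the current published list before use; the expected-client set and the sample events are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Teams media relay ranges and TURN ports as published in the Microsoft 365
# endpoint list (assumption: verify against the current list before deploying).
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_PORTS = {3478, 3479, 3480, 3481}
# Processes expected to speak to the relays in this estate (assumption; tune locally).
EXPECTED_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe", "msedgewebview2.exe"}

# Constructed events using DeviceNetworkEvents column names; not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"DeviceName": "ws-01", "InitiatingProcessFileName": "ms-teams.exe", "RemoteIP": "52.113.10.20", "RemotePort": 3478},
    {"DeviceName": "ws-02", "InitiatingProcessFileName": "svchost.exe",  "RemoteIP": "52.113.10.21", "RemotePort": 3478},
    {"DeviceName": "ws-02", "InitiatingProcessFileName": "svchost.exe",  "RemoteIP": "52.113.10.21", "RemotePort": 3478},
    {"DeviceName": "ws-03", "InitiatingProcessFileName": "updater.exe",  "RemoteIP": "203.0.113.7",  "RemotePort": 3478},
    {"DeviceName": "ws-04", "InitiatingProcessFileName": "chrome.exe",   "RemoteIP": "52.122.5.5",   "RemotePort": 3479},
    {"DeviceName": "ws-05", "InitiatingProcessFileName": "ms-teams.exe", "RemoteIP": "52.113.1.1",   "RemotePort": 443},
]


def is_teams_relay(ip: str) -> bool:
    """True when the address falls inside a published Teams media relay range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)


def classify_event(ev: Dict) -> str:
    """Return 'ignore', 'expected', 'unexpected_process' or 'turn_to_non_teams'."""
    if ev["RemotePort"] not in TURN_PORTS:
        return "ignore"                      # port-based filter; TCP 443 fallback is out of scope
    relay = is_teams_relay(ev["RemoteIP"])
    proc = ev["InitiatingProcessFileName"].lower()
    if relay and proc in EXPECTED_CLIENTS:
        return "expected"
    if relay:
        return "unexpected_process"          # Teams relay reached by a non-Teams process
    return "turn_to_non_teams"               # TURN port, but not Microsoft relay space


def hunt(events: List[Dict]) -> Dict[Tuple[str, str, str], int]:
    """Aggregate anomalous relay sessions per (device, process, verdict) for triage."""
    findings: Dict[Tuple[str, str, str], int] = {}
    for ev in events:
        verdict = classify_event(ev)
        if verdict in ("expected", "ignore"):
            continue
        key = (ev["DeviceName"], ev["InitiatingProcessFileName"].lower(), verdict)
        findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for (device, proc, verdict), count in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{device:6} {proc:14} {verdict:20} sessions={count}")
```

The aggregation matters more than the per-event verdict: a single misattributed connection is noise, while the same unexpected process on one host holding relay sessions over time is the pattern worth pulling the binary for. The port filter is the weak spot of this heuristic; Teams media can fall back to TCP 443, so a process that tunnels over that fallback would need a volume- or duration-based check instead.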
```powershell
# IOC Hunt Script: Scan for Malicious Files associated with DragonForce, Gremlin, and Steam Campaigns
# Requires Administrator Privileges
$TargetHashes = @(
    "8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531",
    "048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
)
$PathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:TEMP",
    "C:\Program Files\Steam\steamapps\common\wallpaper_engine"
)
Write-Host "[+] Starting scan for known malicious IoCs..." -ForegroundColor Cyan
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[!] Scanning directory: $Path" -ForegroundColor Yellow
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so the uppercase hex from Get-FileHash matches
            if ($TargetHashes -contains $FileHash) {
                Write-Host "[!!!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
                Write-Host "      Hash: $FileHash" -ForegroundColor Red
            }
        }
    }
}
# Check for suspicious persistence (Steam Wallpaper Startup)
$StartupPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
if (Test-Path $StartupPath) {
    Write-Host "[!] Checking Startup Folder for suspicious Wallpaper Engine artifacts..." -ForegroundColor Yellow
    Get-ChildItem -Path $StartupPath -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Name -like "*wallpaper*" -or $_.Name -like "*steam*") {
            Write-Host "[?] Suspicious startup item found: $($_.Name)" -ForegroundColor DarkYellow
        }
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Cyan
```
# Response Priorities
**Immediate (0-24h)**:
* **Block IOCs**: Push all file hashes, domains (`leadslaw.com`, `fifaticket2026vip.com`), and IPs (`185.196.9.234`) to blocking lists (Firewall, Proxy, EDR).
* **Hunt for Steam Artifacts**: Scan endpoints for processes spawned by `wallpaper32.exe` and investigate RAR files in Downloads folders from the dates mentioned.
* **Vulnerability Scan**: Assess exposure to CVE-2023-36036, CVE-2023-52271, and CVE-2025-61155.
**24h - 48h**:
* **Identity Verification**: If credential theft is suspected (Vidar/Lumma/Gremlin), force reset passwords for accounts accessed from suspicious geographic locations or IP ranges associated with DragonForce activity.
* **Teams Traffic Analysis**: Review logs for anomalous usage of Microsoft Teams relay services by non-standard endpoints.
**1 Week**:
* **Architecture Hardening**: Implement strict application allowlisting for gaming software in corporate environments. Restrict the use of consumer-grade collaboration tools for C2-like traffic patterns.
* **User Awareness**: Update security awareness training to include risks associated with "free" assets in gaming platforms and World Cup-themed phishing.