Recent OTX Pulse data indicates a coordinated surge in credential theft activity utilizing advanced social engineering and supply chain compromise. Threat actor TroyDen is leveraging AI-generated lure names (using biological taxonomy) on GitHub to distribute LuaJIT payloads for Redline and LummaStealer. Concurrently, malicious NuGet packages are typosquatting Chinese UI libraries to deliver Quantum and ArrowRAT. These campaigns are characterized by a pivot from initial infostealer infection (Vidar, Lumma) to post-exploitation frameworks (EtherRat, TukTuk, NetExec), often culminating in The Gentleman Ransomware or persistent backdoors (cPanel-Python). The primary objectives across all five pulses are the exfiltration of browser credentials, cryptocurrency wallet keys, and SSH keys to facilitate lateral movement and financial extortion.
Threat Actor / Malware Profile
- TroyDen (Lure Factory):
- Distribution: GitHub repositories with over 300 delivery packages. Uses AI to generate obscure package names.
- Malware: LuaJIT, Redline, LummaStealer.
- Technique: Two-component payload; utilizes Prometheus obfuscator.
- Unknown (NuGet Supply Chain):
- Distribution: Malicious NuGet packages (published from the bmrxntfj account) impersonating Chinese UI libraries.
- Malware: Lumma, Quantum, AgentRacoon, ArrowRAT.
- Technique: Typosquatting, .NET Reactor protection, version rotation.
- EtherRat / TukTuk Operators:
- Distribution: Malicious MSI installer disguised as a Sysinternals tool.
- Malware: EtherRAT, TukTuk, The Gentleman Ransomware.
- Technique: EtherHiding (using Ethereum blockchain for C2), DLL sideloading, Kerberoasting.
- Mr_Rot13:
- Distribution: Exploitation of CVE-2026-41940 in cPanel.
- Malware: Filemanager, Cpanel-Python.
- Target: Government and Defense sectors in Southeast Asia.
IOC Analysis
The provided indicators include C2 infrastructure (IPv4 addresses associated with TroyDen), check-in/exfil domains (dns-providersa2.com, g8way.io), and file hashes for the malicious payloads in three formats (MD5, SHA1, SHA256), which matters when loading them into tooling that expects a single algorithm.
- Operationalization: SOC teams should block the listed IP ranges and domains at the perimeter and push the hashes to EDR for retrospective scanning. Given the version rotation noted for the NuGet campaign, a clean hash sweep is weak evidence; weight the domain and behavioural indicators more heavily.
- Decoding: The domains g8way.io and dns-providersa2.com appear to serve as check-in/C2 points for the stealer configurations. The IP ranges (e.g., 89.169.12.241, 213.176.73.0/24) are likely part of a bulletproof hosting infrastructure.
Detection Engineering
```yaml
title: NuGet Package Installation from Non-Official Package Source
id: 8a7b6c5d-4e3f-2a1b-9c8d-0e1f2a3b4c5d
status: experimental
description: Detects nuget.exe or dotnet.exe installing or adding a package with an explicit source that is not nuget.org, as used by the typosquatted NuGet campaign (Lumma, Quantum). Process creation events carry no network field, so the feed is read from the command line; add internal feeds to filter_legit.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/05/13
logsource:
    product: windows
    category: process_creation
detection:
    selection_image:
        Image|endswith:
            - '\nuget.exe'
            - '\dotnet.exe'
    selection_verb:
        CommandLine|contains:
            - 'install'
            - 'add package'
    selection_source:
        CommandLine|contains: '-source'
    filter_legit:
        CommandLine|contains: 'nuget.org'
    condition: all of selection_* and not filter_legit
falsepositives:
    - Legitimate internal NuGet feeds (add them to filter_legit)
level: high
tags:
    - attack.initial_access
    - attack.t1195.002
```

```yaml
title: AutoIt Script Execution Linked to Vidar Stealer Loader
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects execution of AutoIt3.exe, or cmd.exe launching a batch file under a masqueraded parent such as MicrosoftToolkit.exe, both known vectors for multi-stage loaders like Vidar.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/05/13
logsource:
    product: windows
    category: process_creation
detection:
    selection_autoit:
        Image|endswith: '\AutoIt3.exe'
    selection_masquerade:
        Image|endswith: '\cmd.exe'
        ParentImage|endswith: '\MicrosoftToolkit.exe'
        CommandLine|contains: '.bat'
    condition: 1 of selection_*
falsepositives:
    - Legitimate AutoIt scripts and administrative tooling that ships its own AutoIt3.exe
level: medium
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1036
```

```yaml
title: C2 Network Connections for Infostealers and Ransomware Precursors
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects outbound network connections to hostnames identified as C2 infrastructure for the TroyDen, EtherRAT and Vidar campaigns. Suffix matching is used instead of substring matching so that unrelated hostnames that merely contain one of the strings do not fire.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/05/13
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|endswith:
            - 'g8way.io'
            - 'dns-providersa2.com'
            - 'gz.technicalprorj.xyz'
            - 'wpsock.com'
            - 'wrned.com'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Sinkholed or re-registered domains after takedown; verify resolution before blocking
level: critical
tags:
    - attack.command_and_control
    - attack.exfiltration
```
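To make the logic of the three rules concrete, and to show how the IP ranges from the IOC section fit alongside the hostname indicators, here is an added example (not code from the original page or from Security Arsenal) that re-implements the rules in Python and runs them over constructed Sysmon-style events. The C2 domains and addresses are those listed above; the file paths, the attacker feed hostname and the event layout are assumptions. The NuGet rule takes the feed from the command line's -Source/--source argument, since process creation events carry no network field, and hostname matching is done on label boundaries rather than by substring.

```python
"""Run the logic of the three Sigma rules above over constructed Sysmon-style events.
Added example, not code from the original page or from Security Arsenal; the events
are made up, and the C2 indicators are the ones listed in the IOC section."""
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlparse

# Network indicators copied from the IOC section (page values, not assumptions)
C2_DOMAINS = {"g8way.io", "dns-providersa2.com", "gz.technicalprorj.xyz", "wpsock.com", "wrned.com"}
C2_IPS = {"89.169.12.241"}
C2_NETS = [ipaddress.ip_network("213.176.73.0/24")]
LEGIT_FEED_HOSTS = ("nuget.org",)  # assumption: add internal feed domains here


def hostname_matches(host: str, domains=C2_DOMAINS) -> bool:
    """Suffix match on label boundaries: 'cdn.g8way.io' hits, 'notwrned.com' does not
    (a plain substring check, Sigma's |contains, would flag the latter)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip: str) -> bool:
    """Exact listed address or membership in the listed /24."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ip in C2_IPS or any(addr in net for net in C2_NETS)


def rule_nuget_foreign_source(ev: dict) -> bool:
    """Rule 1: nuget.exe/dotnet.exe installing a package from an explicit non-nuget.org source.
    Process creation events carry no network field, so the feed is read from the command line."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if not image.endswith(("\\nuget.exe", "\\dotnet.exe")):
        return False
    if "install" not in cmd.lower() and "add package" not in cmd.lower():
        return False
    tokens = cmd.split()
    sources = [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() in ("-source", "--source")]
    if not sources:  # default feed in use; nothing to judge from the command line alone
        return False
    return not all(hostname_matches(urlparse(s).hostname or "", LEGIT_FEED_HOSTS) for s in sources)


def rule_autoit_loader(ev: dict) -> bool:
    """Rule 2: AutoIt3.exe itself, or cmd.exe running a .bat under a MicrosoftToolkit.exe parent."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if image.endswith("\\autoit3.exe"):
        return True
    return (image.endswith("\\cmd.exe") and parent.endswith("\\microsofttoolkit.exe")
            and ".bat" in ev.get("CommandLine", "").lower())


def rule_c2_connection(ev: dict) -> bool:
    """Rule 3, extended with the IP indicators: outbound connection to a listed host or address."""
    if str(ev.get("Initiated", "")).lower() != "true":
        return False
    return hostname_matches(ev.get("DestinationHostname", "")) or ip_matches(ev.get("DestinationIp", ""))


RULES: dict[str, list[Callable[[dict], bool]]] = {
    "process_creation": [rule_nuget_foreign_source, rule_autoit_loader],
    "network_connection": [rule_c2_connection],
}


def run(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (event id, rule name) for every rule that fires, in event order."""
    return [(ev["id"], rule.__name__) for ev in events
            for rule in RULES.get(ev.get("category"), []) if rule(ev)]


# Constructed sample events; every path, hostname and address outside the C2 list is invented
SAMPLE_EVENTS = [
    {"id": "e1", "category": "process_creation", "Image": r"C:\Program Files\dotnet\dotnet.exe",
     "CommandLine": "dotnet add package Foo.UI --source https://api.nuget.org/v3/index.json"},
    {"id": "e2", "category": "process_creation", "Image": r"C:\tools\nuget.exe",
     "CommandLine": "nuget.exe install Foo.UI -Source https://feed.example-attacker.test/v3/index.json"},
    {"id": "e3", "category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\dev\Downloads\MicrosoftToolkit.exe", "CommandLine": "cmd.exe /c setup.bat"},
    {"id": "e4", "category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
    {"id": "e5", "category": "network_connection", "Initiated": "true",
     "DestinationHostname": "cdn.g8way.io", "DestinationIp": "198.51.100.7"},
    {"id": "e6", "category": "network_connection", "Initiated": "true",
     "DestinationHostname": "notwrned.com", "DestinationIp": "213.176.73.200"},
    {"id": "e7", "category": "network_connection", "Initiated": "false",
     "DestinationHostname": "dns-providersa2.com", "DestinationIp": "203.0.113.9"},
]

if __name__ == "__main__":
    for event_id, rule_name in run(SAMPLE_EVENTS):
        print(f"{event_id}: {rule_name}")
```

Events e2, e3, e5 and e6 fire; e6 is caught only through the 213.176.73.0/24 range, because "notwrned.com" does not end with a listed domain, and e7 is ignored because the connection was inbound.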
```kql
// Hunt for connections to the listed C2 infrastructure and for the listed payload hashes.
// The pulse hash list mixes MD5 (32 hex), SHA1 (40 hex) and SHA256 (64 hex) values, so each column is
// checked against its own list rather than comparing everything to SHA256. Sentinel column names are used
// (TimeGenerated); in the Defender portal substitute Timestamp.
let MaliciousDomains = dynamic(['g8way.io', 'dns-providersa2.com', 'gz.technicalprorj.xyz', 'wpsock.com', 'wrned.com']);
let MaliciousIPs = dynamic(['89.169.12.241', '213.176.73.80', '213.176.73.130']);
let MaliciousSHA1 = dynamic(['efb675de4b3af3dac3c9cae91075fd7cc2f4f98e']);
let MaliciousSHA256 = dynamic(['019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824']);
let MaliciousMD5 = dynamic(['7ac9278876c83c9b597fae68acb6fbf9']);
let SuspiciousProcs = DeviceProcessEvents
    | where SHA256 in~ (MaliciousSHA256) or SHA1 in~ (MaliciousSHA1) or MD5 in~ (MaliciousMD5)
        or ProcessVersionInfoOriginalFileName in~ ("AutoIt3.exe", "MicrosoftToolkit.exe")
    | project ProcTime = TimeGenerated, DeviceName, FileName, ProcessCommandLine, FolderPath;
DeviceNetworkEvents
| where RemoteUrl has_any (MaliciousDomains) or RemoteIP in (MaliciousIPs) or ipv4_is_in_range(RemoteIP, '213.176.73.0/24')
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
// left join keeps every C2 connection; a suspicious process on the same device within an hour is attached when present
| join kind=leftouter SuspiciousProcs on DeviceName
| where isnull(ProcTime) or abs(datetime_diff('minute', TimeGenerated, ProcTime)) <= 60
| project TimeGenerated, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
```
```powershell
# IOC Hunt Script for Credential Stealers
# The pulse hash list mixes MD5 (32 hex), SHA1 (40 hex) and SHA256 (64 hex) values. Hashing files with
# SHA256 alone would never match the MD5/SHA1 entries, so each file is hashed with every algorithm present.
$TargetHashes = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c239b2171174bf32b5691a1",
    "73ce2438d4ed475e03727b7b000d2794",
    "7ac9278876c83c9b597fae68acb6fbf9"
)
# Bucket the indicators by algorithm, keyed on hex length; anything of another length is malformed and reported
$HashesByAlgo = @{}
foreach ($h in $TargetHashes) {
    $algo = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if (-not $algo) { Write-Warning "Skipping malformed hash ($($h.Length) hex chars): $h"; continue }
    if (-not $HashesByAlgo.ContainsKey($algo)) { $HashesByAlgo[$algo] = @{} }
    $HashesByAlgo[$algo][$h.ToLower()] = $true
}
Write-Host "Scanning for malicious IoCs..." -ForegroundColor Yellow
# Scan C:\ for matching hashes and for AutoIt3.exe / MicrosoftToolkit.exe outside Program Files
# (a full-disk walk is slow; narrow -Path to user profiles and ProgramData on large volumes)
Get-ChildItem -Path "C:\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Extension -in @('.exe', '.dll', '.bat', '.ps1', '.msi') } |
    ForEach-Object {
        $file = $_
        foreach ($algo in $HashesByAlgo.Keys) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and $HashesByAlgo[$algo].ContainsKey($hash.ToLower())) {
                Write-Host "MATCH FOUND ($algo): $($file.FullName)" -ForegroundColor Red
            }
        }
        if ($file.Name -in @('AutoIt3.exe', 'MicrosoftToolkit.exe') -and $file.FullName -notlike 'C:\Program Files*') {
            Write-Host "Loader candidate outside Program Files: $($file.FullName)" -ForegroundColor Magenta
        }
    }
# Check for an installed AutoIt interpreter (often used in these loaders); both default install paths
foreach ($autoItPath in @("C:\Program Files\AutoIt3\AutoIt3.exe", "C:\Program Files (x86)\AutoIt3\AutoIt3.exe")) {
    if (Test-Path $autoItPath) {
        Write-Host "AutoIt3 detected at $autoItPath. Investigate if unauthorized." -ForegroundColor Cyan
    }
}
# List the NuGet package cache so typosquatted IDs (look-alikes of Chinese UI libraries) can be reviewed
$nugetPath = "$env:USERPROFILE\.nuget\packages"
if (Test-Path $nugetPath) {
    Write-Host "NuGet package cache at $nugetPath; review the IDs below for look-alike names:" -ForegroundColor Cyan
    Get-ChildItem -Path $nugetPath -Directory | Sort-Object LastWriteTime -Descending |
        Select-Object Name, LastWriteTime | Format-Table -AutoSize
}
```
Response Priorities
* **Immediate**:
* Block all listed IPv4 addresses and domains (`g8way.io`, `dns-providersa2.com`, etc.) on firewalls and proxies.
* Initiate endpoint scans for the provided SHA256 and MD5 hashes.
* Isolate any systems exhibiting network traffic to the listed TroyDen IP ranges.
* **24 Hours**:
* Force password reset for developer accounts and privileged users if credential theft (Lumma/Vidar) is suspected.
    * Review NuGet package references for typosquatted look-alikes of Chinese UI libraries, and search build logs and package caches for anything published by the `bmrxntfj` NuGet account.
* Patch cPanel instances for **CVE-2026-41940** immediately.
* **1 Week**:
* Implement strict code-signing policies for GitHub and NuGet packages utilized internally.
* Hunt for EtherHiding activity by monitoring for outbound Ethereum RPC connections from non-wallet endpoints.
    * Rotate SSH keys on Linux/cPanel servers exposed to CVE-2026-41940 (Mr_Rot13's entry point) and review `authorized_keys` files for additions, since SSH keys are among the material these campaigns exfiltrate.
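The NuGet review in the 24-hour and 1-week items can be scripted. The following is an added example (not tooling from the pulses or from Security Arsenal) that parses a .csproj and a NuGet.Config, flags feeds outside an allowlist, flags package IDs within two edits of a trusted name, and flags floating versions, which is what lets version rotation land in a build. The trusted IDs, allowed feed hosts and both XML documents are constructed; substitute your organisation's approved list.

```python
"""Review a .NET project's NuGet references for typosquats, floating versions and non-allowlisted feeds.
Added example for the NuGet review items above, not tooling from the pulses or from Security Arsenal.
The trusted IDs, allowed feed hosts and both XML documents below are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hypothetical approved package IDs and feed hosts; a real review loads the organisation's own lists
TRUSTED_IDS = {"Newtonsoft.Json", "Serilog", "Contoso.UI.Controls"}
ALLOWED_FEED_HOSTS = {"api.nuget.org", "nuget.corp.example"}


def levenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance; one or two edits from a trusted ID is the typosquat signature."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_refs(csproj_xml: str) -> dict[str, str]:
    """Return {package id: version} from every PackageReference in an SDK-style .csproj."""
    root = ET.fromstring(csproj_xml)
    return {el.get("Include"): el.get("Version", "") for el in root.iter("PackageReference") if el.get("Include")}


def feed_sources(nuget_config_xml: str) -> dict[str, str]:
    """Return {source name: url} from the <packageSources> section of a NuGet.Config."""
    sources = ET.fromstring(nuget_config_xml).find("packageSources")
    if sources is None:
        return {}
    return {el.get("key"): el.get("value") for el in sources.findall("add") if el.get("key") and el.get("value")}


def review(csproj_xml: str, nuget_config_xml: str, max_distance: int = 2) -> list[str]:
    """Collect findings a reviewer would act on; exact (case-insensitive) trusted matches are silent."""
    findings = []
    for name, url in feed_sources(nuget_config_xml).items():
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_FEED_HOSTS:
            findings.append(f"feed '{name}' points at non-allowlisted host {host or url!r}")
    trusted_lower = {t.lower() for t in TRUSTED_IDS}
    for pkg, version in package_refs(csproj_xml).items():
        if not version or "*" in version:
            # floating versions pull whatever the feed serves next, which is how version rotation lands
            findings.append(f"package {pkg} uses floating version {version!r}: pin it and commit packages.lock.json")
        if pkg.lower() in trusted_lower:
            continue
        distance, closest = min((levenshtein(pkg, t), t) for t in TRUSTED_IDS)
        if distance <= max_distance:
            findings.append(f"package {pkg} {version} is {distance} edit(s) from trusted {closest}: possible typosquat")
        else:
            findings.append(f"package {pkg} {version} is not on the trusted list: review before building")
    return findings


# Constructed inputs: one look-alike of an internal UI library (l for I), one look-alike of Serilog (1 for l),
# one floating version, and a second feed that is not on the allowlist
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Serilog" Version="3.*" />
    <PackageReference Include="Contoso.UI.Controls" Version="4.2.0" />
    <PackageReference Include="Contoso.Ul.Controls" Version="4.2.1" />
    <PackageReference Include="Seri1og" Version="3.1.1" />
  </ItemGroup>
</Project>"""
NUGET_CONFIG = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" protocolVersion="3" />
    <add key="mirror" value="https://nuget-mirror.example-attacker.test/v3/index.json" />
  </packageSources>
</configuration>"""

if __name__ == "__main__":
    for finding in review(CSPROJ, NUGET_CONFIG):
        print(finding)
```

The script is a review aid, not enforcement; for the code-signing policy item, NuGet.Config can additionally set `signatureValidationMode` to `require` with a `trustedSigners` section so that unsigned or unexpectedly signed packages fail to restore at all.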