Back to Intelligence

GIFTEDCROOK, OtterCookie & BRICKSTORM: OTX Pulse Analysis — Multi-Vector Credential Theft Campaigns

SA
Security Arsenal Team
July 8, 2026
6 min read

Recent OTX Pulse data reveals a convergence of high-profile credential theft and access brokering campaigns targeting critical infrastructure, software development, and MSP sectors. Three distinct clusters—SHADOW-EARTH-066 (Russia-aligned), UNK_DeadDrop (North Korea-aligned), and VerdantBamboo (China-aligned)—are actively exploiting unmanaged software, supply chain trust, and edge device misconfigurations.

  • SHADOW-EARTH-066 is leveraging a patched but pervasive WinRAR vulnerability (CVE-2025-8088) to deliver GIFTEDCROOK, an evolved information stealer targeting Ukrainian government and defense entities.
  • UNK_DeadDrop is conducting a broad phishing campaign against developers, utilizing malicious GitHub repositories and VSIX extensions to deliver OtterCookie and Overlord, focused on cryptocurrency wallet exfiltration.
  • VerdantBamboo has compromised edge infrastructure via Egnyte storage sync systems, deploying the BRICKSTORM backdoor to maintain persistent access likely used for credential harvesting and lateral movement.

Collectively, these campaigns indicate a shift toward targeting "blind spots" in enterprise security: archive utilities, developer tools, and network devices lacking EDR coverage.

Threat Actor / Malware Profile

SHADOW-EARTH-066 / GIFTEDCROOK

  • Distribution: Weaponized RAR archives exploiting CVE-2025-8088 (path traversal) delivered via spear-phishing.
  • Payload Behavior: GIFTEDCROOK utilizes in-memory DLL loading via direct NT system calls to evade hooks. It harvests browser credentials, session cookies, and documents across 35 specific file extensions.
  • C2 Communication: Connects to hardcoded C2 IPs (e.g., 38.225.209.229) to exfiltrate stolen data.
  • Persistence: GammaSteel malware component ensures continued access;
  • Anti-Analysis: Heavy use of obfuscation and NT system calls to bypass user-mode API monitoring.

UNK_DeadDrop / OtterCookie

  • Distribution: Phishing emails with recruitment themes; links to actor-controlled GitHub repositories containing malicious scripts or VSIX extensions.
  • Payload Behavior: OtterCookie and Overlord specifically target browser extensions and cryptocurrency wallets. Invisible Ferret and FlexibleFerret provide flexibility in payload delivery.
  • C2 Communication: Exfiltration via GitHub API or hardcoded endpoints associated with the repo infrastructure.
  • Persistence: Malicious VSIX extensions auto-load when Visual Studio Code is launched.

VerdantBamboo / BRICKSTORM

  • Distribution: Initial compromise via Egnyte Storage Sync systems, exploiting sudo misconfigurations.
  • Payload Behavior: BRICKSTORM is a Linux-based backdoor installed on network edge devices; AGENTPSD acts as a fallback implant.
  • C2 Communication: Connects to service.systemsvcs.com for command and control.
  • Persistence: Installs as a system service or modifies startup scripts on Linux edge devices.

IOC Analysis

The provided IOCs span multiple vectors requiring layered defense:

  • Network Infrastructure: Blocking 166.0.132.237 (Digital Energy Technologies) and 38.225.209.229 (Cogent) is critical, as these host C2 servers. The domain service.systemsvcs.com is a key indicator for the VerdantBamboo campaign.
  • File Hashes: A significant number of SHA256 hashes are provided for the North Korean campaign (e.g., 2812e084...) and MD5 for BRICKSTORM (123e80a3...). These should be loaded into EDR solutions immediately.
  • Vulnerabilities: CVE-2025-8088 is the primary vector for the Ukraine attacks. While CVE-2018-20250 is listed as a sample, the focus is on the 2025 flaw.

SOC Operationalization:

  1. Firewall/Proxy: Block the listed IPs and domains immediately.
  2. EDR: Hunt for the specific file hashes; look for processes spawned by WinRAR that touch sensitive directories (path traversal).
  3. SIEM: Alert on DNS queries to service.systemsvcs.com and HTTP connections to the listed C2 IPs.

Detection Engineering

YAML
---
title: WinRAR Path Traversal Exploitation Attempt - CVE-2025-8088
id: 4f8c2d1a-9b3e-4c5f-8e1a-2b3c4d5e6f7a
description: Detects WinRAR exploiting path traversal vulnerabilities to write files outside the target directory, a technique used by GIFTEDCROOK.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\WinRAR.exe'
            - '\rar.exe'
        CommandLine|contains:
            - '..\'
            - '../'
    condition: selection
falsepositives:
    - Legitimate archive extraction containing parent directory references (rare)
level: high
tags:
    - attack.initial_access
    - attack.execution
    - cve.2025.8088
    - giftedcrook

---
title: Suspicious Visual Studio Code Extension Load
id: 5a9d3e2b-1c4f-4a6b-9e2d-3c4d5e6f7a8b
description: Detects Visual Studio Code loading extensions or spawning shells, indicative of UNK_DeadDrop malicious VSIX activity.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith: '\Code.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\node.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Developer using terminal integrated in VS Code
level: medium
tags:
    - attack.execution
    - attack.initial_access
    - unk_deaddrop
    - ottercookie

---
title: VerdantBamboo C2 Domain Resolution
id: 6b0e4f3c-2d5g-5h7i-0j1k-4l5m6n7o8p9q
description: Detects DNS resolution of known VerdantBamboo C2 infrastructure associated with BRICKSTORM.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains: 'service.systemsvcs.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.persistence
    - verdantbamboo
    - brickstorm


kql
// Hunt for network indicators associated with GIFTEDCROOK, UNK_DeadDrop, and VerdantBamboo
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("astrocaf.com", "service.systemsvcs.com") 
   or RemoteIP in ("166.0.132.237", "38.225.209.229")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCHit = iif(RemoteUrl in ("astrocaf.com", "service.systemsvcs.com"), "Domain", "IP")


bash
#!/bin/bash
# Hunt script for VerdantBamboo BRICKSTORM (Linux/Edge Devices)
# Checks for known MD5 hashes and C2 domain resolution

KNOWN_HASH="123e80a34508c4dede7cc70e76931fcc"
C2_DOMAIN="service.systemsvcs.com"

echo "[*] Scanning for BRICKSTORM artifacts..."

# Check processes for the known MD5
for pid in $(ls /proc/ | grep -E '^[0-9]+$'); do
    if [ -L "/proc/$pid/exe" ]; then
        exe=$(readlink -f /proc/$pid/exe)
        if [ -f "$exe" ]; then
            current_md5=$(md5sum "$exe" | awk '{print $1}')
            if [ "$current_md5" == "$KNOWN_HASH" ]; then
                echo "[!] ALERT: Process $pid ($exe) matches BRICKSTORM hash $KNOWN_HASH"
            fi
        fi
    fi
done

# Check /etc/hosts for C2 domain poisoning
if grep -q "$C2_DOMAIN" /etc/hosts; then
    echo "[!] ALERT: C2 Domain $C2_DOMAIN found in /etc/hosts"
fi

echo "[*] Scan complete."

Response Priorities

  • Immediate:

    • Block all listed IP addresses and domains at the perimeter firewall and proxy.
    • Push the SHA256 and MD5 hashes to all endpoints for immediate isolation/quarantine.
    • Identify and patch systems vulnerable to CVE-2025-8088, specifically focusing on Ukraine-targeted business units.
  • 24 Hours:

    • Conduct credential resets for developers and users in the targeted sectors (Finance, Tech, Education) who may have interacted with the malicious GitHub repositories.
    • Audit Visual Studio Code installations for unauthorized extensions.
  • 1 Week:

    • Audit all edge devices and Linux systems for the presence of BRICKSTORM or connections to service.systemsvcs.com.
    • Implement strict software update policies for archive utilities (WinRAR) and review EDR coverage on network edge devices.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsgiftedcrookottercookiebrickstormcredential-theftapt-groups

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.