Recent OTX Pulse data reveals a convergence of high-profile credential theft and access brokering campaigns targeting critical infrastructure, software development, and MSP sectors. Three distinct clusters—SHADOW-EARTH-066 (Russia-aligned), UNK_DeadDrop (North Korea-aligned), and VerdantBamboo (China-aligned)—are actively exploiting unmanaged software, supply chain trust, and edge device misconfigurations.
- SHADOW-EARTH-066 is leveraging a patched but pervasive WinRAR vulnerability (CVE-2025-8088) to deliver GIFTEDCROOK, an evolved information stealer targeting Ukrainian government and defense entities.
- UNK_DeadDrop is conducting a broad phishing campaign against developers, utilizing malicious GitHub repositories and VSIX extensions to deliver OtterCookie and Overlord, focused on cryptocurrency wallet exfiltration.
- VerdantBamboo has compromised edge infrastructure via Egnyte storage sync systems, deploying the BRICKSTORM backdoor to maintain persistent access likely used for credential harvesting and lateral movement.
Collectively, these campaigns indicate a shift toward targeting "blind spots" in enterprise security: archive utilities, developer tools, and network devices lacking EDR coverage.
Threat Actor / Malware Profile
SHADOW-EARTH-066 / GIFTEDCROOK
- Distribution: Weaponized RAR archives exploiting CVE-2025-8088 (path traversal) delivered via spear-phishing.
- Payload Behavior: GIFTEDCROOK utilizes in-memory DLL loading via direct NT system calls to evade hooks. It harvests browser credentials, session cookies, and documents across 35 specific file extensions.
- C2 Communication: Connects to hardcoded C2 IPs (e.g., 38.225.209.229) to exfiltrate stolen data.
- Persistence: GammaSteel malware component ensures continued access;
- Anti-Analysis: Heavy use of obfuscation and NT system calls to bypass user-mode API monitoring.
UNK_DeadDrop / OtterCookie
- Distribution: Phishing emails with recruitment themes; links to actor-controlled GitHub repositories containing malicious scripts or VSIX extensions.
- Payload Behavior: OtterCookie and Overlord specifically target browser extensions and cryptocurrency wallets. Invisible Ferret and FlexibleFerret provide flexibility in payload delivery.
- C2 Communication: Exfiltration via GitHub API or hardcoded endpoints associated with the repo infrastructure.
- Persistence: Malicious VSIX extensions auto-load when Visual Studio Code is launched.
VerdantBamboo / BRICKSTORM
- Distribution: Initial compromise via Egnyte Storage Sync systems, exploiting sudo misconfigurations.
- Payload Behavior: BRICKSTORM is a Linux-based backdoor installed on network edge devices; AGENTPSD acts as a fallback implant.
- C2 Communication: Connects to
service.systemsvcs.comfor command and control. - Persistence: Installs as a system service or modifies startup scripts on Linux edge devices.
IOC Analysis
The provided IOCs span multiple vectors requiring layered defense:
- Network Infrastructure: Blocking
166.0.132.237(Digital Energy Technologies) and38.225.209.229(Cogent) is critical, as these host C2 servers. The domainservice.systemsvcs.comis a key indicator for the VerdantBamboo campaign. - File Hashes: A significant number of SHA256 hashes are provided for the North Korean campaign (e.g.,
2812e084...) and MD5 for BRICKSTORM (123e80a3...). These should be loaded into EDR solutions immediately. - Vulnerabilities: CVE-2025-8088 is the primary vector for the Ukraine attacks. While CVE-2018-20250 is listed as a sample, the focus is on the 2025 flaw.
SOC Operationalization:
- Firewall/Proxy: Block the listed IPs and domains immediately.
- EDR: Hunt for the specific file hashes; look for processes spawned by WinRAR that touch sensitive directories (path traversal).
- SIEM: Alert on DNS queries to
service.systemsvcs.comand HTTP connections to the listed C2 IPs.
Detection Engineering
---
title: WinRAR Path Traversal Exploitation Attempt - CVE-2025-8088
id: 4f8c2d1a-9b3e-4c5f-8e1a-2b3c4d5e6f7a
description: Detects WinRAR exploiting path traversal vulnerabilities to write files outside the target directory, a technique used by GIFTEDCROOK.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\WinRAR.exe'
- '\rar.exe'
CommandLine|contains:
- '..\'
- '../'
condition: selection
falsepositives:
- Legitimate archive extraction containing parent directory references (rare)
level: high
tags:
- attack.initial_access
- attack.execution
- cve.2025.8088
- giftedcrook
---
title: Suspicious Visual Studio Code Extension Load
id: 5a9d3e2b-1c4f-4a6b-9e2d-3c4d5e6f7a8b
description: Detects Visual Studio Code loading extensions or spawning shells, indicative of UNK_DeadDrop malicious VSIX activity.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection_parent:
Image|endswith: '\Code.exe'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\node.exe'
condition: selection_parent and selection_child
falsepositives:
- Developer using terminal integrated in VS Code
level: medium
tags:
- attack.execution
- attack.initial_access
- unk_deaddrop
- ottercookie
---
title: VerdantBamboo C2 Domain Resolution
id: 6b0e4f3c-2d5g-5h7i-0j1k-4l5m6n7o8p9q
description: Detects DNS resolution of known VerdantBamboo C2 infrastructure associated with BRICKSTORM.
status: experimental
date: 2026/07/08
author: Security Arsenal
logsource:
category: dns_query
product: windows
detection:
selection:
QueryName|contains: 'service.systemsvcs.com'
condition: selection
falsepositives:
- Unknown
level: critical
tags:
- attack.command_and_control
- attack.persistence
- verdantbamboo
- brickstorm
kql
// Hunt for network indicators associated with GIFTEDCROOK, UNK_DeadDrop, and VerdantBamboo
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("astrocaf.com", "service.systemsvcs.com")
or RemoteIP in ("166.0.132.237", "38.225.209.229")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCHit = iif(RemoteUrl in ("astrocaf.com", "service.systemsvcs.com"), "Domain", "IP")
bash
#!/bin/bash
# Hunt script for VerdantBamboo BRICKSTORM (Linux/Edge Devices)
# Checks for known MD5 hashes and C2 domain resolution
KNOWN_HASH="123e80a34508c4dede7cc70e76931fcc"
C2_DOMAIN="service.systemsvcs.com"
echo "[*] Scanning for BRICKSTORM artifacts..."
# Check processes for the known MD5
for pid in $(ls /proc/ | grep -E '^[0-9]+$'); do
if [ -L "/proc/$pid/exe" ]; then
exe=$(readlink -f /proc/$pid/exe)
if [ -f "$exe" ]; then
current_md5=$(md5sum "$exe" | awk '{print $1}')
if [ "$current_md5" == "$KNOWN_HASH" ]; then
echo "[!] ALERT: Process $pid ($exe) matches BRICKSTORM hash $KNOWN_HASH"
fi
fi
fi
done
# Check /etc/hosts for C2 domain poisoning
if grep -q "$C2_DOMAIN" /etc/hosts; then
echo "[!] ALERT: C2 Domain $C2_DOMAIN found in /etc/hosts"
fi
echo "[*] Scan complete."
Response Priorities
-
Immediate:
- Block all listed IP addresses and domains at the perimeter firewall and proxy.
- Push the SHA256 and MD5 hashes to all endpoints for immediate isolation/quarantine.
- Identify and patch systems vulnerable to CVE-2025-8088, specifically focusing on Ukraine-targeted business units.
-
24 Hours:
- Conduct credential resets for developers and users in the targeted sectors (Finance, Tech, Education) who may have interacted with the malicious GitHub repositories.
- Audit Visual Studio Code installations for unauthorized extensions.
-
1 Week:
- Audit all edge devices and Linux systems for the presence of BRICKSTORM or connections to
service.systemsvcs.com. - Implement strict software update policies for archive utilities (WinRAR) and review EDR coverage on network edge devices.
- Audit all edge devices and Linux systems for the presence of BRICKSTORM or connections to
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.