Back to Intelligence

GIFTEDCROOK, Overlord & BRICKSTORM: OTX Pulse Analysis — Multi-Front APT Campaigns & Detection Pack

SA
Security Arsenal Team
July 8, 2026
6 min read

Recent OTX Pulse data exposes a convergence of high-impact nation-state campaigns targeting distinct sectors. Russian-aligned actors SHADOW-EARTH-066 and Earth Dahu are actively exploiting a patched WinRAR vulnerability (CVE-2025-8088) to deliver GIFTEDCROOK stealer against Ukrainian government and defense entities. Simultaneously, a likely North Korean cluster tracked as UNK_DeadDrop is launching sophisticated supply chain attacks on developers in the US, using malicious GitHub repositories and weaponized VSIX extensions to deploy Overlord and OtterCookie for cryptocurrency theft. Separately, Chinese actor VerdantBamboo has demonstrated persistence by compromising Managed Service Providers (MSPs) to deploy the BRICKSTORM backdoor on network edge devices lacking EDR coverage, exploiting a sudo misconfiguration in Egnyte Storage Sync systems.

Threat Actor / Malware Profile

SHADOW-EARTH-066 / Earth Dahu (Russia-Aligned)

  • Malware: GIFTEDCROOK, GammaSteel
  • Objective: Credential harvesting, espionage, and data exfiltration from Ukrainian infrastructure.
  • Distribution: Spear-phishing archives exploiting CVE-2025-8088 (WinRAR path traversal) and CVE-2018-20250.
  • Behavior: GIFTEDCROOK utilizes in-memory DLL loading via direct NT system calls to evade detection. It targets browser credentials, session cookies, and documents across 35+ file extensions.

UNK_DeadDrop (Likely North Korea)

  • Malware: Overlord, OtterCookie, Invisible Ferret, FlexibleFerret
  • Objective: Cryptocurrency theft and intellectual property compromise from the tech and finance sectors.
  • Distribution: Recruitment-themed phishing emails linking to actor-controlled GitHub repositories hosting malicious scripts and Visual Studio (VSIX) extensions.
  • Behavior: The infection chain involves the execution of malicious scripts that download and install payloads capable of wallet exfiltration and system reconnaissance.

VerdantBamboo (China-Aligned)

  • Malware: BRICKSTORM, PLENET, AGENTPSD
  • Objective: Long-term persistence within victim organizations and MSPs.
  • Distribution: Initial access via compromised Egnyte Storage Sync systems, leveraging sudo misconfigurations for privilege escalation.
  • Behavior: Deploys malware on network edge devices (firewalls/gateways) to bypass traditional EDR. BRICKSTORM acts as the primary backdoor with AGENTPSD serving as a fallback mechanism.

IOC Analysis

The provided IOCs reveal a blend of infrastructure and file-based artifacts:

  • Domains & Hostnames:
    • astrocaf.com (SHADOW-EARTH-066 C2)
    • service.systemsvcs.com (VerdantBamboo C2)
  • IPv4 Addresses:
    • 166.0.132.237 (Hosted in US, likely proxy)
    • 38.225.209.229 (Cogent Communications)
  • File Hashes: Multiple SHA256 hashes associated with Overlord and BRICKSTORM payloads.
  • CVEs: CVE-2025-8088, CVE-2025-6218, CVE-2018-20250.

Operational Guidance: SOC teams should immediately block listed IPs and domains at the perimeter firewall and proxy servers. File hashes should be uploaded to EDR solutions for signature scanning. Given the use of GitHub repositories, network traffic to non-standard GitHub endpoints or anomalous git clone activities should be flagged.

Detection Engineering

Sigma Rules

YAML
---
title: Potential WinRAR Path Traversal Exploitation - GIFTEDCROOK
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to exploit WinRAR path traversal vulnerabilities (CVE-2025-8088, CVE-2018-20250) often used by SHADOW-EARTH-066 to drop GIFTEDCROOK.
author: Security Arsenal
date: 2026/07/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection_winrar:
        Image|endswith:
            - '\WinRAR.exe'
            - '\rar.exe'
    selection_traversal:
        CommandLine|contains:
            - '..\..\'
            - '../..'
            - 'AppData\'
    condition: all of selection_*
falsepositives:
    - Administrative archive management
level: high
---
title: Suspicious VSIX Extension Installation - UNK_DeadDrop
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects installation of Visual Studio or VS Code extensions from untrusted sources associated with UNK_DeadDrop campaigns.
author: Security Arsenal
date: 2026/07/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_editor:
        Image|endswith:
            - '\Code.exe'
            - '\devenv.exe'
    selection_install:
        CommandLine|contains:
            - '--install-extension'
            - '.vsix'
    filter_signed:
        CommandLine|contains: '--force' # often used to bypass prompts
    condition: all of selection_*
falsepositives:
    - Legitimate developer environment setup
level: medium
---
title: VerdantBamboo C2 Network Traffic
id: 3c4d5e6f-7a8b-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects network connections to known VerdantBamboo C2 infrastructure (BRICKSTORM).
author: Security Arsenal
date: 2026/07/08
references:
    - https://otx.alienvault.com/
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection_c2:
        DestinationHostname|contains:
            - 'service.systemsvcs.com'
        DestinationPort:
            - 443
            - 80
    condition: selection_c2
falsepositives:
    - Unknown (Low volume domain)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for WinRAR Suspicious Activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('WinRAR.exe', 'rar.exe')
| where ProcessCommandLine has '..\..\' or ProcessCommandLine has '../..' 
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend IoC_Type = 'WinRAR Exploit'
;
// Hunt for UNK_DeadDrop IOCs
union DeviceNetworkEvents, DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    '2812e0847d472cb8870c94f463331dbe53b84135132b9bf5f6d84c2382be628f',
    '339907b44f161f57ff30819f422c552382ff437b3ae437463b4222cfe86bd943',
    '35813f4401d3ad77b618275473a556eb47bfa6f4b7439dd8943b19f81aa7252e'
    )
| project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, SHA256, FolderPath
| extend IoC_Type = 'UNK_DeadDrop Hash'
;
// Hunt for VerdantBamboo C2
DeviceNetworkEvents
| where Timestamp > ago(90d)
| where RemoteUrl has 'service.systemsvcs.com' or RemoteIP == '166.0.132.237'
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, DeviceName
| extend IoC_Type = 'VerdantBamboo C2'

PowerShell Hunt Script

PowerShell
# IOC Hunt for GIFTEDCROOK, UNK_DeadDrop, and VerdantBamboo
# Requires Admin privileges for network checks

Write-Host "[+] Starting Security Arsenal Threat Hunt..." -ForegroundColor Cyan

# 1. Check for WinRAR Process
$winrar = Get-Process -Name "winrar" -ErrorAction SilentlyContinue
if ($winrar) {
    Write-Host "[!] ALERT: WinRAR is currently running." -ForegroundColor Red
} else {
    Write-Host "[-] WinRAR not running." -ForegroundColor Green
}

# 2. Check Hosts File for C2 Domains
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$maliciousDomains = @("astrocaf.com", "service.systemsvcs.com")
$hostsContent = Get-Content $hostsPath -ErrorAction SilentlyContinue

foreach ($domain in $maliciousDomains) {
    if ($hostsContent -match $domain) {
        Write-Host "[!] ALERT: Malicious domain '$domain' found in hosts file." -ForegroundColor Red
    }
}

# 3. Check for Recent VSIX Installs (UNK_DeadDrop vector)
$vsixPath = "$env:USERPROFILE\.vscode\extensions"
if (Test-Path $vsixPath) {
    $recentExt = Get-ChildItem $vsixPath | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
    if ($recentExt) {
        Write-Host "[?] INFO: Recent VS Code extensions found (Last 30 days):" -ForegroundColor Yellow
        $recentExt | Select-Object Name, LastWriteTime
    }
}

# 4. DNS Resolution Check for C2 Infrastructure
Write-Host "[+] Resolving IOCs..." -ForegroundColor Cyan
$targets = @("astrocaf.com", "service.systemsvcs.com", "166.0.132.237")
foreach ($target in $targets) {
    try {
        $result = Resolve-DnsName -Name $target -ErrorAction Stop
        Write-Host "[!] ALERT: Resolution successful for $target - Possible C2 connectivity." -ForegroundColor Red
    } catch {
        Write-Host "[-] Resolution failed for $target." -ForegroundColor Green
    }
}

Response Priorities

  • Immediate:

    • Block all listed IPs (166.0.132.237, 38.225.209.229) and domains (astrocaf.com, service.systemsvcs.com) at the perimeter.
    • Scan endpoints for the specific SHA256 hashes associated with Overlord and BRICKSTORM.
    • Disable or restrict the use of WinRAR in high-security zones pending patch verification.
  • 24 Hours:

    • Initiate credential rotation for accounts active on systems where WinRAR exploitation is suspected.
    • Audit GitHub repositories accessed by development teams for non-approved forks or suspicious commits.
    • Review logs for connections to service.systemsvcs.com or VSIX installation events in the last 90 days.
  • 1 Week:

    • Enforce strict software patching policies, specifically targeting the WinRAR CVE-2025-8088 vulnerability.
    • Implement application controls to prevent the execution of unauthorized VSIX extensions.
    • Conduct a security audit of all edge devices and MSP access points to identify and remediate privilege escalation vectors (e.g., sudo misconfigurations).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptgiftedcrookunk-deaddropverdantbambooapt-campaignscve-exploitation

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.