Recent OTX pulses indicate a coordinated surge in credential theft campaigns and edge-device exploitation. Threat actors, including UAT-8616 and FAMOUS CHOLLIMA, are leveraging sophisticated infostealers (Gremlin, Vidar, OtterCookie) distributed via supply chain compromises (npm) and social engineering (GitHub). Concurrently, significant exploitation of Cisco Catalyst SD-WAN vulnerabilities is being utilized to deploy webshells (Godzilla, XenShell) and C2 frameworks (Sliver). This briefing synthesizes these threats into immediate detection and response actions.
Threat Summary
Collectively, the pulses reveal a dual-front attack surface:
- Endpoint Credential Harvesting: Actors are aggressively distributing infostealers like Gremlin Stealer and Vidar. Gremlin utilizes advanced virtualization-based obfuscation to hide in resource files, while Vidar is being distributed via trojanized GitHub repositories leveraging the recent Claude Code leak as a lure.
- Edge Infrastructure Compromise: The exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) allows actors like UAT-8616 to gain administrative access. This access is immediately leveraged to drop webshells (Godzilla, Behinder) and establish persistence using C2 frameworks like Sliver.
The primary objective across these campaigns is credential harvesting (browser cookies, SSH keys, cryptocurrency wallets) and establishing long-term persistence within enterprise environments for cryptomining or data exfiltration.
Threat Actor / Malware Profile
Gremlin Stealer (Pulse 1)
- Distribution: Malicious spam or bundled downloads.
- Behavior: Employs a commercial packer with instruction virtualization. Extracts payloads from embedded resource files to evade static analysis.
- C2: Exfiltrates data via Telegram or hardcoded C2 IPs (e.g., 194.87.92.109).
- Targets: Browser data, payment cards, Discord tokens.
OtterCookie / NPM Campaign (Pulse 3)
- Actor: FAMOUS CHOLLIMA (North Korean associated).
- Distribution: "Contagious Interview" supply chain attack. Malicious npm packages clone legitimate libraries (e.g., big.js) and pull in malicious dependencies.
- Behavior: Infostealing and SSH backdoor deployment.
Vidar Stealer (Pulse 5)
- Distribution: Social engineering via GitHub. Trojanized versions of the leaked "Claude Code".
- Behavior: SystemBC proxy usage, information theft.
- C2: Communicates with specific C2 servers (e.g., 147.45.197.92).
SD-WAN Exploitation (Pulse 2 & 4)
- Actors: UAT-8616, The Gentlemen RaaS.
- Vectors: CVE-2026-20182 (Auth Bypass), CVE-2024-55591 (Fortinet), CVE-2025-32433.
- Payloads: Webshells (Godzilla, XenShell), Sliver C2, XMRig.
- Behavior: Authentication bypass to gain admin rights, followed by webshell upload for remote control.
IOC Analysis
The provided IOCs are critical for immediate blocking and hunting:
- IPv4 Addresses: Key C2 servers include 194.87.92.109 (Gremlin), 176.65.139.31 (SD-WAN), and 147.45.197.92 (Vidar). These should be blocked at the firewall.
- File Hashes (SHA256/MD5): Multiple hashes associated with Gremlin, Vidar, and webshells are provided. These should be loaded into EDR solutions for immediate quarantine.
- CVEs: Priority patching is required for CVE-2026-20182, CVE-2026-20133, CVE-2024-55591, and CVE-2025-32433.
- Operationalization:
  - SIEM: Use KQL to correlate DeviceNetworkEvents with the listed IPs.
  - EDR: Scan DeviceProcessEvents and DeviceFileEvents for the listed hashes.
  - TIP: Ingest OTX pulses to automatically update firewall blocklists.
Detection Engineering
Sigma Rules
---
title: Potential Gremlin Stealer Process Execution
id: 9b3f1e5e-1c2a-4a7b-9f0d-1a2b3c4d5e6f
description: Detects suspicious process execution patterns associated with Gremlin Stealer and Agent Tesla, specifically rundll32 or regsvr32 loading from suspicious paths or obfuscated command lines.
status: experimental
date: 2026/05/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
        CommandLine|contains:
            - 'javascript:'
            - 'vbscript:'
            - '.dll'
    filter:
        # Exclude command lines that reference system paths
        CommandLine|contains:
            - 'Windows'
            - 'System32'
    condition: selection and not filter
falsepositives:
    - Legitimate software installers
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - malware.gremlin
---
title: Cisco SD-WAN Webshell Activity via Java/Tomcat
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects potential webshell activity on Cisco SD-WAN devices by identifying Java/Tomcat processes spawning a shell interpreter (sh, bash, or PowerShell), indicative of Godzilla or Behinder webshells.
status: experimental
date: 2026/05/18
author: Security Arsenal
logsource:
    category: process_creation
    product: linux
detection:
    # Parent/child are evaluated on the same process_creation event, so the
    # parent is matched on ParentImage and the spawned process on Image
    parent:
        ParentImage|endswith:
            - '/java'
            - '/tomcat'
    child:
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/powershell'
    condition: parent and child
falsepositives:
    - Legitimate administration scripts
level: critical
tags:
    - attack.persistence
    - attack.t1505.003
    - cve.2026.20182
---
title: Suspicious Node.js Child Process (OtterCookie)
id: f1e2d3c4-b5a6-4f7e-9d0c-1a2b3c4d5e6f
description: Detects Node.js spawning suspicious child processes like PowerShell or Bash, a common tactic in the OtterCookie npm supply chain attack.
status: experimental
date: 2026/05/18
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    parent:
        ParentImage|endswith:
            - '\node.exe'
    child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: parent and child
falsepositives:
    - Legitimate development build scripts
level: medium
tags:
    - attack.execution
    - attack.t1059.001
    - attack.supply_chain
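As an added example (not part of the briefing or its author's tooling), the following Python matcher applies the Sigma semantics used in the rules above (`endswith`/`contains` modifiers, OR within a list, AND within a selection, `selection and not filter`, and ParentImage/Image pairing) to constructed process-creation events, so a rule can be sanity-checked against sample telemetry before it is deployed. Field names follow the Sysmon/Sigma process_creation schema; the events are constructed, not real telemetry.

```python
# Minimal evaluator for the Sigma-style selections above (added example, not from the briefing).
# Matching is case-insensitive, as Sigma backends normally compile it.

def _match_field(value, modifier, patterns):
    """A list of patterns is OR'ed, as in Sigma."""
    v = (value or "").lower()
    return any((v.endswith(p.lower()) if modifier == "endswith" else p.lower() in v)
               for p in patterns)

def _match_selection(event, selection):
    """All field conditions inside one selection are AND'ed."""
    for key, patterns in selection.items():
        field, modifier = key.split("|")
        if not _match_field(event.get(field), modifier, patterns):
            return False
    return True

# Rule 1 (Gremlin): LOLBin with script/DLL arguments, minus command lines referencing system paths
GREMLIN_SELECTION = {"Image|endswith": ["\\rundll32.exe", "\\regsvr32.exe", "\\mshta.exe"],
                     "CommandLine|contains": ["javascript:", "vbscript:", ".dll"]}
GREMLIN_FILTER = {"CommandLine|contains": ["Windows", "System32"]}

# Rule 3 (OtterCookie): node.exe as parent of a shell or script host
OTTER_PARENT = {"ParentImage|endswith": ["\\node.exe"]}
OTTER_CHILD = {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"]}

def matches_gremlin(event):
    # condition: selection and not filter
    return _match_selection(event, GREMLIN_SELECTION) and not _match_selection(event, GREMLIN_FILTER)

def matches_ottercookie(event):
    # condition: parent and child, both evaluated on the same process_creation event
    return _match_selection(event, OTTER_PARENT) and _match_selection(event, OTTER_CHILD)

def run_rules(events):
    """Return (event index, rule name) pairs for every hit."""
    hits = []
    for i, ev in enumerate(events):
        if matches_gremlin(ev):
            hits.append((i, "gremlin"))
        if matches_ottercookie(ev):
            hits.append((i, "ottercookie"))
    return hits

# Constructed sample events (not real telemetry): hit, filtered, hit, benign build step
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Users\\u\\setup.exe",
     "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\res.dll,Start"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\nodejs\\node.exe", "CommandLine": "powershell -NoProfile -c Get-Date"},
    {"Image": "C:\\Program Files\\nodejs\\node.exe", "ParentImage": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node build.js"},
]
```

Running `run_rules(SAMPLE_EVENTS)` yields hits for the first and third events only; the second is suppressed by the system-path filter and the fourth is a node-to-node build step that no rule covers.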
KQL (Microsoft Sentinel)
// Hunt for Gremlin and Vidar C2 Connections
let IOCs = dynamic(["194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl contains "cargomanbd.com"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, ActionType
| extend Alert = "Potential C2 Traffic Detected"

// Hunt for Malicious File Hashes (the list mixes SHA256 and MD5 values, so both columns are checked)
let MaliciousHashes = dynamic([
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "d75cb9920d1d3d280518ddccfe4789d2"
]);
DeviceFileEvents
| where SHA256 in (MaliciousHashes) or MD5 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName
PowerShell Hunt Script
# IOC Hunter for Gremlin, Vidar, and Webshell Artifacts
# Requires administrative privileges
$TargetHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "d75cb9920d1d3d280518ddccfe4789d2"
)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow
# Scan C: drive (adjust as needed); -File skips directories, the size bounds keep the scan tractable
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0KB -and $_.Length -lt 500KB } |
    ForEach-Object {
        $file = $_
        # The IOC list mixes SHA256 and MD5 values, so compute both per file (-contains is case-insensitive)
        foreach ($algo in @('SHA256', 'MD5')) {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($TargetHashes -contains $hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
# Check for suspicious network connections (Gremlin/Vidar/SD-WAN C2)
$TargetIPs = @("194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88")
Write-Host "[+] Checking for established C2 connections..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $TargetIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] SUSPICIOUS CONNECTION: RemoteIP=$($_.RemoteAddress) PID=$($_.OwningProcess) Process=$($proc.ProcessName)" -ForegroundColor Red
    }
Response Priorities
Immediate (0-24 hours)
- Block IOCs: Push all listed IPv4 addresses, domains (e.g., rti.cargomanbd.com), and file hashes to EDR, firewall, and proxy blocklists.
- Hunt for Webshells: Scan web servers (especially Cisco SD-WAN/vManage) for recently modified files in web directories and look for the process chains described in the Sigma rules (Java/Tomcat spawning a shell).
- Isolate Infected Hosts: If Gremlin or Vidar hashes are found, isolate the endpoint immediately to prevent further credential exfiltration.
24-48 Hours
- Credential Reset: If infostealer activity (Gremlin, OtterCookie, Vidar) is confirmed, force a password reset for all users on affected hosts and revoke session tokens (Discord, Git, SSH).
- Vulnerability Scanning: Initiate a deep scan for Cisco Catalyst SD-WAN, Fortinet, and ASUS routers (implied by CVEs) to identify unpatched instances vulnerable to CVE-2026-20182 and CVE-2024-55591.
1 Week
- Supply Chain Audit: Audit package manifest files and npm dependencies in development environments to detect "Contagious Interview" or OtterCookie campaign packages.
- Architecture Hardening: Implement strict egress filtering to block C2 traffic and restrict the execution of unsigned binaries and scripts sourced from npm or GitHub in production environments.
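As an added example for the supply chain audit step (not part of the briefing), the following Python helper walks an npm package-lock.json (lockfile v2/v3 layout, where v2+ records `hasInstallScript`) and flags the traits the OtterCookie pulse describes: a name that is a lookalike of a trusted library such as big.js, a tarball resolved from somewhere other than the public registry, and an install script. The TRUSTED allowlist and the lock data are constructed assumptions.

```python
# Added npm lockfile audit helper (not from the briefing). Heuristics, not a malware signature:
# a hit means "review this dependency", not "this is OtterCookie".
import json

TRUSTED = {"big.js", "lodash", "express"}   # assumption: your organisation's allowlist
REGISTRY = "https://registry.npmjs.org/"

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def package_name(path):
    # lockfile keys look like "node_modules/big.js" or "node_modules/a/node_modules/b"
    return path.rsplit("node_modules/", 1)[-1]

def audit_lock(lock):
    """Return (package name, reason) findings for a parsed package-lock.json."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                       # "" is the root project itself
            continue
        name = package_name(path)
        if name not in TRUSTED and len(name) >= 4:
            for trusted in TRUSTED:
                if edit_distance(name, trusted) <= 2:
                    findings.append((name, f"lookalike of trusted package {trusted}"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY):
            findings.append((name, f"non-registry source {resolved}"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install script (preinstall/postinstall)"))
    return findings

def audit_lock_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_lock(json.load(fh))

# Constructed sample lockfile: one genuine big.js and one lookalike pulled from a non-registry tarball
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/big.js": {"version": "6.2.1", "resolved": REGISTRY + "big.js/-/big.js-6.2.1.tgz"},
    "node_modules/lodash": {"version": "4.17.21", "resolved": REGISTRY + "lodash/-/lodash-4.17.21.tgz"},
    "node_modules/bigjs": {"version": "0.0.1", "hasInstallScript": True,
                           "resolved": "https://github.com/example-org/bigjs/tarball/main"},
}}
```

On the sample data only `bigjs` is reported, with all three reasons; `audit_lock_file("package-lock.json")` runs the same checks against a real lockfile.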