Live OTX pulse data from May 17, 2026, reveals a coordinated escalation in credential theft operations targeting enterprise environments. Threat actors are leveraging a dual-pronged approach: sophisticated supply chain compromises (npm, GitHub) and the exploitation of network edge infrastructure (Cisco SD-WAN). Key observations include the evolution of Gremlin Stealer using virtual machine-based obfuscation, FAMOUS CHOLLIMA's deployment of OtterCookie via malicious npm packages, and the exploitation of the Claude Code leak to distribute Vidar Stealer. Concurrently, actors UAT-8616 and The Gentlemen are actively exploiting zero-day vulnerabilities in Cisco Catalyst SD-WAN and Fortinet appliances to establish persistence and facilitate data exfiltration.
Threat Summary
The collective intelligence from these pulses highlights a shift towards "living-off-the-land" in the software supply chain and critical infrastructure exploitation. The primary objective across these campaigns is the harvesting of sensitive credentials (browser cookies, SSH keys, session tokens) and cryptocurrency wallet data.
- Supply Chain Vector: Attackers are planting malicious packages (big.js clones, OtterCookie variants) in public repositories and leveraging trending topics (Claude Code leak) on GitHub to distribute stealers.
- Infrastructure Vector: Active exploitation of CVE-2026-20182 (Cisco SD-WAN) allows for remote code execution (RCE) and administrative privilege theft, bypassing traditional perimeter defenses.
Threat Actor / Malware Profile
Malware Families
Gremlin Stealer
- Distribution: Embedded within resource files, protected by commercial packers utilizing instruction virtualization.
- Behavior: Siphons payment card details, browser data, and session tokens; employs anti-analysis techniques via a custom virtual machine (VM).
- C2: Exfiltrates data via Telegram and hardcoded IPs.
OtterCookie / BeaverTail
- Actor: FAMOUS CHOLLIMA (North Korean APT).
- Distribution: Malicious npm packages (e.g., koalemos, invisibleferret) using dependency confusion. Often associated with "contagious interview" scams targeting developers.
- Behavior: Steals browser credentials and establishes SSH backdoors for persistence.
Vidar Stealer & GhostSocks
- Distribution: Trojanized GitHub repositories posing as leaked Claude Code source.
- Behavior: Vidar targets sensitive data and cryptocurrency wallets; GhostSocks acts as a proxy/trojan.
The Gentlemen / SystemBC
- Distribution: Exploits edge vulnerabilities (Fortinet/Cisco).
- Behavior: SystemBC provides a C2 proxy and SOCKS tunneling capability. The group recently suffered a leak of their own backend "Rocket" database.
IOC Analysis
The provided pulses offer a mix of network and file-based indicators crucial for detection:
- File Hashes (SHA256/MD5): A significant volume of hashes is provided for Gremlin Stealer and for the webshell payloads associated with the Cisco exploits. Block them in EDR solutions and scan for them in static analysis tools such as VirusTotal.
- CVEs: CVE-2026-20182, CVE-2026-20133, CVE-2024-55591. These are critical for vulnerability management prioritization.
- Network Indicators (IPv4/URL): IPs such as 194.87.92.109 and 176.65.139.31 serve as C2 infrastructure. URLs like https://147.45.197.92:443 indicate HTTPS C2 channels often used to blend in with web traffic.
- Operationalization: SOC teams should ingest these IOCs into SIEM correlations (e.g., firewall logs blocking these IPs, EDR alerting on file hashes) and immediately block the listed domains at the perimeter.
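One way to turn the indicators above into a SIEM-style correlation, as an added example that is not part of the original brief: it loads the C2 IPs and the two SHA256 hashes quoted on this page (illustrative; the full lists live in the pulses), normalises hash case and reduces URL-form IOCs such as https://147.45.197.92:443 to their host, then runs over a few constructed JSON log lines. The event field names (host, remote_ip, url, sha256) are assumptions about the log pipeline.

```python
import json
from typing import Optional
from urllib.parse import urlsplit

# IOC set built from the indicators quoted in this brief (illustrative subset).
IOC_IPS = {"194.87.92.109", "176.65.139.31", "147.45.197.92"}
IOC_SHA256 = {
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
}

def host_of(url: str) -> str:
    """Reduce a logged URL (or a URL-form IOC) to its host so https://147.45.197.92:443 matches the IP."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").lower()

def match_event(event: dict) -> Optional[str]:
    """Return an alert label for one normalised log event, or None if it hits no IOC."""
    if event.get("remote_ip") in IOC_IPS:
        return "C2 traffic detected"
    if host_of(event.get("url", "")) in IOC_IPS:
        return "C2 traffic detected"
    # Hashes are case-normalised: EDR products disagree on upper/lower case.
    if event.get("sha256", "").lower() in IOC_SHA256:
        return "Malicious file dropped"
    return None

def hunt(log_lines):
    """Yield (host, label, event) for every JSON log line that matches an IOC."""
    for line in log_lines:
        event = json.loads(line)
        label = match_event(event)
        if label:
            yield event.get("host"), label, event

# Constructed sample lines (assumed field names): a firewall event, a proxy event
# in URL form, an EDR file event with an upper-case hash, and one clean event.
SAMPLE_LOGS = [
    '{"host": "ws01", "remote_ip": "194.87.92.109", "remote_port": 443}',
    '{"host": "ws02", "url": "https://147.45.197.92:443/gate.php"}',
    '{"host": "ws03", "sha256": "D94F75A70B5CABAF786AC57177ED841732E62BDCC9A29E06E5B41D9BE567BCFA"}',
    '{"host": "ws04", "remote_ip": "10.0.0.5", "url": "https://registry.npmjs.org/"}',
]

if __name__ == "__main__":
    for host, label, _ in hunt(SAMPLE_LOGS):
        print(f"[!] {host}: {label}")
```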
Detection Engineering
```yaml
title: Potential Gremlin Stealer VM-based Packers
id: 26d2d8c8-1234-5678-9abc-1a2b3c4d5e6f
description: Detects behavior associated with Gremlin Stealer and commercial packing utilities using instruction virtualization. Looks for suspicious child processes and resource access.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
  - https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
tags:
  - attack.defense_evasion
  - attack.t1027.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\cmd.exe'
      - '\powershell.exe'
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
  filter_legit:
    - CommandLine|contains: 'shell32.dll'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate software installers using custom wrappers
level: high
```
```yaml
title: Malicious NPM Package Installation (OtterCookie/FAMOUS CHOLLIMA)
id: 1a2b3c4d-5e6f-7890-abcd-ef123456789a
description: Detects the installation of known malicious npm packages associated with the OtterCookie campaign or suspicious package installations from unverified sources.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
  - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
  - attack.initial_access
  - attack.t1195.001
logsource:
  product: linux
  service: auditd
detection:
  selection_npm:
    process.name: 'npm'
    process.args: 'install'
  selection_malicious:
    process.args|contains:
      - 'ottercookie'
      - 'beavertail'
      - 'koalemos'
      - 'invisibleferret'
  condition: all of selection_*
falsepositives:
  - Legitimate developer installation of packages with similar names (unlikely)
level: critical
```
```yaml
title: Cisco SD-WAN Webshell Upload Activity
id: 9f8e7d6c-5b4a-3210-fedc-ba9876543210
description: Detects potential webshell upload or exploitation activity associated with CVE-2026-20182 on Cisco Catalyst SD-WAN devices based on process anomalies and file modifications.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
  - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  # Sigma's generic web-server log source; provides the cs-method / c-uri fields used below
  category: webserver
detection:
  selection_uri:
    cs-method: 'POST'
    c-uri|contains:
      - '/vpn'
      - '/api'
  selection_suspicious_files:
    # Common webshell extensions observed in similar campaigns
    c-uri|endswith:
      - '.jsp'
      - '.php'
      - '.jspx'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative file uploads
level: high
```
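To show how the webshell rule above composes (`all of selection_*` means both selections must match the same request), here is the same logic as an added Python example run over constructed W3C-style access-log lines; it is not part of the brief or of any Sigma tooling. The field order of the sample log is an assumption, and unlike the literal rule it strips a query string before the extension check so that `shell.jsp?x=1` cannot slip past `|endswith`.

```python
# Field order of the constructed access-log lines (assumption, not from the brief).
FIELDS = ["date", "time", "c-ip", "cs-method", "c-uri", "sc-status"]

def parse_w3c(line: str) -> dict:
    """Split one space-separated access-log line into Sigma's webserver field names."""
    return dict(zip(FIELDS, line.split()))

def selection_uri(ev: dict) -> bool:
    """selection_uri: cs-method is POST and c-uri contains '/vpn' or '/api'."""
    method_ok = ev.get("cs-method") == "POST"
    return method_ok and any(s in ev.get("c-uri", "") for s in ("/vpn", "/api"))

def selection_suspicious_files(ev: dict) -> bool:
    """selection_suspicious_files: c-uri ends with a webshell extension.
    The query string is dropped first, which is stricter than the raw rule."""
    path = ev.get("c-uri", "").split("?", 1)[0].lower()
    return path.endswith((".jsp", ".php", ".jspx"))

def webshell_upload_rule(ev: dict) -> bool:
    """condition: all of selection_* (both selections must hold for one request)."""
    return selection_uri(ev) and selection_suspicious_files(ev)

def run(lines):
    """Return (c-ip, c-uri) for every access-log line that fires the rule."""
    return [(ev["c-ip"], ev["c-uri"])
            for ev in map(parse_w3c, lines) if webshell_upload_rule(ev)]

# Constructed sample lines: only the first satisfies both selections.
SAMPLE_LOG = [
    "2026-05-17 10:01:02 203.0.113.7 POST /api/upload/cmd.jsp 200",
    "2026-05-17 10:01:05 203.0.113.7 POST /api/login 200",          # no webshell extension
    "2026-05-17 10:02:11 198.51.100.9 GET /vpn/index.jsp 200",      # not a POST
    "2026-05-17 10:03:40 198.51.100.9 POST /upload/shell.php 200",  # not under /vpn or /api
]

if __name__ == "__main__":
    for ip, uri in run(SAMPLE_LOG):
        print(f"[!] webshell upload pattern from {ip}: {uri}")
```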
Microsoft Sentinel KQL
```kusto
// Hunt for Gremlin Stealer and Webshell Indicators
// Network connections to known malicious IPs
let MaliciousIPs = pack_array("194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88");
DeviceNetworkEvents
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| union (
    // Hunt for file hashes associated with the campaigns
    DeviceFileEvents
    | where SHA256 in ("1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa")
    | project Timestamp, DeviceName, FileName, SHA256, FolderPath
)
| extend AlertDetails = iff(isnotempty(RemoteIP), "C2 Traffic detected", "Malicious file dropped")
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
Hunt script for OtterCookie npm packages and Gremlin Stealer artifacts.
.DESCRIPTION
Scans common Node.js directories and user profiles for indicators.
#>
Write-Host "[+] Hunting for OtterCookie/Gremlin Artifacts..." -ForegroundColor Cyan

# Check for malicious npm packages in common node_modules locations
$MaliciousPackages = @("ottercookie", "beavertail", "koalemos", "invisibleferret")
$PathsToScan = @("$env:USERPROFILE\node_modules", "$env:APPDATA\npm", "C:\Program Files\nodejs\node_modules")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[?] Scanning $Path" -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
            Where-Object { $MaliciousPackages -contains $_.Name } |
            ForEach-Object {
                Write-Host "[!] SUSPICIOUS PACKAGE FOUND: $($_.FullName)" -ForegroundColor Red
            }
    }
}

# Check for persistence via Run keys associated with stealers
$RunKey = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
$SuspiciousPatterns = @("discord", "token", "stealer", "node", "python")
if ($RunKey) {
    # Skip the PSPath/PSParentPath/... bookkeeping properties Get-ItemProperty adds; only real Run values matter
    foreach ($Val in ($RunKey.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ($SuspiciousPatterns | Where-Object { $Val.Value -like "*$_*" }) {
            Write-Host "[!] SUSPICIOUS PERSISTENCE: $($Val.Name) -> $($Val.Value)" -ForegroundColor Red
        }
    }
}
Write-Host "[-] Hunt complete." -ForegroundColor Green
```
# Response Priorities
* **Immediate:**
  * Block all listed IOCs (IPs, Domains, Hashes) on perimeter firewalls and endpoints.
  * Scan for and isolate any endpoints matching the file hashes for Gremlin Stealer, XenShell, or Vidar.
  * Audit developer workstations for the presence of the malicious npm packages listed in the OtterCookie pulse.
* **24 Hours:**
  * If credential-stealing malware (Gremlin, OtterCookie, Vidar) is suspected, force a password reset for all users and invalidate active session tokens for critical applications.
  * Review VPN and SD-WAN logs for signs of exploitation related to CVE-2026-20182 and CVE-2025-32433.
* **1 Week:**
  * Apply patches for Cisco Catalyst SD-WAN (CVE-2026-20182) and Fortinet vulnerabilities immediately upon vendor release.
  * Implement strict allow-listing for npm packages and GitHub repositories used in build pipelines.
  * Conduct a security review of all edge devices (SD-WAN controllers) for unauthorized webshells.
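The npm allow-listing item above can be enforced against a lockfile rather than a live node_modules tree. The following is an added example, not code from the brief: it reads a lockfileVersion 2/3 package-lock.json, flags the known-bad names from the OtterCookie pulse, anything outside a build allow-list, and the dependency-confusion tell the pulse describes (a package in an internal scope resolved from the public registry). The allow-list, the `@acme` scope and the lockfile fragment are constructed.

```python
import json

# Known-bad names from the OtterCookie pulse; allow-list and internal scope are assumptions.
MALICIOUS = {"ottercookie", "beavertail", "koalemos", "invisibleferret"}
ALLOWLIST = {"express", "lodash", "@acme/internal-auth"}
INTERNAL_SCOPES = {"@acme"}              # must only ever resolve from the private registry
PUBLIC_REGISTRY = "https://registry.npmjs.org/"

def lockfile_packages(lock: dict) -> dict:
    """Map package name -> resolved URL for every entry of a v2/v3 package-lock.json."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:                     # "" is the root project itself, not a dependency
            continue
        # Nested paths look like node_modules/a/node_modules/b; the last segment is the name.
        name = path.rsplit("node_modules/", 1)[-1]
        out[name] = meta.get("resolved", "")
    return out

def audit_lockfile(lock: dict, allowlist=ALLOWLIST):
    """Return (finding, package) tuples for known-malicious, non-allow-listed and
    internally scoped packages that were fetched from the public registry."""
    findings = []
    for name, resolved in lockfile_packages(lock).items():
        if name.lower() in MALICIOUS:
            findings.append(("known-malicious", name))
        elif name not in allowlist:
            findings.append(("not-allowlisted", name))
        scope = name.split("/", 1)[0] if name.startswith("@") else ""
        if scope in INTERNAL_SCOPES and resolved.startswith(PUBLIC_REGISTRY):
            findings.append(("dependency-confusion", name))
    return findings

# Constructed lockfile fragment: one clean, one known-bad and one confused dependency.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "build-tool"},
    "node_modules/express": {"resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
    "node_modules/koalemos": {"resolved": "https://registry.npmjs.org/koalemos/-/koalemos-1.0.0.tgz"},
    "node_modules/@acme/internal-auth": {"resolved": "https://registry.npmjs.org/@acme/internal-auth/-/internal-auth-9.9.9.tgz"}
  }
}""")

if __name__ == "__main__":
    for finding, pkg in audit_lockfile(SAMPLE_LOCK):
        print(f"[!] {finding}: {pkg}")
```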