Back to Intelligence

Gremlin Stealer & SD-WAN Exploitation: OTX Pulse Analysis — Multi-Vector Detection Pack

SA
Security Arsenal Team
May 16, 2026
6 min read

The current OTX pulse data reveals a coordinated surge in multi-vector threat activity heavily focused on credential theft and infrastructure exploitation. Key observations include:

  • Infostealer Evolution: The Gremlin Stealer (Pulse 1) has adopted advanced evasion via instruction virtualization and resource hiding, targeting payment card data and browser sessions. Concurrently, OtterCookie (Pulse 3) leverages the npm supply chain, while Vidar Stealer (Pulse 5) is distributed via trojanized GitHub repositories exploiting the Claude Code leak.
  • Critical Infrastructure Targeting: Active exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) by actor UAT-8616 (Pulse 2) is facilitating the deployment of webshells (Godzilla, XenShell) and cryptocurrency miners (XMRig).
  • RaaS & Edge Attacks: The Gentlemen RaaS operation (Pulse 4) continues to leverage edge appliance vulnerabilities (Fortinet, Cisco) for initial access via NTLM relay attacks.

Collective Objective: The adversary goal ranges from immediate financial gain via infostealers to long-term persistence through edge device compromise and resource hijacking (crypto-mining).

Threat Actor / Malware Profile

Gremlin Stealer & Variants

  • Distribution: Malicious spam (malspam) and compromised repositories.
  • Payload Behavior: Siphons sensitive data including payment card details, browser credentials, and session tokens. Variants exhibit ties to Agent Tesla and Lokibot.
  • C2 Communication: Utilizes hardcoded IP addresses (e.g., 194.87.92.109) for command and control; exfiltration via Telegram and other protocols.
  • Persistence: Registry run keys and scheduled tasks.
  • Anti-Analysis: Uses commercial packing utilities with instruction virtualization (custom VM) to hinder static analysis and debugging.

UAT-8616 (SD-WAN Exploitation)

  • Distribution: Direct exploitation of internet-facing Cisco Catalyst SD-WAN Manager/Controller instances.
  • Payload Behavior: Deploys webshells (Godzilla, Behinder) for remote access and XMRig for cryptocurrency mining.
  • C2 Communication: Connects to malicious infrastructure (e.g., 176.65.139.31) for payload retrieval and C2.
  • Persistence: Webshell maintenance and potential backdoor accounts within the SD-WAN management interface.

OtterCookie (Supply Chain)

  • Distribution: Malicious npm packages (big.js clones) pulling malicious dependencies (BeaverTail, InvisibleFerret).
  • Payload Behavior: Credential theft and SSH backdoor installation.
  • Attribution: FAMOUS CHOLLIMA (North Korean threat actor).

IOC Analysis

The provided pulses contain a mix of network and file-based indicators critical for detection:

  • IPv4 Addresses: Critical for immediate blocking on perimeter firewalls.
    • 194.87.92.109 (Gremlin Stealer C2)
    • 176.65.139.31 (UAT-8616 infrastructure)
  • File Hashes (SHA256/MD5): Numerous hashes associated with Gremlin Stealer, Vidar, and SD-WAN webshells. These must be imported into EDR solutions for immediate quarantining.
  • CVEs:
    • CVE-2026-20182, CVE-2026-20133: Cisco SD-WAN auth bypass.
    • CVE-2024-55591, CVE-2025-32433: Fortinet/Cisco edge exploits used by The Gentlemen.
  • Operationalization: SOC teams should ingest these IOCs into SIEM Correlation engines. Network IOCs should be checked against DeviceNetworkEvents (Defender) or Firewall logs. File hashes should be scanned against DeviceProcessEvents and DeviceFileEvents.

Detection Engineering

Sigma Rules

YAML
title: Potential Gremlin Stealer Process Activity
id: 4e8b6c12-1c3a-4b5f-9a2d-1f3e4a5b6c7d
description: Detects suspicious process execution patterns associated with Gremlin Stealer and other info stealers accessing browser data.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
tags:
    - attack.credential_access
    - attack.collection
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter:
        CommandLine|contains:
            - 'AppData\Local\Google\Chrome\User Data'
            - 'AppData\Roaming\Mozilla\Firefox\Profiles'
            - 'AppData\Local\Microsoft\Edge\User Data'
    condition: selection and filter
falsepositives:
    - Legitimate backup scripts
level: high
---
title: Cisco SD-WAN Vulnerability Exploitation Attempt
date: 2026/05/16
id: 5f9c7d23-2d4b-5c6a-0b3e-2g4f5a6b7c8d
description: Detects potential exploitation of CVE-2026-20182 or similar auth bypass on Cisco SD-WAN devices via webshell behavior.
status: experimental
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.initial_access
    - cve.2026.20182
logsource:
    category: web
    product: apache
    service: access
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'vpnsvc'
            - 'webshell'
            - '.jsp'
    selection_status:
        sc-status: 200
    condition: all of selection_*
falsepositives:
    - Legitimate administrative access
level: critical
---
title: Suspicious PowerShell Download from GitHub (Claude Code Lure)
date: 2026/05/16
id: 6a0d8e34-3e5c-6d7b-1c4f-3h5g6a7b8c9d
description: Detects PowerShell scripts downloading content from GitHub, often associated with trojanized repositories like the Claude Code leak campaign.
status: experimental
author: Security Arsenal
references:
    - https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak
tags:
    - attack.initial_access
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'Invoke-WebRequest'
        CommandLine|contains: 'github.com'
    filter_legit:
        ParentImage|contains: 
            - '\Visual Studio\'
            - '\GitHub Desktop\'
            - '\git\'
    condition: selection and not filter_legit
falsepositives:
    - Developers installing legitimate tools
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Gremlin C2 Connections and Suspicious Processes
let GremlinIPs = dynamic(["194.87.92.109", "176.65.139.31"]);
DeviceNetworkEvents
| where RemoteIP in (GremlinIPs)
| extend Timestamp = TimeGenerated, DeviceName = DeviceName, RemoteIP = RemoteIP
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessAccountName, InitiatingProcessCommandLine
| union ( 
    DeviceProcessEvents
    | where ProcessCommandLine has_any ("AppData\\Local\\Google\\Chrome\\User Data", "AppData\\Roaming\\Mozilla\\Firefox", "-enc", "FromBase64String")
    | project Timestamp = TimeGenerated, DeviceName, FileName, ProcessCommandLine, AccountName
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Gremlin and OtterCookie Indicators
$MaliciousIPs = @("194.87.92.109", "176.65.139.31")
$ProcessList = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

Write-Host "Checking for established connections to known C2 IPs..." -ForegroundColor Yellow

foreach ($IP in $MaliciousIPs) {
    $Connections = $ProcessList | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Connections) {
        Write-Host "[ALERT] Found connection to malicious IP: $IP" -ForegroundColor Red
        $Connections | ForEach-Object {
            $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "   PID: $($_.OwningProcess) | Process: $($Proc.ProcessName) | Path: $($Proc.Path)"
        }
    }
}

# Check for specific file hashes (Sample check - requires hash db)
Write-Host "Checking file system for suspicious payloads..." -ForegroundColor Yellow
$PathsToCheck = @("$env:TEMP", "$env:APPDATA")
$Extensions = @(".exe", ".dll", ".ps1", ".js")

foreach ($Path in $PathsToCheck) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -Include $Extensions -ErrorAction SilentlyContinue | ForEach-Object {
            # In a real scenario, calculate hash and compare to IOC list
            if ($_.Length -gt 0kb -and $_.Length -lt 500kb -and $_.CreationTime -gt (Get-Date).AddDays(-7)) {
                Write-Host "[SUSPICIOUS] Recent small binary found: $($_.FullName)" -ForegroundColor Cyan
            }
        }
    }
}


---

# Response Priorities

Immediate

  • Block Indicators: Block all identified IPv4 addresses (194.87.92.109, 176.65.139.31) and associated domains at the perimeter.
  • Patch Management: Apply patches for CVE-2026-20182 and CVE-2026-20133 on all Cisco Catalyst SD-WAN infrastructure immediately. Review patch status for Fortinet CVEs listed in The Gentlemen pulse.
  • Endpoint Scan: Initiate a full scan for the SHA256 and MD5 hashes provided in the pulses across all endpoints.

24 Hours

  • Credential Audit: Given the prevalence of infostealers (Gremlin, Vidar, OtterCookie), force a password reset for privileged accounts and users with access to sensitive data. Enforce MFA re-enrollment where possible.
  • Supply Chain Review: Audit npm and GitHub repository usage. Block access to the trojanized repositories identified in the Claude Code and OtterCookie campaigns.

1 Week

  • Architecture Hardening: Segregate SD-WAN management interfaces from the public internet where possible. Implement strict allow-listing for outbound PowerShell and script execution.
  • Threat Hunting: Deploy the provided Sigma rules and KQL queries to hunt for persistent access or missed activity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsgremlin-stealersd-wan-exploitationinfostealersupply-chain-attackcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action