Current OTX intelligence reveals a convergence of high-impact credential theft campaigns targeting enterprise environments. These pulses highlight a multi-faceted threat landscape: the Gremlin Stealer evolution demonstrates advanced resource-file obfuscation to evade detection; the OtterCookie campaign showcases the abuse of the npm ecosystem by North Korean actors (FAMOUS CHOLLIMA) to distribute infostealers; and The Gentlemen RaaS continues to leverage initial access via edge appliances (Fortinet/Cisco) to deploy SystemBC and facilitate data exfiltration. Collectively, these actors aim to harvest sensitive credentials (browser, SSH, session tokens) and establish persistence for follow-on activities like ransomware deployment.
Threat Actor / Malware Profile
Gremlin Stealer
- Distribution: Malicious email attachments and downloads, often packed with commercial protectors.
- Payload Behavior: An information stealer that targets payment card details, browser data (cookies, history, saved passwords), and cryptocurrency wallets. New variants use instruction virtualization to hide code in embedded resource files.
- C2 Communication: Typically communicates with C2 servers over HTTP/HTTPS to exfiltrate stolen data. May use Telegram for exfiltration in some variants.
- Persistence: Often established via scheduled tasks or registry run keys.
- Anti-Analysis: Uses commercial packing utilities and custom virtual machine bytecode to obfuscate its malicious code, making static and dynamic analysis difficult.
OtterCookie / BeaverTail / InvisibleFerret
- Distribution: Supply chain attack via the npm registry. Malicious packages act as benign wrappers (e.g., big.js) that pull in a malicious dependency containing the payload. Often tied to fake job interviews ("Contagious Interview" campaign).
- Payload Behavior: An infostealer targeting browser cookies, passwords, and cryptocurrency wallets. BeaverTail and InvisibleFerret are often part of the same attack chain, with one acting as a loader and the other as the stealer. May also establish an SSH backdoor.
- C2 Communication: Communicates with C2 infrastructure, often hosted on platforms like Vercel.
- Persistence: Established through scheduled tasks or by modifying system configuration files.
- Anti-Analysis: Heavily obfuscated JavaScript code to evade detection by static analysis tools and security researchers.
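As an added example (not code from the page or from any vendor it cites), the following Python reviews a package-lock.json for the wrapper-plus-dependency pattern described above: it flags look-alikes of vetted package names, packages resolved from outside the expected registry, and packages that declare install-time scripts. The allowlist, the registry URL and the sample lock file are constructed for the demonstration; only big.js is a real package name.

```python
import difflib
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout): an
# innocuous-looking wrapper depends on a look-alike of big.js that carries an
# install script and is fetched from outside the registry. All names other
# than big.js are invented for this example.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"big.js": "^6.2.1", "bigjs-wrapper": "^1.0.0"}},
        "node_modules/big.js": {"version": "6.2.1",
            "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz"},
        "node_modules/bigjs-wrapper": {"version": "1.0.0",
            "resolved": "https://registry.npmjs.org/bigjs-wrapper/-/bigjs-wrapper-1.0.0.tgz",
            "dependencies": {"big-js": "^1.0.3"}},
        "node_modules/big-js": {"version": "1.0.3", "hasInstallScript": True,
            "resolved": "https://example.invalid/big-js-1.0.3.tgz"},
    },
})

# Constructed allowlist of package names the team has vetted (assumption).
TRUSTED = {"big.js", "lodash", "express"}
REGISTRY = "https://registry.npmjs.org/"

def review_lock(lock_text, trusted=TRUSTED, registry=REGISTRY):
    """Return (package_name, reason) findings for a package-lock.json text."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if path == "":            # the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]   # keeps scoped names intact
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install-time script"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(registry):
            findings.append((name, f"resolved outside the expected registry: {resolved}"))
        if name not in trusted:
            # difflib ratio >= 0.8 catches one-character swaps such as big-js vs big.js
            close = difflib.get_close_matches(name, sorted(trusted), n=1, cutoff=0.8)
            if close:
                findings.append((name, f"look-alike of trusted package {close[0]}"))
    return findings

if __name__ == "__main__":
    for name, reason in review_lock(SAMPLE_LOCK):
        print(f"[!] {name}: {reason}")
```

Run it against a real lock file by reading the file into review_lock; every finding is a package to inspect before the next install, not a verdict on its own.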
The Gentlemen RaaS (SystemBC)
- Distribution: Initial access broker activity that exploits vulnerabilities in edge devices such as Fortinet and Cisco appliances (e.g., CVE-2024-55591, CVE-2025-32433).
- Payload Behavior: SystemBC is a proxy and malware loader. It creates a SOCKS5 proxy on the infected host, routing traffic for other malicious activities. It also downloads and executes additional payloads, such as ransomware.
- C2 Communication: Uses encrypted communication channels to receive commands and proxy traffic.
- Persistence: Established via scheduled tasks or services.
- Anti-Analysis: May use anti-debugging and code packing techniques.
IOC Analysis
The provided IOCs cover a range of types, offering multiple avenues for detection:
- File Hashes (SHA256, MD5, SHA1): These are critical for identifying malicious files on endpoints. SOC teams should add these to EDR detection rules and scan historical data for matches.
- IPv4 Addresses: These represent C2 servers or distribution points. Firewalls, proxies, and network detection systems should be configured to block and alert on traffic to/from these IPs.
- CVE Identifiers: Vulnerabilities like CVE-2026-20128 and CVE-2025-32433 are actively exploited. This informs patching priorities and vulnerability scanning.
- URLs and Hostnames: These are C2 domains and can be blocked at the DNS level. Threat hunting should involve querying DNS logs for any lookups to these domains.
Operationalization:
- Blocklists: Immediately add all IPs, domains, and URLs to perimeter and endpoint blocklists.
- Scanning: Use your EDR solution to scan all endpoints for the listed file hashes.
- Hunting: Use SIEM queries to hunt for network connections to the IOCs and for process execution patterns associated with the malware.
- Vulnerability Management: Prioritize patching for the identified CVEs, especially on edge devices.
Detection Engineering
Sigma Rules
---
title: Potential Gremlin Stealer Execution via Unusual Parent Process
id: 8c35d5a0-7c3a-4d4e-9e4f-1a2b3c4d5e6f
description: Detects potential execution of Gremlin Stealer based on its typical process tree, where a script host or office application spawns a process whose command line invokes rundll32.exe or regsvr32.exe, consistent with extraction and loading of the embedded resource payload.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
  - https://unit42.paloaltonetworks.com/gremlin-stealer-evolution/
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\winword.exe'
      - '\excel.exe'
    Image|endswith:
      - '.exe'
    CommandLine|contains:
      - 'rundll32.exe'
      - 'regsvr32.exe'
  condition: selection
falsepositives:
  - Legitimate software installation
level: high
---
title: OtterCookie NPM Supply Chain Attack Detection
# NOTE: the id below is not a valid UUID (it contains non-hex characters) and will be
# rejected by Sigma tooling; regenerate it before deployment.
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
description: Detects the execution of processes spawned from a malicious NPM package, a common tactic in the OtterCookie campaign. This looks for Node.js processes with suspicious command-line arguments.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
  - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\node.exe'
    CommandLine|contains:
      - 'beavertail'
      - 'ottercookie'
      - 'invisibleferret'
  condition: selection
falsepositives:
  - Legitimate development work using Node.js
level: critical
---
title: SystemBC Proxy Activity on Unusual Port
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects SystemBC establishing a SOCKS proxy on the infected host by looking for inbound connections permitted on high or non-standard proxy ports (Windows Filtering Platform event 5156, inbound direction). Tune the port list and exclude sanctioned proxy software for your environment.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
  - https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
tags:
  - attack.command_and_control
  - attack.t1090.003
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5156
    Direction: '%%14592'   # Inbound; LayerName carries the WFP layer, never a malware name
    DestPort:
      - 1080
      - 8080
      - 9999
  condition: selection
falsepositives:
  - Authorized proxy software
level: high
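The rule above keys on destination ports, which a SystemBC build need not use. The profile section notes that SystemBC stands up a SOCKS5 proxy on the host, and that protocol has a fixed negotiation (RFC 1928) that can be recognised in the first bytes of a flow on any port. The following Python is an added example, not code from the page or from Check Point; the flow records and addresses are constructed, and a real deployment would feed it the reassembled first segments of each TCP flow from a capture or NDR sensor.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def is_socks5_handshake(client_greeting, server_choice):
    """True when the first bytes in each direction form a SOCKS5 method
    negotiation (RFC 1928 section 3): VER NMETHODS METHODS / VER METHOD."""
    if len(client_greeting) < 2 or client_greeting[0] != SOCKS_VERSION:
        return False
    methods = client_greeting[2:2 + client_greeting[1]]
    if len(methods) != client_greeting[1] or len(server_choice) < 2:
        return False
    return server_choice[0] == SOCKS_VERSION and (
        server_choice[1] == 0xFF or server_choice[1] in methods)

def parse_socks5_request(data):
    """Parse a SOCKS5 request (RFC 1928 section 4) into (command, host, port), else None."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 1 and len(data) >= 10:                                # IPv4 address
        host, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3 and len(data) >= 5 and len(data) >= 7 + data[4]:  # domain name
        host, end = data[5:5 + data[4]].decode("ascii", "replace"), 5 + data[4]
    elif atyp == 4 and len(data) >= 22:                              # IPv6 address
        host, end = str(ipaddress.IPv6Address(data[4:20])), 20
    else:
        return None
    return CMD_NAMES[data[1]], host, struct.unpack("!H", data[end:end + 2])[0]

def find_proxy_sessions(flows):
    """flows: dicts with src, dst_port, c2s and s2c (first client/server segments of
    a TCP flow). Flags every flow carrying a SOCKS5 exchange, whatever port it used."""
    hits = []
    for flow in flows:
        if is_socks5_handshake(flow["c2s"][0], flow["s2c"][0]):
            req = parse_socks5_request(flow["c2s"][1]) if len(flow["c2s"]) > 1 else None
            hits.append({"src": flow["src"], "port": flow["dst_port"], "request": req})
    return hits

# Constructed sample flows: a SOCKS5 CONNECT to example.com:443 through a proxy
# listening on port 4433 (absent from the rule's port list), and a plain HTTP flow.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst_port": 4433, "s2c": [b"\x05\x00"],
     "c2s": [b"\x05\x01\x00", b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},
    {"src": "10.0.0.7", "dst_port": 8080, "s2c": [b"HTTP/1.1 200 OK\r\n"],
     "c2s": [b"GET / HTTP/1.1\r\n"]},
]
```

A hit on an internal workstation that is not a sanctioned proxy is the signal to pivot to the host and its scheduled tasks.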
KQL (Microsoft Sentinel)
// Hunt for Gremlin Stealer C2 traffic based on the OTX IP IOCs
DeviceNetworkEvents
| where RemoteIP in ("194.87.92.109", "176.65.139.31")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl

// Hunt for OtterCookie-related process activity (Node.js with campaign-related strings on the command line)
DeviceProcessEvents
| where FileName =~ "node.exe"
| where ProcessCommandLine has_any ("beavertail", "ottercookie", "invisibleferret")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath

// Hunt for SystemBC persistence via scheduled task creation or modification
DeviceEvents
| where ActionType in ("ScheduledTaskCreated", "ScheduledTaskUpdated")
| where AdditionalFields contains "SystemBC"
| project Timestamp, DeviceName, AccountName, ActionType, AdditionalFields
PowerShell IOC Hunt Script
# IOC Hunt Script for the Gremlin Stealer and The Gentlemen (SystemBC) campaigns
# Usage: .\Get-MaliciousIOC.ps1   (run from an elevated prompt so all paths and connections are visible)
$GremlinHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
    "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20"
)
$GentlemenHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)
$MaliciousIPs = @("194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88")
$MaliciousHostnames = @("rti.cargomanbd.com")

# One lookup table (PowerShell hashtables are case-insensitive) so the disk is hashed only once
$HashCampaign = @{}
$GremlinHashes   | ForEach-Object { $HashCampaign[$_] = "Gremlin Stealer" }
$GentlemenHashes | ForEach-Object { $HashCampaign[$_] = "The Gentlemen RaaS" }

Write-Host "[+] Hunting for Gremlin Stealer and The Gentlemen file hashes (SHA256)..." -ForegroundColor Cyan
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $HashCampaign.ContainsKey($hash)) {
        Write-Host "[!] MATCH FOUND ($($HashCampaign[$hash])): $($_.FullName)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking active network connections against malicious IPs..." -ForegroundColor Cyan
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -in $MaliciousIPs } | ForEach-Object {
    $owner = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host "[!] SUSPICIOUS CONNECTION: $($_.RemoteAddress):$($_.RemotePort) ($($_.State)) owned by $owner (PID $($_.OwningProcess))" -ForegroundColor Red
}

Write-Host "[+] Checking DNS cache for malicious domains..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $_.Name -in $MaliciousHostnames } | ForEach-Object {
    Write-Host "[!] MALICIOUS DOMAIN IN CACHE: $($_.Name) resolved to $($_.Data)" -ForegroundColor Red
}

Write-Host "[+] Hunt complete." -ForegroundColor Green
Response Priorities
Immediate:
- Block IOCs: Immediately block all provided IPv4 addresses, URLs, and hostnames on firewalls, proxies, and endpoint security agents.
- Scan for File Hashes: Conduct a full disk scan on all endpoints for the listed SHA256, MD5, and SHA1 file hashes using your EDR solution. Isolate any hosts with positive matches.
- Patch Critical Vulnerabilities: Initiate emergency patching for CVE-2026-20128 and CVE-2025-32433, prioritizing all Cisco Catalyst SD-WAN, Fortinet, and other edge devices.
24h:
- Credential Reset: If credential-stealing malware is suspected, force a password reset for all users who may have been affected, especially those with administrative privileges.
- Identity Verification: Review logs from identity providers for anomalous login attempts or session hijacking attempts from the listed IP addresses.
- Hunt for Persistence: Execute the PowerShell hunt script and KQL queries to identify any persistence mechanisms (e.g., scheduled tasks, registry keys) that may have been established by the malware.
1 Week:
- Supply Chain Security: Review and harden the software supply chain, particularly for NPM packages. Implement strict controls on external package downloads and vetting.
- Application Control: Implement application allowlisting (e.g., AppLocker, WDAC) to restrict the execution of unauthorized scripts and binaries.
- Network Segmentation: Review and enforce network segmentation to limit lateral movement if an initial compromise occurs.