
Gremlin Stealer, OtterCookie, and The Gentlemen: Supply Chain, RaaS, and Credential Theft — OTX Pulse Analysis

Security Arsenal Team
May 15, 2026

Threat Summary

The latest OTX pulse data indicates a coordinated escalation in credential theft and initial access broker (IAB) activity across multiple vectors. Security Arsenal analysts have identified a concerning convergence of supply chain compromises (npm and GitHub), aggressive infostealer campaigns (Gremlin, OtterCookie), and RaaS operations (The Gentlemen) targeting edge infrastructure. The primary objective across these clusters is the harvesting of session cookies, SSH keys, and browser credentials to facilitate lateral movement, ransomware deployment, or cryptocurrency mining. Threat actors, specifically FAMOUS CHOLLIMA and The Gentlemen, are leveraging novel obfuscation techniques—including resource hiding in executables and trojanized AI code repositories—to evade EDR detection.

Threat Actor / Malware Profile

Gremlin Stealer

  • Distribution: Malspam attachments, often packed with commercial protectors that use instruction virtualization.
  • Payload Behavior: Conceals malicious code within embedded resource files. Steals payment card info, browser data, Discord tokens, and Telegram sessions.
  • C2 Communication: Exfiltrates data via Telegram, blending in with legitimate traffic.
  • Anti-Analysis: Uses custom bytecode execution within a private virtual machine to bypass static analysis.

OtterCookie (FAMOUS CHOLLIMA)

  • Distribution: Malicious npm packages (e.g., big.js variants) utilizing a "contagious interview" scheme targeting developers.
  • Payload Behavior: Acts as an infostealer and backdoor. Variants include BeaverTail and InvisibleFerret for credential theft and SSH persistence.
  • C2 Communication: Uses Vercel infrastructure for C2 to appear as legitimate web traffic.
  • Persistence: Establishes SSH backdoors and scheduled tasks.

The Gentlemen (RaaS)

  • Distribution: Exploits vulnerabilities in Fortinet and Cisco edge appliances (CVE-2024-55591, CVE-2025-32433) via NTLM relay attacks.
  • Payload Behavior: Deploys SystemBC proxy and other loader malware. Focuses on data leaks and selling access.
  • Persistence: Leverages compromised edge devices and valid credentials.
  • Recent Activity: Internal database "Rocket" leak exposed their operational infrastructure and division of labor.

Vidar / GhostSocks

  • Distribution: Trojanized GitHub repositories claiming to contain leaked Anthropic Claude code.
  • Payload Behavior: Vidar steals sensitive data; GhostSocks establishes a proxy network.
  • Vector: Social engineering exploiting interest in AI/LLM leaks.

IOC Analysis

The indicators provided in this dataset span multiple layers of the attack chain:

  • File Hashes (SHA256/MD5): A significant volume of hashes relate to the Gremlin Stealer variants and the Vidar/GhostSocks payloads. These should be immediately blocklisted on endpoints.
  • IPv4 Addresses: IPs such as 194.87.92.109 (Gremlin) and 176.65.139.31 (SD-WAN exploits) serve as C2 nodes or exploit landing pages. These should be blocked at the perimeter.
  • CVEs: CVE-2026-20182, CVE-2026-20133, and CVE-2024-55591 are critical. These indicate infrastructure vulnerabilities requiring patch management prioritization.
  • Operationalization: SOC teams should load the hashes into EDR solutions for immediate scanning. The IP addresses should be fed into firewall blocklists. The CVEs should trigger a vulnerability scan for all edge appliances.

Detection Engineering

Sigma Rules

YAML
title: Potential Gremlin Stealer Process Injection
id: 8c7f9b2a-1d3e-4a5f-9b6c-7d8e9f0a1b2c
description: Detects suspicious processes accessing browser credential files or memory patterns consistent with Gremlin Stealer resource hiding techniques.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
        CommandLine|contains:
            - 'Get-Process'
            - 'ReadAllBytes'
            - 'System.Reflection'
    condition: selection
falsepositives:
    - Legitimate system administration scripts
level: high
---
title: Suspicious NPM Process Spawn (OtterCookie)
id: 9d8e0f3b-2e4f-5b6a-0c1d-2e3f4a5b6c7d
description: Detects Node.js or npm spawning unusual child processes like PowerShell or CMD, characteristic of malicious npm packages like OtterCookie.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000001
tags:
    - attack.initial_access
    - attack.t1192
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build scripts
level: medium
---
title: Cisco SD-WAN Vulnerability Exploitation Attempt
id: 0e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects potential exploitation attempts against Cisco Catalyst SD-WAN Manager related to CVE-2026-20182 and CVE-2026-20133.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000002
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
    definition: 'Requirements: At least one of the keywords in "cs-uri-query" or "cs-uri-stem"'
detection:
    selection_uri:
        cs-uri-stem|contains:
            - '/app/login'
            - '/j_security_check'
    selection_suspicious:
        cs-uri-query|contains:
            - 'authenticationBypass'
            - 'matrixparams'
    condition: selection_uri and selection_suspicious
falsepositives:
    - Unknown
level: critical
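Before deploying a parent/child rule like the OtterCookie one, it is worth running its logic over a handful of known events. The following is an added example, not from the original post: a minimal evaluator for the Sigma subset that rule uses (endswith/contains modifiers, list values as OR, fields within a selection as AND, condition "selection_parent and selection_child"), run over constructed Sysmon-style process_creation events; the parent check is on ParentImage, since one event's Image cannot end with both node.exe and powershell.exe.

```python
# Added example (not from the original post): evaluate the OtterCookie-style
# parent/child Sigma logic over constructed process_creation events.
RULE_DETECTION = {
    "selection_parent": {"ParentImage|endswith": ["\\node.exe", "\\npm.cmd"]},
    "selection_child": {
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"]
    },
}


def field_matches(event, key, values):
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (v.lower() for v in values):
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def rule_matches(event, detection=RULE_DETECTION):
    """Condition 'selection_parent and selection_child': every selection must
    match, and within a selection every field must match."""
    return all(
        all(field_matches(event, key, values) for key, values in selection.items())
        for selection in detection.values()
    )


# Constructed events: node spawning PowerShell (should alert), node spawning
# node (ordinary build tooling, should not), Explorer launching cmd (should not).
EVENTS = [
    {"ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def alerting_events(events=EVENTS):
    return [e for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in alerting_events():
        print("ALERT:", event["ParentImage"], "->", event["Image"])
```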

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Gremlin/OtterCookie File Hashes
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    '1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5',
    '2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b',
    'd94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa',
    '06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf'
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Network Connections to Malicious IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (
    '194.87.92.109',
    '176.65.139.31',
    '94.228.161.88',
    '147.45.197.92'
)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Gremlin Stealer and OtterCookie Indicators
# Requires Administrative Privileges

$MaliciousHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
)

$MaliciousIPs = @(
    "194.87.92.109",
    "176.65.139.31"
)

Write-Host "[+] Hunting for malicious file hashes..." -ForegroundColor Cyan

# Check common download and temp directories (files only; Get-FileHash cannot hash directories)
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object {
            $MaliciousHashes -contains $_.Hash
        } | ForEach-Object {
            Write-Host "[!] MALICIOUS FILE DETECTED: $($_.Path) (Hash: $($_.Hash))" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for active network connections to C2 IPs..." -ForegroundColor Cyan

$Connections = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $MaliciousIPs -contains $_.RemoteAddress
}

if ($Connections) {
    $Connections | ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] SUSPICIOUS CONNECTION: Remote IP $($_.RemoteAddress):$($_.RemotePort) owned by $($Process.ProcessName) (PID: $($_.OwningProcess))" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No suspicious connections found." -ForegroundColor Green
}

Write-Host "[+] Hunt complete."

Response Priorities

Immediate (0-4 hours)

  • Block IOCs: Upload all SHA256 hashes and IP addresses provided in the pulses to EDR, Firewalls, and SIEM blocklists.
  • Isolate: Isolate any endpoints returning positive hits for the Gremlin or Vidar hashes.
  • Hunt: Run the provided PowerShell script across the fleet to identify dropped payloads.

24 Hours

  • Credential Reset: Force a password reset for any user accounts identified on compromised endpoints (specifically targeting browsers/SSH keys due to OtterCookie).
  • Supply Chain Audit: Identify and quarantine any usage of the npm packages associated with the OtterCookie campaign. Audit GitHub repository clones related to "Claude Code".
  • Patch Management: Identify all Cisco Catalyst SD-WAN and Fortinet edge appliances. Apply patches for CVE-2026-20182, CVE-2026-20133, CVE-2024-55591 immediately.
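One concrete way to carry out the supply chain audit above is to scan every npm lockfile in the estate for package names on a watchlist and for tarballs that were not resolved from the public registry. The following is an added example, not from the original post: it reads a package-lock.json (lockfileVersion 2 or 3, "packages" map); the watchlist names are placeholders, since the pulse refers to "big.js variants" without naming packages, and the lockfile it scans is constructed.

```python
# Added example (not from the original post): audit an npm package-lock.json for
# watchlisted package names and for non-registry tarball sources.
import json
from urllib.parse import urlparse

WATCHLIST = {"bigjs-placeholder", "big-js-placeholder"}  # placeholders, not real IOCs
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(lock_path):
    """Map a key such as 'node_modules/a/node_modules/@s/b' to '@s/b'.
    The empty key is the root project and has no package name."""
    if not lock_path:
        return None
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock):
    """Return (name, version, reason) tuples for every suspicious entry."""
    findings = []
    for lock_path, meta in lock.get("packages", {}).items():
        name = package_name(lock_path)
        if name is None or meta.get("link"):  # skip the root and workspace symlinks
            continue
        version = meta.get("version", "unknown")
        if name in WATCHLIST:
            findings.append((name, version, "watchlisted package name"))
        resolved = meta.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or "non-registry source"
            if host not in TRUSTED_REGISTRY_HOSTS:
                findings.append((name, version, f"tarball resolved from {host}"))
    return findings


# Constructed lockfile: legitimate big.js, a placeholder look-alike name, and a
# package fetched from a host that is not the npm registry.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/big.js": {"version": "6.2.1",
      "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz"},
    "node_modules/bigjs-placeholder": {"version": "1.0.3",
      "resolved": "https://registry.npmjs.org/bigjs-placeholder/-/bigjs-placeholder-1.0.3.tgz"},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://example.invalid/pkgs/left-pad-1.3.0.tgz"}
  }
}""")

if __name__ == "__main__":
    for name, version, reason in scan_lockfile(SAMPLE_LOCK):
        print(f"[!] {name}@{version}: {reason}")
```

Point the script at each repository's package-lock.json and treat any finding as a candidate for the quarantine step; a `git+` or `file:` source shows up as a non-registry host and deserves the same review.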

1 Week

  • Architecture Hardening: Implement strict egress filtering for Telegram and Vercel APIs from non-developer workstations to impede data exfiltration.
  • Policy Review: Review developer onboarding policies regarding "contagious interviews" and external package dependencies.
  • Threat Hunt: Conduct a retrospective hunt for NTLM relay attempts targeting internal infrastructure originating from the DMZ.
