Back to Intelligence

Gremlin Stealer, OtterCookie, and Vidar: Multi-Vector Infostealer Campaigns Targeting Credentials and Data

SA
Security Arsenal Team
May 16, 2026
8 min read

Recent OTX Pulse data highlights a surge in infostealer activity utilizing diverse distribution vectors, including software supply chain compromises (npm), social engineering via high-profile leaks (Claude Code), and sophisticated packing techniques. Threat actors are aggressively targeting credentials, payment card details, and session tokens.

  • Gremlin Stealer: Employs commercial-grade packing and instruction virtualization to hide in plain sight, utilizing embedded resource files for payload concealment.
  • OtterCookie (FAMOUS CHOLLIMA): A North Korean-linked campaign leveraging the npm ecosystem with a "contagious interview" tactic, using benign wrapper packages to pull malicious dependencies.
  • Vidar Stealer: Distributed via trojanized GitHub repositories exploiting the recent Claude Code leak as a social engineering lure.

Collectively, these campaigns demonstrate a clear objective: theft of sensitive identity and financial data for initial access or direct fraud. The attack chains typically follow a pattern of phishing/social engineering -> execution of obfuscated code -> credential/data harvesting -> exfiltration via Telegram, C2, or other channels.

Threat Actor / Malware Profile

Gremlin Stealer

  • Distribution: Likely via malspam or malicious downloads, concealed within resource files of packed executables.
  • Payload Behavior: Siphons payment card details, browser data, and potentially session tokens (Discord/Telegram).
  • C2 Communication: Specific C2 details not provided in the pulse, but known to use Telegram exfiltration tags.
  • Persistence: Standard infostealer persistence mechanisms (e.g., registry run keys, scheduled tasks) are expected.
  • Anti-Analysis: Uses a commercial packer with instruction virtualization, transforming code into custom bytecode executed by a private virtual machine to evade static and dynamic analysis.

OtterCookie / BeaverTail (FAMOUS CHOLLIMA)

  • Distribution: Supply chain attack on the npm package registry. Uses a two-layer strategy: benign wrapper packages that clone legitimate libraries (e.g., big.js) and then pull in malicious dependencies containing the payload. Associated with "contagious interview" campaigns targeting developers.
  • Payload Behavior: An infostealer that targets credentials, cookies, and other browser data. May deploy an SSH backdoor (InvisibleFerret).
  • C2 Communication: Uses Vercel as a C2 infrastructure, blending in with legitimate traffic.
  • Persistence: Not explicitly detailed, but often involves establishing persistence on developer workstations.
  • Anti-Analysis: Uses code obfuscation within the malicious npm packages to evade detection.

Vidar Stealer & GhostSocks

  • Distribution: Social engineering via GitHub. Attackers create trojanized repositories claiming to contain the leaked Claude Code source code to trick users into downloading and executing malicious payloads.
  • Payload Behavior: Vidar is an information stealer targeting passwords, cookies, credit card info, and more. GhostSocks is a proxy trojan.
  • C2 Communication: Uses IPs and hostnames associated with the campaign for C2 operations (e.g., rti.cargomanbd.com).
  • Persistence: Typical infostealer persistence methods.
  • Anti-Analysis: Relies on the perceived legitimacy of the GitHub repository and user trust in the "leaked" software.

IOC Analysis

The provided IOCs include:

  • File Hashes (SHA256, SHA1, MD5): These are critical for identifying malicious files on endpoints. SOC teams should use EDR solutions to scan for these hashes.
  • IPv4 Addresses (e.g., 194.87.92.109, 176.65.139.31): These are C2 servers or download hosts. Firewall and proxy logs should be queried for connections to these IPs.
  • URLs and Hostnames (e.g., https://147.45.197.92:443, rti.cargomanbd.com): These are used for payload delivery or C2 communication. Web proxies and DNS logs should be queried.
  • CVEs (e.g., CVE-2025-32433, CVE-2026-20133): These vulnerabilities are exploited for initial access or privilege escalation. Vulnerability management teams should prioritize patching for these CVEs.

Operationalization:

  • Hash Scanning: EDR tools like CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint can be configured to alert on or quarantine files matching these hashes.
  • Network Blocking: Firewall rules should be created to block outbound traffic to the listed IPs and domains. SIEM solutions can be used to generate alerts for any connection attempts.
  • CVE Patching: Vulnerability scanners should be run to identify systems vulnerable to the listed CVEs, and patching should be prioritized.

Detection Engineering

Sigma Rules

YAML
detection:
  selection_source:
    Image|endswith:
      - '\node.exe'
      - '\npm.cmd'
  selection_cmdline:
    CommandLine|contains:
      - 'install'
      - 'ci'
  selection_npm_registry:
    CommandLine|contains|any:
      - 'registry.npmjs.org'
      - 'npm.pkg.github.com'
  condition: all of selection_*
  timeframe: 1h
falsepositives:
  - Legitimate npm package installations by developers
level: low
---
detection:
  selection_process_creation:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  selection_parent_process:
    ParentImage|endswith:
      - '\node.exe'
  selection_suspicious_args:
    CommandLine|contains|any:
      - 'downloadstring'
      - 'iex'
      - 'invoke-expression'
      - 'base64'
  condition: all of selection_*
falsepositives:
  - Developer scripts that use dynamic execution
level: high
---
detection:
  selection_suspicious_download:
    Image|endswith:
      - '\git.exe'
      - '\powershell.exe'
      - '\curl.exe'
      - '\wget.exe'
  selection_github_domain:
    DestinationHostname|contains:
      - 'github.com'
      - 'gist.githubusercontent.com'
  selection_suspicious_keywords:
    CommandLine|contains|any:
      - 'claude'
      - 'leak'
      - 'anthropic'
  selection_file_extension:
    TargetFilename|endswith:
      - '.exe'
      - '.dll'
      - '.zip'
      - '.js'
  condition: all of selection_*
falsepositives:
  - Legitimate cloning of repositories related to AI or coding assistants
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known malicious IPs and domains from pulses
let MaliciousIOCs = dynamic(["194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88", "rti.cargomanbd.com"]);
DeviceNetworkEvents
| where RemoteIP in (MaliciousIOCs) or RemoteUrl has_any (MaliciousIOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend TailoredIndicator = iff(RemoteIP in (MaliciousIOCs), "IP Match", "Domain Match")


kql
// Hunt for suspicious process execution patterns related to npm and scripts
DeviceProcessEvents
| where (ProcessVersionInfoOriginalFileName in ("node.exe", "npm.cmd") or FileName =~ "node.exe")
    and (ProcessCommandLine contains "install" or ProcessCommandLine contains "ci")
| where ProcessCommandLine contains any("-g", "--global") or ProcessCommandLine contains "registry"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine


kql
// Hunt for file creation related to GitHub downloads and suspicious keywords
DeviceFileEvents
| where (InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "git.exe", "curl.exe", "wget.exe")
    and (RequestingProcessCommandLine contains "github" or InitiatingProcessCommandLine contains "github"))
    and (RequestingProcessCommandLine contains any("claude", "leak", "anthropic") or FileName contains any("claude", "leak"))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Gremlin, OtterCookie, and Vidar related artifacts

# Malicious File Hashes from the pulses
$MaliciousHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87e47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
    "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "77c73bd5e7625b7f691bc00a1b561a0f",
    "d8256fbc62e85dae85eb8d4b49613774",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a"
)

# Suspicious IPs
$MaliciousIPs = @("194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88")

# Suspicious Domains
$MaliciousDomains = @("rti.cargomanbd.com")

function Check-FileHashes {
    Write-Host "Checking for malicious file hashes on the system..."
    $Drives = Get-PSDrive -PSProvider FileSystem
    foreach ($Drive in $Drives) {
        Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256, MD5 -ErrorAction SilentlyContinue | Where-Object {
            $MaliciousHashes -contains $_.Hash -or $MaliciousHashes -contains $_.Hash.ToLower()
        } | ForEach-Object {
            Write-Host "[!] FOUND MALICIOUS FILE: $($_.Path) | HASH: $($_.Hash) | ALGORITHM: $($_.Algorithm)" -ForegroundColor Red
        }
    }
}

function Check-NetworkConnections {
    Write-Host "Checking for active network connections to suspicious IPs..."
    $Connections = Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue
    foreach ($Conn in $Connections) {
        if ($MaliciousIPs -contains $Conn.RemoteAddress) {
            $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "[!] FOUND CONNECTION TO MALICIOUS IP: $($Conn.RemoteAddress):$($Conn.RemotePort) | LOCAL PORT: $($Conn.LocalPort) | PROCESS: $($Process.ProcessName) (PID: $($Conn.OwningProcess))" -ForegroundColor Red
        }
    }
}

function Check-DNSCache {
    Write-Host "Checking DNS cache for suspicious domains..."
    $DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($Entry in $DnsCache) {
        if ($MaliciousDomains -contains $Entry.Name) {
            Write-Host "[!] FOUND SUSPICIOUS DNS ENTRY: $($Entry.Name) | DATA: $($Entry.Data)" -ForegroundColor Red
        }
    }
}

# Main Execution
Write-Host "Starting IOC Hunt Script..." -ForegroundColor Cyan
Check-FileHashes
Check-NetworkConnections
Check-DNSCache
Write-Host "IOC Hunt Script completed." -ForegroundColor Cyan


# Response Priorities

Immediate (0-24 hours)

  1. Block Indicators: Immediately block all listed IP addresses, domains, and URLs at the network perimeter (firewall, proxy, web gateway).
  2. Hunt for Execution Artifacts: Use the provided PowerShell script and Sigma rules to hunt for the malicious file hashes and process execution patterns across all endpoints.
  3. Isolate Infected Hosts: If any endpoint is found to be communicating with the malicious C2 infrastructure or hosting the malicious files, isolate it from the network immediately to prevent further data exfiltration.

Short-term (24-48 hours)

  1. Identity Verification: If credential-stealing malware (Gremlin, OtterCookie, Vidar) is suspected to have run, initiate a forced password reset and multi-factor authentication (MFA) challenge for all affected user accounts. Review recent access logs for anomalous activity.
  2. Review GitHub Access: Investigate if any developers have cloned or interacted with repositories related to "Claude Code" or other suspicious projects. Revoke any credentials or tokens that may have been exposed.
  3. Scan npm Packages: For development teams, audit the package. files and node_modules directories of active projects for any of the malicious packages associated with the OtterCookie campaign (e.g., big.js variants).

Medium-term (1 week)

  1. Architecture Hardening: Implement application control policies to restrict the execution of unsigned binaries, especially in user directories.
  2. Software Supply Chain Security: Enforce the use of private npm registries and implement a package approval process. Enable and review Dependabot or similar tools for dependency scanning.
  3. Developer Security Awareness: Conduct targeted security training for developers on the risks of supply chain attacks, malicious repositories, and social engineering lures (e.g., "leaked" code).
  4. Patch Management: Prioritize and apply patches for the CVEs listed in the pulses (e.g., CVE-2026-20133, CVE-2025-32433) on all affected network appliances and endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealergremlin-stealerottercookievidarcredential-harvesting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action