Recent OTX pulses indicate a coordinated surge in credential theft activity leveraging diverse initial access vectors. Security researchers have identified active exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133) by actor UAT-8616 to deploy webshells and miners. Simultaneously, North Korean threat actor FAMOUS CHOLLIMA is utilizing the npm supply chain to distribute the OtterCookie infostealer via malicious packages. In a separate campaign, adversaries are capitalizing on the recent Claude Code leak, trojanizing GitHub repositories to distribute Vidar Stealer and GhostSocks. These campaigns converge on a primary objective: exfiltrating session tokens, credentials, and cryptocurrency wallets to facilitate further intrusion and financial theft.
# Threat Actor / Malware Profile

**FAMOUS CHOLLIMA (North Korea)**
- Malware: OtterCookie, BeaverTail, InvisibleFerret.
- Distribution: Malicious npm packages (e.g., big.js variants) employing a two-layer strategy in which benign wrappers pull in the malicious dependencies.
- Behavior: Targets the Technology sector. Steals browser credentials and establishes SSH backdoors.
- C2: Communicates over non-standard ports, often leveraging Vercel infrastructure for blending.
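The two-layer pattern described above can be checked in a project's lockfile. The following is an added example, not code from the pulses or from Security Arsenal: it walks the `packages` map of a constructed `package-lock.json` and flags direct dependencies whose own dependency ships an install script or carries a name imitating `big.js`. The package names in the sample are invented for the demo, and a hoisted (non-nested) `node_modules` layout is assumed.

```python
"""Flag the two-layer npm pattern (benign wrapper -> malicious dependency) in a
package-lock.json 'packages' map (lockfileVersion 2/3)."""
import json

# Constructed lockfile for this demo: a harmless-looking direct dependency pulls in
# a lookalike of big.js that ships an install script. Names are illustrative only.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"number-format-helper": "1.0.0", "big.js": "6.2.1"}},
        "node_modules/number-format-helper": {
            "version": "1.0.0",
            "dependencies": {"big-js-utils": "2.1.0"},
        },
        "node_modules/big-js-utils": {"version": "2.1.0", "hasInstallScript": True},
        "node_modules/big.js": {"version": "6.2.1"},
    },
})
WATCHLIST = {"big.js"}  # popular names the campaign imitates (from the profile above)

def normalize(name):
    """Drop scope, punctuation and case so 'big-js-utils' compares as 'bigjsutils'."""
    return "".join(c for c in name.lower().split("/")[-1] if c.isalnum())

def is_lookalike(name, watchlist=WATCHLIST):
    """True when a watched name is embedded in NAME but NAME is not that package."""
    n = normalize(name)
    return any(name != w and normalize(w) in n for w in watchlist)

def find_two_layer_chains(lock_text):
    """Return (wrapper, dependency, reasons) for each direct dependency whose own
    dependency ships an install script and/or carries a lookalike name."""
    pkgs = json.loads(lock_text)["packages"]
    direct = set(pkgs[""].get("dependencies", {}))
    findings = []
    for path, meta in pkgs.items():
        wrapper = path.rsplit("node_modules/", 1)[-1]
        if wrapper not in direct:
            continue  # only first-layer (wrapper) packages are of interest here
        for dep in meta.get("dependencies", {}):
            dep_meta = pkgs.get(f"node_modules/{dep}", {})  # assumes a hoisted install
            reasons = []
            if dep_meta.get("hasInstallScript"):
                reasons.append("install script")
            if is_lookalike(dep):
                reasons.append("lookalike name")
            if reasons:
                findings.append((wrapper, dep, reasons))
    return findings
```

A hit only says the chain deserves review (install scripts are also common in legitimate native modules); pair it with the hash and C2 indicators below before acting.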
**Unknown (commercially motivated)**
- Malware: Gremlin Stealer, Vidar, GhostSocks.
- Distribution:
  - Gremlin: Embedded resources within packed executables using instruction virtualization.
  - Vidar: Trojanized GitHub repositories masquerading as leaked Claude Code source.
- Behavior:
  - Gremlin: Siphons payment card details, browser data, and Discord tokens. Uses commercial packers for evasion.
  - Vidar: Information theft (v18.7) and proxy capabilities (GhostSocks).
- Persistence: Scheduled tasks, registry run keys, and service creation.

**UAT-8616**
- Malware: XenShell, Godzilla, Behinder, Sliver, XMRig.
- Distribution: Exploitation of Cisco Catalyst SD-WAN Manager (CVE-2026-20128).
- Behavior: Authentication bypass to gain administrative privileges, deployment of webshells and cryptocurrency miners.
# IOC Analysis

The provided pulses offer a mix of infrastructure and file-based indicators critical for detection:
- File Hashes (SHA256/MD5): Multiple samples for Gremlin Stealer (e.g., `1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5`), Vidar Stealer, and webshell components. These should be blocked in EDR solutions and used to quarantine existing files.
- IPv4 Addresses: Key C2 and infrastructure IPs include `194.87.92.109` (Gremlin), `176.65.139.31` (Cisco SD-WAN exploitation), and `147.45.197.92` / `94.228.161.88` (Vidar C2). These should be immediately blocked on perimeter firewalls and proxied through secure web gateways.
- CVEs: CVE-2026-20128 and CVE-2026-20133 (Cisco SD-WAN); CVE-2025-32433 (Fortinet/Cisco edge appliances). These require immediate patching or signature-based detection on network devices.
- Operationalization: SOC teams should load hashes into CrowdStrike Falcon or SentinelOne. IPs should be added to blocklists. CVE tags can be used to query vulnerability scanners for unpatched assets.
# Detection Engineering

```yaml
title: Potential OtterCookie NPM Supply Chain Compromise
id: 3a1b2c3d-4e5f-6789-0abc-def123456789
description: Detects suspicious child processes spawned by node.exe, indicative of malicious npm packages like OtterCookie loading payloads.
status: experimental
date: 2026/05/17
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6646a0e8c6d7a1d2b3c4d5e6
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
  # Each filter is a separate map so that either one suppresses the alert;
  # two keys in a single map would require both to match (Sigma AND).
  filter_legit_image:
    Image|contains: '\node_modules\'
  filter_legit_cli:
    CommandLine|contains:
      - 'npm run'
      - 'webpack'
      - 'gulp'
  condition: selection and not 1 of filter_legit_*
falsepositives:
  - Legitimate build scripts spawning cmd or powershell
level: high
```
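The rule's exclusion logic is worth checking against test events before it ships. The following is an added example, not the page's or Security Arsenal's tooling: a hand-rolled matcher that implements just enough of Sigma's `field|modifier` semantics for this rule and compares the legit-build filter written as one map (both keys must match) with the same criteria split into two filters (either one suppresses). The process events are constructed, not taken from a real incident.

```python
"""Hand-rolled matcher for the OtterCookie Sigma rule above: enough of Sigma's
field|modifier semantics to see what 'selection and not filter' does on events.
Not pySigma and not the page's own tooling."""

def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of values is an OR."""
    v = (value or "").lower()
    for p in (p.lower() for p in patterns):
        if (modifier == "endswith" and v.endswith(p)) or \
           (modifier == "contains" and p in v) or \
           (modifier == "startswith" and v.startswith(p)) or \
           (modifier == "" and v == p):
            return True
    return False

def selection_matches(event, selection):
    """Every field in a selection map must match (Sigma AND between keys)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field), modifier, patterns):
            return False
    return True

SELECTION = {"ParentImage|endswith": ["\\node.exe"]}
# Filter with both keys in one map: suppression needs Image AND CommandLine to match.
FILTER_AS_WRITTEN = [{"Image|contains": ["\\node_modules\\"],
                      "CommandLine|contains": ["npm run", "webpack", "gulp"]}]
# Same criteria as two filters: either one suppresses ('not 1 of filter_*').
FILTER_SPLIT = [{"Image|contains": ["\\node_modules\\"]},
                {"CommandLine|contains": ["npm run", "webpack", "gulp"]}]

def alerts(event, filters):
    """Condition 'selection and not (any filter)'."""
    return selection_matches(event, SELECTION) and not any(
        selection_matches(event, f) for f in filters)

# Constructed Sysmon-style process-creation events, not from a real incident.
EVENTS = {
    "hidden_powershell": {"ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -c "<placeholder>"'},
    "npm_run_build": {"ParentImage": r"C:\Program Files\nodejs\node.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd.exe /d /s /c "npm run build"'},
    "unrelated": {"ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
}

def evaluate(filters):
    """Map each constructed event to whether the rule would fire on it."""
    return {name: alerts(ev, filters) for name, ev in EVENTS.items()}
```

Both variants fire on the hidden PowerShell child, but only the split filter lets the `npm run build` event through; the single-map form would page the SOC on every ordinary build. A command-line keyword is also weaker evidence of legitimacy than the Image path, so the exclusion should lean on the path where possible.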
```yaml
title: Gremlin Stealer Resource Execution Anomaly
date: 2026/05/17
id: 4b2c3d4e-5f6a-7890-1bcd-ef2345678901
description: Detects execution of binaries with characteristics of Gremlin Stealer (instruction virtualization/loaders) launching suspicious processes.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6646a0e8c6d7a1d2b3c4d5e7
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
  selection_cli:
    CommandLine|contains:
      - '.js:'
      - 'javascript:'
      - 'vbscript:'
  selection_parent:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
  condition: all of selection_*
falsepositives:
  - Low
level: critical
```
```yaml
title: Cisco SD-WAN Exploitation Attempt by UAT-8616
date: 2026/05/17
id: 5c3d4e5f-6a7b-8901-2cde-f34567890123
description: Detects potential exploitation of CVE-2026-20128/2026-20133 targeting Cisco Catalyst SD-WAN components, characterized by suspicious URI paths or authentication bypasses.
status: experimental
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6646a0e8c6d7a1d2b3c4d5e8
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Sigma webserver taxonomy field names; cs-uri-stem holds the request path
  selection_cve:
    cs-uri-stem|contains:
      - 'vpnportal'
      - 'dataservice'
  selection_bypass:
    cs-method: 'POST'
  # Requests that never reached a handler are not exploitation attempts worth paging on
  filter_404:
    sc-status: 404
  condition: selection_cve and selection_bypass and not filter_404
falsepositives:
  - Unknown
level: high
```
```kql
// Hunt for Gremlin and Vidar C2 infrastructure IPs
let IoC_IPs = dynamic(["194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88"]);
DeviceNetworkEvents
| where RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
// Standard web ports blend in with normal traffic; anything else is more suspicious
| extend SuspiciousScore = iff(RemotePort in (443, 80), "Medium", "High")
| order by Timestamp desc
```

```kql
// Hunt for malicious file hashes on endpoints (run as a separate query)
let IoC_SHA256 = dynamic([
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
]);
let IoC_MD5 = dynamic(["d75cb9920d1d3d280518ddccfe4789d2", "adf675ffc1acb357f2d9f1a94e016f52"]);
DeviceFileEvents
// in~ is case-insensitive, so the match does not depend on hash casing
| where SHA256 in~ (IoC_SHA256) or MD5 in~ (IoC_MD5)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
```
```powershell
# IOC Hunt Script: Gremlin, OtterCookie & Vidar Indicators
# Requires Administrator privileges
Write-Host "[*] Starting Threat Hunt for OTX Pulse Indicators..." -ForegroundColor Cyan

# Known Malicious IPs from Pulses
$MaliciousIPs = @(
    "194.87.92.109",
    "176.65.139.31",
    "147.45.197.92",
    "94.228.161.88"
)

# Known Malicious File Hashes (SHA256)
$MaliciousHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf"
)

# 1. Check Network Connections for C2 IPs
Write-Host "[+] Checking active network connections for malicious IPs..." -ForegroundColor Yellow
$ActiveConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($IP in $MaliciousIPs) {
    # $Matches is a PowerShell automatic variable (populated by -match), so a different name is used
    $Hits = $ActiveConnections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Hits) {
        Write-Host "[!] ALERT: Connection found to C2 IP $IP" -ForegroundColor Red
        $Hits | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
        # Get Process Details
        $Hits | ForEach-Object { Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue | Select-Object ProcessName, Path, StartTime }
    }
}

# 2. Scan for suspicious npm packages (OtterCookie vector)
Write-Host "[+] Checking for recently written package.json files (last 7 days)..." -ForegroundColor Yellow
$UserFolders = @("C:\Users\*")
$RecentNpm = Get-ChildItem -Path $UserFolders -Filter "package.json" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
if ($RecentNpm) {
    Write-Host "[!] INFO: Recent package.json files found. Verify their dependencies manually for OtterCookie/BeaverTail." -ForegroundColor Yellow
    $RecentNpm | Select-Object FullName, LastWriteTime
}

# 3. Check for specific file hashes (Signature check simulation)
Write-Host "[+] Scanning common download directories for known malware hashes..." -ForegroundColor Yellow
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\Windows\Temp")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so the casing of the hash does not matter
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] CRITICAL: Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[*] Hunt complete." -ForegroundColor Green
```
# Response Priorities

* **Immediate**:
  * Block all listed IPv4 addresses (`194.87.92.109`, `176.65.139.31`, `147.45.197.92`, `94.228.161.88`) at the perimeter firewall and proxy.
  * Quarantine endpoints matching the provided SHA256/MD5 hashes.
  * Apply emergency patches or mitigations for CVE-2026-20128 (Cisco SD-WAN).
* **24 Hours**:
  * Conduct a credential audit for any accounts associated with Cisco SD-WAN infrastructure.
  * Enforce MFA resets for users who may have interacted with "Claude Code" repositories on GitHub in the last week.
  * Scan software repositories for dependencies matching the malicious npm packages (OtterCookie).
* **1 Week**:
  * Implement SBOM (Software Bill of Materials) analysis for all npm packages used in development environments.
  * Review network segmentation to prevent lateral movement from web-facing VPN/SD-WAN appliances.
  * Harden GitHub usage policies and enforce signed commits for internal tooling.