
Gremlin Stealer, SD-WAN Exploits & NPM Supply Chain Attacks: Credential Theft Campaigns — OTX Pulse Analysis

Security Arsenal Team
May 15, 2026

Threat Summary

Recent OTX pulses reveal a coordinated surge in credential theft campaigns targeting both enterprise infrastructure and the software supply chain. Threat actors are aggressively exploiting high-severity vulnerabilities in edge devices, specifically Cisco Catalyst SD-WAN (CVE-2026-20182, CVE-2026-20133), to gain initial access and deploy webshells (XenShell) and cryptocurrency miners. Concurrently, a sophisticated supply chain operation is utilizing malicious npm packages (OtterCookie) and trojanized GitHub repositories leveraging the "Claude Code" leak to distribute info-stealers like Gremlin, Vidar, and GhostSocks. The collective objective of these clusters is the harvesting of browser credentials, SSH keys, and session tokens for initial access brokerage and financial fraud.

Threat Actor / Malware Profile

Gremlin Stealer & GuLoader

  • Distribution: Phishing attachments utilizing commercial-grade packing utilities and instruction virtualization to hide payloads in resource files.
  • Behavior: Siphons payment card details, browser data, and Discord tokens. Its core logic is compiled to custom bytecode and run by an embedded interpreter (instruction virtualization), so the real instructions never appear as native code in the binary and signature-based static analysis sees only the interpreter loop.
  • C2: Communicates with hard-coded C2 infrastructure (e.g., 194.87.92.109) and exfiltrates over HTTP or via Telegram. The Telegram path terminates on Telegram's own infrastructure, so blocking the listed C2 IPs does not cover it; watch for processes that are not a Telegram client reaching api.telegram.org.

OtterCookie & NPM Campaign (FAMOUS CHOLLIMA)

  • Distribution: "Contagious Interview" scheme; malicious npm packages act as benign wrappers cloning legitimate libraries (e.g., big.js) while pulling in malicious dependencies.
  • Behavior: Infostealer targeting developer credentials, SSH keys, and browser sessions.
  • Execution: Install-time npm lifecycle hooks (preinstall/install/postinstall in package.json) run obfuscated JavaScript that spawns shell commands during npm install, before any of the package's code is ever required by the application.
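
The install-hook check above can be automated. The following is an added example written for this page (not OtterCookie tooling and not the Security Arsenal team's code): a Python script that parses package.json manifests, flags install-time lifecycle scripts showing traits legitimate installers rarely need (inline node -e, downloads, eval, encoded payloads), and flags package names within edit distance 2 of a popular library such as big.js. The suspicious-pattern list, the popular-name shortlist and the sample manifests are constructed assumptions for the example, not indicators from the pulses.

```python
"""Scan npm package manifests for install-time lifecycle hooks and lookalike
names, the two traits of the OtterCookie packages described above.
Added example by the editor; not OtterCookie tooling or this post's own code."""
import json
import re
from pathlib import Path

# Hooks that `npm install` runs automatically, before any of the package's
# code is ever required by the application.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Traits that legitimate install scripts rarely need (heuristics, not a signature).
SUSPICIOUS = [
    (r"\bnode\s+-e\b", "inline node -e payload"),
    (r"\b(curl|wget)\b|Invoke-WebRequest|\biwr\b", "remote download during install"),
    (r"\b(bash|sh|cmd(\.exe)?|powershell)\b", "shell interpreter invoked"),
    (r"\beval\s*\(|new\s+Function\s*\(", "dynamic code evaluation"),
    (r"base64|Buffer\.from\(|\batob\(", "encoded payload"),
    (r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}", "hex/unicode-escaped string"),
]

# Constructed shortlist for the example; a real deployment would use the
# registry's top-N package names.
KNOWN_POPULAR = ("big.js", "lodash", "axios", "express")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats such as bigg.js vs big.js."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, known=KNOWN_POPULAR, max_distance: int = 2):
    """Return the popular package this name imitates, or None."""
    for candidate in known:
        if name != candidate and edit_distance(name, candidate) <= max_distance:
            return candidate
    return None


def scan_manifest(manifest: dict, path: str = "<memory>") -> list:
    """Return a list of findings for one parsed package.json."""
    name = manifest.get("name", "?")
    version = manifest.get("version", "?")
    findings = []
    target = lookalike(name)
    if target:
        findings.append({"package": f"{name}@{version}", "path": path, "hook": None,
                         "command": None, "reasons": [f"name resembles popular package {target!r}"]})
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, command, re.IGNORECASE)]
        if reasons:
            findings.append({"package": f"{name}@{version}", "path": path, "hook": hook,
                             "command": command, "reasons": reasons})
    return findings


def scan_tree(root) -> list:
    """Walk a project (or a user's home directory) and scan every package.json found."""
    findings = []
    for manifest_path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the sweep
        if isinstance(manifest, dict):
            findings.extend(scan_manifest(manifest, str(manifest_path)))
    return findings


# Constructed fixtures standing in for installed packages (not real registry data).
SAMPLE_MANIFESTS = [
    {"name": "big.js", "version": "6.2.1", "scripts": {"test": "node test/index.js"}},
    {"name": "bigg.js", "version": "6.2.1",
     "scripts": {"postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\""}},
    {"name": "good-native", "version": "2.0.0", "scripts": {"install": "node-gyp rebuild"}},
]

if __name__ == "__main__":
    for manifest in SAMPLE_MANIFESTS:
        for finding in scan_manifest(manifest):
            print(f"[!] {finding['package']} {finding['hook'] or 'name'}: {', '.join(finding['reasons'])}")
```

Point scan_tree() at a project directory or a developer's home directory; it walks every node_modules tree it finds. The same check works on a freshly downloaded tarball before installation, which is the safer order, and installing with ignore-scripts=true in .npmrc keeps the hooks from running at all while findings are reviewed.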

The Gentlemen RaaS

  • Distribution: Exploits vulnerabilities in Fortinet and Cisco edge appliances (e.g., Fortinet CVE-2024-55591) and uses NTLM relay attacks. Recently suffered a leak of their internal "Rocket" database.
  • Behavior: Delivers SystemBC (a proxy/RAT) to maintain persistence and facilitate lateral movement.
  • C2: Uses customized C2 panels to manage infected hosts and sell access.

UAT-8616 (SD-WAN Exploitation)

  • Distribution: Active exploitation of CVE-2026-20182 (Authentication Bypass) on Cisco Catalyst SD-WAN Controllers.
  • Behavior: Deploys webshells (Godzilla, Behinder) and cryptocurrency miners (XMRig).

IOC Analysis

The provided indicators consist of:

  1. IPv4 Addresses: C2 infrastructure for Gremlin Stealer (194.87.92.109) and SD-WAN related actors. These should be blocked immediately at the perimeter.
  2. File Hashes (SHA256/MD5): Identifies packed payloads for Gremlin, XenShell, and Vidar. SOC teams should hunt for these hashes in EDR telemetry and SIEM logs.
  3. CVE Identifiers: Critical for vulnerability management. Prioritize patching for CVE-2026-20182, CVE-2026-20133, and CVE-2024-55591.

Operational Guidance:

  • Tooling: Use YARA rules keyed on the entropy and resource-section characteristics of Gremlin's packed payloads. Use network logs (NetFlow/Zeek) to detect outbound connections to the listed IPs on any port; do not restrict the match to non-standard ports, since HTTP-based C2 routinely uses 80 and 443. For the Telegram exfiltration path, alert on connections to api.telegram.org from processes that are not a Telegram client.
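
To make the entropy part of that guidance concrete, here is an added example (editor's code, not the page's YARA rules and not a Gremlin signature): a stdlib-only Python parser that walks the PE section table and reports sections whose Shannon entropy is at or above a packed-data threshold. The 7.2-bit threshold and the two-section sample image the script builds for itself are constructed assumptions; pass a file path to scan a real sample.

```python
"""Flag packed or virtualized PE payloads by section entropy, the static trait
the guidance above keys YARA on. Added example by the editor: a stdlib-only
PE section-table parser plus a constructed two-section PE image used as
sample input; not this post's tooling and not a Gremlin signature."""
import hashlib
import math
import struct
import sys

# Heuristic cut-off (assumption): compressed/encrypted data sits near 8.0 bits
# per byte, plain x86 code usually between 5.5 and 6.8.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # IMAGE_SECTION_HEADER[]
    for i in range(num_sections):
        header = table + i * 40
        name = image[header:header + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, header + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]    # truncated files yield short data


def packed_sections(image: bytes, threshold: float = PACKED_THRESHOLD, min_size: int = 256) -> list:
    """Return [(section_name, entropy)] for sections that look compressed/encrypted."""
    hits = []
    for name, data in pe_sections(image):
        if len(data) < min_size:
            continue                                      # tiny sections give noisy entropy
        entropy = shannon_entropy(data)
        if entropy >= threshold:
            hits.append((name, round(entropy, 2)))
    return hits


def build_sample_pe(sections: list) -> bytes:
    """Assemble a minimal, non-executable PE image from [(name, bytes)] for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\0" * 94     # PE32 magic, remainder zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    data_start = e_lfanew + 4 + len(coff) + len(optional) + 40 * len(sections)
    table, blobs = b"", b""
    for index, (name, data) in enumerate(sections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then
        # relocation/line-number fields and Characteristics (flags irrelevant here).
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (index + 1),
                             len(data), data_start + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
    return dos + b"PE\0\0" + coff + optional + table + blobs


# Constructed sample: a low-entropy code-like section and a high-entropy blob
# standing in for an encrypted resource (deterministic SHA-256 chain, not random).
SAMPLE_SECTIONS = [
    (b".text", bytes(range(16)) * 64),
    (b".rsrc", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))),
]

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_SECTIONS)
    for name, data in pe_sections(image):
        print(f"{name:<8} {len(data):>8} bytes  entropy={shannon_entropy(data):.2f}")
    print("packed-looking sections:", packed_sections(image))
```

A resource blob near 8.0 bits next to a small, low-entropy .text section is the shape a packed or virtualized stager tends to have; legitimate installers with embedded compressed payloads look the same, which is why this check belongs in a YARA rule (math.entropy() from the math module over the section range) combined with other traits rather than standing alone.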

Detection Engineering

Sigma Rules

YAML
title: Potential Gremlin Stealer VM-Based Packed Payload
id: 89c92f1b-4b8e-4f3a-8b6d-3e4b6f5a8c9d
description: Detects suspicious child processes often spawned by heavily packed malware like Gremlin Stealer using instruction virtualization.
status: experimental
date: 2026-05-15
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\mshta.exe'
      - '\wscript.exe'
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
    CommandLine|contains:
      - ' -i '
      - ' EntryPoint '
      - ' #1 '
  condition: selection
falsepositives:
  - Legitimate software installers
level: high
tags:
  - attack.defense_evasion
  - attack.execution
  - attack.t1204

---

title: NPM Supply Chain Attack - OtterCookie Pattern
id: a7b3c9d2-4e1f-3a5b-8c6d-7e8f9a0b1c2d
description: Detects Node.js spawning a shell interpreter, the behaviour of npm install-time lifecycle scripts (preinstall/postinstall) abused by malicious packages such as OtterCookie to execute payloads. On Windows npm itself is a batch wrapper, so the parent of the spawned shell is node.exe, never npm.cmd.
status: experimental
date: 2026-05-15
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
  filter_native_build:
    CommandLine|contains:
      - 'node-gyp'
  condition: selection and not filter_native_build
falsepositives:
  - Legitimate build scripts and native-module compilation (extend the filter with the build tooling used in your environment)
level: medium
tags:
  - attack.initial_access
  - attack.t1195
  - attack.execution
  - attack.t1059

---

title: Cisco SD-WAN Exploitation Activity - UAT-8616
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects potential webshell upload or invocation on paths associated with UAT-8616 exploitation of Cisco SD-WAN controllers. Run this against the controller's HTTP access logs; the exploitation itself leaves no trace in endpoint (EDR) telemetry.
status: experimental
date: 2026-05-15
author: Security Arsenal
logsource:
  category: webserver
  # the controller's front-end HTTP server; set product to apache/nginx/iis to match the deployment
detection:
  selection_uri:
    c-uri|contains:
      - '/vpnportal/'
      - '/uploads/'
  selection_keywords:
    c-uri|contains:
      - 'shell.php'
      - '.aspx?'
      - 'eval('
  condition: all of selection_*
falsepositives:
  - Administrative management activity
level: critical
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1505.003

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Gremlin and Vidar Stealer file hashes (run each query separately)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    '1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5',
    '971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759',
    '06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf'
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName

// Hunt for network connections to the known C2 IPs, on any port
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in ('194.87.92.109', '176.65.139.31', '94.228.161.88')
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine

// Hunt for PoC or scanner tooling that references the SD-WAN CVEs on endpoints.
// Exploitation of the controller itself is not visible in endpoint telemetry; hunt
// for that in the controller's HTTP access logs (see the Sigma web rule above).
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_any ('CVE-2026-20182', 'CVE-2026-20133')
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Gremlin, OtterCookie, and Gentlemen Campaigns
# Requires Administrator Privileges (to read every user's profile)

$HashList = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)

$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "[+] Starting IOC Scan..." -ForegroundColor Cyan

# Scan for Malicious Files (-File keeps directories out of Get-FileHash; -Force includes hidden files)
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $HashList -contains $_.Hash } |
            ForEach-Object {
                Write-Host "[!] ALERT: Malicious file found: $($_.Path) (SHA256: $($_.Hash))" -ForegroundColor Red
            }
    }
}

# Check for npm packages with install-time lifecycle scripts (OtterCookie pattern).
# The npm cache holds content-addressed tarballs, not readable package.json files, so inspect
# the installed node_modules trees under each user profile instead.
Write-Host "[+] Checking node_modules trees for packages with install hooks..." -ForegroundColor Yellow
$InstallHooks = @("preinstall", "install", "postinstall", "prepare")
$DateCutoff = (Get-Date).AddDays(-30)
Get-ChildItem -Path "C:\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -Path $_.FullName -Recurse -Filter "package.json" -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\node_modules\\' -and $_.LastWriteTime -gt $DateCutoff } |
        ForEach-Object {
            $ManifestPath = $_.FullName
            try { $Manifest = Get-Content -Path $ManifestPath -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop } catch { return }   # not valid JSON; skip
            foreach ($Hook in $InstallHooks) {
                $Command = $Manifest.scripts.$Hook
                if ($Command) {
                    Write-Host "[?] $($Manifest.name)@$($Manifest.version) runs '$Hook': $Command ($ManifestPath)" -ForegroundColor DarkYellow
                }
            }
        }
}

Write-Host "[+] Scan Complete." -ForegroundColor Cyan

Response Priorities

Immediate (0-24h)

  1. Block Indicators: Add the C2 IPv4 addresses (194.87.92.109, 176.65.139.31, etc.) and the domains identified in the pulses to perimeter firewall and DNS blocklists.
  2. Patch Critical Vulnerabilities: Emergency patching for Cisco Catalyst SD-WAN (CVE-2026-20182, CVE-2026-20133) and Fortinet (CVE-2024-55591). If patching is delayed, take management interfaces off the internet and restrict them to a dedicated management network.
  3. Hunt for Webshells: Scan web servers for artifacts associated with Godzilla, Behinder, and XenShell.

Short-term (24-48h)

  1. Credential Audit: If Gremlin or Vidar is suspected, rotate all browser-saved credentials and invalidate active sessions (cookies and tokens), especially for Discord, Telegram, and banking sites; a stolen session cookie bypasses MFA, so a password reset alone is not enough.
  2. Developer Environment Review: Audit GitHub repositories cloned and npm packages installed in the last 30 days. Remove any repositories tied to the "Claude Code" leak lures and any suspicious "big.js" look-alike packages, then rotate the SSH keys and tokens that were present on the affected workstation.

Long-term (1 Week+)

  1. Supply Chain Security: Implement software composition analysis (SCA) for npm and Python packages, pin dependencies with lockfiles, and turn off install-time scripts by default (ignore-scripts=true in .npmrc, or npm install --ignore-scripts) so a package cannot execute anything during installation. SCA flags known-bad and vulnerable packages; dependency confusion and typosquats additionally need scoped private registries and review of new dependencies before they are pinned.
  2. Edge Segmentation: Enforce strict segmentation for SD-WAN controllers and VPN concentrators to limit lateral movement from webshell exploitation.
