Back to Intelligence

Jalisco Toolkit, Miasma v3 & TuxBot Botnet: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 15, 2026
6 min read

Recent OTX pulses indicate a convergence of sophisticated supply chain compromises, AI-enhanced phishing campaigns, and modular IoT botnets. Threat actors are actively leveraging Large Language Models (LLMs) to develop malware (TuxBot v3) and utilizing legitimate CI/CD pipelines (GitHub Actions) to distribute malicious npm packages (Miasma v3). Simultaneously, Phishing-as-a-Service (PhaaS) kits like Jalisco and OmegaLord are being used to bypass MFA and harvest OAuth tokens at scale, while a Romanian threat actor uses compromised terminal servers to stage bulk credential theft campaigns affecting millions of recipients. The collective objective is widespread credential harvesting, initial access brokerage, and the establishment of DDoS infrastructure.

Threat Actor / Malware Profile

TuxBot v3 / Gafgyt / Mirai (IoT Botnet)

  • Distribution: Telnet brute-force (1,496 credential pairs) exploiting over 30 IoT devices via known CVEs (CVE-2014-2321, CVE-2018-10562, etc.).
  • Payload Behavior: Modular C-based bot agents compiled for 17 architectures. Includes DDoS-for-hire capabilities.
  • C2 Communication: Go-based command-and-control server.
  • Persistence: IoT device infection via default credentials and unpatched firmware.
  • Anti-Analysis: Code partially generated using LLMs to evade signature detection and lower development barriers.

Miasma v3 (Supply Chain Worm)

  • Distribution: Compromised npm packages (@asyncapi/*) published via hijacked GitHub Actions OIDC tokens.
  • Payload Behavior: Worm capabilities previously seen in Red Hat packages, obfuscated via obfuscator.io.
  • Persistence: Dependency confusion; developers installing compromised packages introduce malware into build environments.
  • C2 Communication: Contacts hardcoded C2 infrastructure (e.g., 85.137.53.71).

Jalisco / OmegaLord (PhaaS / Credential Theft)

  • Distribution: AI-powered phishing campaigns, device code phishing.
  • Payload Behavior: "Jalisco" provisions fresh OAuth codes in real-time to defeat time-based controls; "OmegaLord" harvests credentials.
  • C2 Communication: Dynamic domains (e.g., authplanned.online, sessionopen0.site) used for phishing panels and data exfiltration.
  • Anti-Analysis: PhaaS kits obscure infrastructure rotation and use valid-looking SSL/TLS certificates.

Romanian Bulk Phishing Actor (Credential Harvesting)

  • Distribution: Compromised government terminal servers used to stage attacks via Gammadyne Mailer.
  • Payload Behavior: Phishing templates targeting retail/government; project files named 'dracii'.
  • Persistence: Terminal Server compromise allows persistent access for email spamming.

IOC Analysis

The indicators provided include a mix of network infrastructure, file hashes, and vulnerability identifiers.

  • IPv4 & Domains: SOC teams should immediately block the IPs 185.10.68.127 and 85.137.53.71 (TuxBot and Miasma C2s) and the specific domains associated with the Jalisco toolkit (e.g., authplanned.online, grantfundingapplications.com). These should be fed into firewall blocklists and DNS sinkholing solutions.
  • File Hashes: Multiple SHA256 hashes are provided for the Romanian phishing stager and MD5 for Jalisco components. These should be queried in EDR solutions to identify potential execution or staging on endpoints.
  • CVEs: The list of CVEs (e.g., CVE-2017-17215, CVE-2018-20062) is critical for vulnerability scanning. Organizations should scan their IoT footprint and external network perimeter for these specific vulnerabilities to prevent TuxBot infections.

Detection Engineering

Sigma Rules

YAML
title: Potential TuxBot or Miasma C2 Connection
id: 4a8f9c1e-5b6d-4c7e-8a3f-1d2e3f4a5b6c
description: Detects network connections to known Command and Control servers associated with TuxBot IoT botnet and Miasma worm.
author: Security Arsenal
date: 2026/07/15
status: stable
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|contains:
            - '185.10.68.127'
            - '85.137.53.71'
    filter:
        DestinationPort:
            - 80
            - 8080
            - 8081
            - 8091
    condition: selection
falsepositives:
    - Legitimate administrative access to these specific IPs (unlikely)
level: high

title: Suspicious Bulk Emailer Execution - Gammadyne Mailer
id: 7b2g1d3e-6c7a-4b9f-9b4c-2e3f4a5b6c7d
description: Detects the execution of Gammadyne Mailer (GMW.exe), often used in bulk phishing campaigns as observed in the Romanian threat actor activity.
author: Security Arsenal
date: 2026/07/15
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\GMW.exe'
            - '\Gammadyne Mailer.exe'
    condition: selection
falsepositives:
    - Authorized marketing campaigns using this software
level: medium

title: Suspicious AsyncAPI Npm Package Installation
id: 9c3h2f4g-7d8b-5c0a-0d5e-3f4a5b6c7d8e
description: Detects installation of specific compromised AsyncAPI npm packages associated with the Miasma v3 worm.
author: Security Arsenal
date: 2026/07/15
status: stable
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\npm.cmd'
            - '\node.exe'
        CommandLine|contains:
            - '@asyncapi/generator'
            - '@asyncapi/generator-helpers'
            - '@asyncapi/generator-components'
            - '@asyncapi/specs'
    condition: selection
falsepositives:
    - Legitimate developer installation of these packages (verify version)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known C2 infrastructure
DeviceNetworkEvents
| where RemoteIP in ("185.10.68.127", "85.137.53.71") 
   or RemoteUrl has_any ("obfuscator.io", "authplanned.online", "levaquin2us.top", "sessionopen0.site")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort

// Hunt for Phishing Stager File Hashes
DeviceFileEvents
| where SHA256 in (
    "13ac78f8f2ed76a03c85f0cdef07e5463aa64458303c0949090fcd81868ba8ca",
    "375c2c84e2ca022c565507523b75c9c08a455479861ea41fc9b9ff74b3453445",
    "5d2ad1795b0dfc4a58424b2fa2f002246f653b119d362954ae270b6998e9d575",
    "6c428acbd91be85fedf9cbb334457ddea08ff624d4de88041749578e968d62a8",
    "7fda5f10a2bc212daaa467484c56eb8abf3f3681f6405c5c2fac16d4124e44ca",
    "95fc58dc321b07ecc99d95359bcdee08a5beb519ead8e70e40f33928533a1b14",
    "c5ec55270af084d3c07d2918098d598bc2c5ca42f4189d69cdfcae2c958e5ec7"
    )
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Telnet activity indicating potential IoT Brute Force
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName =~ "telnet.exe"
| summarize count() by DeviceName, AccountName, Timestamp

PowerShell Hunt Script

PowerShell
# IOC Hunt Script: Check for Miasma C2 Domains in Hosts File and Gammadyne Process

Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Check Hosts file for malicious domains
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$MaliciousDomains = @("obfuscator.io", "authplanned.online", "levaquin2us.top", "sessionopen0.site")
$HostsContent = Get-Content $HostsPath

$Found = $false
foreach ($line in $HostsContent) {
    foreach ($domain in $MaliciousDomains) {
        if ($line -match $domain) {
            Write-Host "[ALERT] Malicious domain found in hosts file: $line" -ForegroundColor Red
            $Found = $true
        }
    }
}

if (-not $Found) {
    Write-Host "[INFO] No malicious domains found in hosts file." -ForegroundColor Green
}

# 2. Check for Gammadyne Mailer Process
$Process = Get-Process -Name "GMW" -ErrorAction SilentlyContinue
if ($Process) {
    Write-Host "[ALERT] Gammadyne Mailer process detected! PID: $($Process.Id)" -ForegroundColor Red
    $Process | Format-List *
} else {
    Write-Host "[INFO] Gammadyne Mailer process not found." -ForegroundColor Green
}

# 3. Check for recent AsyncAPI npm packages (Basic check)
# Note: This requires Node.js to be installed and npm global list accessible
try {
    $NpmList = npm list -g --depth=0 2>$null
    if ($NpmList -match "@asyncapi/generator") {
        Write-Host "[WARN] AsyncAPI generator package found in global npm." -ForegroundColor Yellow
    }
} catch {
    Write-Host "[INFO] npm not found or unable to list packages." -ForegroundColor Gray
}

Write-Host "Hunt Complete." -ForegroundColor Cyan

Response Priorities

  • Immediate:

    • Block all listed IPv4 addresses and domains at the firewall and proxy level.
    • Scan endpoints for the file hashes associated with the Romanian phishing stager.
    • Investigate any running instances of GMW.exe (Gammadyne Mailer) on corporate servers.
  • 24 Hours:

    • Audit Active Directory and Entra ID logs for OAuth token anomalies or "device code" authentication flows indicative of Jalisco toolkit usage.
    • Identify and quarantine developer workstations that may have pulled the compromised @asyncapi npm packages.
  • 1 Week:

    • Patch IoT devices and network edge equipment against the CVEs listed in the TuxBot pulse.
    • Review and harden CI/CD pipelines, specifically GitHub Actions OIDC permissions, to prevent supply chain hijacking.
    • Conduct a review of outbound Telnet/SSH traffic from the network to identify potential brute-force activity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsjalisco-toolkitmiasma-v3tuxbot-botnetphishing-aassupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.