
LeakNet Ransomware, Hydra Saiga Espionage, and notnullOSX: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 17, 2026

Recent OTX pulses highlight a convergence of sophisticated tactics across ransomware, state-sponsored espionage, and financial theft. LeakNet, a ransomware operator, has scaled operations by abandoning initial access brokers in favor of direct campaigns using ClickFix social engineering and a novel Deno-based in-memory loader. Their post-exploitation involves jli.dll side-loading and PsExec lateral movement.

Parallel to this, Hydra Saiga, a suspected Kazakhstani state-sponsored actor, continues its covert espionage campaign against critical infrastructure (Energy, Water, Government) across Central Asia and the EMEA region. The group utilizes custom implants (JLORAT, Telemiris) and leverages the Telegram Bot API for C2 communications to blend in with normal traffic.

Finally, the threat actor alh1mik has resurfaced with notnullOSX, a Go-written macOS stealer targeting high-value cryptocurrency wallets (> $10k). Distribution relies on ClickFix lures and malicious DMG files, sharing the social engineering vector observed in the LeakNet campaign.

Threat Actor / Malware Profile

LeakNet (Ransomware Operator)

  • Objective: Data extortion and encryption for ransom.
  • Distribution: ClickFix tech support scams on compromised websites; compromised S3 buckets.
  • Payload Behavior: Uses a Deno-based loader to execute payloads in-memory, avoiding disk signatures.
  • Persistence & Lateral Movement: Side-loads jli.dll; uses PsExec for internal propagation.

Hydra Saiga (Nation-State)

  • Objective: Long-term espionage and infiltration of critical utilities.
  • Malware: JLORAT, Telemiris (Custom implants).
  • C2 Communication: Uses Telegram Bot API, making traffic detection difficult due to the ubiquity of Telegram.
  • Techniques: Living off the Land (LotL) binaries, likely leveraging valid certificates to sign malware.
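The Bot API is the part of Telegram that does leak an implant's presence: every call embeds the bot token in the URL path (https://api.telegram.org/bot<bot-id>:<token>/<method>), which a person using the Telegram client or web.telegram.org never produces, and a tasking loop shows up as fixed-interval getUpdates calls. The script below is an added example for this write-up, not code from the OTX pulses or from the Security Arsenal tooling on this page. It assumes a simplified proxy log format ("<iso-timestamp> <client-ip> <method> <url> <user-agent>"), a constructed set of sample lines with placeholder tokens, a list of user-agent prefixes treated as browsers, and a 5-second jitter tolerance for calling a cadence "polling"; all of those are assumptions, not pulse data.

```python
"""Triage proxy logs for Telegram Bot API use that is not a person chatting.

Added example, not code from the OTX pulses or the Security Arsenal page.
Assumptions (constructed): the log format, the browser UA markers and the
polling jitter tolerance. The Bot API URL shape is Telegram's documented one.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Bot API calls carry the bot token in the path; client and web traffic never does.
BOT_API = re.compile(r"^https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)
BROWSER_UA_MARKERS = ("Mozilla/", "Chrome/", "Firefox/", "Safari/")  # assumption: what counts as a browser
POLL_JITTER_S = 5  # assumption: gaps within this spread of each other count as a fixed beacon interval

# Constructed sample lines (not real traffic); the tokens are placeholders.
SAMPLE_LOG = """\
2026-04-17T09:00:00 10.1.2.3 POST https://api.telegram.org/bot7340001122:AAFexample-token-one/getUpdates python-requests/2.31
2026-04-17T09:00:30 10.1.2.3 POST https://api.telegram.org/bot7340001122:AAFexample-token-one/getUpdates python-requests/2.31
2026-04-17T09:01:00 10.1.2.3 POST https://api.telegram.org/bot7340001122:AAFexample-token-one/sendDocument python-requests/2.31
2026-04-17T09:01:05 10.1.2.9 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2026-04-17T09:02:00 10.1.2.7 POST https://api.telegram.org/bot5550009999:BBGexample-token-two/sendMessage Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
"""


def parse_line(line):
    """Split one log line into its five fields; the user agent may itself contain spaces."""
    ts, client, method, url, user_agent = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, method, url, user_agent


def is_browser(user_agent):
    return any(marker in user_agent for marker in BROWSER_UA_MARKERS)


def triage(log_text):
    """Return one finding per (client, bot id) seen calling the Bot API, highest severity first."""
    sessions = defaultdict(lambda: {"times": [], "methods": set(), "agents": set(), "token_hint": ""})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, user_agent = parse_line(line)
        match = BOT_API.match(url)
        if match is None:
            continue  # web.telegram.org or ordinary client traffic: not a Bot API call
        bot_id, token, api_method = match.groups()
        session = sessions[(client, bot_id)]
        session["times"].append(ts)
        session["methods"].add(api_method)
        session["agents"].add(user_agent)
        session["token_hint"] = token[:4] + "..."  # enough to pivot on without logging a usable credential

    findings = []
    for (client, bot_id), session in sessions.items():
        times = sorted(session["times"])
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        non_browser = any(not is_browser(agent) for agent in session["agents"])
        findings.append({
            "client": client,
            "bot_id": bot_id,
            "token_hint": session["token_hint"],
            "methods": sorted(session["methods"]),
            "calls": len(times),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            # A fixed-interval getUpdates loop is how a Bot API implant receives tasking.
            "polling": bool(gaps) and (max(gaps) - min(gaps)) <= POLL_JITTER_S,
            # A non-browser UA on the Bot API host is the strongest signal; a browser UA there is still odd.
            "severity": "high" if non_browser else "medium",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["client"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, 10.1.2.3 is reported as high severity with a 30-second getUpdates cadence and a sendDocument call (the exfiltration-capable method), while the web.telegram.org request from 10.1.2.9 is ignored entirely. The bot id and a token prefix are enough to pivot across hosts; the full token is deliberately not written to the finding, since anyone with it can read the operator's inbox.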

notnullOSX (Financial Theft)

  • Actor: alh1mik (formerly 0xFFF).
  • Objective: Theft of cryptocurrency wallets and browser data.
  • Targeting: macOS users specifically holding >$10k in crypto.
  • Distribution: ClickFix lures + malicious DMG installers.

IOC Analysis

  • Domains: 15+ domains identified across campaigns (e.g., okobojirent.com, allcloudindex.com, coockie.pro). SOC teams should immediately block these at the DNS layer and inspect logs for any historical resolution or connection attempts.
  • IPv4: 83.217.209.88 associated with notnullOSX infrastructure.
  • File Hashes (SHA256): 7 specific hashes for the notnullOSX stealer binaries. These should be added to EDR blocklists and used to hunt for dropped files on macOS endpoints.
  • Operationalization: Use SIEM correlations to alert on DNS requests to the listed domains. For macOS fleets, execute a hash scan of the /Applications and ~/Downloads directories.
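A hash sweep of the recommended directories is easy to get wrong in two ways: hashing every file on a developer laptop takes hours, and a stealer delivered in a DMG may still be sitting in ~/Downloads as the container rather than as an extracted binary. The script below is an added example for this write-up, not code from the OTX pulses or the Security Arsenal page. It does not reproduce the seven notnullOSX hashes; the caller supplies them as one hex digest per line. By default it hashes only Mach-O executables (recognised by magic number, so .app bundle binaries are covered) and .dmg/.pkg/.zip containers, sweeping /Applications and ~/Downloads; those defaults and the constructed sample used in the self-test are assumptions.

```python
"""SHA256 sweep of macOS application and download directories against an IOC list.

Added example, not code from the OTX pulses or the Security Arsenal page.
The IOC hashes come from the caller (none are embedded here). Assumptions:
the default directories and the file types considered worth hashing.
"""
import hashlib
import os
import sys
from pathlib import Path

DEFAULT_DIRS = ["/Applications", str(Path.home() / "Downloads")]
CONTAINER_SUFFIXES = {".dmg", ".pkg", ".zip"}  # assumption: delivery containers worth hashing whole
# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat/universal header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large DMGs do not get read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_macho(path):
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def load_iocs(lines):
    """Normalise a hash list: lower-case, drop blanks and comments, keep only 64-hex digests."""
    iocs = set()
    for line in lines:
        value = line.split("#", 1)[0].strip().lower()
        if len(value) == 64 and all(c in "0123456789abcdef" for c in value):
            iocs.add(value)
    return iocs


def scan(dirs, ioc_hashes, hash_all=False):
    """Walk dirs, hash candidate files and return (hits, number_of_files_hashed)."""
    iocs = load_iocs(ioc_hashes)
    hits, hashed = [], 0
    for top in dirs:
        for root, _subdirs, files in os.walk(top):  # does not follow symlinked directories
            for name in files:
                path = Path(root) / name
                try:
                    if path.is_symlink() or not path.is_file():
                        continue
                    if not (hash_all or path.suffix.lower() in CONTAINER_SUFFIXES or is_macho(path)):
                        continue
                    digest = sha256_file(path)
                except OSError:  # unreadable (permissions, SIP-protected, vanished mid-scan)
                    continue
                hashed += 1
                if digest in iocs:
                    hits.append({"path": str(path), "sha256": digest})
    return hits, hashed


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: hashsweep.py <ioc-hashes.txt> [dir ...]")
    with open(sys.argv[1]) as fh:
        ioc_list = fh.readlines()
    found, count = scan(sys.argv[2:] or DEFAULT_DIRS, ioc_list)
    print(f"[*] hashed {count} candidate files")
    for hit in found:
        print(f"[!] IOC MATCH {hit['sha256']}  {hit['path']}")
    sys.exit(1 if found else 0)
```

Run it as `python3 hashsweep.py notnullosx-sha256.txt` on each endpoint (or push it through your MDM) and treat a non-zero exit as a quarantine trigger. Pass `hash_all=True` when hunting a sample that is not a Mach-O or one of the container types, at the cost of sweep time. A match on a .dmg in ~/Downloads with no matching binary under /Applications usually means the user opened the image and ran the stealer straight from the mounted volume, so check /Volumes and the unified log for the mount as well.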

Detection Engineering

Sigma Rules

YAML
---
title: Potential LeakNet Deno In-Memory Loader Execution
id: 4f8c3b1a-9c0d-4e5f-8a2b-1c3d4e5f6a7b
description: Detects the Deno runtime executing from outside a known developer install location, matching the Deno-based in-memory loader dropped by LeakNet ClickFix lures. Pair with the jli.dll image-load rule below; side-loading does not surface on the command line.
status: experimental
author: Security Arsenal
date: 2026-04-17
tags:
  - attack.execution
  - attack.t1059
  - attack.t1204.004
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\deno.exe'
  filter_dev_install:
    Image|contains:
      - '\.deno\bin\'
      - '\scoop\apps\'
      - '\ProgramData\chocolatey\'
  condition: selection and not filter_dev_install
falsepositives:
  - Developers running Deno from a location not listed in filter_dev_install; extend the filter from your software inventory
level: high
---
title: Potential jli.dll Side-Loading (LeakNet)
id: 7c1f6e4d-2f3a-4b8c-9d1e-4f5a6b7c8d9e
description: Detects jli.dll, the Java launcher library shipped in every JDK/JRE bin directory, being loaded from a path outside a Java installation. LeakNet places a malicious jli.dll next to a legitimate signed launcher so the launcher loads it.
status: experimental
author: Security Arsenal
date: 2026-04-17
tags:
  - attack.defense_evasion
  - attack.persistence
  - attack.t1574.002
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|endswith: '\jli.dll'
  filter_java_install:
    ImageLoaded|contains:
      - '\Java\'
      - '\jdk'
      - '\jre'
      - '\Eclipse Adoptium\'
      - '\Zulu\'
      - '\Amazon Corretto\'
  condition: selection and not filter_java_install
falsepositives:
  - Applications that bundle a private JRE (IDEs, some installers); add their paths to filter_java_install
level: high
---
title: Hydra Saiga Telegram Bot API C2 Activity
id: 5a9d4c2b-0d1e-4f6a-8b3c-2d4e5f6a7b8c
description: Detects processes other than browsers and the Telegram desktop client connecting to api.telegram.org, the Bot API host used as a C2 channel by the Hydra Saiga implants (JLORAT, Telemiris).
status: experimental
author: Security Arsenal
date: 2026-04-17
tags:
  - attack.command_and_control
  - attack.t1071.001
  - attack.t1102.002
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|endswith: 'api.telegram.org'
  filter_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
      - '\brave.exe'
  filter_telegram_client:
    Image|endswith: '\Telegram.exe'
  condition: selection and not 1 of filter_*
falsepositives:
  - Internal automation or monitoring bots that legitimately use the Bot API; allow-list them by image path and account rather than widening the filter
  - Malware running inside a browser process is masked by filter_browsers; corroborate with proxy logs, where the /bot<token>/ path is visible
level: medium
---
title: notnullOSX ClickFix Delivery and Execution on macOS
id: 6b0e5d3c-1e2f-4a7b-9c0d-3e4f5a6b7c8d
description: Detects the notnullOSX delivery chain. A shell pasted from a ClickFix lure that fetches and pipes a remote script, a scripted (non-Finder) disk image mount, or a binary executing straight out of a mounted DMG or a temp directory instead of an installed application.
status: experimental
author: Security Arsenal
date: 2026-04-17
tags:
  - attack.execution
  - attack.t1059.004
  - attack.t1204.004
logsource:
  category: process_creation
  product: macos
detection:
  selection_clickfix_shell:
    Image|endswith:
      - '/bash'
      - '/zsh'
      - '/sh'
    CommandLine|contains: 'curl '
  selection_clickfix_pipe:
    CommandLine|contains:
      - '| bash'
      - '| sh'
      - '| zsh'
      - 'base64 -d'
      - 'base64 --decode'
  selection_scripted_mount:
    Image|endswith: '/hdiutil'
    CommandLine|contains: 'attach'
    ParentImage|endswith:
      - '/bash'
      - '/zsh'
      - '/sh'
  selection_exec_from_image_or_tmp:
    Image|startswith:
      - '/Volumes/'
      - '/private/tmp/'
      - '/tmp/'
  condition: (selection_clickfix_shell and selection_clickfix_pipe) or selection_scripted_mount or selection_exec_from_image_or_tmp
falsepositives:
  - curl-pipe-shell installers run deliberately by administrators (Homebrew-style), and installers that run from a mounted DMG
  - Build and packaging pipelines that mount disk images from scripts
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for LeakNet, Hydra Saiga and notnullOSX network IOCs over the last 30 days.
// has_any does term matching, so full URLs with paths and sub-domains of the listed domains also match;
// the original in~ comparison only matched an exact, bare hostname.
let LeakNetDomains = dynamic(["okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
                              "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com"]);
let HydraSaigaDomains = dynamic(["allcloudindex.com", "docworldme.com", "pweobmxdlboi.com", "wincorpupdates.com", "adm-govuz.com"]);
let NotnullDomains = dynamic(["coockie.pro"]);
let NotnullIp = "83.217.209.88";
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (LeakNetDomains) or RemoteUrl has_any (HydraSaigaDomains)
     or RemoteUrl has_any (NotnullDomains) or RemoteIP == NotnullIp
| extend ThreatActor = case(
    RemoteUrl has_any (LeakNetDomains), "LeakNet",
    RemoteUrl has_any (HydraSaigaDomains), "Hydra Saiga",
    "notnullOSX")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, ThreatActor
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# LeakNet and notnullOSX IOC Hunter
# Checks for Deno processes, jli.dll loaded from outside a Java installation, DNS cache hits for the
# listed domains, and live TCP connections to the notnullOSX IP.
# Run elevated: enumerating modules of other users' processes fails without it.
#Requires -RunAsAdministrator

$suspiciousDomains = @(
    "okobojirent.com", "mshealthmetrics.com", "serialmenot.com", "neremedysoft.com",
    "cnoocim.com", "apiclofront.com", "crahdhduf.com", "delhedghogeggs.com",
    "allcloudindex.com", "docworldme.com", "pweobmxdlboi.com", "wincorpupdates.com",
    "adm-govuz.com", "coockie.pro"
)
$c2Ip = "83.217.209.88"

Write-Host "[*] Checking for Deno processes (LeakNet)..."
$denoProcesses = @(Get-Process -Name "deno" -ErrorAction SilentlyContinue)
if ($denoProcesses.Count -gt 0) {
    Write-Host "[!] ALERT: Deno process found:" -ForegroundColor Red
    # The image path is the key triage field: a loader dropped by ClickFix will not live under a developer install directory.
    $denoProcesses | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
} else {
    Write-Host "[-] No Deno process found." -ForegroundColor Green
}

Write-Host "[*] Checking for jli.dll loaded outside a Java installation (LeakNet side-loading)..."
# jli.dll is the Java launcher library; a copy loaded from anywhere other than a JDK/JRE directory is the side-loading pattern.
$jliLoads = foreach ($proc in Get-Process) {
    $procModules = try { $proc.Modules } catch { @() }   # protected or other-session processes throw here
    foreach ($module in $procModules) {
        if ($module.ModuleName -ieq "jli.dll" -and $module.FileName -notmatch '\\(Java|jdk|jre)') {
            [pscustomobject]@{
                Process     = $proc.ProcessName
                PID         = $proc.Id
                ProcessPath = $proc.Path
                Module      = $module.FileName
            }
        }
    }
}
if ($jliLoads) {
    Write-Host "[!] ALERT: jli.dll loaded from a non-Java path:" -ForegroundColor Red
    $jliLoads | Format-Table -AutoSize
} else {
    Write-Host "[-] No suspicious jli.dll loads detected." -ForegroundColor Green
}

Write-Host "[*] Checking DNS cache for suspicious domains..."
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
$foundDomains = foreach ($domain in $suspiciousDomains) {
    # Match the domain itself and any sub-domain, but not unrelated names that merely contain it.
    if ($dnsCache | Where-Object { $_.Entry -ieq $domain -or $_.Entry -like "*.$domain" }) { $domain }
}
if ($foundDomains) {
    Write-Host "[!] ALERT: Found suspicious domains in DNS cache:" -ForegroundColor Red
    $foundDomains | ForEach-Object { Write-Host " - $_" }
} else {
    Write-Host "[-] No suspicious domains in DNS cache." -ForegroundColor Green
}

Write-Host "[*] Checking for TCP connections to $c2Ip (notnullOSX)..."
$connections = Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue
if ($connections) {
    Write-Host "[!] ALERT: Connection to C2 IP detected:" -ForegroundColor Red
    $connections | Select-Object LocalAddress, LocalPort, RemotePort, State, OwningProcess,
        @{ Name = "Process"; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
        Format-Table -AutoSize
} else {
    Write-Host "[-] No connections to C2 IP found." -ForegroundColor Green
}

Response Priorities

  • Immediate:

    • Block all listed domains and the IP 83.217.209.88 on perimeter firewalls and DNS resolvers.
    • Quarantine endpoints matching the notnullOSX file hashes.
    • Hunt for and kill any running deno.exe processes not associated with approved development work.
  • 24 Hours:

    • Initiate credential resets for users who may have interacted with ClickFix lures (specifically targeting finance/admin teams).
    • Review logs for access to S3 buckets (LeakNet vector) and verify permission boundaries.
    • Isolate macOS endpoints with evidence of DMG mounting from untrusted sources.
  • 1 Week:

    • Implement strict egress filtering for Telegram API usage for non-browser applications (Hydra Saiga).
    • Conduct security awareness training focused on "ClickFix" (fake browser error/captchas requiring terminal commands).
    • Review and restrict the use of development tools (like Deno) on production endpoints.
