
Lumma Remus, PCPJack & NuGet Supply Chain: Multi-Front Credential Theft Campaign

Security Arsenal Team
May 10, 2026
5 min read

Threat Summary

OTX pulses from 2026-05-11 show a concurrent surge in credential theft activity across attack vectors ranging from software supply chain compromise to cloud-native worming. Three threats dominate: the evolution of the Lumma Stealer family (now Remus), a supply chain attack via malicious NuGet packages, and the PCPJack cloud worm, which targets infrastructure credentials.

In parallel, critical PAN-OS zero-days (CVE-2026-1281 and CVE-2026-1340) are being actively exploited to gain root on firewalls, likely as a pivot point for network credential harvesting. A distinct APT campaign, Operation GriefLure, is using spear-phishing against military and healthcare targets in Southeast Asia.

Collective Objective: The overarching goal across these disparate campaigns is the exfiltration of high-value credentials—specifically browser cookies, cryptocurrency wallets, SSH keys, and cloud infrastructure keys.


Threat Actor / Malware Profile

1. Remus (Lumma Stealer 64-bit Variant)

  • Family: Lumma Stealer (Tenzor)
  • Distribution: Initially distributed via cracked software; recent samples use "EtherHiding", reading the current C2 address from a smart contract on the Ethereum blockchain through public RPC nodes, so takedowns of conventional C2 domains do not sever control.
  • Behavior: 64-bit infostealer targeting browser credentials, crypto wallets, and 2FA extensions; bypasses Chromium's application-bound encryption to decrypt saved cookies and passwords.
  • Anti-Analysis: Checks for virtual environments before running its stealer logic.

2. PCPJack

  • Type: Cloud Worm / Credential Thief
  • Target: Kubernetes clusters, Docker containers, and cloud environments.
  • Behavior: Propagates across exposed cloud infrastructure and evicts the rival TeamPCP threat actor to monopolize the host. Harvests credentials from developer tools and the cloud instance metadata service.
  • C2: Utilizes Sliver framework for C2 communication.

3. Malicious NuGet Campaign

  • Vector: Supply Chain (Typosquatting)
  • Technique: Impersonates popular Chinese UI libraries. Uses .NET Reactor to obfuscate payloads.
  • Payload: Deploys Quantum, AgentRacoon, and ArrowRAT.
  • Evasion: Rotates package versions (publishing updates) so that blocklists keyed on a single package hash go stale; track package ID and publisher, not only hashes.

IOC Analysis

Indicator Types:

  • Domains: High-volume C2 domains (e.g., dns-providersa2.com, forestoaker.com) and typosquatted infrastructure.
  • File Hashes: SHA256/SHA1 hashes for the malicious NuGet packages and PCPJack binaries.
  • CVEs: Critical vulnerabilities including CVE-2026-1281, CVE-2025-55182, and CVE-2025-29927.
  • IP Addresses: Scanning infrastructure associated with the PAN-OS exploitation attempts.

Operational Guidance: SOC teams should immediately import the listed domains and file hashes into EDR alerting rules. Block 149.104.66.84 and prioritize IPS signature updates for the PAN-OS CVEs. Given the use of EtherHiding, network teams should monitor for JSON-RPC requests (notably eth_call) to public Ethereum RPC endpoints from non-developer workstations.


Detection Engineering

Sigma Rules

YAML
title: Potential Malicious NuGet Package Execution
id: 5c8d4a1b-2e3f-4a5b-9c6d-7e8f9a0b1c2d
description: Detects nuget.exe or dotnet.exe (the processes that restore and execute package content) opening a network connection to C2 domains associated with the NuGet supply chain campaign.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000000/
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
logsource:
    category: network_connection
    product: windows
detection:
    # Image is the process field in network_connection events; Initiated is only a true/false flag
    selection_process:
        Image|endswith:
            - '\nuget.exe'
            - '\dotnet.exe'
    selection_c2:
        DestinationHostname|endswith:
            - 'dns-providersa2.com'
            - 'git.justdotrip.com'
    condition: selection_process and selection_c2
falsepositives:
    - Unlikely; the destination list is specific to this campaign
level: critical
---
title: Lumma Remus and PCPJack C2 Communication
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Identifies network connections to domains associated with Lumma Stealer (Remus), PCPJack, and credential theft infrastructure.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000001/
logsource:
    category: network_connection
    product: windows
detection:
    selection_malware:
        DestinationHostname|contains:
            - 'forestoaker.com'
            - 'krondez.com'
            - 'baxe.pics'
            - 'vinte.online'
            - 'coox.live'
            - 'lastpass-login-help.com'
    condition: selection_malware
falsepositives:
    - Unknown
level: high
---
title: PAN-OS Captive Portal Exploitation Attempt
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects potential exploitation attempts against the PAN-OS User-ID Authentication Portal vulnerability (CVE-2026-1281), i.e. requests to the portal paths that carry a plain or URL-encoded dot-segment (path traversal) or a scanner User-Agent.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000004/
logsource:
    category: webserver
    product: pan-os
detection:
    selection_path:
        c-uri|contains:
            - '/cgi-bin/useridLogin.cgi'
            - '/api/'
    # matches '..', '.%2e', '%2e.' and '%2e%2e' in either case
    selection_traversal:
        c-uri|re: '(\.|%2[eE]){2}'
    selection_scanner:
        cs-user-agent|contains:
            - 'sqlmap'
            - 'nmap'
    condition: selection_path and (selection_traversal or selection_scanner)
falsepositives:
    - Authorized vulnerability scans of the management or portal interface
level: critical
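
The three Sigma rules above, plus the EtherHiding check from the IOC guidance, implemented as Python detection logic and run over constructed sample events. This is an added example, not Security Arsenal's code; field names follow Sysmon/Sigma conventions, the sample events are constructed, and the public RPC host list and the `DEV-` hostname prefix for developer machines are assumptions.

```python
"""Reference implementation of the detection rules on this page, run over
constructed sample events. Added example; not Security Arsenal's code."""
import json
from urllib.parse import unquote

# Indicator lists taken from the Sigma rules above.
NUGET_C2 = {"dns-providersa2.com", "git.justdotrip.com"}
STEALER_C2 = {"forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
              "coox.live", "lastpass-login-help.com"}
BUILD_TOOLS = {"nuget.exe", "dotnet.exe"}
SCANNER_UA = ("sqlmap", "nmap")
# Assumption: public JSON-RPC endpoints an ordinary workstation has no reason to reach.
ETH_RPC_HOSTS = {"cloudflare-eth.com", "mainnet.infura.io", "bsc-dataseed.binance.org"}
DEV_HOST_PREFIX = "DEV-"   # assumption: naming convention for developer machines


def host_matches(hostname, domains):
    """Exact or subdomain match; avoids 'contains' false hits such as notcoox.live."""
    h = (hostname or "").lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def rule_nuget_c2(ev):
    """Rule 1: nuget.exe/dotnet.exe connecting to NuGet-campaign C2."""
    image = (ev.get("Image") or "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return image in BUILD_TOOLS and host_matches(ev.get("DestinationHostname"), NUGET_C2)


def rule_stealer_c2(ev):
    """Rule 2: any process connecting to Remus/PCPJack/phishing infrastructure."""
    return host_matches(ev.get("DestinationHostname"), STEALER_C2)


def rule_panos_portal(ev):
    """Rule 3: portal path plus a dot-segment (after decoding) or a scanner User-Agent."""
    uri = ev.get("c-uri") or ""
    on_portal = "/cgi-bin/useridLogin.cgi" in uri or "/api/" in uri
    decoded = unquote(unquote(uri))          # second pass catches %252e
    traversal = ".." in decoded
    ua = (ev.get("cs-user-agent") or "").lower()
    return on_portal and (traversal or any(s in ua for s in SCANNER_UA))


def rule_eth_rpc(ev):
    """EtherHiding guidance: eth_call JSON-RPC to a public node from a non-developer host."""
    if not host_matches(ev.get("DestinationHostname"), ETH_RPC_HOSTS):
        return False
    try:
        body = json.loads(ev.get("RequestBody") or "")
    except json.JSONDecodeError:
        return False
    host = (ev.get("Computer") or "").upper()
    return body.get("method") == "eth_call" and not host.startswith(DEV_HOST_PREFIX)


RULES = {
    "nuget_c2": rule_nuget_c2,
    "stealer_c2": rule_stealer_c2,
    "panos_portal": rule_panos_portal,
    "eth_rpc_nondev": rule_eth_rpc,
}


def run_rules(events):
    """Return [(rule_name, event_index)] for every event that matches a rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\dotnet\dotnet.exe", "DestinationHostname": "api.nuget.org"},
    {"Image": r"C:\Program Files\dotnet\dotnet.exe", "DestinationHostname": "cdn.dns-providersa2.com"},
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "forestoaker.com"},
    {"Image": r"C:\Windows\explorer.exe", "DestinationHostname": "notcoox.live"},
    {"c-uri": "/cgi-bin/useridLogin.cgi?user=.%2e/.%2e/etc/passwd", "cs-user-agent": "Mozilla/5.0"},
    {"c-uri": "/api/?type=op", "cs-user-agent": "sqlmap/1.8"},
    {"c-uri": "/api/?type=op", "cs-user-agent": "PAN-OS-Client"},
    {"Computer": "HR-LAPTOP-07", "DestinationHostname": "cloudflare-eth.com",
     "RequestBody": '{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0x00"},"latest"],"id":1}'},
    {"Computer": "DEV-BUILD-02", "DestinationHostname": "cloudflare-eth.com",
     "RequestBody": '{"jsonrpc":"2.0","method":"eth_call","params":[],"id":1}'},
]

if __name__ == "__main__":
    for name, idx in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] event {idx}: {SAMPLE_EVENTS[idx]}")
```

Two points the Sigma text does not make explicit: domain matching is exact-or-subdomain rather than substring, so `notcoox.live` does not fire, and the PAN-OS check decodes the URI twice so that `.%2e`, `%2e%2e` and `%252e` all collapse to `..` before the test.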

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for malicious domains and IPs related to Infostealers and Cloud Worms
let Domains = dynamic(["dns-providersa2.com", "forestoaker.com", "krondez.com", "lastpass-login-help.com"]);
let IPs = dynamic(["149.104.66.84"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any(Domains) or RemoteIP in (IPs)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
// bag_pack replaces the deprecated pack() alias
| extend AlertContext = bag_pack("Device", DeviceName, "Process", InitiatingProcessFileName, "RemoteUrl", RemoteUrl)

PowerShell Hunt Script

PowerShell
# IOC Hunter for NuGet Malware and PCPJack Hashes
# The indicators mix algorithms; hash length identifies which one produced it:
# 32 hex chars = MD5, 40 = SHA1, 64 = SHA256.
$TargetHashes = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "6c6cbed6aad96564ed87094785be07a1"
)
$HashesByAlgo = @{ 'MD5' = @(); 'SHA1' = @(); 'SHA256' = @() }
foreach ($h in $TargetHashes) {
    switch ($h.Length) {
        32      { $HashesByAlgo['MD5']    += $h.ToUpper() }
        40      { $HashesByAlgo['SHA1']   += $h.ToUpper() }
        64      { $HashesByAlgo['SHA256'] += $h.ToUpper() }
        default { Write-Warning "Skipping indicator with unexpected length: $h" }
    }
}
$Algos = @($HashesByAlgo.Keys | Where-Object { $HashesByAlgo[$_].Count -gt 0 })

Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Cyan

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    # -File skips directories. Get-FileHash accepts a single -Algorithm per call,
    # so each file is hashed once per algorithm that actually has indicators.
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        foreach ($Algo in $Algos) {
            $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
            if ($Hash -and ($Hash -in $HashesByAlgo[$Algo])) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) | $Algo $Hash" -ForegroundColor Red
            }
        }
    }
}

# Check for suspicious NuGet cache (NUGET_PACKAGES overrides the default global-packages folder)
$NugetPath = if ($env:NUGET_PACKAGES) { $env:NUGET_PACKAGES } else { Join-Path $env:USERPROFILE ".nuget\packages" }
if (Test-Path $NugetPath) {
    Write-Host "Checking NuGet packages for recent suspicious activity..." -ForegroundColor Cyan
    Get-ChildItem -Path $NugetPath -Recurse -Filter "*.nupkg" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
        Select-Object FullName, LastWriteTime
}


---

Response Priorities

  • Immediate (0-4h):

    • Block all listed domains and IPs (149.104.66.84, dns-providersa2.com, lastpass-login-help.com) at the perimeter and proxy.
    • Identify and isolate hosts communicating with PAN-OS exploitation IPs; validate firewall logs for CVE-2026-1281.
    • Execute the PowerShell hunt script on developer workstations and build servers to locate malicious NuGet packages.
  • Within 24h:

    • Force password resets for cloud and developer credentials if activity related to PCPJack is suspected or found.
    • Audit all NuGet package sources in enterprise CI/CD pipelines; remove any untrusted or public feeds.
    • Review Kubernetes and Docker logs for signs of PCPJack worm propagation (e.g., unexpected container eviction).
  • Within 1 Week:

    • Patch PAN-OS devices to fixed versions for CVE-2026-1281 and CVE-2026-1340; until patched, restrict reachability of the authentication portal to trusted networks.
    • Implement strict allow-listing for NuGet package sources.
    • Enhance egress filtering to block access to public Ethereum RPC nodes from non-approved endpoints to counter EtherHiding techniques.
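
The NuGet source audit and allow-listing steps above, as a Python check over a nuget.config. This is an added example, not Security Arsenal's code or tooling; the allowed feed list, the corporate mirror URL and the `Corp.*` package prefix are assumptions, and both configs are constructed for the demonstration.

```python
"""Audit a nuget.config for feed allow-listing, source mapping and signature
enforcement. Added example; not Security Arsenal's code."""
import xml.etree.ElementTree as ET

# Assumption: the organisation's approved feeds (a corporate mirror plus nuget.org).
ALLOWED_SOURCES = {
    "https://api.nuget.org/v3/index.json",
    "https://nuget.corp.example/v3/index.json",
}


def audit_nuget_config(xml_text, allowed=ALLOWED_SOURCES):
    """Return a list of findings; an empty list means the config passes."""
    root = ET.fromstring(xml_text)
    findings = []

    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources> block: every feed is inherited from user/machine-level config"]
    # Without <clear />, feeds from the user-level and machine-wide NuGet.Config
    # are merged in, so a public feed a developer added locally still applies.
    if sources.find("clear") is None:
        findings.append("<packageSources> lacks <clear />: user/machine-level feeds are inherited")
    for add in sources.findall("add"):
        key, url = add.get("key", "?"), add.get("value", "")
        if url.lower().startswith("http://"):
            findings.append(f"source '{key}' uses plaintext HTTP: {url}")
        if url.rstrip("/") not in allowed:
            findings.append(f"source '{key}' is not on the allow-list: {url}")

    # Package source mapping pins package-id patterns to specific feeds; without
    # it any configured feed can satisfy any id, which typosquats rely on.
    if root.find("packageSourceMapping") is None:
        findings.append("no <packageSourceMapping>: any feed may satisfy any package id")

    mode = None
    config = root.find("config")
    if config is not None:
        for add in config.findall("add"):
            if add.get("key") == "signatureValidationMode":
                mode = add.get("value")
    if mode != "require":
        findings.append("signatureValidationMode is not 'require': packages need not carry a trusted signature")
    return findings


# Constructed configs (not taken from any real pipeline).
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="mirror" value="http://nuget-mirror.example/v3/index.json" />
  </packageSources>
</configuration>"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="corp" value="https://nuget.corp.example/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="corp">
      <package pattern="Corp.*" />
    </packageSource>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
  <config>
    <add key="signatureValidationMode" value="require" />
  </config>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_nuget_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it against every nuget.config checked into build repositories and CI agent images; the hardened shape is the target state. NuGet resolves a package id to the source whose mapping pattern matches most specifically, so `Corp.*` goes to the internal mirror even though nuget.org maps `*`. With `signatureValidationMode` set to `require`, NuGet also expects a `<trustedSigners>` section naming the accepted author or repository certificates.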
