
Lumma Stealer, PCPJack Cloud Worm, and PAN-OS Zero-Day Activity: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 8, 2026
6 min read

Recent OTX pulses indicate a surge in multi-vector credential theft campaigns targeting developers, cloud infrastructure, and perimeter network devices. The threat landscape is dominated by the evolution of the Lumma Stealer family (now as the 64-bit "Remus" variant), a new cloud-native worm dubbed PCPJack, and a critical PAN-OS zero-day exploitation (CVE-2023-33538) allowing unauthenticated RCE. Concurrently, the Operation GriefLure APT campaign continues to target military and healthcare sectors in Southeast Asia using living-off-the-land techniques.

Collectively, these campaigns highlight a shift towards "credential harvesting at scale": attacking build pipelines (NuGet), cloud control planes (Kubernetes/Docker), and edge firewalls to harvest identities and establish persistence.

Threat Actor / Malware Profile

Lumma Stealer (Remus Variant)

  • Distribution: Typosquatting malicious NuGet packages (e.g., impersonating Chinese UI libraries) and phishing campaigns.
  • Behavior: A 64-bit infostealer targeting browser credentials, cryptocurrency wallets (MetaMask, Exodus), SSH keys, and local files.
  • C2 Communication: Utilizes "EtherHiding" (blockchain-based C2) to evade takedowns; standard HTTPS C2 to domains like forestoaker.com and krondez.com.
  • Anti-Analysis: Employs application-bound encryption bypasses and specific checks for virtual environments.
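As an added example (not code from the original post), a small audit for the NuGet typosquatting vector described above: it pulls PackageReference names out of a project file and flags any name that is not a vetted package but sits within a short edit distance of one, including pure separator swaps such as a "-" for a ".". The allow-list, the sample project file and every package name in it are constructed; AntDesign simply stands in for whichever popular UI library a squat would imitate.

```python
"""Flag NuGet PackageReference names that look like typosquats of vetted packages.
Added example: allow-list, sample project file and package names are constructed."""
import xml.etree.ElementTree as ET

# Constructed allow-list of packages the organisation has vetted on its internal feed.
# AntDesign stands in for any popular UI library a typosquat would imitate.
KNOWN_PACKAGES = {
    "Newtonsoft.Json",
    "Microsoft.Extensions.Logging",
    "Serilog",
    "AntDesign",
    "BootstrapBlazor",
}

# Constructed sample .csproj: two vetted references and three look-alikes.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Newtonsoft.Jsom" Version="13.0.3" />
    <PackageReference Include="Newtonsoft-Json" Version="13.0.3" />
    <PackageReference Include="AntDesing" Version="0.18.0" />
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalise(name):
    """Case- and separator-insensitive form: 'Newtonsoft-Json' becomes 'newtonsoftjson'."""
    return name.lower().replace(".", "").replace("-", "").replace("_", "")


def package_references(csproj_xml):
    """Return every PackageReference Include name, ignoring any XML namespace prefix."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Include") for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "PackageReference" and el.get("Include")]


def find_typosquats(package_names, known=KNOWN_PACKAGES, max_distance=2):
    """Return (referenced, lookalike, distance) for each package that is not an exact
    (case-insensitive) vetted name but sits within max_distance edits of one. A
    distance of 0 means only case or separators differ, e.g. '-' swapped for '.'."""
    known_lower = {k.lower() for k in known}
    findings = []
    for pkg in package_names:
        if pkg.lower() in known_lower:
            continue  # vetted package, spelled as it is on the feed
        for original in sorted(known):
            d = levenshtein(normalise(pkg), normalise(original))
            if d <= max_distance:
                findings.append((pkg, original, d))
    return findings


if __name__ == "__main__":
    for pkg, lookalike, d in find_typosquats(package_references(SAMPLE_CSPROJ)):
        print(f"[!] {pkg!r} is {d} edit(s) from vetted package {lookalike!r}")
```

Run it against each .csproj or Directory.Packages.props in a repository with the organisation's real allow-list; anything it reports should be compared against the hashes and domains in the IOC section before the package is allowed to restore.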

PCPJack

  • Distribution: Exploits vulnerabilities in exposed cloud infrastructure (CVE-2025-29927, CVE-2026-1357).
  • Behavior: A sophisticated worm that propagates across Kubernetes and Docker environments, specifically hunting for and evicting the "TeamPCP" threat actor while stealing cloud provider credentials, AWS/GCP keys, and application passwords.
  • Payload: Uses the Sliver C2 framework for post-exploitation.

CL-STA-1132 (PAN-OS Exploit)

  • Distribution: Direct exploitation of PAN-OS User-ID Authentication Portal (buffer overflow).
  • Behavior: Unauthenticated Remote Code Execution (RCE) with root privileges.
  • Tools: Deploys EarthWorm and ReverseSocks5 for tunneling and lateral movement.

Operation GriefLure

  • Targeting: Viettel (Vietnam Military Telecom) and St. Luke's Medical Center (Philippines).
  • Behavior: Spear-phishing using weaponized legal documents. Uses DLL sideloading (sfsvc.exe, 360.dll) to execute payloads.

IOC Analysis

The provided indicators span multiple infrastructure types:

  • Domains/URLs: Typosquatted NuGet repositories, Infostealer C2s (dns-providersa2.com, vinte.online), and fake credential portals (lastpass-login-help.com).
  • File Hashes: SHA256/MD5 hashes for .NET payloads (protected with .NET Reactor), Sliver binaries, and APT loaders.
  • CVEs: Critical vulnerabilities in PAN-OS and Cloud platforms (CVE-2023-33538, CVE-2025-48703).

Operational Guidance: SOC teams should ingest these hashes into EDR alerting and block the listed domains at the proxy/DNS level. The CVEs should be prioritized for immediate patching or mitigation.

Detection Engineering

YAML
---
title: Potential Malicious NuGet Package Execution
id: 6e1e9c12-b3d4-4b2e-9e5a-1f2a3b4c5d6e
description: Detects execution of processes originating from NuGet package directories or suspicious dotnet restore commands matching typosquatting patterns observed in OTX pulses.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6e1e9c12-b3d4-4b2e-9e5a-1f2a3b4c5d6e
tags:
    - attack.supply_chain
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\nuget.exe'
            - '\dotnet.exe'
        Image|endswith:
            - '\msbuild.exe'
            - '\csc.exe'
            - '\cmd.exe'
    filter_legit:
        CommandLine|contains:
            - 'microsoft'
            - 'nuget.org'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate developer build environments
level: high
---
title: Lumma Stealer Remus Variant Browser Data Access
id: 7f2f0d23-c4e5-5c3f-0f6b-2g3b4c5d6e7f
description: Detects suspicious access to browser credential files (SQLite/Local Storage) by processes not part of the browser, indicative of infostealer activity like Lumma/Remus.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7f2f0d23-c4e5-5c3f-0f6b-2g3b4c5d6e7f
tags:
    - attack.credential_access
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
            - '\AppData\Roaming\Mozilla\Firefox\Profiles'
            - '\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\brave.exe'
            - '\msedge.exe'
    condition: selection and not filter_main_browsers
falsepositives:
    - Legitimate password managers
    - Backup software
level: high
---
title: PCPJack Cloud Worm Sliver C2 Implant
id: 8g3g1e34-d5f6-6d4g-1g7c-3h4c5d6e7f8g
description: Detects execution of Sliver C2 implants or tools often associated with PCPJack cloud worm activity in Linux environments.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8g3g1e34-d5f6-6d4g-1g7c-3h4c5d6e7f8g
tags:
    - attack.execution
    - attack.command_and_control
logsource:
    product: linux
    category: process_creation
detection:
    selection_image:
        Image|endswith:
            - '/sliver'
            - '/sliver-client'
            - '/tmp/sliver'
    selection_cmdline:
        CommandLine|contains: 'sliver'
    selection_network:
        CommandLine|contains:
            - 'http://'
            - 'mtls://'
    # a bare 'http://' in any command line is not evidence of Sliver; the
    # listener scheme only counts when it appears alongside a sliver reference
    condition: selection_image or (selection_cmdline and selection_network)
falsepositives:
    - Authorized red team exercises
level: critical

KQL (Microsoft Sentinel)

KQL
// Hunt for malicious domains and IPs identified in OTX pulses.
// Timestamp is used directly (as in the hash query below) instead of aliasing
// TimeGenerated, which does not exist in Defender Advanced Hunting.
let IoC_Domains = dynamic(["dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "lastpass-login-help.com"]);
let IoC_IPs = dynamic(["149.104.66.84"]);
DeviceNetworkEvents
// has_any also matches RemoteUrl values that carry a full URL rather than a bare host
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType
| order by Timestamp desc

KQL
// Hunt for specific file hashes associated with Lumma and PCPJack.
// The first entry is a SHA1, the rest are SHA256; every hash column is checked against the whole list.
let IoC_Hashes = dynamic([
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "197f11a7b0003aa7da58a330c2fa2a96a670de91d39ddebc7a51ac1d9404a7e6"
]);
DeviceProcessEvents
| where SHA256 in (IoC_Hashes) or MD5 in (IoC_Hashes) or SHA1 in (IoC_Hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, AccountName, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt for Operation GriefLure and Persistence Mechanisms
$MaliciousFiles = @(
    "sfsvc.exe",
    "360.dll"
)

$SuspiciousRegPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

Write-Host "[*] Checking for malicious file persistence..." -ForegroundColor Cyan

foreach ($path in $SuspiciousRegPaths) {
    if (Test-Path $path) {
        Get-ItemProperty $path -ErrorAction SilentlyContinue | 
        ForEach-Object {
            $regValues = $_.PSObject.Properties | Where-Object {$_.Value -is [string] -and $_.Name -notlike "PS*"}
            foreach ($val in $regValues) {
                foreach ($malFile in $MaliciousFiles) {
                    if ($val.Value -like "*$malFile*") {
                        Write-Host "[!] ALERT: Found IOC in Registry: $($path)\$($val.Name) -> $($val.Value)" -ForegroundColor Red
                    }
                }
            }
        }
    }
}

Write-Host "[*] Checking hosts file for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $content = Get-Content $HostsPath
    $SuspiciousDomains = @("www.whatsappcenter.com", "dns-providersa2.com")
    foreach ($line in $content) {
        if ($line -notmatch "^#" -and $line -match "\d+") {
            foreach ($dom in $SuspiciousDomains) {
                if ($line -like "*$dom*") {
                    Write-Host "[!] ALERT: Found malicious domain in hosts file: $line" -ForegroundColor Red
                }
            }
        }
    }
}

Response Priorities

  • Immediate: Block all listed domains and IPs at the perimeter. Patch PAN-OS devices immediately to address CVE-2023-33538. Scan developer workstations for the listed malicious NuGet package hashes.
  • 24 Hours: Initiate credential rotation for cloud accounts (AWS/Azure/GCP) if PCPJack indicators are found, and enforce MFA for all VPN/SSH access. Hunt for sfsvc.exe and 360.dll as part of the GriefLure response.
  • 1 Week: Conduct a supply chain audit of internal NuGet feeds. Review Kubernetes/Docker logs for signs of PCPJack propagation (unusual pod creation or eviction events).
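The "review Kubernetes/Docker logs for unusual pod creation or eviction events" step, as an added example that is not part of the original post: a triage script over Kubernetes audit-log lines (audit.k8s.io/v1 Events) that groups pod creates and Eviction-API calls per principal in a sliding window and flags a principal that creates pods in bursts or evicts other workloads while creating its own. The audit events, service-account names and thresholds are constructed assumptions to be tuned per cluster; the only real structure relied on is the audit Event shape, where an eviction is logged as verb "create" on the "eviction" subresource of a pod.

```python
"""Triage Kubernetes audit-log lines for per-principal bursts of pod creation and
Eviction-API calls. Added example: the audit events, principal names and
thresholds below are constructed and must be tuned per cluster."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WORM_SA = "system:serviceaccount:default:ci-runner"                  # constructed: compromised SA
CTRL_SA = "system:serviceaccount:kube-system:replicaset-controller"  # normal controller traffic


def _audit_event(ts, user, verb, name, subresource=None, namespace="default"):
    """Build a minimal audit.k8s.io/v1 Event as the API server would log it (constructed)."""
    ref = {"resource": "pods", "namespace": namespace, "name": name}
    if subresource:
        ref["subresource"] = subresource
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
            "verb": verb, "user": {"username": user}, "objectRef": ref,
            "requestReceivedTimestamp": ts, "responseStatus": {"code": 201}}


# Constructed sample: a controller creating pods at a normal pace, and one service
# account that alternates creating its own pods with evicting other workloads.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _audit_event("2026-05-08T10:00:00.000000Z", CTRL_SA, "create", "web-7d9f-abc12"),
    _audit_event("2026-05-08T10:00:05.000000Z", WORM_SA, "create", "kube-proxy-sync-1"),
    _audit_event("2026-05-08T10:00:06.000000Z", WORM_SA, "create", "redis-2", "eviction"),
    _audit_event("2026-05-08T10:00:07.000000Z", WORM_SA, "create", "kube-proxy-sync-2"),
    _audit_event("2026-05-08T10:00:08.000000Z", WORM_SA, "create", "worker-9", "eviction"),
    _audit_event("2026-05-08T10:00:09.000000Z", WORM_SA, "create", "kube-proxy-sync-3"),
    _audit_event("2026-05-08T10:04:00.000000Z", CTRL_SA, "create", "web-7d9f-xyz34"),
    _audit_event("2026-05-08T10:04:01.000000Z", CTRL_SA, "list", ""),  # read-only, ignored
])


def parse_audit_lines(text):
    """Return sorted (timestamp, username, kind) tuples for pod create/evict/delete events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("stage") != "ResponseComplete" or ref.get("resource") != "pods":
            continue
        verb, sub = ev.get("verb"), ref.get("subresource")
        if verb == "create" and sub == "eviction":
            kind = "evict"            # Eviction API: POST pods/<name>/eviction
        elif verb in ("create", "delete") and not sub:
            kind = verb
        else:
            continue
        ts = datetime.strptime(ev["requestReceivedTimestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, ev["user"]["username"], kind))
    return sorted(events)


def find_propagation_bursts(events, window=timedelta(seconds=60), min_creates=5, min_evictions=2):
    """Sliding window per principal. Flags a window holding >= min_creates pod creates,
    or >= min_evictions evictions next to at least one create (evict-then-replace).
    Returns one (username, window_start, creates, evictions) finding per principal."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((ts, kind))
    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            creates = sum(1 for _, k in win if k == "create")
            evicts = sum(1 for _, k in win if k == "evict")
            if creates >= min_creates or (evicts >= min_evictions and creates >= 1):
                findings.append((user, win[0][0], creates, evicts))
                break
    return findings


if __name__ == "__main__":
    for user, start, creates, evicts in find_propagation_bursts(parse_audit_lines(SAMPLE_AUDIT_LOG)):
        print(f"[!] {user}: {creates} pod creates and {evicts} evictions from {start:%H:%M:%S}")
```

Feed it the API server's audit log (JSON lines, Metadata level or above) and pivot from any flagged service account to its token source and the images of the pods it created; controllers such as the replicaset controller create pods legitimately, so raise min_creates for those principals rather than exempting them outright.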
