
Lumma, Vidar, and Mr_Rot13: Multi-Vector Infostealer & Ransomware Campaigns Analysis

Security Arsenal Team
May 11, 2026
6 min read

Recent OTX pulses show three things converging: software supply chain attacks, abuse of open-source package and code repositories, and exploitation of internet-facing infrastructure. The campaigns target developers (via GitHub and NuGet) and government/defense sectors (via cPanel/WHM). The common objective is credential theft (browser-stored passwords and sessions, crypto wallets, SSH keys) followed by persistence that can be handed off to ransomware deployment (The Gentleman). The TroyDen group seeds GitHub with repositories whose AI-generated biological-taxonomy names act as lures for LuaJIT-based loaders; the Mr_Rot13 actor exploits a critical cPanel vulnerability (CVE-2026-41940) to plant SSH keys and webshells; typosquatted NuGet packages deliver .NET Reactor-protected payloads with rotating versions; and the EtherRat framework pulls its C2 configuration from the Ethereum blockchain (EtherHiding), which makes the configuration fetch look like ordinary RPC traffic and hard to sinkhole.

Threat Actor / Malware Profile

| Threat Actor / Malware | Distribution Method | Payload Behavior | C2 Communication | Persistence & Evasion |
|---|---|---|---|---|
| TroyDen (Lure Factory) | GitHub repositories with AI-generated taxonomy names. | LuaJIT-based loader delivering Redline/LummaStealer. | HTTP/HTTPS to dedicated C2 IPs. | Two-component payload design; Prometheus obfuscator. |
| Unknown (NuGet Campaign) | Typosquatting Chinese UI libraries on NuGet; version rotation. | .NET Reactor-protected infostealer (Lumma/Quantum). | Posts data to dns-providersa2.com. | Grafted onto legitimate decompiled code to evade static analysis. |
| EtherRat / TukTuk | Malicious MSI disguised as Sysinternals tools. | EtherHiding for C2 config; deploys TukTuk DLL sideloading. | Ethereum blockchain interactions + Cloudflare tunnels. | Disguised as legitimate binaries (Greenshot). |
| Vidar Stealer | Multi-stage loader starting with MicrosoftToolkit.exe. | AutoIt script masquerading as .bat file. | Custom C2 protocol to gz.technicalprorj.xyz. | Renames extensions (.dot to .bat); kills security processes. |
| Mr_Rot13 | Exploitation of CVE-2026-41940 in cPanel/WHM. | Go-based installer planting SSH keys and webshells. | Telegram for exfiltration; SSH backdoors. | Cross-platform RAT (Filemanager); exploits 6-year-old logic flaw. |

IOC Analysis

The provided IOCs represent a multi-faceted threat landscape:

  • IPv4 Addresses (8 items): Mostly TroyDen C2 infrastructure. Block them at the firewall and proxy, then retro-hunt at least 30 days of proxy, DNS and flow logs: a block tells you nothing about hosts that already beaconed.
  • Domains (3 items in the core pulse, plus gz.technicalprorj.xyz from the Vidar pulse and git.justdotrip.com from the TroyDen pulse): C2 for the NuGet campaign (dns-providersa2.com) and the Mr_Rot13 group (wrned.com, wpsock.com). Sinkhole or block them via DNS filtering and alert on the resolution attempt itself, which is the cheapest signal that an endpoint is already infected.
  • File Hashes (SHA1/SHA256/MD5): Payload hashes for LuaJIT scripts, AutoIt loaders and .NET assemblies. Load them into EDR blocklists, but treat a hash match as confirmation rather than coverage: the NuGet campaign rotates versions and the loaders are obfuscated (.NET Reactor, Prometheus), so a miss on hash proves little. The mix of algorithms reflects how each pulse's submitter recorded samples; compare each value only against the column of the same algorithm, since an MD5 will never equal a SHA256 of the same file.
  • CVEs (CVE-2026-41940, CVE-2025-55182): The cPanel/WHM flaw exploited by Mr_Rot13 and an unspecified vulnerability exploited by EtherRat. Patching closes the entry point but does not evict an attacker who already used it; on any cPanel host that was exposed before patching, review authorized_keys files and web roots for the SSH keys and webshells the Go-based installer plants.

Operationalizing IOCs: SOC teams should load the indicator CSV into their SIEM (Splunk, Sentinel) as a watchlist or lookup and join it against network and file telemetry; in Microsoft Defender XDR and Sentinel those are the DeviceNetworkEvents (RemoteIP, RemoteUrl) and DeviceFileEvents (MD5, SHA1, SHA256) tables. Normalize before joining: lower-case hashes and hostnames, strip scheme and path from URL values, and keep each hash type in its own field so a SHA256 indicator is only compared with SHA256 columns. Add the hashes to blocklists in Endpoint Detection and Response (EDR) tools such as CrowdStrike or SentinelOne as well.
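The normalization and join described above, as an added example that is not part of the original write-up: a small Python matcher that loads an OTX-style CSV (the rows below are constructed from the indicators in this post; the event records are fictitious), buckets hashes by digest length, extracts the bare host from RemoteUrl values, and reports every network or file event that touches an indicator. Field names follow the Defender DeviceNetworkEvents / DeviceFileEvents columns.

```python
"""Match OTX-style IOC rows against network and file events (offline demo).

Added example, not code from the Security Arsenal post. IOC_CSV reuses the
indicator values listed in this write-up; the event records are fictitious.
"""
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed CSV in the shape OTX exports (type, indicator, description).
IOC_CSV = """type,indicator,description
IPv4,89.169.12.241,TroyDen C2
IPv4,213.176.73.80,TroyDen C2
domain,dns-providersa2.com,NuGet campaign exfil
hostname,gz.technicalprorj.xyz,Vidar C2
FileHash-MD5,7AC9278876C83C9B597FAE68ACB6FBF9,Vidar loader
FileHash-SHA1,efb675de4b3af3dac3c9cae91075fd7cc2f4f98e,NuGet payload
FileHash-SHA256,019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824,NuGet payload
CVE,CVE-2026-41940,cPanel/WHM (no event field to match against)
"""

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex digest length -> algorithm


def load_iocs(text):
    """Return {'ip', 'domain', 'md5', 'sha1', 'sha256'} -> set of normalised values."""
    iocs = {"ip": set(), "domain": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for row in csv.DictReader(io.StringIO(text)):
        kind, value = row["type"].lower(), row["indicator"].strip()
        if kind == "ipv4":
            iocs["ip"].add(str(ipaddress.ip_address(value)))
        elif kind in ("domain", "hostname"):
            iocs["domain"].add(value.lower().rstrip("."))
        elif kind.startswith("filehash"):
            algo = HASH_LEN.get(len(value))
            if algo:  # bucket by algorithm so MD5 is never compared with SHA256
                iocs[algo].add(value.lower())
        # CVEs and other indicator types have no telemetry field to join on.
    return iocs


def host_of(url):
    """Bare lower-case host from a RemoteUrl value that may be a URL or hostname."""
    parsed = urlsplit(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def match_network(event, iocs):
    hits = []
    if event.get("RemoteIP") in iocs["ip"]:
        hits.append(("ip", event["RemoteIP"]))
    host = host_of(event.get("RemoteUrl", ""))
    for d in iocs["domain"]:  # exact host or any subdomain of a listed domain
        if host == d or host.endswith("." + d):
            hits.append(("domain", d))
    return hits


def match_file(event, iocs):
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        h = (event.get(algo.upper()) or "").lower()
        if h and h in iocs[algo]:
            hits.append((algo, h))
    return hits


# Fictitious telemetry rows, shaped like DeviceNetworkEvents / DeviceFileEvents.
NETWORK_EVENTS = [
    {"DeviceName": "dev-ws01", "RemoteIP": "89.169.12.241", "RemoteUrl": ""},
    {"DeviceName": "dev-ws02", "RemoteIP": "104.16.0.1", "RemoteUrl": "https://api.dns-providersa2.com/upload"},
    {"DeviceName": "dev-ws03", "RemoteIP": "140.82.112.3", "RemoteUrl": "github.com"},
]
FILE_EVENTS = [
    {"DeviceName": "dev-ws01", "FileName": "stage1.bin", "MD5": "7ac9278876c83c9b597fae68acb6fbf9", "SHA1": "", "SHA256": ""},
    {"DeviceName": "dev-ws02", "FileName": "build.dll", "MD5": "", "SHA1": "", "SHA256": "0" * 64},
]


def hunt(network_events, file_events, iocs):
    """Return (device, source, indicator_type, indicator) for every match."""
    findings = []
    for ev in network_events:
        for kind, value in match_network(ev, iocs):
            findings.append((ev["DeviceName"], "network", kind, value))
    for ev in file_events:
        for kind, value in match_file(ev, iocs):
            findings.append((ev["DeviceName"], "file", kind, value))
    return findings


if __name__ == "__main__":
    for finding in hunt(NETWORK_EVENTS, FILE_EVENTS, load_iocs(IOC_CSV)):
        print(finding)
```

The subdomain check matters for EtherHiding-style and CDN-fronted infrastructure where the beacon host is a child label of the listed domain; an exact `in (...)` comparison, as in the naive version of the KQL below, would miss it.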

Detection Engineering

```yaml
title: Potential TroyDen LuaJIT Infostealer Activity
id: 4a2b1c3d-5e6f-4a7b-9c0d-1e2f3a4b5c6d   # placeholder: regenerate as a UUIDv4 before deploying (the original value was not valid hex)
description: Detects a LuaJIT interpreter launched from a shell or Explorer, the execution path of the TroyDen lure-factory loaders that target developers. Lua runtime DLLs are not processes and need a separate image_load rule.
status: experimental
date: 2026-05-11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6123456789abcdef
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\luajit.exe'
    selection_parent:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\explorer.exe'
    condition: selection_img and selection_parent
falsepositives:
    - Legitimate developer usage of Lua scripting environments
level: high
---
title: Malicious NuGet Supply Chain Execution
id: b5c4d3e2-1f0a-9b8c-7d6e-5f4a3b2c1d0e
description: Detects download-and-execute command lines spawned by NuGet, MSBuild or the dotnet host, indicative of a build-time supply chain payload such as the obfuscated .NET infostealer delivered by typosquatted packages.
status: experimental
date: 2026-05-11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/9876543210fedcba
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\nuget.exe'
            - '\msbuild.exe'
            - '\dotnet.exe'
    selection_cli:
        # 'IEX' alone would also match 'iexplore.exe'; anchor it to how it is invoked
        CommandLine|contains:
            - 'Invoke-Expression'
            - 'IEX ('
            - 'IEX('
            - 'IEX $'
            - 'DownloadString'
            - 'FromBase64String'
    condition: selection_parent and selection_cli
falsepositives:
    - Legitimate build scripts performing web requests
level: medium
---
title: Vidar Stealer AutoIt Loader Pattern
id: c1d2e3f4-a5b6-c7d8-e9f0-a1b2c3d4e5f6
description: Detects AutoIt3.exe running a script whose extension hides its type (.bat/.cmd/.dot instead of .au3), or AutoIt3.exe spawning a shell interpreter with such a script, as in the multi-stage Vidar loader.
status: experimental
date: 2026-05-11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/1122334455667788
tags:
    - attack.defense_evasion
    - attack.t1036.005
    - attack.t1036.008
logsource:
    category: process_creation
    product: windows
detection:
    selection_ext:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.dot'
    # Stage 1: the interpreter itself is handed the masqueraded script
    selection_autoit:
        Image|endswith: '\AutoIt3.exe'
    # Stage 2: the interpreter spawns a shell (parent must be matched with ParentImage, not Image)
    selection_parent:
        ParentImage|endswith: '\AutoIt3.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\cscript.exe'
    condition: (selection_autoit and selection_ext) or (selection_parent and selection_child and selection_ext)
falsepositives:
    - Legitimate AutoIt automation scripts
level: high
```


```kql
// Hunt for C2 domains and IPs from the TroyDen, NuGet, Vidar and Mr_Rot13 pulses
let c2Domains = dynamic(["dns-providersa2.com", "git.justdotrip.com", "gz.technicalprorj.xyz", "wpsock.com", "wrned.com"]);
let c2Ips = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
                     "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
// RemoteUrl may hold a full URL or a subdomain, so an exact in() would miss it; has_any matches the domain as a term
| where RemoteUrl has_any (c2Domains) or RemoteIP in (c2Ips)
| extend ThreatIntel = "OTX Pulse Match: Infostealer C2"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, ThreatIntel
```


```powershell
# IOC hunt for the TroyDen, NuGet, EtherRat, Vidar and Mr_Rot13 pulses.
# Hashes are grouped by algorithm: Get-FileHash compares like with like, so a
# SHA1 or SHA256 indicator can never match a list of MD5 digests.
$targetHashes = @{
    MD5    = @(
        "73ce2438d4ed475e03727b7b000d2794", # EtherRat
        "7ac9278876c83c9b597fae68acb6fbf9", # Vidar
        "02a5990b11293236e01f174f5999df20"  # Mr_Rot13
    )
    SHA1   = @(
        "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e" # NuGet
    )
    SHA256 = @(
        "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824", # NuGet
        "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c"  # NuGet
    )
}

# Hashing a whole system drive three times per file is slow; narrow this to user
# profiles, ProgramData and build-agent workspaces where the loaders actually land.
$scanRoot = "C:\"

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

Get-ChildItem -Path $scanRoot -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 10MB } |
    ForEach-Object {
        $file = $_
        foreach ($algo in $targetHashes.Keys) {
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            # -contains is case-insensitive, so Get-FileHash's upper-case output matches lower-case IOCs
            if ($hash -and $targetHashes[$algo] -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($file.FullName)" -ForegroundColor Red
            }
        }
    }

Write-Host "[+] Checking for established C2 connections..." -ForegroundColor Cyan

# All eight IPv4 indicators from the pulses, not just the TroyDen subset.
$targetIPs = @(
    "89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"
)

# A point-in-time snapshot only catches a beacon that is open right now; pair it
# with proxy and firewall log searches for historical connections.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $targetIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] C2 CONNECTION DETECTED to $($_.RemoteAddress):$($_.RemotePort) (Owning PID: $($_.OwningProcess))" -ForegroundColor Red
        Write-Host "    Process: $($proc.ProcessName) ($($proc.Path))" -ForegroundColor Yellow
    }
```


Response Priorities

  • Immediate: Block all listed IPv4 addresses and domains at the perimeter firewall and proxy. Hunt endpoints for luajit.exe, AutoIt3.exe and the MD5/SHA1/SHA256 hashes from the pulses; on any hit, capture the process tree and outbound connections before reimaging so the scope of exfiltration is known.
  • 24 Hours: If activity is confirmed, reset credentials for developer and privileged accounts, invalidate browser sessions and tokens (these stealers take saved passwords and session data alike), rotate SSH keys that lived on affected hosts, and move funds out of any crypto wallets whose material was on those hosts.
  • 1 Week: Patch cPanel/WHM against CVE-2026-41940 and verify that no planted SSH keys or webshells remain. Lock down NuGet consumption: pin exact versions and commit lock files so version rotation cannot pull a newer malicious release, and use Package Source Mapping in nuget.config so each package ID prefix resolves only from its intended feed. Allow-list the GitHub repositories that build pipelines are permitted to fetch.
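A check for the NuGet items above, added here as an example and not taken from the page or from any vendor tool: it parses a constructed SDK-style .csproj, compares each PackageReference against an assumed allowlist of approved packages (hypothetical names, not the packages abused in the pulse), flags near-miss names with a similarity ratio, and flags floating or missing versions, which are what let a rotated malicious release slip in.

```python
"""Audit a .csproj for look-alike package names and floating versions.

Added example, not code from the page or from the campaign write-up. The
project file and the allowlist are constructed; the package names are
hypothetical and are not the typosquatted packages from the pulse.
"""
import difflib
import xml.etree.ElementTree as ET

# Assumed allowlist of packages this team actually depends on (hypothetical).
APPROVED = {"Newtonsoft.Json", "Serilog", "AntDesign", "Microsoft.Extensions.Logging"}

# Constructed project file: one clean reference, one look-alike, one floating version.
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="AntDesing" Version="0.19.5" />
    <PackageReference Include="Serilog" Version="3.*" />
  </ItemGroup>
</Project>
"""

LOOKALIKE_THRESHOLD = 0.85  # SequenceMatcher ratio; one-character swaps score ~0.89


def _local(tag):
    """Strip an XML namespace so legacy (namespaced) csproj files parse too."""
    return tag.split("}")[-1]


def package_refs(csproj_xml):
    """Yield (name, version) for every PackageReference (Include= or Update= form)."""
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        if _local(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update")
        version = el.get("Version") or ""
        if not version:  # Version may be a child element instead of an attribute
            for child in el:
                if _local(child.tag) == "Version":
                    version = (child.text or "").strip()
        if name:
            yield name, version


def normalise(name):
    # NuGet IDs are case-insensitive; dropping separators also catches 'Ant-Design' vs 'AntDesign'.
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def lookalike(name, approved):
    """Return the approved package this name is suspiciously close to, or None."""
    n = normalise(name)
    best, best_ratio = None, 0.0
    for a in approved:
        if normalise(a) == n:
            return None  # exact match is legitimate, not a look-alike
        ratio = difflib.SequenceMatcher(None, n, normalise(a)).ratio()
        if ratio > best_ratio:
            best, best_ratio = a, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def audit(csproj_xml, approved):
    """Return (package, reason) findings for unapproved names and unpinned versions."""
    approved_norm = {normalise(a) for a in approved}
    findings = []
    for name, version in package_refs(csproj_xml):
        if normalise(name) not in approved_norm:
            near = lookalike(name, approved)
            findings.append((name, "lookalike of " + near if near else "not on allowlist"))
        # A floating range ('3.*') or no version at all lets a newly pushed release win.
        # Projects using Central Package Management pin in Directory.Packages.props instead,
        # so adapt this check if that is where your versions live.
        if "*" in version or version == "":
            findings.append((name, "floating or missing version (" + (version or "none") + ")"))
    return findings


if __name__ == "__main__":
    for package, reason in audit(CSPROJ, APPROVED):
        print(f"{package}: {reason}")
```

Run it in CI against every project file and fail the build on any finding; the look-alike check is what catches a typosquat that a plain allowlist diff would only report as "unknown package".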
