Multi-Vector Credential Harvesting: Gremlin, Vidar, and OtterCookie Campaigns via SD-WAN Exploits & NPM Supply Chain

Security Arsenal Team
May 16, 2026

Recent OTX pulses indicate a surge in credential theft campaigns leveraging diverse attack vectors ranging from software supply chain compromises to network edge exploitation. Intelligence reveals distinct but concurrent operations: the FAMOUS CHOLLIMA group (North Korea) targeting developers via malicious npm packages (OtterCookie), the exploitation of Cisco Catalyst SD-WAN vulnerabilities by UAT-8616 to establish webshells and persistence, and opportunistic actors weaponizing the Claude Code leak on GitHub to distribute Vidar Stealer. Additionally, The Gentlemen RaaS operation continues to leverage leaked Fortinet and Cisco credentials for NTLM relay attacks. Collectively, these campaigns aim to harvest session tokens, SSH keys, and browser credentials to facilitate initial access, data exfiltration, and financial fraud.

Threat Actor / Malware Profile

Gremlin Stealer

  • Distribution: Phishing attachments with resource-hiding techniques; often distributed alongside other loaders like GuLoader.
  • Payload Behavior: Utilizes commercial packing with instruction virtualization to evade analysis. Targets browser data (payment cards, saved passwords), Discord tokens, and cryptocurrency wallets.
  • C2 Communication: Connects to hard-coded IP infrastructure (e.g., 194.87.92.109) to exfiltrate harvested data via HTTP/HTTPS.
  • Persistence: Registry run keys or scheduled tasks (typical of .NET stealers).

OtterCookie (NPM Supply Chain)

  • Threat Actor: FAMOUS CHOLLIMA.
  • Distribution: "Contagious interview" campaign; malicious npm packages cloning legitimate libraries (e.g., big.js) with obfuscated payloads.
  • Payload Behavior: Python/Node-based stealer targeting .npmrc, AWS/GCP credentials, and SSH keys. Deploys additional payloads like BeaverTail.
  • Persistence: Through compromised development environments and poisoned project dependencies.
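The OtterCookie profile above describes the technique (a cloned library name plus an obfuscated payload that runs at install time), and the 24-hour response step later on the page asks teams to review npm package manifests. The following Python script is an added example written for this page, not code from the original post or from the Security Arsenal team: it audits a set of package.json manifests for install-time lifecycle hooks, obfuscation or downloader hints inside those hooks, and package names that are a couple of edits away from the dependencies a project expects. The expected-dependency set, the sample tree and the name "bigg.js" are constructed for the example; the hint list is a heuristic, not a signature.

```python
import json
import os

# Lifecycle hooks that npm runs automatically during install, i.e. where a
# malicious package gets code execution without ever being imported.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Substrings that commonly appear in obfuscated or downloader-style install
# scripts. Heuristic only: a hit is a reason to read the script, not proof.
OBFUSCATION_HINTS = ("eval(", "Function(", "base64", "child_process",
                     "curl ", "wget ", "http://")

# Constructed allowlist of the dependencies this (hypothetical) project expects.
EXPECTED_DEPENDENCIES = {"big.js", "express", "lodash"}

# Constructed sample of node_modules/*/package.json contents (not real data).
# "bigg.js" is an invented look-alike name, not a real package.
SAMPLE_TREE = {
    "node_modules/big.js": {"name": "big.js", "version": "6.2.1"},
    "node_modules/express": {"name": "express", "version": "4.19.2",
                             "scripts": {"test": "mocha"}},
    "node_modules/bigg.js": {"name": "bigg.js", "version": "6.2.1",
                             "scripts": {"postinstall":
                                         "node -e \"eval(Buffer.from('<blob>','base64').toString())\""}},
}


def levenshtein(a, b):
    """Edit distance, used to spot look-alike names of expected dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(manifest, expected_names, max_distance=2):
    """Return a list of finding strings for one package.json dict."""
    findings = []
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        body = scripts.get(hook)
        if body is None:
            continue
        findings.append(f"{name}: runs '{hook}' during install: {body[:70]}")
        if any(h in body for h in OBFUSCATION_HINTS):
            findings.append(f"{name}: '{hook}' script contains an obfuscation/download hint")
    if name not in expected_names:
        for known in sorted(expected_names):
            d = levenshtein(name.lower(), known.lower())
            if 0 < d <= max_distance:
                findings.append(f"{name}: name is {d} edit(s) from expected dependency '{known}'")
    return findings


def audit_tree(tree, expected_names):
    """Audit a {path: package.json dict} map; only packages with findings are returned."""
    results = {}
    for path, manifest in tree.items():
        findings = audit_manifest(manifest, expected_names)
        if findings:
            results[path] = findings
    return results


def read_node_modules(root):
    """Build the {path: manifest} map from a real node_modules directory on disk."""
    tree = {}
    for dirpath, _, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                tree[os.path.relpath(dirpath, root)] = json.load(fh)
            except json.JSONDecodeError:
                continue  # unreadable manifest; worth a manual look but skip here
    return tree


if __name__ == "__main__":
    for path, findings in audit_tree(SAMPLE_TREE, EXPECTED_DEPENDENCIES).items():
        print(path)
        for line in findings:
            print("  -", line)
```

Point `read_node_modules()` at a checked-out project's node_modules directory and pass the result to `audit_tree()` together with the names from the project's own package.json to run this against real input; the edit-distance check only makes sense against a curated expected list, so keep that list short and project-specific.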

Vidar Stealer & GhostSocks (GitHub Delivery)

  • Distribution: Social engineering via trojanized GitHub repositories claiming to contain leaked Claude Code source.
  • Payload Behavior: Vidar steals sensitive data; GhostSocks acts as a proxy/tunnel for C2 operations.
  • C2 Communication: Connects to specific VPS endpoints (e.g., 147.45.197.92, 94.228.161.88) and resolves domains like rti.cargomanbd.com.

IOC Analysis

The provided IOCs span multiple infrastructure types crucial for detection:

  • File Hashes (SHA256/MD5): Numerous samples for Gremlin, Vidar, and webshells. SOC teams should block execution at the endpoint via EDR and hash-based allowlisting policies.
  • Network Indicators (IPv4/Domains): IPs such as 194.87.92.109 (Gremlin) and 176.65.139.31 (SD-WAN exploitation) and domains like rti.cargomanbd.com should be blocked on perimeter firewalls and proxies.
  • CVEs: CVE-2026-20128 and CVE-2026-20133 (Cisco SD-WAN) and CVE-2024-55591 (Fortinet) are critical for vulnerability management prioritization.
  • Operationalization: Ingest these indicators into your SIEM's threat intel feeds (e.g., Splunk ES, Microsoft Sentinel) to correlate against DeviceNetworkEvents, SecurityEvent, and FileProfile logs.

Detection Engineering

Sigma Rules

YAML
title: Potential Gremlin Stealer Process Execution
id: 4a8f9c1d-5b6a-4e8f-9a1b-2c3d4e5f6a7b
description: Detects suspicious execution patterns associated with Gremlin Stealer, often involving PowerShell spawning from unusual parent processes or packed executables.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
    Image|endswith:
      - '\mshta.exe'
      - '\regsvr32.exe'
    CommandLine|contains:
      - ' -enc '
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Administrative scripts
level: high
---
title: Malicious NPM Package Execution (OtterCookie)
id: 7b8f9c1d-5b6a-4e8f-9a1b-2c3d4e5f6a7c
description: Detects execution of Node.js processes triggered by specific suspicious package installation patterns associated with the OtterCookie campaign.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\node.exe'
  selection_cli:
    CommandLine|contains:
      - 'npm install'
      - 'npm ci'
  selection_suspicious:
    CommandLine|contains:
      - 'postinstall'
      - 'preinstall'
  condition: all of selection_*
falsepositives:
  - Legitimate developer builds
level: medium
---
title: Webshell Upload via Cisco SD-WAN Exploitation
id: 8c9f9c1d-5b6a-4e8f-9a1b-2c3d4e5f6a7d
description: Detects potential webshell activity (Godzilla/Behinder) on network appliances or web servers following exploitation of CVE-2026-20128.
status: experimental
date: 2026/05/16
author: Security Arsenal
logsource:
  category: webserver
  product: apache
detection:
  selection_uri:
    cs-uri-query|contains:
      - 'passwd='
      - 'cmd='
  selection_header:
    cs-user-agent|contains:
      - 'Godzilla'
      - 'Behinder'
  condition: 1 of selection*
falsepositives:
  - Administrative management interfaces
level: critical
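To make the matching semantics of the three rules above concrete (fields inside a selection are ANDed, list values are ORed, string matching is case-insensitive, and `all of selection_*` / `1 of selection*` aggregate by name prefix), here is an added Python example, written for this page rather than taken from the post or from any Sigma backend: a minimal evaluator that applies the rules, transcribed as dicts, to constructed process-creation and web-access events. It supports only the `endswith`, `startswith` and `contains` modifiers and the condition forms the rules use; the sample events and command lines are invented.

```python
import re

# The page's three rules transcribed to dicts so no YAML parser is needed.
GREMLIN_RULE = {
    "title": "Potential Gremlin Stealer Process Execution",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\cmd.exe", "\\powershell.exe"],
            "Image|endswith": ["\\mshta.exe", "\\regsvr32.exe"],
            "CommandLine|contains": [" -enc ", "FromBase64String"],
        },
        "condition": "selection",
    },
}
OTTERCOOKIE_RULE = {
    "title": "Malicious NPM Package Execution (OtterCookie)",
    "detection": {
        "selection_img": {"Image|endswith": "\\node.exe"},
        "selection_cli": {"CommandLine|contains": ["npm install", "npm ci"]},
        "selection_suspicious": {"CommandLine|contains": ["postinstall", "preinstall"]},
        "condition": "all of selection_*",
    },
}
WEBSHELL_RULE = {
    "title": "Webshell Upload via Cisco SD-WAN Exploitation",
    "detection": {
        "selection_uri": {"cs-uri-query|contains": ["passwd=", "cmd="]},
        "selection_header": {"cs-user-agent|contains": ["Godzilla", "Behinder"]},
        "condition": "1 of selection*",
    },
}
ALL_RULES = [GREMLIN_RULE, OTTERCOOKIE_RULE, WEBSHELL_RULE]

# Constructed sample events (not real telemetry); command lines are hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:eval(FromBase64String("..."))'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe C:\\tools\\dashboard.hta"},
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": 'node.exe hooks.js "npm install" postinstall'},
    {"cs-uri-query": "cmd=whoami", "cs-user-agent": "Mozilla/5.0"},
]


def _value_matches(value, modifier, patterns):
    """One Sigma field: any listed pattern may match (OR); comparison is case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    v = str(value).lower()
    for p in patterns:
        p = str(p).lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(selection, event):
    """Every field in a selection must match (AND); a missing field is a miss."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _value_matches(event[field], modifier, patterns):
            return False
    return True


def evaluate(rule, event):
    """Evaluate the rule's condition against one event; True means the rule fires."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    if condition in results:
        return results[condition]
    m = re.fullmatch(r"(all|1) of (\w*)\*", condition)
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    quantifier, prefix = m.groups()
    group = [hit for name, hit in results.items() if name.startswith(prefix)]
    if not group:
        return False
    return all(group) if quantifier == "all" else any(group)


def run_rules(rules, events):
    """Return (rule title, event index) for every rule that fires on every event."""
    return [(rule["title"], i) for i, ev in enumerate(events)
            for rule in rules if evaluate(rule, ev)]


if __name__ == "__main__":
    for title, idx in run_rules(ALL_RULES, SAMPLE_EVENTS):
        print(f"[{idx}] {title}")
```

One caveat worth checking before relying on the second rule in production: on Windows, `npm install` normally appears in process telemetry as node.exe with the npm-cli.js path and `install` on its command line rather than the literal string `npm install`, so confirm what your EDR actually records for the command line before trusting the `selection_cli` clause.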

KQL (Microsoft Sentinel)

Hunt for network connections to the specific C2 infrastructure identified in the pulses:

KQL — Microsoft Sentinel / Defender
DeviceNetworkEvents
| where RemoteIP in ("194.87.92.109", "176.65.139.31", "147.45.197.92", "94.228.161.88")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| extend FullUrl = strcat(RemoteUrl, ":", RemotePort)
| order by Timestamp desc


Hunt for potential file execution of the malicious hashes (requires FileProfile enabled):

KQL
DeviceFileEvents
| where SHA256 in (
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell
# IOC Hunter for Gremlin & Vidar Infrastructure
# Requires the NetTCPIP and DnsClient modules (Windows 8 / Server 2012 and later)
$TargetIPs = @(
    "194.87.92.109",
    "176.65.139.31",
    "147.45.197.92",
    "94.228.161.88"
)
$TargetDomain = "rti.cargomanbd.com"

Write-Host "[+] Hunting for established network connections to known C2 IPs..."

$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

foreach ($ip in $TargetIPs) {
    # $matches is an automatic variable populated by -match, so a different
    # name is used here to avoid clobbering it.
    $hits = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($hits) {
        Write-Host "[!] ALERT: Found connection to $ip" -ForegroundColor Red
        $hits | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "    PID: $($_.OwningProcess) | Process: $($proc.ProcessName) | LocalPort: $($_.LocalPort) | RemotePort: $($_.RemotePort)"
        }
    }
}

# DNS cache check for the specific domain. Get-DnsClientCache raises an error
# when the entry is absent, so errors are suppressed and the catch stays empty.
try {
    $dnsEntry = Get-DnsClientCache -Entry $TargetDomain -ErrorAction SilentlyContinue
    if ($dnsEntry) {
        Write-Host "[!] ALERT: Found DNS cache entry for $TargetDomain" -ForegroundColor Red
        $dnsEntry | ForEach-Object { Write-Host "    Data: $($_.Data) | Type: $($_.Type)" }
    }
} catch {
    # No cache entry found
}

Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate:
    • Block all IOCs (IPs, domains, hashes) at the perimeter and endpoints.
    • Initiate vulnerability scans for CVE-2026-20128 and CVE-2026-20133 on all Cisco Catalyst SD-WAN infrastructure.
    • Isolate any devices triggering the Sigma rules for webshell or stealer activity.
  • 24 Hours:
    • Rotate credentials for any accounts identified on compromised development machines (potential OtterCookie targets).
    • Review git history and npm package manifests for dependency confusion or malicious imports linked to the "Claude Code" or "Contagious Interview" campaigns.
    • Hunt for The Gentlemen activity (NTLM relay) by reviewing Windows Security Event logs for Event ID 4624/4625 anomalies.
  • 1 Week:
    • Implement stricter controls on npm package registries and GitHub repository usage.
    • Patch all edge appliances (Cisco/Fortinet) to close "The Gentlemen" initial access vectors.
    • Update EDR policies to detect the commercial packing and VM-based obfuscation techniques used by Gremlin Stealer.
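The 24-hour step above asks for a review of Event ID 4624/4625 for NTLM relay anomalies without saying what to look for. The Python below is an added example written for this page, not code from the original post or from the Security Arsenal team, showing two checks that fit a relay scenario: a successful NTLM network logon (4624, LogonType 3) whose claimed WorkstationName does not sit at the source IpAddress the event records, and a single source IP that originates NTLM network logons for several distinct accounts. The asset inventory mapping and the sample event records are constructed for the example; the inventory lookup is an assumption about how you resolve a workstation name to its expected address, and both checks are hunting heuristics rather than proof of relay.

```python
from collections import defaultdict

# Constructed asset inventory (assumption): workstation name -> address it normally logs on from.
INVENTORY = {
    "WS-FIN-01": "10.0.5.21",
    "WS-DEV-07": "10.0.8.44",
}

# Constructed Security log records carrying only the 4624/4625 fields these checks use.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS-FIN-01", "IpAddress": "10.0.5.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "j.doe", "WorkstationName": "WS-FIN-01", "IpAddress": "10.0.9.200"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "svc-backup", "WorkstationName": "WS-DEV-07", "IpAddress": "10.0.9.200"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "a.smith", "WorkstationName": "WS-DEV-07", "IpAddress": "10.0.8.44"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "a.smith", "WorkstationName": "WS-DEV-07", "IpAddress": "-"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "administrator", "WorkstationName": "WS-FIN-01", "IpAddress": "10.0.9.200"},
]


def ntlm_network_logons(events):
    """Successful (4624) network (LogonType 3) logons that used NTLM rather than Kerberos."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def workstation_ip_mismatches(events, inventory):
    """NTLM network logons whose claimed WorkstationName is not at the recorded source address.

    A relayed authentication carries the victim's workstation name inside the NTLM
    exchange, while the target records the relaying host as the source IP.
    """
    out = []
    for e in ntlm_network_logons(events):
        expected = inventory.get(e["WorkstationName"])
        if expected is not None and expected != e["IpAddress"]:
            out.append((e["TargetUserName"], e["WorkstationName"], e["IpAddress"]))
    return out


def sources_with_many_accounts(events, threshold=2):
    """Source IPs that originate NTLM network logons for at least `threshold` distinct accounts."""
    accounts = defaultdict(set)
    for e in ntlm_network_logons(events):
        accounts[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in accounts.items() if len(users) >= threshold}


def failed_ntlm_by_source(events):
    """4625 NTLM failures per source IP; a burst next to the hits above strengthens the case."""
    counts = defaultdict(int)
    for e in events:
        if e.get("EventID") == 4625 and e.get("AuthenticationPackageName") == "NTLM":
            counts[e.get("IpAddress", "-")] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, ws, ip in workstation_ip_mismatches(SAMPLE_EVENTS, INVENTORY):
        print(f"[!] {user} logged on as {ws} but from {ip}")
    for ip, users in sources_with_many_accounts(SAMPLE_EVENTS).items():
        print(f"[!] {ip} authenticated {len(users)} accounts: {', '.join(users)}")
    print("4625 NTLM failures by source:", failed_ntlm_by_source(SAMPLE_EVENTS))
```

Feed it records exported from the Security log (for example a KQL `SecurityEvent | where EventID in (4624, 4625)` export converted to dicts) and replace `INVENTORY` with your CMDB or DHCP lease data; the threshold for the second check should be tuned per environment, since legitimate jump hosts and scanners also authenticate many accounts from one address.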
