
Multi-Vector Credential Heist: NWHStealer, notnullOSX, and Chrome Extension Botnets — OTX Pulse Analysis

Security Arsenal Team
April 16, 2026
6 min read

Date: 2026-04-17
Analyst: Security Arsenal Threat Intelligence Unit


Threat Summary

Current OTX pulse data indicates a convergence of high-volume credential theft operations targeting both consumer and enterprise environments. Adversaries are working a broad attack surface: a vulnerability in a development tool (CVE-2026-39987 in marimo notebooks), social engineering campaigns that trick users into running commands (ClickFix), and typosquatting on legitimate platforms (HuggingFace).

The collective objective of these campaigns is financial theft, specifically from cryptocurrency wallets (notnullOSX, NWHStealer) and banking sessions (ClickFix Chrome extension). A notable infrastructure overlap is the abuse of legitimate cloud services for command-and-control (C2), specifically HuggingFace Spaces, alongside shared web infrastructure (cloudapi.stream).


Threat Actor / Malware Profile

1. NWHStealer (Windows)

  • Distribution: Fake VPN sites (e.g., get-proton-vpn.com), gaming mods, and hardware utilities hosted on GitHub/GitLab clones.
  • Payload Behavior: Targets browser data (cookies, passwords), cryptocurrency wallets, and saved credentials.
  • C2 Communication: Standard HTTP/HTTPS to hardcoded domains; distinct from the NKN blockchain C2 used by NKAbuse below.

2. notnullOSX (macOS)

  • Actor: alh1mik (formerly 0xFFF).
  • Targeting: Exclusively targets macOS users with >$10k in crypto holdings.
  • Distribution: "ClickFix" social engineering (fake browser error prompts) and malicious DMG files.
  • Behavior: Modular stealer written in Go.

3. Malicious Chrome Extension Campaign

  • Infrastructure: Shared C2 at cloudapi.stream and 144.126.135.238.
  • Scope: 108 extensions, ~20k installs. 54 extensions target Google OAuth2 identities; others exfiltrate Telegram sessions.
  • Brazilian Banking Variant (BCB): Uses Chrome Browser Cloud Management enrollment tokens to force-install malicious extensions without user interaction. Because the extension arrives as browser policy rather than as a dropped executable, conventional AV has nothing to flag.

4. NKAbuse / kagent (Blockchain Botnet)

  • Vector: Exploits CVE-2026-39987 in marimo Python notebooks.
  • C2: Uses the NKN blockchain network for command and control, which makes the C2 traffic harder to identify and block than connections to a fixed domain or IP.

IOC Analysis

The provided indicators offer immediate blocking opportunities:

  • Domains & URLs: High-value indicators include cloudapi.stream (shared C2 for Chrome extensions), get-proton-vpn.com (NWHStealer), and xpie348.online (Brazilian ClickFix). The URL http://144.126.140.33:3000 serves as an open C2 panel.
  • IP Addresses: 144.126.135.238 and 144.126.140.33 are critical infrastructure nodes associated with the Chrome extension and Brazilian banking campaigns, respectively.
  • File Hashes: Multiple MD5 and SHA256 hashes are provided for NWHStealer and notnullOSX. Load these into EDR/AV blocklists and sweep endpoints for matches.

SOC Operationalization:

  1. Blocklist: Immediately add all listed domains and IPs to perimeter firewalls and secure web gateways (SWG).
  2. OAuth Token Revocation: Investigate and revoke OAuth grants issued to applications associated with cloudapi.stream.
  3. Asset Inventory: Scan for marimo notebook instances exposed to the internet.
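The blocklist step above is only as good as the matching logic behind it. The following added example (written for this page, not tooling from the OTX pulses or from Security Arsenal) matches proxy-style log lines against the domain and IP indicators listed in the IOC Analysis. It does what the Sigma and KQL rules further down express, with two details a naive substring match gets wrong: a domain IOC must match itself and its subdomains (crm.cloudapi.stream) but not unrelated names that merely contain the string (notcloudapi.stream), and URLs with ports (http://144.126.140.33:3000) must be reduced to the bare host before comparison. The log lines are constructed.

```python
"""Match network log records against the domain and IP indicators from this
report. Added example for this page, not code from the OTX pulses or from
Security Arsenal; the sample log lines below are constructed."""
from __future__ import annotations

import ipaddress
from typing import NamedTuple
from urllib.parse import urlsplit

# Domain and IP indicators quoted in the IOC Analysis section of this report.
IOC_DOMAINS = {
    "cloudapi.stream",       # shared Chrome-extension C2 (subdomains included)
    "get-proton-vpn.com",    # NWHStealer fake VPN site
    "xpie348.online",        # Brazilian ClickFix
}
IOC_IPS = {
    ipaddress.ip_address("144.126.135.238"),  # Chrome-extension C2
    ipaddress.ip_address("144.126.140.33"),   # Brazilian banking C2 panel (:3000)
}


class Hit(NamedTuple):
    line_no: int
    host: str
    indicator: str
    kind: str  # "domain" or "ip"


def host_from_target(target: str) -> str:
    """Reduce a destination field (URL, host:port, bare host or IP literal)
    to a lower-case hostname or IP string with any port stripped."""
    target = target.strip().lower()
    if "://" not in target:
        target = "//" + target  # makes urlsplit treat it as a netloc
    host = urlsplit(target).hostname or ""
    return host.rstrip(".")


def match_domain(host: str) -> str | None:
    """Return the matching indicator when host equals it or is a subdomain.
    The '.' boundary is what keeps 'notcloudapi.stream' from matching
    'cloudapi.stream', which a plain substring test (Sigma |contains) would."""
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def match_ip(host: str) -> str | None:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(ip) if ip in IOC_IPS else None


def scan(lines: list[str], target_field: int = 2) -> list[Hit]:
    """Scan whitespace-separated log lines, taking column `target_field`
    as the destination (URL or host[:port])."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        cols = line.split()
        if len(cols) <= target_field:
            continue
        host = host_from_target(cols[target_field])
        if (m := match_domain(host)):
            hits.append(Hit(n, host, m, "domain"))
        elif (m := match_ip(host)):
            hits.append(Hit(n, host, m, "ip"))
    return hits


# Constructed proxy-style log lines: timestamp, source IP, destination.
SAMPLE_LOG = [
    "2026-04-17T09:01:11Z 10.0.5.21 https://crm.cloudapi.stream/api/v1/sync",
    "2026-04-17T09:01:12Z 10.0.5.21 https://notcloudapi.stream/",
    "2026-04-17T09:02:40Z 10.0.5.33 http://144.126.140.33:3000/login",
    "2026-04-17T09:03:05Z 10.0.5.33 https://www.google.com/",
    "2026-04-17T09:04:19Z 10.0.5.40 GET-PROTON-VPN.COM:443",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.host} -> {h.kind} IOC {h.indicator}")
```

Run against the sample, lines 1, 3 and 5 are reported and line 2 is correctly left alone. Point `scan()` at real proxy or DNS logs by adjusting `target_field` to the column that carries the destination.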

Detection Engineering

Sigma Rules

YAML
---
title: Potential Malicious Chrome Extension Connection to Cloudapi C2
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects network connections to known malicious C2 infrastructure used by the infostealer Chrome extension campaign and the Brazilian ClickFix variant. Matches on both hostname and IP, since Sysmon only populates DestinationHostname when DNS lookup is enabled.
status: experimental
date: 2026-04-17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/661f7e1d85f5a0d6c1d8e9f0
tags:
    - attack.credential_access
    - attack.collection
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection_domain:
        # 'contains' already covers subdomains such as crm.cloudapi.stream; it will also
        # match any unrelated name that merely contains the string, so review hits.
        DestinationHostname|contains:
            - 'cloudapi.stream'
            - 'multiaccount.cloudapi.stream'
            - 'crm.cloudapi.stream'
            - 'xpie348.online'
    selection_ip:
        DestinationIp:
            - '144.126.135.238'
            - '144.126.140.33'
    condition: 1 of selection_*
falsepositives:
    - Unlikely; these are dedicated attacker domains and hosts
level: critical

---
title: NWHStealer Fake VPN Process Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects execution of installer-like binaries from user-writable download and temp directories, the pattern used by NWHStealer's fake VPN and gaming-mod lures. The image names are generic, so expect noise and tune on signer and parent process.
status: experimental
date: 2026-04-17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/661e9a0b85f5a0d6c1d8e9e5
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\vpn-client.exe'
            - '\proton-vpn-setup.exe'
            - '\installer.exe'
    selection_path:
        # Match on the image path itself as well as CurrentDirectory: the latter is the
        # working directory and need not be where the binary actually sits.
        - Image|contains:
            - '\Downloads\'
            - '\Temp\'
        - CurrentDirectory|contains:
            - '\Downloads\'
            - '\Temp\'
    condition: all of selection_*
falsepositives:
    - Legitimate VPN and other software installers run from the Downloads folder
level: high

---
title: Chrome Extension Force-Install Policy Written to Registry (ClickFix BCB)
id: 2b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects registry writes to the Chrome ExtensionInstallForcelist policy key, used in the Brazilian ClickFix campaign to push malicious extensions without user interaction. Each value has the form '<extension id>;<update url>'; an update URL other than the Chrome Web Store's means the CRX is served from whoever controls that host. Extensions delivered through Chrome Browser Cloud Management after token enrollment need not touch this key, so pair this rule with monitoring of the CloudManagementEnrollmentToken value.
status: experimental
date: 2026-04-17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/661e9a0b85f5a0d6c1d8e9e4
tags:
    - attack.persistence
    - attack.t1176
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Path without the hive prefix so both HKLM and HKU (per-user policy) writes match
        TargetObject|contains: '\Policies\Google\Chrome\ExtensionInstallForcelist'
    filter_allowlist:
        Details|startswith: 'ghbmnnjooekpmoecnnnilnnbdlolhkhi' # Google Docs Offline; extend with the corporate extension allowlist
    condition: selection and not filter_allowlist
falsepositives:
    - Extensions deployed by IT through Group Policy or MDM; add their IDs to the filter
level: high
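The force-install rule above fires on any write to the policy key, so the analyst still has to decide which entries are hostile. The following added example (written for this page, not from the report or from Google) shows the triage logic for the `Details` field of those events: it parses the `<extension id>;<update url>` value format Chrome documents for ExtensionInstallForcelist, validates the ID shape, compares it against a hypothetical corporate allowlist, and flags any update URL that is not the Chrome Web Store's, since a force-installed extension served from elsewhere is exactly the BCB pattern. The allowlist, the non-Google extension IDs and the events are constructed.

```python
"""Triage Chrome ExtensionInstallForcelist values from registry_set events.
Added example for this page, not code from the report or from Google; the
allowlist, the sample events and the non-Google extension IDs are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Chrome extension IDs are 32 characters from the range a-p (a hex digest
# written with letters in place of 0-f).
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# Update URL of extensions that come from the Chrome Web Store.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Hypothetical corporate allowlist; ghbmnnjooekpmoecnnnilnnbdlolhkhi is the
# Google Docs Offline ID used in the Sigma filter above.
CORPORATE_ALLOWLIST = {"ghbmnnjooekpmoecnnnilnnbdlolhkhi"}


@dataclass
class Verdict:
    ext_id: str
    update_url: str | None
    reasons: list[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_forcelist_value(details: str) -> tuple[str, str | None]:
    """Values are '<id>' or '<id>;<update_url>' (update_url optional for Web Store items)."""
    ext_id, _, update_url = details.strip().partition(";")
    return ext_id.strip(), (update_url.strip() or None)


def triage(details: str, allowlist: set[str] = CORPORATE_ALLOWLIST) -> Verdict:
    ext_id, update_url = parse_forcelist_value(details)
    reasons: list[str] = []
    if not EXT_ID_RE.match(ext_id):
        reasons.append("malformed extension id")
    if ext_id not in allowlist:
        reasons.append("id not on corporate allowlist")
    if update_url is not None and update_url != WEBSTORE_UPDATE_URL:
        # A non-Web-Store update_url means the CRX is fetched from whoever runs
        # that host, which is how a sideloaded malicious extension is delivered.
        reasons.append(f"non-Web-Store update_url {update_url}")
    return Verdict(ext_id, update_url, reasons)


def triage_events(events: list[tuple[str, str]]) -> list[tuple[str, Verdict]]:
    """Apply triage() to (TargetObject, Details) pairs that touch the forcelist key."""
    return [(target, triage(details))
            for target, details in events
            if "ExtensionInstallForcelist" in target]


# Constructed Sysmon registry_set style events: (TargetObject, Details).
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "ghbmnnjooekpmoecnnnilnnbdlolhkhi;https://clients2.google.com/service/update2/crx"),
    # Hypothetical ID and update host: force-installed from a non-Web-Store CRX server.
    (r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\2",
     "abcdefghijklmnopabcdefghijklmnop;https://cdn.example.invalid/update.xml"),
    # Hypothetical ID, per-user hive, no update_url given.
    (r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "aaaaaaaabbbbbbbbccccccccdddddddd"),
]

if __name__ == "__main__":
    for target, v in triage_events(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.ext_id}  {target}  {'; '.join(v.reasons)}")
```

On the sample, the Google Docs Offline entry passes, the second entry is flagged both for the unknown ID and the non-Web-Store update URL, and the third for the unknown ID alone. Feed the function the `Details` field from your SIEM's registry_set events to get the same verdicts at scale.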

KQL (Microsoft Sentinel / Defender Advanced Hunting)

// Hunt for network connections to malicious infrastructure and IOCs
let MaliciousDomains = dynamic(['cloudapi.stream', 'xpie348.online', 'get-proton-vpn.com', 'vpn-proton-setup.com']);
let MaliciousIPs = dynamic(['144.126.135.238', '144.126.140.33', '83.217.209.88', '111.90.145.139']);
DeviceNetworkEvents
// has_any matches subdomains (crm.cloudapi.stream) and full URLs; 'in' would need an exact match
| where RemoteUrl has_any (MaliciousDomains) or RemoteIP in (MaliciousIPs)
| extend Timestamp = TimeGenerated
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessSHA256, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt: Chrome Extension Force-Install and Suspicious File Presence
Write-Host "Starting Hunt for Chrome Extension Persistence and Malicious Files..." -ForegroundColor Cyan

# 1. Check for Force-Installed Chrome Extensions (ClickFix/Banking Campaign).
#    The policy can live under HKLM or HKCU; each value holds "<extension id>;<update url>".
$RegPaths = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    "HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
)
foreach ($RegPath in $RegPaths) {
    if (Test-Path $RegPath) {
        $Key = Get-Item $RegPath
        Write-Host "[ALERT] Force-install policy present at $RegPath" -ForegroundColor Red
        foreach ($Name in $Key.GetValueNames()) {
            # Print the value data (the extension id and update URL), not just the value name (1, 2, 3 ...)
            Write-Host ("  {0} = {1}" -f $Name, $Key.GetValue($Name)) -ForegroundColor Yellow
        }
    } else {
        Write-Host "[INFO] No force-install Chrome policy at $RegPath" -ForegroundColor Green
    }
}

# A Chrome Browser Cloud Management enrollment token (the BCB technique) is a single policy value;
# extensions pushed through cloud management need not appear in ExtensionInstallForcelist, so check it too.
$Token = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name CloudManagementEnrollmentToken -ErrorAction SilentlyContinue
if ($Token) {
    Write-Host "[ALERT] CloudManagementEnrollmentToken is set: $($Token.CloudManagementEnrollmentToken)" -ForegroundColor Red
}

# 2. Scan for the NWHStealer/notnullOSX SHA256 hashes listed in the pulses
$TargetHashes = @(
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913",
    "401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959"
)

Write-Host "Scanning drive C: for known malicious hashes (files under 50 MB; this takes a while)..."
# -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 -and $_.Length -lt 50MB } |
    ForEach-Object {
        $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Hash -and $TargetHashes -contains $Hash) {
            Write-Host "[MALWARE FOUND] $($_.FullName) matches known malicious hash." -ForegroundColor Red
        }
    }

Write-Host "Hunt Complete."


---

Response Priorities

Immediate (0-24 hours)

  • Network Blocking: Block all domains and IPs listed in the IOC Analysis at the perimeter and proxy level.
  • Endpoint Isolation: Isolate any endpoints returning positive hits for the provided file hashes or connecting to cloudapi.stream.
  • Browser Extension Audit: Emergency audit of all installed Chrome extensions across the organization. Remove any extensions not on the corporate allow-list.

24-48 Hours

  • Identity Assessment: If credential-stealing malware (NWHStealer/notnullOSX) is suspected, force password resets for high-privilege accounts and revoke OAuth grants and active sessions for corporate Google accounts.
  • Credential Rotation: Rotate API keys and SSH keys found on developer workstations, particularly on hosts running marimo or other Python notebook environments.

1 Week

  • Architecture Hardening: Implement strict application allow-listing (AppLocker or WDAC) to prevent execution of unsigned binaries from user-writable directories (Downloads, AppData\Local\Temp).
  • Supply Chain Security: Review external access policies to repositories like HuggingFace and enforce strict pre-approval for Python notebook dependencies.
