Recent OTX pulses indicate a coordinated surge in credential harvesting campaigns targeting cloud infrastructure, financial systems, and cryptocurrency assets. The intelligence highlights the emergence of NadMesh, a product-grade Go-based botnet autonomously scanning and exploiting AI infrastructure and cloud services (Kubernetes, Docker, Redis) to harvest credentials. Concurrently, the Kratos PhaaS platform is intensifying attacks on Microsoft 365 users across the US and EU, utilizing sophisticated anti-bot techniques to harvest login credentials. In the APAC region, threat actors are leveraging Remcos RAT via GST-themed phishing campaigns employing bitmap steganography to evade detection. Additionally, the OkoBot framework has been identified targeting cryptocurrency wallets through PowerShell loaders and SSH tunneling. Collectively, these pulses reveal a multi-vector threat landscape focused on identity compromise and service hijacking.
Threat Actor / Malware Profile
NadMesh (Botnet)
- Type: Industrial-grade Go-based Botnet
- Distribution: Autonomous scanning of over 90 cloud provider address ranges.
- Behavior: Targets AI infrastructure and cloud services (Redis, Docker, MCP, Kubernetes). Utilizes 20+ exploitation vectors, including specific CVEs (e.g., CVE-2016-0638), to gain access and harvest credentials.
- Persistence: Scans for exposed services and establishes C2 via specific domains (e.g.,
cdnorigin.net).
Remcos RAT
- Type: Remote Access Trojan
- Distribution: Malicious RAR archives distributed via GST refund phishing emails targeting Indian entities.
- Behavior: Uses a multi-stage .NET infection chain. Employs bitmap steganography to hide payloads and fileless execution techniques to evade AV.
- Persistence: Uses dynamic DNS for C2 communication and standard persistence mechanisms common to RATs.
OkoBot Framework
- Type: Modular Cryptocurrency Stealer
- Distribution: Fake software on GitHub or "ClickFix" attacks delivering PowerShell scripts (TookPS).
- Behavior: Deploys over 20 malicious modules, including browser extension injectors (Rilide) and SSH tunneling utilities (HDUtil) to siphon cryptocurrency wallet data.
- Persistence: Establishes SSH tunnels and injects malicious browser extensions.
Kratos PhaaS
- Type: Phishing-as-a-Service
- Distribution: Links to convincing Microsoft 365 login pages.
- Behavior: Uses trusted platforms and anti-bot verification (e.g., Cloudflare turnstiles) to evade automated analysis and harvest M365 credentials.
- Persistence: N/A (Web-based credential theft).
IOC Analysis
The provided IOCs include a mix of network infrastructure and file artifacts:
- Domains & Hostnames: Key indicators for blocking include
cdnorigin.net(NadMesh),buenne.de(Kratos), andcoffeesaloon.online(OkoBot). SOC teams should immediately block these at the proxy/DNS firewall level. - File Hashes: A significant number of MD5 hashes are provided for Remcos RAT and OkoBot components. These should be uploaded to EDR solutions for blacklist matching.
- IP Addresses:
209.99.186.235is identified as NadMesh infrastructure. - CVEs:
CVE-2016-0638is specifically cited by NadMesh, suggesting specific vulnerability scanning behavior.
Detection Engineering
---
title: Potential NadMesh Botnet C2 Activity
id: 2026/07/18/001
description: Detects network connections to known NadMesh botnet C2 infrastructure or suspicious domains associated with cloud exploitation.
author: Security Arsenal
date: 2026/07/18
status: experimental
references:
- https://blog.xlab.qianxin.com/nadmesh-botnet-analysis-a-product-grade-threat-for-the-ai-service-era-en/
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
detection:
selection:
dest.ip:
- '209.99.186.235'
dest.domain|contains:
- 'cdnorigin.net'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Remcos RAT & OkoBot Hash Detection
id: 2026/07/18/002
description: Detects execution of files with known hashes associated with Remcos RAT and OkoBot malware families.
author: Security Arsenal
date: 2026/07/18
status: experimental
references:
- https://www.seqrite.com/blog/behind-the-refund-from-gst-phishing-to-remcos-rat-through-a-multi-stage-net-infection-chain/
- https://securelist.com/okobot-framework-targets-cryptocurrency-wallets/120660/
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
detection:
selection_hash:
md5|contains:
- '07d7d21c2c0920d198efb9ea54900a80'
- '20476f3a51dfddf3dc0603fc7858d894'
- 'b07d451ee65a1580f20a784c8f0e7a46'
- '187a1f68ae786e53d3831166dc84e6d2'
condition: selection_hash
falsepositives:
- Unlikely
level: high
---
title: Kratos PhaaS Access Patterns
id: 2026/07/18/003
description: Identifies potential access to known Kratos PhaaS infrastructure targeting Microsoft 365 credentials.
author: Security Arsenal
date: 2026/07/18
status: experimental
references:
- https://any.run/cybersecurity-blog/kratos-phaas-account-takeover/
tags:
- attack.credential_access
- attack.t1566.002
logsource:
category: proxy
detection:
selection_domains:
dest.domain|endswith:
- 'buenne.de'
- 'enerdizerandtron.de'
- 'ihrsupportcenter.de'
- 'rundwasser.de'
- 'sonnenbrillenspot.de'
- 'abal.my'
condition: selection_domains
falsepositives:
- Legitimate access to these specific domains (if any)
level: medium
kql
// Hunt for connections to NadMesh, OkoBot, and Kratos infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
"cdnorigin.net",
"buenne.de",
"enerdizerandtron.de",
"coffeesaloon.online",
"livewallpapers.online",
"2baserec2.guru"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
// Hunt for Remcos and OkoBot file hashes
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (
"fc4109f5dd1d30b65dd60e57dc639ac1d313bfa5241e36e61fbc4aabc1cda482", // NadMesh SHA256
"31c69b3e12936abca770d430066f379ec1d997ec" // NadMesh SHA1
)
or MD5 in (
"07d7d21c2c0920d198efb9ea54900a80",
"20476f3a51dfddf3dc0603fc7858d894",
"b07d451ee65a1580f20a784c8f0e7a46",
"d84e8dc509308523e0209d3cd3544619"
)
| project Timestamp, DeviceName, FileName, FolderPath, MD5, SHA256, AccountName
powershell
# PowerShell script to hunt for NadMesh and OkoBot IOCs on endpoints
# Requires Administrator privileges
$MaliciousHashes = @(
"07d7d21c2c0920d198efb9ea54900a80",
"20476f3a51dfddf3dc0603fc7858d894",
"2a34bdd25b404737ee5d3b52bf0b3b70",
"3757dccb2adae65ccdf8d5e5c948b927",
"7842d12d9e37c75076133be5b9904cb2",
"cc34d9760394104ad47877a0d57e9c63",
"b07d451ee65a1580f20a784c8f0e7a46",
"187a1f68ae786e53d3831166dc84e6d2",
"d84e8dc509308523e0209d3cd3544619",
"83e6b8fcb92a0b13e109301f8ff649cf",
"ca024acead8f54cfe5b07ac4bdf7fcea"
)
$C2Domains = @(
"cdnorigin.net",
"coffeesaloon.online",
"livewallpapers.online",
"2baserec2.guru",
"kbeautyreviews.com"
)
Write-Host "[*] Scanning for known malicious file hashes..."
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.Length -gt 0 } |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (MD5: $hash)" -ForegroundColor Red
}
}
Write-Host "[*] Checking DNS cache for C2 domains..."
Get-DnsClientCache | Where-Object { $C2Domains -contains $_.Entry } |
Select-Object Entry, Data, Type |
ForEach-Object {
Write-Host "[!] SUSPICIOUS DNS ENTRY: $($_.Entry) -> $($_.Data)" -ForegroundColor Yellow
}
Response Priorities
Immediate Actions:
- Block all IOCs (IPs, Domains, Hashes) at perimeter firewalls, proxies, and EDR systems.
- Isolate endpoints exhibiting behavior associated with Remcos RAT or OkoBot (PowerShell -> SSH tunnel).
- Scan cloud environments (Kubernetes/Docker/Redis) for signs of NadMesh exploitation (specifically CVE-2016-0638).
24-Hour Actions:
- Initiate credential resets for any users who may have interacted with the GST phishing emails or Kratos PhaaS landing pages.
- Review Microsoft 365 Unified Audit Logs for failed login attempts originating from Kratos-infrastructure-associated geolocations.
- Audit browser extensions on corporate assets to identify unauthorized injectors (Rilide).
1-Week Actions:
- Harden cloud infrastructure: patch CVE-2016-0638 and restrict exposure of Redis/Docker/Kubernetes management ports to the internet.
- Implement email filtering rules for GST-themed phishing and M365 lookalike domains.
- Conduct a review of PowerShell execution policies and logging to detect ClickFix-style attacks.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.