
Needle C2, PCPJack Cloud Worm & Beagle Backdoor: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 12, 2026
6 min read

Recent OTX Pulse data highlights a convergence of high-risk threats targeting enterprise credentials and cryptocurrency assets. The intelligence reveals three distinct active campaigns:

  1. Needle (ThreatNeedle/RustyStealer): A Malware-as-a-Service (MaaS) platform specifically designed to pilfer cryptocurrency keys. It employs sophisticated browser extension spoofing (MetaMask, Phantom, Trust Wallet) and a Rust-based desktop agent impersonating hardware wallet interfaces (Exodus, Trezor, Ledger).
  2. PCPJack: A self-propagating cloud worm leveraging the Sliver C2 framework. It actively evicts the previous threat actor "TeamPCP" from compromised environments while harvesting credentials from cloud platforms, containers, and developer tools.
  3. Beagle/DonutLoader: A social engineering campaign utilizing a fraudulent "Claude AI" website to distribute a backdoor. The infection chain relies on DLL sideloading via a legitimate, signed G DATA antivirus updater.

Collectively, these threats emphasize a shift toward modular, credential-focused attack chains targeting both end-user financial assets and cloud infrastructure identities.

Threat Actor / Malware Profile

Needle (ThreatNeedle / RustyStealer)

  • Distribution: Malicious browser extensions and fake desktop wallet applications.
  • Behavior: modular payload capable of swapping wallet addresses during transactions (clipboard hijacking/wallet spoofer) and directly extracting stored keys.
  • C2 Communication: Reports indicate the C2 infrastructure details were left embedded in the malware binaries, which allowed researchers to recover and decrypt the C2 protocol.
  • Persistence: Browser extension persistence and fake application installations.

PCPJack

  • Distribution: Exploits cloud-facing vulnerabilities (the CVEs listed under IOC Analysis) to propagate across Kubernetes and Docker environments.
  • Behavior: Systematically removes artifacts of the "TeamPCP" actor while harvesting credentials from cloud metadata services, config files, and productivity apps.
  • C2 Communication: Utilizes the Sliver C2 framework, known for its encrypted beaconing and strong OPSEC capabilities.

Beagle (DonutLoader)

  • Distribution: Malvertising via a fake Claude AI download site (claude-pro[.]com). Payload delivered as a 505MB ZIP archive.
  • Behavior: Uses DonutLoader shellcode to load the Beagle backdoor in memory. The loader is introduced by DLL sideloading into a legitimate, signed G DATA updater process, so the malicious code runs under a trusted signed parent and evades controls that trust the signature alone.

IOC Analysis

The provided indicators span multiple vectors requiring different detection priorities:

  • Network Infrastructure:
    • 130.12.180.135 (Needle C2)
    • lastpass-login-help[.]com (PCPJack credential harvesting)
    • claude-pro[.]com (Beagle distribution)
  • File Hashes: SHA256 and MD5 hashes provided for PCPJack components and Needle payloads. These should be blocklisted on endpoints and scanned for in EDR telemetry, matching each hash against the field of the same algorithm.
  • Vulnerabilities: PCPJack exploits specific CVEs (CVE-2025-29927, CVE-2025-48703, CVE-2025-55182, CVE-2026-1357). SOC teams must prioritize patching these flaws in cloud environments.

Operational Guidance: SOCs should immediately load these IOCs into blocklists. Given the DLL sideloading technique in the Beagle campaign, allow-listing based solely on certificate validity (G DATA) is insufficient; behavioral analysis of signed binaries is required.
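The IOC handling described above, as an added example that is not code from this page or from the OTX pulse: a small Python matcher that refangs the defanged domains, matches hostnames label by label so that a look-alike such as claude-pro.com.example.org does not hit, and keys the mixed SHA256/MD5 hash list by algorithm so each digest is only compared against the matching field. The indicator values are the ones listed on this page; the sample events are constructed for illustration.

```python
"""IOC normalization and matching for the indicators in this pulse.

Added example (not from the OTX pulse or the Security Arsenal page).
The indicator values are the ones published on the page; SAMPLE_EVENTS
are constructed telemetry, not real observations.
"""
import re

# Indicators as published on the page. Domains are defanged with [.]
# in the prose, so the matcher accepts either form.
IOC_DOMAINS = ["claude-pro[.]com", "lastpass-login-help.com"]
IOC_IPS = ["130.12.180.135"]
IOC_HASHES = [
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "b8e7288656eca9750a5490aa96d3594b",
]

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(indicator: str) -> str:
    """Turn 'claude-pro[.]com' / 'hxxp://...' back into a matchable value."""
    value = indicator.strip().lower()
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    value = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), value)
    return value


def defang(indicator: str) -> str:
    """Defang for reports: dots become [.] so the value is not clickable."""
    return indicator.replace(".", "[.]")


def hash_index(hashes):
    """Group hashes by algorithm so a mixed list is compared against the
    right field (an MD5 value can never equal a SHA-256 value)."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip().lower()
        algo = HASH_ALGOS.get(len(h))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not a hex MD5/SHA-1/SHA-256 digest: {h!r}")
        index[algo].add(h)
    return index


def domain_matches(hostname: str, ioc_domains) -> bool:
    """True if hostname is an IOC domain or a subdomain of one.

    Label-aware on purpose: 'claude-pro.com.example.org' must NOT match,
    which a plain substring test would get wrong.
    """
    host = refang(hostname).rstrip(".")
    for d in ioc_domains:
        d = refang(d).rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def match_event(event: dict, domains=IOC_DOMAINS, ips=IOC_IPS, hashes=IOC_HASHES):
    """Return the list of IOC types an event hits ('domain', 'ip', 'md5', ...)."""
    hits = []
    if event.get("remote_host") and domain_matches(event["remote_host"], domains):
        hits.append("domain")
    if event.get("remote_ip") in {refang(i) for i in ips}:
        hits.append("ip")
    idx = hash_index(hashes)
    for algo in ("md5", "sha1", "sha256"):
        value = (event.get(algo) or "").lower()
        if value and value in idx[algo]:
            hits.append(algo)
    return hits


# Constructed sample telemetry (documentation IP ranges, not real hosts).
SAMPLE_EVENTS = [
    {"host": "ws01", "remote_host": "www.claude-pro.com", "remote_ip": "203.0.113.10"},
    {"host": "ws02", "remote_host": "claude-pro.com.example.org", "remote_ip": "203.0.113.11"},
    {"host": "ws03", "remote_host": "api.example.net", "remote_ip": "130.12.180.135"},
    {"host": "ws04", "md5": "B8E7288656ECA9750A5490AA96D3594B"},
    {"host": "ws05", "sha256": "E41C635E4C3514E266D143D544AD1ABDE5DB3DCFE6CCCDF9BB7A218003F8AB6A"},
]


def triage(events=SAMPLE_EVENTS):
    """Map host -> IOC hit types, only for hosts with at least one hit."""
    result = {}
    for e in events:
        hits = match_event(e)
        if hits:
            result[e["host"]] = hits
    return result


if __name__ == "__main__":
    for host, hits in triage().items():
        print(f"{host}: {', '.join(hits)}")
```

Note that ws02 produces no hit: its hostname merely contains the indicator, which is exactly the case a `has_any`/substring check in a SIEM query would over-match.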

Detection Engineering

Sigma Rules

YAML
---
title: Potential Needle Crypto-Stealer Process Masquerading
description: Detects processes named after popular crypto wallets (Exodus, Trezor, Ledger) running from outside the standard Program Files directories, indicative of Needle or RustyStealer fake-wallet activity.
status: experimental
date: 2026/05/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a0b0727952d4f6763b72
tags:
    - attack.defense_evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\exodus.exe'
            - '\trezor.exe'
            - '\ledger.exe'
    filter_legit:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate installations moved to non-standard folders
    - Per-user (Electron/Squirrel) wallet installs under %LOCALAPPDATA%; baseline those paths and verify the binary's signature rather than relying on the path alone
level: high
---
title: Suspicious G DATA Updater DLL Sideloading
description: Detects the G DATA updater process loading a DLL from outside its own install directory and outside the Windows system directories, a behavior associated with the Beagle backdoor campaign using DonutLoader. An updater running from a user-writable path (copied next to the payload) is itself suspicious and is covered because the selection matches on image name only.
status: experimental
date: 2026/05/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a0b0727952d4f6763b72
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\g_update.exe'
    filter_legit:
        ImageLoaded|startswith:
            - 'C:\Program Files\G DATA\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter_legit
falsepositives:
    - Rare development instances of the updater
    - Updater installed to a non-default directory (adjust the filter to the actual install path)
level: critical
---
title: PCPJack Cloud Worm CVE Exploitation Attempt
description: Template for identifying exploitation attempts against the CVEs associated with the PCPJack cloud worm (CVE-2025-29927, CVE-2025-48703, CVE-2025-55182, CVE-2026-1357) in cloud environment logs. The selection below is a placeholder and must be replaced with the request signature of each CVE in the relevant ingress, web server or Kubernetes audit log source before deployment.
status: experimental
date: 2026/05/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6641a0b0727952d4f6763b72
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: cloud
    service: azure
detection:
    selection:
        AadTenantId|startswith: '...'
    condition: selection # Placeholder: replace the selection with exploit-specific log logic for each CVE before use
falsepositives:
    - Vulnerability scanning
level: high
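The two endpoint rules above, run as plain detection logic over constructed Sysmon-style events, as an added example that is not part of the page or the pulse. It applies the same conditions as the Sigma rules, with the image_load filter extended to the Windows system directories (without that, every system DLL the updater maps would fire), and includes a per-user wallet install as a false-positive case to baseline. The image name g_update.exe and the G DATA install directory are taken from the rules above; every other path and file name is constructed.

```python
"""Detection logic of the two endpoint Sigma rules above, applied to
constructed Sysmon-style events. Added example, not from the page or pulse.

Assumptions: 'g_update.exe' and 'C:\\Program Files\\G DATA\\' come from the
Sigma rules above; the per-user wallet install path is the usual
Electron/Squirrel default (%LOCALAPPDATA%) and is assumed here; all other
paths and DLL names in SAMPLE_EVENTS are made up.
"""
from pathlib import PureWindowsPath

WALLET_IMAGES = {"exodus.exe", "trezor.exe", "ledger.exe"}
STANDARD_INSTALL_DIRS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")

UPDATER_IMAGE = "g_update.exe"                  # from the Sigma rule above
UPDATER_DIR = "C:\\Program Files\\G DATA\\"      # from the Sigma rule above
# Directories any legitimately installed Windows process loads system DLLs
# from; without them the image_load rule fires on every kernel32/ntdll load.
WINDOWS_DLL_DIRS = (
    "C:\\Windows\\System32\\",
    "C:\\Windows\\SysWOW64\\",
    "C:\\Windows\\WinSxS\\",
)


def _norm(path: str) -> str:
    """Case-fold and canonicalise a Windows path (no trailing separator)."""
    return str(PureWindowsPath(path)).lower()


def _under(path: str, prefixes) -> bool:
    """True if path lies inside one of the directory prefixes.

    The separator is re-added after normalisation so 'C:\\Program Files\\'
    does not accidentally cover 'C:\\Program Files (x86)\\'.
    """
    p = _norm(path)
    return any(p.startswith(_norm(pre) + "\\") for pre in prefixes)


def masquerading_wallet(event: dict) -> bool:
    """process_creation rule: wallet image name outside Program Files."""
    image = _norm(event["Image"])
    if PureWindowsPath(image).name not in WALLET_IMAGES:
        return False
    return not _under(image, STANDARD_INSTALL_DIRS)


def updater_sideload(event: dict) -> bool:
    """image_load rule with the corrected filter: the updater loading a DLL
    from outside its own install dir and outside the Windows system dirs."""
    if PureWindowsPath(_norm(event["Image"])).name != UPDATER_IMAGE:
        return False
    return not _under(event["ImageLoaded"], (UPDATER_DIR, *WINDOWS_DLL_DIRS))


def run_rules(events):
    """Return [(rule_name, event_id)] for every event that matches a rule."""
    alerts = []
    for ev in events:
        if ev["EventType"] == "process_creation" and masquerading_wallet(ev):
            alerts.append(("needle_wallet_masquerade", ev["id"]))
        elif ev["EventType"] == "image_load" and updater_sideload(ev):
            alerts.append(("gdata_updater_sideload", ev["id"]))
    return alerts


# Constructed sample telemetry; field names follow Sigma's Sysmon mapping.
SAMPLE_EVENTS = [
    {"id": 1, "EventType": "process_creation",
     "Image": r"C:\Users\alice\AppData\Local\Temp\exodus.exe"},
    {"id": 2, "EventType": "process_creation",
     "Image": r"C:\Program Files\Exodus\exodus.exe"},
    # Per-user Electron install: matches the rule as written -> baseline it.
    {"id": 3, "EventType": "process_creation",
     "Image": r"C:\Users\alice\AppData\Local\exodus\app-1.0.0\Exodus.exe"},
    {"id": 4, "EventType": "image_load",
     "Image": r"C:\Program Files\G DATA\g_update.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 5, "EventType": "image_load",
     "Image": r"C:\Program Files\G DATA\g_update.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\extracted_zip\helper.dll"},
    # Updater copied next to the payload (constructed placeholder names).
    {"id": 6, "EventType": "image_load",
     "Image": r"C:\Users\alice\Downloads\extracted_zip\g_update.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\extracted_zip\helper.dll"},
]


if __name__ == "__main__":
    for rule, event_id in run_rules(SAMPLE_EVENTS):
        print(f"{rule}: event {event_id}")
```

Event 3 is the one to look at before deploying the first rule: a per-user wallet install is indistinguishable from a dropped impostor by path alone, so the alert should be enriched with the binary's signature status rather than suppressed by path.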

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Needle, PCPJack and Beagle network indicators
// (Timestamp exists in both Defender and Sentinel MDE tables; use TimeGenerated if your workspace lacks it)
let IOCDomains = dynamic(["lastpass-login-help.com", "claude-pro.com"]);
let IOCIPs = dynamic(["130.12.180.135"]);
DeviceNetworkEvents
| where RemoteIP in (IOCIPs) or RemoteUrl has_any (IOCDomains)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, ActionType
| order by Timestamp desc

// Hunt for the file hashes listed in the pulse (one SHA256 and one MD5; compare each against its own column)
let IOCSha256 = dynamic(["e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a"]);
let IOCMd5 = dynamic(["b8e7288656eca9750a5490aa96d3594b"]);
DeviceFileEvents
| where SHA256 in~ (IOCSha256) or MD5 in~ (IOCMd5)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for Needle, PCPJack, and Beagle Indicators.
.DESCRIPTION
    Checks for wallet-named processes running outside Program Files,
    the SHA256/MD5 file hashes from the pulse, and the DNS client cache
    for the malicious domains. Run elevated so all processes and user
    profiles are visible.
#>

# Hashes from the pulse: one SHA256 and one MD5, kept separate so each is
# compared against the matching digest. Get-FileHash returns uppercase hex;
# -contains is case-insensitive, so no normalisation is needed.
$MaliciousSha256 = @("e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a")
$MaliciousMd5    = @("b8e7288656eca9750a5490aa96d3594b")

# Get-Process .Name carries no extension, so compare on the image file name.
$SuspiciousImages = @("exodus.exe", "trezor.exe", "ledger.exe")
$MaliciousDomains = @("claude-pro.com", "lastpass-login-help.com")

Write-Host "[+] Checking for impersonating wallet processes..." -ForegroundColor Cyan
# Electron-based wallets commonly install per-user under %LOCALAPPDATA%;
# review hits there against the binary's signature before escalating.
Get-Process | Where-Object {
    $_.Path -and
    $SuspiciousImages -contains (Split-Path $_.Path -Leaf) -and
    $_.Path -notmatch '^[A-Za-z]:\\Program Files( \(x86\))?\\'
} | Select-Object ProcessName, Path, Id | Format-Table -AutoSize

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
$PathsToScan = @("C:\Users\", "C:\ProgramData\")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem $Path -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
            $_.Length -gt 0 -and $_.Extension -in @('.exe', '.dll', '.zip')
        } | ForEach-Object {
            $sha256 = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($sha256 -and $MaliciousSha256 -contains $sha256.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND (SHA256): $($_.FullName)" -ForegroundColor Red
                return   # next file
            }
            $md5 = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($md5 -and $MaliciousMd5 -contains $md5.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND (MD5): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
# Match the domain itself and any subdomain (e.g. www.claude-pro.com).
Get-DnsClientCache | Where-Object {
    $entry = $_.Entry
    @($MaliciousDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }).Count -gt 0
} | Select-Object Entry, Data, Type | Format-Table -AutoSize

Response Priorities

Immediate (0-24h)

  • Network Blocking: Block all IPs and domains listed in the IOC section at the perimeter firewall and proxy level.
  • Endpoint Isolation: Isolate any endpoints returning hits for the file hashes (e41c63..., b8e72...) or connecting to 130.12.180.135 or the listed domains.
  • Credential Reset: If credential theft is suspected (PCPJack/Needle), force a reset of cloud service accounts and crypto wallet keys accessed from affected machines.

24h

  • Threat Hunt: Execute the provided PowerShell script across the enterprise fleet to identify latent malware artifacts.
  • Container Audit: Audit Kubernetes and Docker logs for signs of PCPJack exploitation (TeamPCP artifacts or unusual Sliver C2 traffic).
  • Application Control: Implement block-listing rules for the G DATA updater loading unsigned DLLs from non-standard paths to mitigate Beagle variants.

1 Week

  • Vulnerability Management: Patch systems against the specific CVEs leveraged by PCPJack (CVE-2025-29927, CVE-2025-48703, CVE-2025-55182, CVE-2026-1357).
  • Architecture Review: Review cloud security posture to limit lateral movement capabilities (e.g., restricting pod-to-pod communication, enforcing least privilege for service accounts).
