Recent OTX pulses indicate a surge in sophisticated credential theft campaigns targeting both corporate infrastructure and high-value individual crypto wallets. Threat actors are aggressively exploiting supply chain vectors, utilizing trusted platforms like HuggingFace Spaces and GitHub to distribute payloads such as NKAbuse, NWHStealer, and Direct-Sys Loader. Concurrently, nation-state actor APT28 (Fancy Bear) continues its operations against Ukrainian government entities using a specialized Roundcube exploitation toolkit (Operation Roundish). The collective objective across these disparate campaigns is the systematic harvesting of session cookies, cryptocurrency wallet keys, and government credentials, leveraging C2 mechanisms ranging from NKN blockchain nodes to Flask-based web servers.
Threat Actor / Malware Profile
NKAbuse / kagent
- Distribution: Typosquatted HuggingFace Spaces and exploitation of CVE-2026-39987 (Marimo pre-auth RCE).
- Payload Behavior: Deploys a blockchain botnet variant. The malware leverages the NKN blockchain network for Command & Control (C2), making traffic detection difficult via standard IP blocking.
- Persistence: Establishes persistence within the compromised Python notebook environment.
NWHStealer
- Distribution: SEO poisoning and fake websites impersonating legitimate services (Proton VPN), hardware utilities, and gaming mods hosted on GitHub/GitLab.
- Payload Behavior: Targeted theft of browser data, saved passwords, and cryptocurrency wallet information.
- C2 Communication: Standard HTTP/HTTPS to hardcoded domains.
notnullOSX (macOS)
- Actor: alh1mik (formerly 0xFFF).
- Distribution: "ClickFix" social engineering campaigns and malicious DMG files.
- Targeting: Specifically targets macOS users with cryptocurrency holdings exceeding $10,000.
- Behavior: Modular stealer written in Go; exfiltrates wallet keys and browser cookies.
Direct-Sys Loader / CGrabber Stealer
- Distribution: ZIP archives distributed via GitHub user attachment URLs.
- Behavior: A sophisticated five-stage malware chain. It exploits DLL sideloading via a legitimate Microsoft-signed binary (
Launcher_x64.exe). - Techniques: Uses ChaCha20 encryption, direct syscall execution to evade EDR hooks, and multiple anti-analysis checks.
APT28 (Fancy Bear) - Operation Roundish
- Distribution: Exploitation of Roundcube webmail vulnerabilities.
- Toolkit: Includes XSS payloads, CSS injection tools, and a Go-based implant (
SpyPress.Roundish,httd). - Objective: Credential harvesting, persistent mail forwarding, and 2FA secret extraction from government entities.
IOC Analysis
The provided IOCs offer a mix of network and file-based indicators:
- Domains: A high volume of typosquatted domains (e.g.,
get-proton-vpn.com) and C2 domains (e.g.,zhblz.com). These should be blocked immediately at the DNS layer. - IPv4s: Several IPs associated with NKAbuse infrastructure. SOC teams should look for long-lived connections to these IPs on non-standard ports.
- File Hashes: Numerous MD5, SHA1, and SHA256 hashes for loaders and stealer payloads. These should be ingested into EDR solutions for immediate quarantining.
- CVEs: CVE-2026-39987 is critical for patch management prioritization.
Operationalization: SOC teams should ingest the domain and IP lists into firewall blocklists and SIEM correlation engines. File hashes must be added to allowlist/blacklist configurations for endpoint detection tools.
Detection Engineering
Sigma Rules
YAML
---
title: NKAbuse Botnet via Marimo Exploitation
description: Detects potential exploitation of CVE-2026-39987 in Marimo or suspicious Python process spawning related to NKAbuse.
status: experimental
date: 2026/04/18
author: Security Arsenal
detection:
selection:
ParentImage|endswith: '/python'
Image|endswith:
- '/sh'
- '/bash'
- '/python'
condition: selection
falsepositives:
- Legitimate developer usage of Marimo notebooks
level: high
tags:
- attack.execution
- attack.t1059.004
---
title: Direct-Sys Loader DLL Sideloading
description: Detects DLL sideloading technique used by Direct-Sys Loader involving Launcher_x64.exe.
status: experimental
date: 2026/04/18
author: Security Arsenal
detection:
selection:
Image|endswith: '\\Launcher_x64.exe'
ModuleLoaded|contains: '.dll'
filter:
Signed: 'true'
condition: selection and not filter
falsepositives:
- Legitimate use of the signed loader (rare)
level: critical
tags:
- attack.defense_evasion
- attack.t1574.002
---
title: NWHStealer Fake VPN Installer Execution
description: Detects execution of binaries from suspicious paths resembling fake Proton VPN installers.
status: experimental
date: 2026/04/18
author: Security Arsenal
detection:
selection:
Image|contains:
- 'proton'
- 'vpn'
Image|endswith:
- '.exe'
- '.msi'
filter_legit_path:
Image|contains:
- 'Program Files'
- 'Program Files (x86)'
condition: selection and not filter_legit_path
falsepositives:
- Legitimate VPN installation from user downloads
level: medium
tags:
- attack.initial_access
- attack.t1190
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for NWHStealer and NKAbuse Network Indicators
let IOCs = dynamic(["get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu", "zhblz.com", "sinixproduction.com", "evasivestars.com", "111.90.145.139", "160.30.128.96", "185.225.17.176", "38.147.173.172", "83.217.209.88"]);
DeviceNetworkEvents
| where RemoteUrl in IOCs or RemoteIP in IOCs
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
| sort by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt for artifacts associated with NWHStealer, Direct-Sys Loader, and NKAbuse.
.DESCRIPTION
Checks for specific malicious domains in the hosts file and suspicious process executions.
#>
$MaliciousDomains = @("get-proton-vpn.com", "zhblz.com", "sinixproduction.com")
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$SuspiciousProcesses = @("Launcher_x64.exe")
# Check Hosts File for DNS Redirection
if (Test-Path $HostsPath) {
Write-Host "Checking Hosts file for malicious entries..." -ForegroundColor Cyan
$Content = Get-Content $HostsPath
foreach ($Domain in $MaliciousDomains) {
if ($Content -match $Domain) {
Write-Host "[ALERT] Malicious domain found in hosts file: $Domain" -ForegroundColor Red
}
}
}
# Check for Suspicious Processes
Write-Host "Checking for suspicious running processes..." -ForegroundColor Cyan
$Processes = Get-Process
foreach ($Proc in $SuspiciousProcesses) {
$Found = $Processes | Where-Object { $_.ProcessName -like "*$Proc*" }
if ($Found) {
Write-Host "[ALERT] Suspicious process detected: $($Found.ProcessName) (PID: $($Found.Id))" -ForegroundColor Red
}
}
Write-Host "Hunt complete."
Response Priorities
-
Immediate:
- Block all listed domains and IP addresses at the perimeter firewall and proxy.
- Identify and isolate systems communicating with
zhblz.comor NKN blockchain nodes. - Patch CVE-2026-39987 on all exposed Marimo notebook instances immediately.
-
24 Hours:
- Initiate credential resets for users who may have interacted with fake VPN sites or compromised gaming mods.
- Scan endpoints for the file hashes provided (NWHStealer, NKAbuse, Direct-Sys Loader).
- Review Roundcube webmail logs for indicators of Operation Roundish (XSS/CSS injection attempts).
-
1 Week:
- Review and restrict the use of HuggingFace Spaces and GitHub raw user content within the development environment.
- Implement strict application allowlisting for VPN software and hardware utilities.
- Enhance monitoring for direct syscall execution and API unhooking indicators often associated with Direct-Sys Loader.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsnkabusenwhstealerapt28infostealercredential-theft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.