
NKAbuse, notnullOSX & APT28 Roundcube Toolkit: Enterprise Credential Theft & Infostealer Swarm

Security Arsenal Team
April 17, 2026

A massive surge in infostealer activity has been observed via the AlienVault OTX platform, indicating a coordinated shift towards high-value credential theft across multiple operating systems and platforms. Threat actors are aggressively exploiting new vulnerabilities (CVE-2026-39987) in developer tools (marimo), utilizing supply chain poisoning on HuggingFace, and deploying sophisticated loaders (Direct-Sys) to bypass EDR solutions. Concurrently, nation-state actors (APT28) are actively leveraging exposed webmail toolkits to harvest government credentials.

Threat Summary

The collective intelligence from these pulses reveals a multi-front assault on authentication data:

  1. Developer Supply Chain Attack: Attackers are weaponizing the marimo Python notebook platform (CVE-2026-39987) to deploy the NKAbuse blockchain botnet. This highlights a shift from traditional phishing to poisoning development environments via HuggingFace Spaces.

  2. Cross-Platform Credential Harvesting: While Windows remains the primary target via NWHStealer (fake VPNs/Gaming mods) and CGrabber (GitHub DLL sideloading), a significant threat actor (alh1mik) has re-emerged targeting macOS users with >$10k crypto holdings using the notnullOSX stealer.

  3. Nation-State Espionage: APT28 is utilizing an exposed "Operation Roundish" toolkit against Ukrainian government entities, specifically targeting Roundcube webmail via XSS and CSS injection to steal 2FA secrets and emails.

Threat Actor / Malware Profile

| Malware Family | Threat Actor | Distribution | Payload Behavior | C2 & Persistence |
|---|---|---|---|---|
| NKAbuse / kagent | Unknown | CVE-2026-39987 (marimo) via HuggingFace Spaces | Deploys blockchain botnet agent | C2 via NKN blockchain (decentralized); persistence via Python scripts. |
| NWHStealer | Unknown | Fake Proton VPN sites, gaming mods | Steals browser data, passwords, crypto wallets | HTTP C2; persistence via registry Run keys. |
| notnullOSX | alh1mik | ClickFix social engineering, malicious DMGs | Go-written modular stealer targeting crypto wallets | Custom C2; persistence via LaunchAgents/LaunchDaemons. |
| Direct-Sys Loader / CGrabber | Unknown | GitHub user attachments (ZIP archives) | DLL sideloading via Launcher_x64.exe; direct syscalls | ChaCha20-encrypted comms; direct syscalls for anti-analysis. |
| SpyPress.Roundish | APT28 (Fancy Bear) | Roundcube webmail exploitation (XSS) | Credential harvesting, mail forwarding, 2FA extraction | Flask-based C2; persistent via webmail injection. |

IOC Analysis

The current IOC set indicates a high reliance on typosquatting (e.g., get-proton-vpn.com) and legitimate platform abuse (GitHub, HuggingFace).

  • Domains: SOC teams should immediately block all listed typosquatting domains associated with NWHStealer and the APT28 infrastructure (zhblz.com).
  • File Hashes: A large volume of MD5, SHA1, and SHA256 hashes are present for the NWHStealer and notnullOSX families. These should be uploaded to EDR quarantine lists.
  • IP Addresses: Several IPs (e.g., 83.217.209.88, 185.225.17.176) are associated with C2 infrastructure and should be blocked at the perimeter.

Operational Guidance

SOC teams should use YARA rules and EDR hash blocklists to scan for the CGrabber and NKAbuse payloads. Because NKAbuse uses the NKN blockchain for C2, network monitoring should look for anomalous P2P traffic patterns on non-standard ports originating from developer workstations.
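The P2P fan-out check described above, as an added example (not part of the original advisory): it flags hosts whose outbound TCP flows reach many distinct peers on non-standard ports, the traffic shape a decentralized NKN-style C2 produces in flow logs. The flow records, the port threshold and the high port numbers in the sample are constructed; they are not documented NKN ports.

```python
"""Flag developer workstations whose outbound flows show P2P-style fan-out
(many distinct peers on non-standard ports), the traffic shape the NKAbuse
NKN-blockchain C2 produces. Added example; flow records are constructed."""
from collections import defaultdict

# Ports a workstation normally talks to; anything else is treated as non-standard.
STANDARD_PORTS = {22, 53, 80, 123, 443, 465, 587, 993, 8080, 8443}

# Constructed flow records: (src_host, dst_ip, dst_port, proto), TEST-NET addresses.
SAMPLE_FLOWS = (
    # dev-ws-01: nine distinct peers over three high ports (sample values, not real NKN ports)
    [("dev-ws-01", f"198.51.100.{i}", 30000 + (i % 3), "tcp") for i in range(1, 10)]
    + [("dev-ws-01", "203.0.113.10", 443, "tcp"),     # ordinary HTTPS, ignored
       ("dev-ws-01", "224.0.0.251", 5353, "udp")]     # mDNS, dropped by the TCP filter
    # dev-ws-02: mostly HTTPS plus two peers on port 8000, below the threshold
    + [("dev-ws-02", "203.0.113.5", 443, "tcp"), ("dev-ws-02", "203.0.113.6", 443, "tcp"),
       ("dev-ws-02", "192.0.2.7", 8000, "tcp"), ("dev-ws-02", "192.0.2.8", 8000, "tcp")]
)


def p2p_fanout(flows, min_peers=8):
    """Return {host: {"peers": n, "ports": [...]}} for every host that reached at
    least min_peers distinct (ip, port) pairs over TCP on non-standard ports."""
    peers = defaultdict(set)
    for host, ip, port, proto in flows:
        if proto == "tcp" and port not in STANDARD_PORTS:
            peers[host].add((ip, port))
    return {
        host: {"peers": len(p), "ports": sorted({port for _, port in p})}
        for host, p in peers.items() if len(p) >= min_peers
    }


if __name__ == "__main__":
    for host, info in p2p_fanout(SAMPLE_FLOWS).items():
        print(f"[!] {host}: {info['peers']} non-standard-port peers on ports {info['ports']}")
```

Tune min_peers and STANDARD_PORTS to the baseline of your own developer subnet before alerting on the result.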

Detection Engineering

The following detection rules hunt for the specific behaviors observed in the NKAbuse, NWHStealer, and Direct-Sys Loader campaigns.

```yaml
title: Potential CVE-2026-39987 Marimo Exploitation - Shell Spawned by Marimo
date: 2026/04/17
author: Security Arsenal
status: stable
description: Detects potential exploitation of marimo notebooks where the marimo Python process spawns a shell, the usual first step before the NKAbuse payload is dropped.
references:
    - https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\python.exe'
        ParentCommandLine|contains: 'marimo'
    selection_suspicious_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\bash.exe'
    condition: selection_parent and selection_suspicious_child
falsepositives:
    - Legitimate developer usage of marimo launching shells
level: high

---

# Network fields (DestinationIp, DestinationPort) live in the network_connection
# log source, so the NKAbuse C2 check is a separate rule rather than a selection
# inside the process_creation rule above.
title: Potential NKAbuse C2 Connection from Python Process
date: 2026/04/17
author: Security Arsenal
status: stable
description: Detects a Python process (marimo context) connecting to the address ranges associated with NKAbuse C2 infrastructure.
references:
    - https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
tags:
    - attack.command_and_control
logsource:
    category: network_connection
    product: windows
detection:
    selection_process:
        Image|endswith: '\python.exe'
    selection_destination:
        DestinationIp|startswith:
            - '160.30.'
            - '185.225.'
            - '111.90.'
        DestinationPort:
            - 53
            - 80
            - 443
    condition: selection_process and selection_destination
falsepositives:
    - Python tooling legitimately contacting hosts in these ranges
level: high

---

title: Suspicious Launcher_x64.exe DLL Sideloading (Direct-Sys Loader)
date: 2026/04/17
author: Security Arsenal
status: stable
description: Detects the execution pattern associated with Direct-Sys Loader, where the Launcher_x64.exe binary used for DLL sideloading runs or spawns unexpected child processes.
references:
    - https://www.cyderes.com/howler-cell/direct-sys-loader-cgrabber-stealer-five-stage-malware-chain
tags:
    - attack.defense_evasion
    - attack.t1574.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader:
        Image|endswith: '\Launcher_x64.exe'
    selection_child:
        ParentImage|endswith: '\Launcher_x64.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    condition: selection_loader or selection_child
falsepositives:
    - Legitimate software installers using this specific launcher name (rare)
level: critical

---

title: macOS ClickFix Pattern and notnullOSX DMG Execution
date: 2026/04/17
author: Security Arsenal
status: stable
description: Detects the ClickFix social engineering pattern on macOS where a pasted shell one-liner uses curl to download a payload and hdiutil to mount a DMG, associated with notnullOSX distribution.
references:
    - https://moonlock.com/notorious-hacker-returns-notnullosx-stealer
tags:
    - attack.initial_access
    - attack.t1189
logsource:
    category: process_creation
    product: macos
detection:
    # The pasted one-liner runs in a shell whose command line carries both tools
    selection_clickfix:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/zsh'
        CommandLine|contains|all:
            - 'curl'
            - 'hdiutil attach'
    selection_dmg_mount:
        Image|endswith: '/hdiutil'
        CommandLine|contains: 'attach'
        ParentImage|endswith:
            - '/bash'
            - '/sh'
            - '/zsh'
            - '/osascript'
    selection_chain:
        ParentImage|endswith: '/bash'
        Image|endswith: '/bash'
        CommandLine|contains: '.dmg'
    condition: 1 of selection_*
falsepositives:
    - Legitimate admin script mounting disk images
level: medium
```

KQL (Microsoft Sentinel)

Hunt for network connections to known malicious domains and the specific process execution patterns of NWHStealer and Direct-Sys Loader.

```kql
// Hunt for typosquatting domains and suspicious processes on the same device within 30 minutes
let MaliciousDomains = dynamic(["get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu", "sinixproduction.com", "evasivestars.com", "zhblz.com"]);
DeviceNetworkEvents
| where RemoteUrl has_any (MaliciousDomains) or RemoteUrl has "onworks.net"
| project NetTime = Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP, NetProcess = InitiatingProcessFileName
| join kind=inner (
    DeviceProcessEvents
    | where FileName in~ ("powershell.exe", "cmd.exe", "python.exe", "Launcher_x64.exe")
    | project ProcTime = Timestamp, DeviceId, FileName, ProcessCommandLine
) on DeviceId
// Correlate in time as well as by device; a join on DeviceId alone pairs every process with every connection
| where abs(datetime_diff('minute', ProcTime, NetTime)) <= 30
| project NetTime, DeviceName, NetProcess, RemoteUrl, RemoteIP, ProcTime, FileName, ProcessCommandLine
| order by NetTime desc
```

PowerShell Hunt Script

This script checks for the presence of specific artifacts associated with the NKAbuse (marimo context) and Direct-Sys Loader (Launcher_x64.exe) campaigns.

```powershell
<#
.SYNOPSIS
    IOC Hunt Script for Infostealer Campaigns (NKAbuse, Direct-Sys, NWHStealer).
.DESCRIPTION
    Scans the filesystem for the Direct-Sys Loader launcher and compares its MD5
    against the known-bad hashes, checks the hosts file for C2 domains, and
    looks for marimo/NKN related Python scripts.
#>

$ErrorActionPreference = "SilentlyContinue"

# Indicators of Compromise (IOCs) - MD5 hashes from the pulse set
$IOC_Hashes = @(
    "1d36de06a6240919189cb46e0bcccc3c",
    "bdcb5867f73beae89c3fce46ad5185be",
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "50fcf93b14a6898347d1ca2c43e1b180"
)

$IOC_Domains = @(
    "get-proton-vpn.com",
    "vpn-proton-setup.com",
    "newworld-helloworld.icu",
    "zhblz.com",
    "sinixproduction.com"
)

$SuspiciousFiles = @("Launcher_x64.exe")

Write-Host "[+] Starting Hunt for Infostealer IOCs..." -ForegroundColor Cyan

# 1. Check for Suspicious Launcher Files (PowerShell's newline escape is `n, not \n)
Write-Host "`n[*] Checking for Direct-Sys Loader artifacts..." -ForegroundColor Yellow
$PathsToSearch = @("C:\Users\", "C:\ProgramData\", "C:\Temp\")
foreach ($Path in $PathsToSearch) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $SuspiciousFiles -contains $_.Name } |
        ForEach-Object {
            Write-Host "[!] FOUND: $($_.FullName)" -ForegroundColor Red
            $hash = Get-FileHash -Path $_.FullName -Algorithm MD5
            Write-Host "    MD5: $($hash.Hash)"
            # -contains is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase IOC list
            if ($IOC_Hashes -contains $hash.Hash) {
                Write-Host "    [!] HASH MATCHES KNOWN IOC" -ForegroundColor Red
            }
        }
    }
}

# 2. Check Hosts File for C2 Domains
Write-Host "`n[*] Checking Hosts file for malicious domains..." -ForegroundColor Yellow
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $IOC_Domains) {
        # Escape the domain so '.' is matched literally instead of as a regex wildcard
        if ($HostsContent -match [regex]::Escape($Domain)) {
            Write-Host "[!] ALERT: Domain $Domain found in Hosts file." -ForegroundColor Red
        }
    }
}

# 3. Check for Marimo/NKAbuse Python Paths
Write-Host "`n[*] Checking for Marimo/Python exploitation traces..." -ForegroundColor Yellow
$PythonPaths = @("C:\Python*\", "$env:USERPROFILE\AppData\Local\Programs\Python\")
foreach ($PPath in $PythonPaths) {
    # -List stops at the first match per file; -Unique keeps each path once
    Get-ChildItem -Path $PPath -Recurse -Filter "*.py" -ErrorAction SilentlyContinue |
    Select-String -Pattern "marimo|nkn|blockchain" -List |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        Write-Host "[!] SUSPICIOUS PYTHON SCRIPT: $_" -ForegroundColor Red
    }
}

Write-Host "`n[+] Hunt Complete." -ForegroundColor Cyan
```

Response Priorities

  • Immediate:
    • Block all listed IOCs (domains, IPs, hashes) at the perimeter and endpoint.
    • Isolate systems with process executions matching Launcher_x64.exe or marimo exploitation patterns.
    • Patch CVE-2026-39987 immediately across all developer environments.
  • 24 Hours:
    • Initiate credential resets for users who may have interacted with fake VPN sites or gaming mods (NWHStealer).
    • Investigate macOS devices for signs of notnullOSX or ClickFix activity (DMG mounts).
    • Review Roundcube webmail logs for XSS indicators related to APT28 activity.
  • 1 Week:
    • Implement strict egress filtering for P2P/blockchain protocols on developer workstations to mitigate NKAbuse C2.
    • Review and restrict access to personal GitHub/HuggingFace repositories from corporate build pipelines.
    • Enhance email filtering to detect typosquatting domains mimicking VPN providers.
