
NWHStealer, notnullOSX, and APT28 Roundcube: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
April 17, 2026
7 min read

OTX pulses from 2026-04-17 reveal a coordinated surge in credential theft operations targeting both high-value individuals and government infrastructure. The landscape is bifurcated between commodity infostealers and state-sponsored espionage.

Commodity Campaigns: Threat actors are aggressively distributing NWHStealer on Windows via fake VPN sites (e.g., Proton VPN impersonators) and gaming mods. Simultaneously, the notnullOSX stealer, developed by actor alh1mik, specifically targets macOS users with >$10k in crypto assets using ClickFix social engineering. A separate sophisticated chain involves Direct-Sys Loader and CGrabber Stealer, distributed via GitHub to harvest credentials and cryptocurrency via DLL sideloading and direct syscalls.

State-Sponsored Activity: APT28 (Fancy Bear) is actively exploiting Roundcube webmail vulnerabilities using the "SpyPress.Roundish" toolkit to target Ukrainian government entities, focusing on credential harvesting and 2FA secret extraction. Additionally, supply chain poisoning via HuggingFace (CVE-2026-39987) is being used to deploy the NKAbuse blockchain botnet.

Collective Objective: The primary objective across these disparate pulses is the theft of valid credentials (corporate, email, crypto wallets) to facilitate initial access, financial theft, and persistence.

Threat Actor / Malware Profile

| Malware Family / Actor | Distribution Method | Payload Behavior | C2 Communication | Persistence | Anti-Analysis |
|---|---|---|---|---|---|
| NWHStealer | Fake VPN sites, GitHub/GitLab, gaming mods | Steals browser data, saved passwords, crypto wallets. | HTTP/HTTPS to specific domains (e.g., get-proton-vpn.com). | Likely via Run keys / scheduled tasks (standard infostealer). | Unknown/standard. |
| notnullOSX | ClickFix, malicious DMG files | Targets macOS, specifically looks for crypto wallets >$10k. | Custom C2 infrastructure (coockie.pro). | Launch Agents / Login Items. | Go-written, modular. |
| Direct-Sys / CGrabber | GitHub user attachment URLs (ZIP archives). | 5-stage chain; ChaCha20 encryption; direct syscall execution. | Custom protocol; encrypted payloads. | DLL sideloading (via Launcher_x64.exe). | Direct syscalls, anti-analysis checks, sandbox evasion. |
| APT28 (SpyPress.Roundish) | Roundcube webmail exploitation (XSS/CSS injection). | Credential harvest, mail forwarding, address book theft, 2FA extraction. | Flask-based C2 server; Go-based implant (httd). | Webmail persistence (via rules/forwarding). | Polyscripting, XSS obfuscation. |
| NKAbuse | HuggingFace Spaces (CVE-2026-39987). | Blockchain botnet utilizing the NKN network. | NKN blockchain (P2P). | Systemd / service persistence. | Unknown. |

IOC Analysis

The provided indicators span multiple infrastructure types crucial for detection and blocking.

  • Domains & URLs: A high volume of typosquatted domains (e.g., get-proton-vpn.com, vpn-proton-setup.com) and suspicious file hosting URLs (onworks.net, GitHub attachment URLs) are present. SOC teams should immediately push these to DNS sinkholes and Secure Web Gateways (SWG).
  • IPv4 Addresses: Several C2 IPs have been identified (e.g., 111.90.145.139, 83.217.209.88). These should be blocked at the perimeter.
  • File Hashes: A significant list of MD5, SHA1, and SHA256 hashes is available for the payload droppers and loaders. These must be imported into EDR solutions for immediate quarantine.
  • Operationalization: Use SIEM correlation to match DeviceNetworkEvents against the IP/Domain list. Use EDR to scan DeviceFileEvents for the specific SHA256 hashes associated with NWHStealer and CGrabber.
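As an added illustration of the Operationalization step (example code written for this post, not part of the pulse or the detection pack), the matcher below sorts the indicators quoted above by type, then checks EDR-style events field by field, treating any subdomain of a listed domain as a hit. The event field names mirror DeviceNetworkEvents / DeviceFileEvents columns and the sample events are constructed.

```python
import ipaddress
from urllib.parse import urlparse
# Indicators quoted in this roundup: fake VPN / C2 domains, C2 IPs, NWHStealer hashes.
IOCS = [
    "get-proton-vpn.com", "vpn-proton-setup.com", "coockie.pro",
    "111.90.145.139", "83.217.209.88",
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
]
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify(ioc):  # sort one raw indicator into ip / md5 / sha1 / sha256 / domain, lowercased
    v = ioc.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(v)
        return "ip", v
    except ValueError:
        pass
    if len(v) in HASH_ALGOS and all(c in "0123456789abcdef" for c in v):
        return HASH_ALGOS[len(v)], v
    return "domain", v

def build_index(iocs):  # one set per type, so each event field is compared only against its own list
    index = {t: set() for t in ("ip", "domain", "md5", "sha1", "sha256")}
    for ioc in iocs:
        t, v = classify(ioc)
        index[t].add(v)
    return index

def domain_hit(url_or_host, domains):  # listed domain that the host equals or sits under, else None
    host = (urlparse(url_or_host).hostname or "") if "://" in url_or_host else url_or_host
    labels = host.lower().rstrip(".").split(".")
    return next((d for d in (".".join(labels[i:]) for i in range(len(labels))) if d in domains), None)

def scan_event(event, index):  # one EDR-style event (DeviceNetworkEvents / DeviceFileEvents columns)
    hits = [("ip", event["RemoteIP"])] if event.get("RemoteIP") in index["ip"] else []
    parent = domain_hit(event.get("RemoteUrl") or "", index["domain"])
    if parent:  # cdn.get-proton-vpn.com still hits get-proton-vpn.com
        hits.append(("domain", parent))
    for algo in ("md5", "sha1", "sha256"):  # EDR hash columns are usually uppercase; normalize
        h = (event.get(algo.upper()) or "").lower()
        if h in index[algo]:
            hits.append((algo, h))
    return hits

SAMPLE_EVENTS = [  # constructed sample events, not from the pulse: C2 IP, typosquat subdomain, known hash
    {"DeviceName": "ws01", "RemoteIP": "111.90.145.139", "RemoteUrl": ""},
    {"DeviceName": "ws02", "RemoteIP": "203.0.113.7", "RemoteUrl": "https://cdn.get-proton-vpn.com/x.exe"},
    {"DeviceName": "ws03", "SHA256": "2494709B8A2646640B08B1D5D75B6BFB3167540ED4ACDB55DED050F6DF9C53B3"},
]
```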

Detection Engineering

```yaml
---
title: Potential NWHStealer Fake VPN Installation
id: 9c8e1d2a-3f4b-4c5d-9e6f-1a2b3c4d5e6f
description: Detects execution of binaries from paths associated with fake Proton VPN installers or suspicious hardware utilities referenced in NWHStealer campaigns.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660f1a2b3c4d5e6f
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Installer.exe'
            - '\Setup.exe'
        Image|endswith:
            - '\vpn-proton-setup.exe'
            - '\hardware-visualizer.exe'
        CommandLine|contains:
            - '/silent'
            - '/verysilent'
    condition: selection
falsepositives:
    - Legitimate VPN software installation
level: high
---
title: macOS notnullOSX Execution From Mounted DMG Volume
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects an app bundle binary executed directly from a disk image mounted under /Volumes/, the mount-then-run pattern associated with the notnullOSX campaign targeting crypto wallets. A single Sigma rule cannot join the hdiutil mount to the later execution by time, so the mounted-volume path is used instead; where the EDR exposes a code-signing field, rank unsigned binaries first.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660f1a2b3c4d5e6f
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
    product: macos
detection:
    selection_mounted_app:
        # Covers the main bundle binary and AppleScript applets (.../Contents/MacOS/applet) alike
        Image|contains|all:
            - '/Volumes/'
            - '.app/Contents/MacOS/'
    condition: selection_mounted_app
falsepositives:
    - Legitimate unsigned developer tools launched straight from a DMG instead of being copied to /Applications
level: high
---
title: APT28 Roundcube Webshell Activity
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects suspicious process execution patterns often associated with APT28 Roundcube exploitation, specifically web server processes spawning shells or Python interpreters.
status: experimental
date: 2026/04/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660f1a2b3c4d5e6f
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            - '/apache2'
            - '/httpd'
            - '/nginx'
    selection_parent_php:
        # Roundcube is PHP; behind nginx the shell's direct parent is the php-fpm worker (often versioned, e.g. php-fpm8.2)
        ParentImage|contains: '/php-fpm'
    selection_child:
        Image|endswith:
            - '/bash'
            - '/sh'
            - '/python3'
            - '/python'
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'base64'
    condition: 1 of selection_parent* and selection_child
falsepositives:
    - Legitimate administrative web scripts
level: critical
```

```kql
// Hunt for network connections to known C2 infrastructure and fake VPN domains
// Covers IPs from NKAbuse, notnullOSX, and NWHStealer
let C2_IPs = dynamic(["111.90.145.139", "160.30.128.96", "185.225.17.176", "38.147.173.172", "83.217.209.88"]);
let C2_Domains = dynamic(["get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu", "coockie.pro", "sinixproduction.com", "zhblz.com"]);
DeviceNetworkEvents
| where Timestamp > ago(1d)
// has_any also catches subdomains and full URLs under the listed domains
| where RemoteIP in (C2_IPs) or RemoteUrl has_any (C2_Domains)
| extend IoC_Type = iff(RemoteIP in (C2_IPs), "IP", "Domain")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, IoC_Type
```

```powershell
# IOC Hunt Script - NWHStealer & CGrabber Components
# Checks for specific file hashes and suspicious process execution patterns

# Hashes from the pulse; MD5 (32 hex chars) and SHA256 (64 hex chars) are each checked with the matching algorithm
$TargetHashes = @(
    "5cb3b902ae5993ae4e502f1c29cfb4e0", # MD5 NWHStealer
    "50fcf93b14a6898347d1ca2c43e1b180", # MD5 Direct-Sys Loader
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3", # SHA256 NWHStealer
    "e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"  # SHA256 NWHStealer
) | ForEach-Object { $_.ToLower() }
$Md5Targets    = $TargetHashes | Where-Object { $_.Length -eq 32 }
$Sha256Targets = $TargetHashes | Where-Object { $_.Length -eq 64 }

$SuspiciousProcesses = @("vpn-proton-setup", "Launcher_x64")

Write-Host "[+] Starting IOC Hunt for NWHStealer / Direct-Sys Loader..." -ForegroundColor Cyan

# 1. Check for running suspicious processes (exact, case-insensitive name match)
Write-Host "[+] Checking for suspicious process names..." -ForegroundColor Yellow
Get-Process | Where-Object { $_.ProcessName -in $SuspiciousProcesses } | Select-Object ProcessName, Id, Path

# 2. Scan common drop locations for the target hashes (recursive scan, limited to common executable paths for performance)
Write-Host "[+] Scanning user directories and ProgramData for file hashes..." -ForegroundColor Yellow
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Program Files\", "C:\Temp\")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue -Include @("*.exe", "*.dll", "*.bin") | ForEach-Object {
            # MD5 first (cheaper); SHA256 only when MD5 did not match. 'return' moves on to the next file.
            $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($Md5 -and ($Md5.ToLower() -in $Md5Targets)) {
                Write-Host "[!] ALERT: Malicious file found (MD5 match): $($_.FullName)" -ForegroundColor Red
                return
            }
            $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Sha256 -and ($Sha256.ToLower() -in $Sha256Targets)) {
                Write-Host "[!] ALERT: Malicious file found (SHA256 match): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 3. Check DNS cache for malicious domains (exact name or any subdomain of a listed domain)
Write-Host "[+] Checking DNS Cache for fake VPN/C2 domains..." -ForegroundColor Yellow
$Domains = @("get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu", "coockie.pro")
Get-DnsClientCache | Where-Object {
    $Entry = $_.Entry
    $Domains | Where-Object { $Entry -eq $_ -or $Entry -like "*.$_" }
} | Select-Object Entry, Data, TimeToLive

Write-Host "[+] Hunt Complete." -ForegroundColor Green
```

Response Priorities

**Immediate**
*   **Block Indicators:** Immediately block all listed IPs and Domains at the firewall and proxy level.
*   **Hunt Artifacts:** Execute the provided PowerShell script across endpoints to identify active NWHStealer or Direct-Sys infections.
*   **Quarantine:** Isolate devices returning positive hits for the file hashes or C2 connections.

**24 Hours**
*   **Credential Audit:** Force password resets and invalidate session tokens for users who may have accessed the fake VPN sites or whose devices are flagged for infostealer activity.
*   **Identity Verification:** Review logs for `Roundcube` webmail access anomalies (specifically login times and locations) for government sector clients.
*   **macOS Check:** Deploy a script to macOS endpoints to scan for the `notnullOSX` DMG mount artifacts and the specific SHA256 hashes provided.

**1 Week**
*   **Architecture Hardening:** Patch CVE-2026-39987 (marimo platform) immediately. Restrict access to HuggingFace Spaces and GitHub raw user content to vetted developer accounts.
*   **Policy Review:** Update acceptable use policies to prohibit the installation of unauthorized VPN software and gaming mods on corporate endpoints.
*   **Webmail Security:** Implement Web Application Firewall (WAF) rules to block XSS and CSS injection attempts characteristic of the APT28 "SpyPress" toolkit.
