
NWHStealer, notnullOSX, & Chrome Extension Botnets: OTX Pulse Analysis — Credential Theft Campaign

Security Arsenal Team
April 16, 2026

Intelligence Report Date: 2026-04-16
Source: AlienVault OTX Live Pulses
TLP: White


Threat Summary

A coordinated wave of credential theft and infostealer campaigns has been identified across the threat landscape, targeting Windows, macOS, and browser platforms simultaneously. The intelligence highlights a diversification of delivery vectors, ranging from the exploitation of a critical RCE vulnerability (CVE-2026-39987) in the marimo notebook platform to distribute blockchain-based malware, to large-scale social engineering campaigns utilizing "ClickFix" tactics and fake VPN sites.

The primary objective across these otherwise unrelated campaigns is financial theft, specifically cryptocurrency wallets (on the machines of high-value macOS users and of Windows users alike) and banking credentials. A notable shift is the weaponization of legitimate developer platforms (HuggingFace) and browser extension ecosystems (Chrome Web Store) to establish persistent command-and-control (C2) channels and exfiltrate session tokens, bypassing traditional antivirus detection.

Threat Actor / Malware Profile

1. NWHStealer (Windows)

  • Distribution: Fake websites impersonating Proton VPN (get-proton-vpn.com), hardware utilities, and gaming mods hosted on GitHub/GitLab.
  • Payload Behavior: A modular infostealer written to harvest browser data, saved passwords, and cryptocurrency wallet keys.
  • C2 Communication: Standard HTTP/HTTPS C2; IOCs indicate specific infrastructure supporting the distribution sites.
  • Persistence: Unknown in this pulse, but typically via startup registry keys or scheduled tasks.

2. notnullOSX (macOS)

  • Threat Actor: alh1mik (formerly 0xFFF).
  • Distribution: "ClickFix" social engineering lures and malicious DMG files disguised as legitimate applications.
  • Payload Behavior: Go-written modular stealer specifically targeting macOS users with >$10k in crypto holdings. Modular design allows for flexible targeting.
  • C2 Communication: Encrypted HTTP/HTTPS to actor-controlled infrastructure (coockie.pro).
  • Anti-Analysis: Written in Go to complicate static analysis; targets high-value individuals to evade low-volume sandboxes.

3. Malicious Chrome Extension Campaign (Session Hijacking)

  • Actors: Unknown (Global), ANTONIO EDUARDO FREDERICO (Brazil).
  • Infrastructure: Shared C2 infrastructure at cloudapi.stream (Global) and xpie348.online (Brazil).
  • Distribution: "ClickFix" attacks force-installing extensions via Chrome Cloud Management enrollment tokens; Typosquatting.
  • Payload Behavior:
    • Global Campaign: 108 extensions stealing Google OAuth2 tokens and exfiltrating Telegram Web sessions.
    • Brazil Campaign: Impersonates "Banco Central do Brasil" tool for banking fraud.
  • Persistence: Browser extension persistence via enterprise policy enforcement (Cloud Management).
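The force-install mechanism described above leaves a footprint in Chrome's policy registry keys, which is also what the "isolate systems showing signs of Chrome Extension force-installation" step under Response Priorities needs to check. The following is an added example, not the report's or the pulse's own tooling: it parses a `reg export` of the Chrome policy hive and flags a cloud-management enrollment token the organisation did not deploy and any force-listed extension that is not on the corporate list. The value names (`CloudManagementEnrollmentToken`, `ExtensionInstallForcelist`) are Chrome's documented enterprise policies; the `.reg` text, the token, the extension IDs and the corporate allowlist are constructed for the example.

```python
"""Audit an exported Chrome policy registry hive for unexpected cloud-management
enrollment and force-installed extensions.

Added example. Real input is produced with
    reg export "HKLM\\SOFTWARE\\Policies\\Google\\Chrome" chrome-policy.reg
(repeat for HKCU, which Chrome also honours). Everything in SAMPLE_REG below,
the token and the extension IDs included, is constructed.
"""
import re

CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"

# Constructed: what the IT team actually deploys on this estate.
CORPORATE_FORCELIST = {"aaaabbbbccccddddeeeeffffgggghhhh"}
CORPORATE_TOKEN_EXPECTED = False  # this org does not use Chrome Browser Cloud Management

# Constructed .reg export resembling a host hit by the force-install technique.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"CloudManagementEnrollmentToken"="00000000-1111-2222-3333-444444444444"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
"1"="aaaabbbbccccddddeeeeffffgggghhhh;https://clients2.google.com/service/update2/crx"
"2"="ppppoooonnnnmmmmllllkkkkjjjjiiii;https://clients2.google.com/service/update2/crx"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    hive, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m["key"]
            hive.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            data = m["data"]
            if data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip quotes, undo the export's backslash/quote escaping
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            hive[current][m["name"]] = data
    return hive


def load_reg(path):
    """reg export writes UTF-16 with a BOM; the utf-16 codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def audit(hive, corporate_forcelist=CORPORATE_FORCELIST, expect_token=CORPORATE_TOKEN_EXPECTED):
    """Return findings as tuples; an empty list means the policy state is as deployed."""
    findings = []
    root = hive.get(CHROME_POLICY_KEY, {})
    token = root.get("CloudManagementEnrollmentToken")
    if token and not expect_token:
        findings.append(("unexpected_enrollment_token", token))
    forcelist = hive.get(CHROME_POLICY_KEY + r"\ExtensionInstallForcelist", {})
    # Forcelist entries are numbered values of the form "<extension id>;<update url>"
    for _, entry in sorted(forcelist.items(), key=lambda kv: int(kv[0]) if kv[0].isdigit() else 0):
        ext_id, _, update_url = entry.partition(";")
        if ext_id not in corporate_forcelist:
            findings.append(("unexpected_forced_extension", ext_id, update_url))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("[!]", *finding)
```

A host that reports an enrollment token the organisation never issued, or a forced extension outside the corporate list, matches the isolation criterion in the response priorities; the update URL is reported alongside the ID because a forcelist entry can point at any update server, not only the Chrome Web Store.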

4. NKAbuse (Blockchain Botnet)

  • Vector: Exploitation of CVE-2026-39987 in marimo Python notebooks.
  • Delivery: Typosquatted HuggingFace Spaces.
  • C2: Utilizes the NKN blockchain network for obfuscated command and control.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple infrastructure types, requiring a layered detection approach:

  • Domains: High-risk domains include typosquatted services (get-proton-vpn.com), C2 servers (cloudapi.stream, coockie.pro), and fake update servers (xpie348.online). SOC teams should immediately block these at the perimeter and DNS resolver level.
  • File Hashes: Numerous MD5, SHA1, and SHA256 hashes are provided for Windows payloads (NWHStealer), macOS binaries (notnullOSX), and Brazilian banking malware. EDR solutions should be configured to quarantine processes matching these hashes immediately.
  • IP Addresses: Several IPv4 addresses (e.g., 144.126.135.238, 83.217.209.88) are associated with C2 infrastructure and should be blocked.
  • CVEs: CVE-2026-39987 is critical for environments running marimo notebooks.

Operationalization: Use the Sigma rules, KQL hunt query, and PowerShell script below to hunt for the file hashes, domains, and process execution patterns. Query firewall and SIEM logs for the specific domains and IPs listed.
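The layered matching the IOC list calls for has two pitfalls worth handling explicitly: the hash list mixes MD5 and SHA256 values, so a scanner must compute whichever algorithms the list contains, and domain indicators should match on DNS labels rather than as raw substrings, or look-alike hostnames will produce false hits while sub-domains of a C2 still need to fire. The following is an added example, not the pulse's or the report's own tooling: the domains, IPs and hashes are those quoted in this report, while the log lines and the look-alike hostnames are constructed.

```python
"""IOC normalisation and matching over constructed log lines.

Added example for the IOC analysis above. Indicators are the ones quoted in
the report; SAMPLE_LOG and the look-alike hostnames in it are constructed.
"""
import hashlib
import ipaddress
import re

IOC_DOMAINS = {
    "get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu",
    "cloudapi.stream", "coockie.pro", "xpie348.online",
}
IOC_IPS = {"144.126.135.238", "83.217.209.88"}
IOC_HASHES = {
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959",
}

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return (algorithm, lowercase hex) for an MD5/SHA1/SHA256 string, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    algo = HASH_ALGOS.get(len(v))
    return (algo, v) if algo else None


def matching_hashes(data, ioc_hashes=IOC_HASHES):
    """Digest the bytes with every algorithm present in the IOC list and return
    the indicators that match, so a mixed MD5/SHA256 list is honoured in full."""
    needed = {classify_hash(h)[0] for h in ioc_hashes if classify_hash(h)}
    digests = {hashlib.new(algo, data).hexdigest() for algo in needed}
    return digests & {h.lower() for h in ioc_hashes}


def domain_matches(hostname, ioc_domains=IOC_DOMAINS):
    """Match on DNS labels: sub-domains of an indicator hit, while look-alikes
    such as 'notcloudapi.stream' or 'cloudapi.stream.example.org' do not.
    A plain substring test (Sigma |contains) would hit both; even KQL's
    term-based has_any hits the second."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


# Constructed DNS/proxy log: timestamp device user destination
SAMPLE_LOG = """\
2026-04-16T08:01:02Z WS-0142 alice multiaccount.cloudapi.stream
2026-04-16T08:01:05Z WS-0142 alice notcloudapi.stream
2026-04-16T08:02:10Z MAC-0031 bob coockie.pro
2026-04-16T08:03:00Z WS-0200 carol cloudapi.stream.example.org
2026-04-16T08:04:00Z WS-0200 carol 83.217.209.88
2026-04-16T08:05:00Z WS-0201 dave 144.126.135.2
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<user>\S+)\s+(?P<dst>\S+)$")


def scan_log(text):
    """Return (device, user, destination, matched indicator) for each IOC hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        dst = m["dst"]
        try:
            ip = ipaddress.ip_address(dst)
        except ValueError:
            ip = None
        if ip is not None:
            # IPs are compared exactly: 144.126.135.2 must not hit 144.126.135.238
            if str(ip) in IOC_IPS:
                hits.append((m["device"], m["user"], dst, str(ip)))
            continue
        matched = domain_matches(dst)
        if matched:
            hits.append((m["device"], m["user"], dst, matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IOC hit: device=%s user=%s dst=%s indicator=%s" % hit)
```

Run against the constructed log, only the C2 sub-domain, the exact `coockie.pro` lookup and the exact IP are reported; the two look-alike hostnames and the near-miss IP are not.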

Detection Engineering

yaml
---
title: Potential NWHStealer Activity via Fake VPN Sites
id: 5f8a9b2c-1d3e-4a5f-9b6c-7d8e9f0a1b2c
description: Detects process execution patterns associated with NWHStealer distribution via fake Proton VPN installers or similar utilities.
status: experimental
date: 2026/04/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6261f8a9b2c1d3e4
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Installer.exe'
            - '\setup.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'get-proton-vpn'
            - 'vpn-proton-setup'
            - 'newworld-helloworld'
    condition: selection
falsepositives:
    - Legitimate VPN software installation (unlikely to use these specific typosquatted domains in cmdline)
level: high
tags:
    - attack.execution
    - attack.credential_access
    - attack.t1204.002
---
title: Chrome Extension Shared C2 Communication
id: 6a7b8c9d-2e4f-5a6b-8c9d-0e1f2a3b4c5d
description: Detects outbound network connections to the shared C2 infrastructure associated with 108 malicious Chrome extensions.
status: experimental
date: 2026/04/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6261f8a9b2c1d3e5
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'cloudapi.stream'
            - 'multiaccount.cloudapi.stream'
            - 'crm.cloudapi.stream'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Unknown (Legitimate traffic to this domain is highly unlikely given the pulse context)
level: critical
tags:
    - attack.command_and_control
    - attack.exfiltration
    - attack.t1071.001
---
title: macOS notnullOSX Stealer Execution
id: 7b8c9d0e-3f5a-6b7c-9d0e-1f2a3b4c5d6e
description: Detects execution of suspicious DMG mounted applications or unsigned binaries associated with the notnullOSX stealer campaign.
status: experimental
date: 2026/04/16
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6261f8a9b2c1d3e6
logsource:
    category: process_creation
    product: macos
detection:
    # Image is the full binary path, so the bundle marker must be matched with
    # contains (an endswith on a trailing '/' can never match a file path);
    # the path and C2 selections are kept separate so either can fire alone.
    selection_path:
        Image|contains:
            - '/Volumes/*.app/Contents/MacOS/'
            - '/Downloads/*.app/Contents/MacOS/'
    selection_c2:
        CommandLine|contains:
            - 'coockie.pro'
    condition: selection_path or selection_c2
falsepositives:
    - Legitimate user execution of downloaded applications
level: medium
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1204
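The Sigma rules above depend on a few semantics that are easy to get wrong when reading or porting them: all fields inside one selection map are ANDed, a list of values under a field is ORed, string matching is case-insensitive, and `*` is a wildcard. The following is an added example, not the report's code and not the official sigma-cli/pySigma tooling: a minimal evaluator implementing just those pieces (plus `|all` and `a or b` / `a and b` conditions), run over constructed process-creation events for the fake-VPN and macOS rules. The macOS rule is encoded here as two selections joined with `or`, so that a mounted-volume bundle path and a `coockie.pro` command line each fire on their own.

```python
"""Minimal evaluator for the Sigma selection semantics used by the rules above.

Added example; not the report's code and not pySigma. Supports only what the
rules need: map = AND, value list = OR, |contains/|endswith/|startswith/|all,
'*' wildcards, and 'a', 'a or b', 'a and b' conditions. EVENTS are constructed.
"""
import re


def _pattern(value):
    """Turn a Sigma value with '*' wildcards into a regex fragment."""
    return ".*".join(re.escape(part) for part in str(value).split("*"))


def match_value(actual, modifiers, expected):
    """Apply one string modifier; Sigma string matching is case-insensitive."""
    text, pat = str(actual), _pattern(expected)
    if "contains" in modifiers:
        return re.search(pat, text, re.IGNORECASE) is not None
    if "endswith" in modifiers:
        return re.search(pat + r"\Z", text, re.IGNORECASE) is not None
    if "startswith" in modifiers:
        return re.match(pat, text, re.IGNORECASE) is not None
    return re.fullmatch(pat, text, re.IGNORECASE) is not None


def match_field(event, key, expected):
    """'Field|mod: [v1, v2]' fires if any value matches (every value with |all)."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    results = [match_value(event[field], modifiers, v) for v in values]
    return all(results) if "all" in modifiers else any(results)


def match_selection(event, selection):
    """Every field in a selection map must match (logical AND)."""
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    detection = rule["detection"]
    named = {n: match_selection(event, s) for n, s in detection.items() if n != "condition"}
    tokens = detection["condition"].split()
    if len(tokens) == 1:
        return named[tokens[0]]
    if len(tokens) == 3 and tokens[1] in ("and", "or"):
        left, right = named[tokens[0]], named[tokens[2]]
        return (left and right) if tokens[1] == "and" else (left or right)
    raise ValueError("condition form not supported here: " + detection["condition"])


def run_rules(rules, events):
    """Return (rule title, event index) for every rule/event pair that fires."""
    return [(r["title"], i) for r in rules for i, e in enumerate(events) if evaluate(r, e)]


NWH_RULE = {
    "title": "Potential NWHStealer Activity via Fake VPN Sites",
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\Installer.exe", "\\setup.exe"],
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
            "CommandLine|contains": ["get-proton-vpn", "vpn-proton-setup", "newworld-helloworld"],
        },
        "condition": "selection",
    },
}

MACOS_RULE = {
    "title": "macOS notnullOSX Stealer Execution",
    "detection": {
        "selection_path": {"Image|contains": ["/Volumes/*.app/Contents/MacOS/",
                                              "/Downloads/*.app/Contents/MacOS/"]},
        "selection_c2": {"CommandLine|contains": "coockie.pro"},
        "condition": "selection_path or selection_c2",
    },
}

RULES = [NWH_RULE, MACOS_RULE]

# Constructed process-creation events; paths and command lines are made up.
EVENTS = [
    {"ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c start https://get-proton-vpn.com/download"},
    {"ParentImage": "C:\\Users\\alice\\Downloads\\setup.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo installing"},
    {"ParentImage": "/sbin/launchd",
     "Image": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer",
     "CommandLine": "/Volumes/Installer/Installer.app/Contents/MacOS/Installer"},
    {"ParentImage": "/bin/zsh",
     "Image": "/usr/bin/curl",
     "CommandLine": "curl -s https://coockie.pro/check"},
    {"ParentImage": "/sbin/launchd",
     "Image": "/Applications/Safari.app/Contents/MacOS/Safari",
     "CommandLine": "/Applications/Safari.app/Contents/MacOS/Safari"},
]

if __name__ == "__main__":
    for title, idx in run_rules(RULES, EVENTS):
        print(f"{title!r} fired on event {idx}")
```

Event 1 shows the AND inside a selection map at work: the same `setup.exe` parent spawning `cmd.exe` does not fire without one of the typosquatted domains on the command line, which is what keeps the rule's false-positive rate at "legitimate installers".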


kql
// Hunt for network connections to known Stealer and Chrome Extension C2s
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "cloudapi.stream", 
    "coockie.pro", 
    "get-proton-vpn.com", 
    "vpn-proton-setup.com",
    "newworld-helloworld.icu",
    "xpie348.online"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| summarize Count=count() by DeviceName, RemoteUrl
| order by Count desc


powershell
# IOC Hunt Script for Windows Infostealers (NWHStealer) & Fake VPN Installers
# Run from an elevated prompt so that every profile under C:\Users is readable.

# Hashes quoted in the pulse: the first is MD5, the other two are SHA256, so
# both algorithms must be computed or the SHA256 indicators can never match.
$TargetHashes = @(
    "5cb3b902ae5993ae4e502f1c29cfb4e0",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "401c125517b1f845289bf0a7a33e5db0391034f631eab85dd65b76b7fec9a959"
)

$SuspiciousDomains = @(
    "get-proton-vpn.com",
    "vpn-proton-setup.com"
)

Write-Host "[+] Checking for file artifacts associated with NWHStealer..." -ForegroundColor Cyan

# Download and staging directories for every user profile, not just the current one
$Paths = @("C:\Users\*\Downloads", "$env:PUBLIC\Downloads", "C:\Temp")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        # -File keeps directories out of Get-FileHash, which cannot hash them
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            foreach ($Algorithm in @("MD5", "SHA256")) {
                $FileHash = (Get-FileHash -Path $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
                # -contains is case-insensitive, so the upper-case output of Get-FileHash
                # matches the lower-case indicators
                if ($FileHash -and ($TargetHashes -contains $FileHash)) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($($Algorithm): $FileHash)" -ForegroundColor Red
                }
            }
        }
    }
}

Write-Host "[+] Checking hosts file for suspicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    foreach ($Domain in $SuspiciousDomains) {
        # -SimpleMatch treats the dots in the domain literally rather than as regex wildcards
        if (Select-String -Path $HostsPath -Pattern $Domain -SimpleMatch -Quiet) {
            Write-Host "[!] Suspicious entry found in hosts file for: $Domain" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate:

    • Block all listed domains (cloudapi.stream, get-proton-vpn.com, coockie.pro, xpie348.online) and IPs at the firewall and proxy level.
    • Quarantine any endpoints matching the provided file hashes (MD5/SHA256) for NWHStealer, notnullOSX, and the Brazilian banking malware.
    • Isolate systems showing signs of Chrome Extension force-installation via enterprise policy tokens unrelated to corporate management.
  • 24 Hours:

    • Initiate credential resets for users who may have interacted with fake VPN sites or downloaded gaming mods.
    • Revoke OAuth2 tokens and Google sessions for accounts identified in the Chrome extension logs.
    • Patch marimo platforms immediately to mitigate CVE-2026-39987 exploitation.
  • 1 Week:

    • Review and restrict Chrome Web Store installation policies; transition to allowlist mode for browser extensions.
    • Implement DNS filtering to prevent access to typosquatted domains targeting VPN providers.
    • Conduct a hunt for macOS devices communicating with coockie.pro or 83.217.209.88.
