
NWHStealer, notnullOSX & ClickFix: OTX Analysis of Multi-Platform Infostealer Surge

Security Arsenal Team
April 16, 2026
7 min read

Date: 2026-04-16
Source: AlienVault OTX (Open Threat Exchange)
TLP: White
Category: Infostealer & Credential Theft


Threat Summary

Recent OTX pulse data indicates a coordinated surge in credential theft activity across Windows, macOS, and browser-based platforms. The threat landscape is dominated by the following distinct yet operationally overlapping campaigns:

  1. Supply Chain & Blockchain Abuse: The weaponization of CVE-2026-39987 in the marimo Python notebook platform to deliver the NKAbuse blockchain botnet via HuggingFace, leveraging NKN blockchain infrastructure for C2.
  2. Broad-Spectrum Windows Infostealing: The NWHStealer campaign is aggressively targeting users via SEO poisoning (fake Proton VPN sites), gaming mods, and code repositories to harvest browser data and crypto wallets.
  3. High-Value macOS Targeting: The alh1mik threat actor has re-emerged with notnullOSX, a Go-based stealer explicitly targeting macOS holders of $10k+ in crypto, distributed via ClickFix social engineering.
  4. Browser Extension Takeover: A massive campaign involving 108 malicious Chrome extensions is utilizing a shared C2 (cloudapi[.]stream) to hijack Google OAuth2 sessions and Telegram Web data, alongside a specific Brazilian ClickFix operation force-installing banking stealers via unauthenticated C2 infrastructure.

Objective: Financial theft, cryptocurrency siphoning, and long-term session hijacking for banking fraud.


Threat Actor / Malware Profile

NWHStealer (Windows)

  • Distribution: Fake VPN download sites (e.g., get-proton-vpn.com), fake hardware utilities, gaming modifications, GitHub/GitLab repositories.
  • Payload Behavior: Steals saved passwords, browser cookies/history, and cryptocurrency wallet keys.
  • C2 Communication: Standard HTTP/HTTPS to dedicated command servers; IOCs indicate ties to file hosting infrastructure.

notnullOSX (macOS)

  • Threat Actor: alh1mik (formerly 0xFFF).
  • Distribution: ClickFix social engineering (fake browser updates) and malicious DMG files.
  • Payload Behavior: Modular stealer written in Go. Exclusively targets high-net-worth crypto users (> $10k holdings).
  • Persistence: Likely LaunchAgents/LaunchDaemons (typical for macOS stealers like Atomic/Poseidon families mentioned in context).

NKAbuse / kagent (Cross-Platform)

  • Distribution: Exploitation of CVE-2026-39987 in marimo notebooks; typosquatted HuggingFace Spaces.
  • Payload Behavior: Deploys a blockchain botnet variant.
  • C2 Communication: Utilizes the NKN blockchain network for command and control, making traffic analysis significantly harder.

Malicious Chrome Extension Campaign

  • Distribution: Web Store submissions (initially) followed by force-installation via Chrome Cloud Management policies (ClickFix).
  • Payload Behavior: Steals Google Identity (OAuth2) tokens, exfiltrates Telegram Web sessions.
  • C2 Communication: Shared infrastructure at cloudapi[.]stream and specific unauthenticated endpoints (e.g., xpie348.online).

IOC Analysis

The provided pulses offer a rich set of indicators that SOC teams should operationalize immediately:

  • Domains & URLs: High-risk domains include get-proton-vpn.com, cloudapi[.]stream, and xpie348.online. These should be blocked at the perimeter and DNS layer.
  • IP Addresses: Several malicious IPs were identified, including 144.126.135.238, 144.126.140.33 (associated with the unauthenticated C2), and 111.90.145.139.
  • File Hashes: A variety of MD5, SHA1, and SHA256 hashes are provided for the NWHStealer payloads and macOS DMGs. These should be added to the blocklists in EDR solutions.
  • CVEs: CVE-2026-39987 (Critical) is the entry point for the NKAbuse campaign.

Operationalization:

  • SIEM: Ingest IOCs into threat intel platforms (e.g., Splunk, Sentinel) to alert on matches in NetworkEvents or FileCreation events.
  • EDR: Hunt for file hashes and process execution from suspicious parent processes (e.g., browsers spawning installers).
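To turn pulse indicators like the ones above into SIEM-ready lists, here is an added Python example (not from the OTX pulses or the Security Arsenal tooling) that refangs values such as cloudapi[.]stream, classifies each indicator by its shape rather than its declared type, and renders a KQL `in (...)` clause; the sample records are constructed in the pulse's field shape.

```python
import re
from collections import defaultdict

# Constructed records in the shape of OTX pulse indicators (not a real pulse export);
# values are the ones quoted in this write-up plus one deliberately malformed entry.
SAMPLE_INDICATORS = [
    {"type": "domain", "indicator": "cloudapi[.]stream"},
    {"type": "domain", "indicator": "get-proton-vpn.com"},
    {"type": "hostname", "indicator": "xpie348[.]online"},
    {"type": "IPv4", "indicator": "144.126.135.238"},
    {"type": "IPv4", "indicator": "144.126.140[.]33"},
    {"type": "FileHash-MD5", "indicator": "5CB3B902AE5993AE4E502F1C29CFB4E0"},
    {"type": "FileHash-SHA256", "indicator": "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3"},
    {"type": "CVE", "indicator": "CVE-2026-39987"},
    {"type": "FileHash-SHA256", "indicator": "not-a-hash"},
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$")
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(value):
    """Undo the defanging conventions used in intel write-ups ([.], (.) and hxxp)."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def classify(value):
    """Bucket an indicator by its shape rather than trusting the declared type."""
    v = refang(value.strip())
    if IPV4.match(v):
        return "ip", v
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_BY_LEN:
        return HASH_BY_LEN[len(v)], v.lower()
    if re.fullmatch(r"CVE-\d{4}-\d{4,}", v, re.IGNORECASE):
        return "cve", v.upper()
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v, re.IGNORECASE):
        return "domain", v.lower()
    return "unknown", v  # surface typos and bad entries instead of silently dropping them

def bucket(indicators):
    """Group indicators by kind, de-duplicated and in first-seen order."""
    out = defaultdict(list)
    for ind in indicators:
        kind, v = classify(ind["indicator"])
        if v not in out[kind]:
            out[kind].append(v)
    return dict(out)

def kql_in_clause(column, values):
    """Render a value list as a KQL `in (...)` filter for a Sentinel/Defender hunt."""
    return "%s in (%s)" % (column, ", ".join('"%s"' % v for v in values))
```

The "unknown" bucket is the review queue: anything landing there was mis-typed in the pulse or mangled in transit and should not be pushed to a blocklist unseen.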

Detection Engineering

Sigma Rules

title: Potential Malicious Chrome Extension Force Install via ClickFix
id: 8c4f9c21-1a2b-4c3d-8e5f-6a7b8c9d0e1f
description: Detects the modification of Chrome ExtensionInstallForcelist policies, a common technique in ClickFix campaigns to force-install malicious extensions like the Brazilian Banking Stealer.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
references:
    - https://intel.breakglass.tech/post/clickfix-chrome-extension-banking-stealer-59-victims-unauthenticated-c2
tags:
    - attack.persistence
    - attack.t1176
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
    filter_known_good:
        Details|contains: 'ghbmnnjooekpmoecnnnilnnbdlolhkhi' # Example of a known-good extension id; replace with the ids your own management tooling pushes
    condition: selection and not filter_known_good
falsepositives:
    - Legitimate administrative software deployment
level: high
---
title: Suspicious NWHStealer Fake VPN Installer Execution
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects execution of installers from suspicious paths or with names mimicking Proton VPN, a known vector for NWHStealer distribution.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
references:
    - https://securityboulevard.com/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere/
tags:
    - attack.execution
    - attack.t1204
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\setup.exe'
            - '\installer.exe'
            - '\updater.exe'
    selection_cli:
        CommandLine|contains:
            - 'proton'
            - 'vpn'
            - 'setup'
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate VPN software updates
level: medium
---
title: NKAbuse C2 Network Connection via NKN Blockchain
id: f0e1d2c3-b4a5-467b-8c9d-0e1f2a3b4c5d
description: Detects network connections to known NKAbuse infrastructure IPs or non-standard ports associated with NKN blockchain C2 activity observed in the CVE-2026-39987 exploit.
status: experimental
date: 2026/04/16
author: Security Arsenal Research
references:
    - https://www.sysdig.com/blog/cve-2026-39987-update-how-attackers-weaponized-marimo-to-deploy-a-blockchain-botnet-via-huggingface
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection_ip:
        DestinationIp:
            - '111.90.145.139'
            - '185.225.17.176'
            - '38.147.173.172'
    selection_port:
        Initiated: 'true' # outbound only; inbound hits on this range are a different signal
        DestinationPort|gte: 9000
        DestinationPort|lte: 10000 # Typical NKN node port ranges vary; tune to the environment and watch for non-HTTP traffic
    condition: 1 of selection_*
falsepositives:
    - Legitimate blockchain node traffic (rare in typical corp env)
level: high
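As an added example (not code from the original write-up or the Security Arsenal ruleset), the following Python applies the logic of the first Sigma rule to constructed Sysmon registry-set records, parsing the "extension_id;update_url" value format the ExtensionInstallForcelist policy stores, and extends it with two assumed triage heuristics: an allowlist of extension ids and a check that the update URL is the Chrome Web Store's.

```python
import re

# Constructed Sysmon Event ID 13 (registry SetValue) records, reduced to the fields
# the Sigma rule above uses. Not captured from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "Details": "ghbmnnjooekpmoecnnnilnnbdlolhkhi;https://clients2.google.com/service/update2/crx"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\2",
     "Details": "abcdefghijklmnopabcdefghijklmnop;https://example.invalid/update.xml"},
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\u\update.exe"},
]

FORCELIST_KEY = r"\software\policies\google\chrome\extensioninstallforcelist"
# Assumed allowlist: the ids your own fleet tooling legitimately pushes (same id the Sigma filter uses).
KNOWN_GOOD_IDS = {"ghbmnnjooekpmoecnnnilnnbdlolhkhi"}
# Assumption: Web Store deployments update from this URL; anything else is hosted by whoever set the policy.
WEBSTORE_UPDATE = re.compile(r"^https://clients2\.google\.com/service/update2/crx$", re.I)
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension ids are 32 characters drawn from a-p
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")

def parse_forcelist_value(details):
    """Split the 'extension_id;update_url' string stored under ExtensionInstallForcelist."""
    ext_id, sep, url = details.partition(";")
    return ext_id.strip().lower(), (url.strip() if sep else None)

def evaluate(event):
    """Return the reasons a registry write looks like a malicious force-install; empty if benign."""
    if FORCELIST_KEY not in event["TargetObject"].lower():
        return []
    ext_id, url = parse_forcelist_value(event["Details"])
    reasons = []
    if not EXT_ID.match(ext_id):
        reasons.append("malformed extension id")
    if ext_id not in KNOWN_GOOD_IDS:
        reasons.append("extension id not in allowlist")
    if url is None or not WEBSTORE_UPDATE.match(url):
        reasons.append("non-Web-Store update url")
    if event["Image"].lower().endswith(SCRIPT_HOSTS):
        reasons.append("written by a script host rather than management tooling")
    return reasons

def triage(events):
    """Keep only the events that raised at least one reason, paired with the key they touched."""
    hits = []
    for e in events:
        reasons = evaluate(e)
        if reasons:
            hits.append((e["TargetObject"], reasons))
    return hits
```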

KQL (Microsoft Sentinel)

// Hunt for connections to malicious C2 infrastructure (ClickFix & Chrome Extension campaign)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("cloudapi.stream", "xpie348.online", "get-proton-vpn.com", "vpn-proton-setup.com")
    or RemoteIP in ("144.126.135.238", "144.126.140.33", "83.217.209.88")
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by RemoteUrl, RemoteIP, DeviceName
| order by Count desc


// Hunt for ClickFix execution pattern: PowerShell/Certutil downloading update.xml from non-Microsoft domains
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
    or InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| where ProcessCommandLine contains "update.xml"
| where ProcessCommandLine !contains "microsoft.com" and ProcessCommandLine !contains "windowsupdate.com"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath

PowerShell Hunt Script

<#
.SYNOPSIS
    Hunt script for NWHStealer indicators and Chrome Extension persistence.
.DESCRIPTION
    Checks for specific file hashes mentioned in OTX pulses and suspicious Chrome registry policies.
    Run elevated so that HKLM policy keys and the scanned directories are fully readable.
#>

# NWHStealer hashes from the OTX pulse, keyed by algorithm so each file is hashed with the matching one
$MaliciousHashes = @{
    MD5    = @("5cb3b902ae5993ae4e502f1c29cfb4e0")
    SHA256 = @(
        "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
        "e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"
    )
}

Write-Host "[+] Scanning for NWHStealer File Hashes..."
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "C:\ProgramData", "$env:PUBLIC")

foreach ($Path in $PathsToScan) {
    if (-not (Test-Path $Path)) { continue }
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0kb -and $_.Length -lt 50mb } |
        ForEach-Object {
            foreach ($Algo in $MaliciousHashes.Keys) {
                $Hash = Get-FileHash -Path $_.FullName -Algorithm $Algo -ErrorAction SilentlyContinue
                # Get-FileHash returns nothing for locked files; skip those instead of dereferencing $null
                if ($Hash -and $MaliciousHashes[$Algo] -contains $Hash.Hash.ToLower()) {
                    Write-Host "[!] MALICIOUS FILE FOUND ($Algo): $($_.FullName)" -ForegroundColor Red
                }
            }
        }
}

Write-Host "[+] Checking for Malicious Chrome Extension Policies (ClickFix)..."
# The policy can be set per-machine (HKLM) or per-user (HKCU), so check both hives
$RegPaths = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    "HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
)
$PolicyFound = $false
foreach ($RegPath in $RegPaths) {
    if (-not (Test-Path $RegPath)) { continue }
    $PolicyFound = $true
    $Policies = Get-Item $RegPath
    foreach ($Name in $Policies.Property) {
        $Val = (Get-ItemProperty -Path $RegPath -Name $Name).$Name
        # Alert on every forced extension; triage against the ids your own management tooling pushes
        Write-Host "[!] Chrome force-install policy found: $RegPath\$Name = $Val" -ForegroundColor Yellow
    }
}
if (-not $PolicyFound) {
    Write-Host "[-] No Chrome force-install policies detected in HKLM or HKCU."
}

Write-Host "[+] Checking for NWHStealer Domains in DNS Cache..."
$Domains = @("get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu")
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $Domains) {
    $Hits = @($DnsCache | Where-Object { $_.Entry -like "*$Domain*" })
    if ($Hits.Count -gt 0) {
        Write-Host "[!] Hit found in DNS Cache for: $Domain ($($Hits.Count) entries)" -ForegroundColor Red
    }
}


---

Response Priorities

Immediate (0-24 hours)

  1. Block IOCs: Immediately block all listed domains (cloudapi.stream, get-proton-vpn.com, etc.) and IP addresses at the firewall and proxy level.
  2. Policy Audit: Scan registry keys on endpoints for HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist to identify force-installed malicious extensions.
  3. Hunt for Malware: Execute the PowerShell script across the fleet to locate NWHStealer binaries.

Within 24 Hours

  1. Identity Verification: If credential theft is suspected (NWHStealer, notnullOSX), force password resets and enforce MFA for affected accounts, specifically targeting crypto wallets and banking portals.
  2. Session Revocation: Revoke all Google OAuth tokens and Telegram Web sessions for users identified in the malicious extension campaign.

1 Week

  1. Patch Management: Ensure CVE-2026-39987 patches are applied to all marimo notebook instances; these are often developer tools outside central inventory, so also review where and how they are deployed.
  2. Architecture Hardening: Implement strict allowlisting for browser extensions. Disable Chrome Cloud Management enrollment for unmanaged devices or require strict certificate validation for policy payloads.
  3. User Awareness: Update security training to include "ClickFix" fake browser update tactics and the risks of downloading software from non-vendor sources (fake VPNs).
