NWHStealer, Speagle & The Gentlemen: OTX Pulse Analysis on Multi-Vector Infostealer Campaigns

Security Arsenal Team
April 19, 2026
6 min read

Threat Summary

Recent OTX Pulse data reveals a surge in sophisticated credential theft campaigns employing diverse initial access vectors, ranging from supply chain compromises to SEO poisoning. The primary objective across these pulses is the harvesting of sensitive data (browser credentials, cryptocurrency wallets, and authentication tokens) to facilitate secondary operations such as ransomware deployment (The Gentlemen) or direct financial theft (NWHStealer, notnullOSX). A notable trend is the exploitation of trusted infrastructure, such as hijacking legitimate software updates (Cobra DocGuard) and abusing cloud repositories (HuggingFace), to bypass traditional network defenses.

Threat Actor / Malware Profile

1. NWHStealer (Windows)

  • Distribution: SEO poisoning via fake Proton VPN download sites, malicious gaming mods, and compromised file hosting services.
  • Payload Behavior: Modular infostealer targeting browser data (cookies, history), saved passwords, and cryptocurrency wallets.
  • C2 Communication: Establishes connections to domains mimicking legitimate services (e.g., get-proton-vpn.com) to exfiltrate data.
  • Persistence: Often executed via PowerShell scripts or droppers masquerading as hardware utilities.

2. Infostealer.Speagle (Windows)

  • Threat Actor: Runningcrab (associated with PlugX/Korplug campaigns).
  • Distribution: Supply chain attack targeting Cobra DocGuard software.
  • Payload Behavior: Hijacks the functionality of DocGuard to collect system information and sensitive data.
  • C2 Communication: Exfiltrates data to compromised legitimate servers, specifically via the path /CDGServer3/CDGClientDiagnostics on ports 8090 and 8091, so that the traffic blends in with normal DocGuard client activity.

3. The Gentlemen (RaaS)

  • Malware Families: LockBit 5.0, Medusa, Qilin.
  • TTPs: Exploitation of FortiOS/FortiProxy vulnerabilities (CVE-2024-37085, CVE-2025-32463). Maintains a database of compromised devices for rapid re-entry.
  • Objective: Data exfiltration followed by double-extortion ransomware deployment.

4. notnullOSX (macOS)

  • Threat Actor: alh1mik.
  • Distribution: "ClickFix" social engineering (fake browser updates) and malicious DMG files.
  • Payload Behavior: Modular stealer written in Go, specifically targeting macOS users with more than $10k in cryptocurrency holdings.

5. NKAbuse (Blockchain Botnet)

  • Vector: Exploitation of CVE-2026-39987 in the marimo Python notebook platform via typosquatted HuggingFace Spaces.
  • C2: Utilizes the NKN blockchain for command and control, making detection difficult via traditional IP blocking.

IOC Analysis

The provided IOCs include high-fidelity indicators crucial for immediate network defense:

  • Domains: Typosquatted domains (e.g., get-proton-vpn.com, vpn-proton-setup.com) indicate credential harvesting landing pages. The domain coockie.pro is associated with the macOS notnullOSX C2.
  • URLs: Specific paths in the Speagle campaign (/CDGServer3/CDGClientDiagnostics) are unique identifiers of the supply chain attack.
  • IPs: Several hard-coded IPs (e.g., 83.217.209.88, 222.222.254.165) serve as C2 infrastructure for the stealers and botnets.
  • File Hashes: A comprehensive list of MD5, SHA1, and SHA256 hashes for the malware droppers and payloads across all campaigns.

Operational Guidance: SOC teams should immediately block listed domains and IPs at the perimeter. File hashes should be uploaded to EDR solutions for live hunting. The Speagle URL path is a critical signature for deep packet inspection (DPI) to prevent data exfiltration via the compromised DocGuard infrastructure.
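The perimeter and DPI checks described above can be prototyped against proxy logs before they are turned into firewall or IDS rules. The following is an added example written for this post, not code from the post or from any vendor: it matches the listed domains, IPs and the Speagle URL path against constructed proxy log lines. The log format (one line of `client_ip method url`) and the sample lines are assumptions; the indicators are the ones quoted in the IOC section. It also shows why hostnames should be matched as the domain or one of its subdomains rather than as a bare substring, and why a trailing dot and mixed case must be normalised first.

```python
"""Match the pulse IOCs against proxy log lines (added example, not from the post)."""
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted from the IOC section of the post
C2_DOMAINS = {"get-proton-vpn.com", "vpn-proton-setup.com", "coockie.pro"}
C2_IPS = {ipaddress.ip_address(a) for a in ("83.217.209.88", "222.222.254.165")}
SPEAGLE_PATH = "/CDGServer3/CDGClientDiagnostics"
SPEAGLE_PORTS = {8090, 8091}

# Constructed sample log: "<client_ip> <method> <url>" (assumed format, not real traffic)
SAMPLE_LOG = """\
10.0.0.5 GET http://get-proton-vpn.com/download/ProtonVPN_Setup.exe
10.0.0.7 POST http://update.example-corp.internal:8090/CDGServer3/CDGClientDiagnostics
10.0.0.7 GET http://update.example-corp.internal:8090/CDGServer3/index.html
10.0.0.9 GET https://cdn.coockie.pro./api/v1/ping
10.0.0.9 GET http://83.217.209.88/gate.php
10.0.0.11 GET https://account.proton.me/login
"""


def normalize_host(host):
    """Lower-case and strip the trailing dot so 'Evil.Com.' compares equal to 'evil.com'."""
    return host.lower().rstrip(".")


def host_matches(host, bad_domains):
    """True for the listed domain itself or any subdomain of it, never a bare substring."""
    host = normalize_host(host)
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def check_line(line):
    """Return a list of (indicator_type, value) hits for one log line."""
    client_ip, method, url = line.split(maxsplit=2)
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    hits = []
    if host_matches(host, C2_DOMAINS):
        hits.append(("domain", normalize_host(host)))
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            hits.append(("ip", host))
    except ValueError:
        pass  # a hostname, not an IP literal
    # The Speagle signature is the path AND one of the two ports, not either alone
    if port in SPEAGLE_PORTS and parts.path.startswith(SPEAGLE_PATH):
        hits.append(("speagle_path", f"{host}:{port}{parts.path}"))
    return hits


def scan(log_text):
    """Map each offending client IP to its hits; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = check_line(line)
        if hits:
            findings.setdefault(line.split()[0], []).extend(hits)
    return findings


if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        for kind, value in hits:
            print(f"[!] {client}: {kind} -> {value}")
```

Lines 2 and 3 of the sample log illustrate the point the Sigma rule below relies on: the DocGuard host and port are the same for both requests, and only the path separates the exfiltration request from ordinary client traffic, so a port-only block would also break legitimate DocGuard use.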

Detection Engineering

Sigma Rules

title: Potential Infostealer Speagle C2 Communication
id: 4a8b12c3-8d4e-4f5g-6h7i-8j9k0l1m2n3o  # placeholder, not a valid UUIDv4; generate a fresh one before deployment
description: Detects HTTP requests to the compromised Cobra DocGuard server path associated with Infostealer.Speagle activity. The URL path is only visible in proxy/HTTP logs, not in Sysmon network-connection events, so the rule targets the proxy log source.
status: experimental
date: 2026-04-20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c8f9a1c2d3e4f5
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: '/CDGServer3/CDGClientDiagnostics'
        dst_port:
            - 8090
            - 8091
    condition: selection
falsepositives:
    - Legitimate use of Cobra DocGuard software (verify admin usage)
level: high
tags:
    - attack.exfiltration
    - attack.credential_access
---
title: Suspicious DNS Query for Fake VPN Services
id: b9c0d1e2-f3a4-5b6c-7d8e-9f0a1b2c3d4e
description: Detects DNS queries for domains used by NWHStealer distribution campaigns (SEO-poisoned fake Proton VPN download sites).
status: experimental
date: 2026-04-20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c8f9a1c2d3e4f6
logsource:
    category: dns_query  # Sysmon Event ID 22; QueryName is its field name
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'get-proton-vpn.com'
            - 'vpn-proton-setup.com'
            - 'newworld-helloworld.icu'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - attack.initial_access
    - attack.t1189  # Drive-by Compromise (SEO poisoning); 'social_engineering' is not an ATT&CK tag
---
title: Potential Marimo Exploit via Python Process
id: c1d2e3f4-a5b6-c7d8-e9f0-a1b2c3d4e5f6
description: Detects python.exe launched with package-fetching command lines (pip install, git clone) outside of known IDEs, which may indicate post-exploitation activity following CVE-2026-39987 or a similar RCE in the marimo notebook platform.
status: experimental
date: 2026-04-20
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/62c8f9a1c2d3e4f7
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains:
            - 'pip install'
            - 'git clone'
    filter_legit:
        ParentImage|contains:
            - '\PyCharm\'
            - '\Visual Studio\'
    condition: selection and not filter_legit
falsepositives:
    - Developer activity
level: medium
tags:
    - attack.execution
    - attack.t1059.006  # Python; t1059.004 is Unix Shell
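Before shipping the three rules above it is worth confirming that the selection and filter logic behaves as intended on concrete events. The following is an added example written for this post, not code from the post or from the Sigma project: a minimal evaluator covering only the subset of Sigma the rules use (the `endswith` and `contains` modifiers, a list of values as OR, a selection map as AND, case-insensitive matching, and the conditions `selection` and `selection and not filter_legit`), applied to constructed events. The Speagle rule is expressed against proxy-log fields (`c-uri`, `dst_port`) because the URL path is only visible there; the event samples are assumptions, not data from the pulses.

```python
"""Minimal Sigma-style evaluator for the three rules in this post (added example)."""


def _match_value(actual, modifier, expected):
    """Compare one event field with one rule value, case-insensitively as Sigma does."""
    actual = str(actual).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier is None:
        return actual == expected
    raise ValueError(f"unsupported modifier {modifier!r}")


def selection_matches(event, selection):
    """A selection map is an AND of its fields; a list of values for a field is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False  # a missing field can never satisfy a selection
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier or None, v) for v in values):
            return False
    return True


def rule_matches(event, rule):
    """Evaluate the two condition shapes used by the rules above."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return selection_matches(event, det["selection"])
    if cond == "selection and not filter_legit":
        return selection_matches(event, det["selection"]) and not selection_matches(
            event, det["filter_legit"]
        )
    raise ValueError(f"unsupported condition {cond!r}")


# Detection blocks of the three rules, keyed by a short name
RULES = {
    "speagle_c2": {
        "logsource": "proxy",
        "detection": {
            "selection": {"c-uri|contains": "/CDGServer3/CDGClientDiagnostics", "dst_port": [8090, 8091]},
            "condition": "selection",
        },
    },
    "nwh_dns": {
        "logsource": "dns_query",
        "detection": {
            "selection": {"QueryName|contains": ["get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu"]},
            "condition": "selection",
        },
    },
    "marimo_python": {
        "logsource": "process_creation",
        "detection": {
            "selection": {"Image|endswith": "\\python.exe", "CommandLine|contains": ["pip install", "git clone"]},
            "filter_legit": {"ParentImage|contains": ["\\PyCharm\\", "\\Visual Studio\\"]},
            "condition": "selection and not filter_legit",
        },
    },
}

# Constructed sample events (assumed shapes, not telemetry from the pulses)
EVENTS = [
    {"category": "proxy", "cs-host": "update.corp.internal", "c-uri": "/CDGServer3/CDGClientDiagnostics", "dst_port": 8090},
    {"category": "proxy", "cs-host": "update.corp.internal", "c-uri": "/CDGServer3/CDGClientDiagnostics", "dst_port": 443},
    {"category": "dns_query", "QueryName": "www.get-proton-vpn.com"},
    {"category": "dns_query", "QueryName": "account.proton.me"},
    {"category": "process_creation", "Image": "C:\\Python312\\python.exe",
     "CommandLine": "python.exe -m pip install requests", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"category": "process_creation", "Image": "C:\\Python312\\python.exe",
     "CommandLine": "python.exe -m pip install requests",
     "ParentImage": "C:\\Program Files\\JetBrains\\PyCharm\\bin\\pycharm64.exe"},
]


def run_rules(events, rules=RULES):
    """Return (event_index, rule_name) for each rule whose logsource and detection match an event."""
    alerts = []
    for i, event in enumerate(events):
        for name, rule in rules.items():
            if rule["logsource"] == event.get("category") and rule_matches(event, rule):
                alerts.append((i, name))
    return alerts


if __name__ == "__main__":
    for index, name in run_rules(EVENTS):
        print(f"event {index} matched {name}")
```

Events 1, 3 and 5 are the negative cases a rule author should always keep beside the positives: the right path on the wrong port, a legitimate Proton domain, and the same pip invocation launched from PyCharm, which the `filter_legit` clause is there to suppress.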

KQL (Microsoft Sentinel)

// Hunt for Speagle infostealer network traffic: the exfiltration path on ports 8090/8091,
// or any DocGuard process talking on those ports (the path is not always populated in RemoteUrl)
DeviceNetworkEvents
| where RemoteUrl contains "CDGServer3/CDGClientDiagnostics"
    or (RemotePort in (8090, 8091) and InitiatingProcessFileName contains "DocGuard")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for connections to the NWHStealer (fake Proton VPN) and notnullOSX (coockie.pro) domains.
// has_any matches the host inside a full URL, which an exact in~ comparison would miss
DeviceNetworkEvents
| where RemoteUrl has_any ("get-proton-vpn.com", "vpn-proton-setup.com", "newworld-helloworld.icu", "coockie.pro")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for file hash artifacts from the pulses
DeviceFileEvents
| where SHA256 in~ (
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256

PowerShell IOC Hunt Script

# NWHStealer and Speagle IOC Hunter
# Checks for the pulse file hashes on disk and for the C2 domains in the local DNS cache

$TargetHashes = @(
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "d7f167cbf1676c14fd487219447e30fadf26885eb25ec4cafdeabe333bddf877",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913"
)

$SuspiciousDomains = @(
    "get-proton-vpn.com",
    "vpn-proton-setup.com",
    "newworld-helloworld.icu",
    "coockie.pro"
)

Write-Host "Scanning for Malicious Files..." -ForegroundColor Yellow

# Scan common download/user directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\AppData\Local\Temp", "C:\ProgramData")

foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -in is case-insensitive, so the upper-case Get-FileHash output matches the lower-case IOCs
            if ($hash -and ($hash -in $TargetHashes)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) ($hash)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Checking DNS Cache for Suspicious Domains..." -ForegroundColor Yellow
# Get-DnsClientCache needs the DnsClient module (Windows 8 / Server 2012 and later)
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $SuspiciousDomains) {
    # Match the domain and any of its subdomains, on the queried name (Entry) and the record name
    $hits = $DnsCache | Where-Object { $_.Entry -like "*$domain" -or $_.Name -like "*$domain" }
    foreach ($hit in $hits) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $($hit.Entry) -> $($hit.Data)" -ForegroundColor Red
    }
}

Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed domains (get-proton-vpn.com, coockie.pro) and IPs (222.222.254.165, 83.217.209.88) on firewalls and proxies. Invalidate any credentials used on systems where Cobra DocGuard is installed.
  • 24 Hours: Conduct a credential audit for users who may have accessed the fake Proton VPN sites. Scan endpoints for the file hashes provided in the Speagle and NWHStealer pulses.
  • 1 Week: Patch FortiOS systems to address CVE-2024-37085 and CVE-2025-32463 to prevent The Gentlemen ransomware access. Review software supply chain integrity for DocGuard and update marimo platforms to mitigate CVE-2026-39987.
