The latest OTX pulses for July 2026 highlight a convergence of AI exploitation, financially motivated malware frameworks, and state-sponsored espionage. Adversaries are increasingly abusing Large Language Models (LLMs) by framing exploit requests as Capture-The-Flag (CTF) challenges to bypass safety guardrails, resulting in the generation of working exploit code for CVE-2026-XXXX vulnerabilities affecting platforms like PraisonAI and LiteLLM.
Simultaneously, the OkoBot framework is aggressively targeting cryptocurrency users. Distributed via "ClickFix" attacks and fake GitHub repositories, this multi-stage malware chain deploys PowerShell scripts (TookPS), SSH tunnels, and modules like TeviRAT and Rilide to steal wallet keys. In parallel, the China-nexus threat actor UNC6508 continues its campaign against North American medical and defense research institutions. By exploiting REDCap servers and deploying the INFINITERED malware family, UNC6508 maintains persistent access for credential harvesting and data exfiltration.
Threat Actor / Malware Profile
OkoBot Framework
- Malware Families: TookPS, TeviRAT, Rilide, SeedHunter, OkoSpyware, HDUtil.
- Distribution: ClickFix social engineering (fake browser updates) and malicious GitHub repositories.
- Payload Behavior: Initial access via PowerShell scripts (TookPS) establishing an automated SSH bot. Modules are deployed for browser extension injection (Rilide) and direct cryptocurrency wallet theft.
- C2 Communication: Connects to specific C2 domains to receive module updates and exfiltrate data.
- Target Geography: Brazil, Canada, Mexico.
UNC6508 (China-nexus)
- Malware Families: INFINITERED.
- Target Sectors: Healthcare, Education, Defense, Government.
- Techniques: Exploits vulnerabilities in REDCap (research data capture). Uses trojanized legitimate files to survive software upgrades.
- Objective: Espionage and credential harvesting related to AI, medical, and national defense research.
LLM Jailbreakers
- Technique: "CTF Framing" – manipulating LLMs into generating exploit code by presenting requests as security research challenges.
- Impact: Facilitates the exploitation of CVE-2026-39987, CVE-2026-42271, and others in the wild.
IOC Analysis
This briefing provides three distinct classes of Indicators of Compromise (IOCs):
- Network Domains: OkoBot relies on specific domains (e.g.,
coffeesaloon.online,livewallpapers.online). SOC teams should immediately block these at the perimeter and DNS layer. - File Hashes:
- OkoBot (MD5):
b07d451ee65a1580f20a784c8f0e7a46,187a1f68ae786e53d3831166dc84e6d2. - UNC6508 (SHA256):
4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b(INFINITERED). These hashes should be loaded into EDR solutions for immediate alerting.
- OkoBot (MD5):
- CVEs (Vulnerability IOCs): CVE-2026-39987, CVE-2026-42271, CVE-2026-42302. These indicate specific software flaws being exploited in the wild via LLM-generated code.
Operationalization: Use the PowerShell script provided below to scan endpoints for the file hashes. Configure SIEM rules to alert on DNS queries to the OkoBot domains.
Detection Engineering
title: OkoBot C2 Domain Connection
id: 1a2b3c4d-5e6f-7890-abcd-ef1234567890
description: Detects network connections to known OkoBot Command and Control domains identified in OTX pulses.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
detection:
selection:
dst_host|contains:
- 'coffeesaloon.online'
- 'livewallpapers.online'
- '2baserec2.guru'
- 'kbeautyreviews.com'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: PowerShell ClickFix / TookPS Loader Pattern
id: 2b3c4d5e-6f78-90ab-cdef-1234567890ab
description: Detects suspicious PowerShell execution patterns often associated with ClickFix attacks and OkoBot TookPS loaders.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
detection:
selection_img:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cli:
CommandLine|contains:
- 'IEX'
- 'Invoke-Expression'
- 'DownloadString'
selection_suspicious:
CommandLine|contains:
- 'fake'
- 'update'
- 'browser'
- 'github'
condition: all of selection_*
falsepositives:
- Legitimate system administration scripts
level: high
---
title: UNC6508 INFINITERED Malware File Execution
id: 3c4d5e6f-7890-abcd-ef12-34567890abcd
description: Detects execution or presence of files matching SHA256 hashes associated with UNC6508 INFINITERED malware.
status: experimental
date: 2026/07/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
tags:
- attack.defense_evasion
- attack.t1014
logsource:
category: file_event
detection:
selection:
TargetFilename|contains: 'C:\'
Hashes|contains:
- 'SHA256=4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b'
- 'SHA256=51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045'
- 'SHA256=58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86'
condition: selection
falsepositives:
- None
level: critical
kql
// OkoBot Network and Malware Hunt
// Look for C2 connections and suspicious PowerShell activity
let OkoBotDomains = dynamic(['coffeesaloon.online', 'livewallpapers.online', '2baserec2.guru', 'kbeautyreviews.com']);
let OkoBotHashes = dynamic(['b07d451ee65a1580f20a784c8f0e7a46', '187a1f68ae786e53d3831166dc84e6d2', 'd84e8dc509308523e0209d3cd3544619']);
let INFINITEREDHashes = dynamic(['4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b', '51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045']);
// Network Connection Hunt
DeviceNetworkEvents
| where RemoteUrl in (OkoBotDomains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
DeviceProcessEvents
| where ProcessCommandLine has_any ('IEX', 'DownloadString', 'Invoke-Expression')
| where ProcessCommandLine has_any ('fake', 'update', 'github')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath
)
| union (
DeviceFileEvents
| where SHA256 in (INFINITEREDHashes) or MD5 in (OkoBotHashes)
| project Timestamp, DeviceName, FileName, SHA256, MD5, FolderPath
)
powershell
# IOC Hunter for OkoBot and UNC6508
# Scans C: drive for specific MD5 and SHA256 hashes from the OTX pulses
$OkoBotMD5 = @(
'b07d451ee65a1580f20a784c8f0e7a46',
'187a1f68ae786e53d3831166dc84e6d2',
'd84e8dc509308523e0209d3cd3544619',
'83e6b8fcb92a0b13e109301f8ff649cf'
)
$InfiniteRedSHA256 = @(
'4efbef69eb3b09bacff892d6a55778d07c418e7f15eba3cf1245e8cdfd8dda0b',
'51a57bfc9ed3eb6451c1c289607814d59e1698c666fb97ac5f694c398f23d045',
'58bb25777e0aa86bcd2125101e0bca4e8732b03d91bd8d2f205b446a2a8d5c86',
'8f0158855a656b629ca76ebca565f18bc25563ded34b65d6771632c20edb68ec',
'ba6b73b0ca0dc7f86b3b397893ac32d729fd53f9df20643288f141f29d020af7',
'c1ac43d23f89d41eb4ff131678ab562ab2cfed9aa334b13767ef141d303b0e5b',
'db65c1b9f9e4cb4d729f45ad4b6fcf3e277caf9eb4c875425dec93fd883f9136'
)
Write-Host "[+] Starting IOC Scan on C:\..." -ForegroundColor Cyan
# Scan for OkoBot (MD5)
Write-Host "[+] Scanning for OkoBot MD5 Hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5 | Where-Object { $OkoBotMD5 -contains $_.Hash } | Select-Object Path, Hash | Format-List
# Scan for INFINITERED (SHA256)
Write-Host "[+] Scanning for UNC6508 INFINITERED SHA256 Hashes..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 | Where-Object { $InfiniteRedSHA256 -contains $_.Hash } | Select-Object Path, Hash | Format-List
Write-Host "[+] Scan Complete." -ForegroundColor Green
# Response Priorities
Immediate
- Block Network IOCs: Sinkhole the OkoBot C2 domains (
coffeesaloon.online,livewallpapers.online, etc.) at the DNS and Firewall level. - Endpoint Sweep: Deploy the PowerShell script or EDR query to hunt for OkoBot MD5 hashes and INFINITERED SHA256 hashes on all critical endpoints.
24 Hours
- Identity Verification: If OkoBot or credential-harvesting activity is suspected within the crypto-trading or medical research sectors, initiate forced password resets and MFA challenges for privileged accounts.
- Log Review: Inspect LLM access logs (if applicable) for prompt injections using "CTF" or "CVE hunting" framing to identify potential internal AI abuse.
1 Week
- Patch Management: Prioritize patching for the CVE-2026 series identified in the LLM jailbreaking pulse (CVE-2026-39987, CVE-2026-42271) specifically on AI/ML infrastructure.
- Architecture Hardening: Review and restrict the use of unofficial GitHub repositories in developer environments to prevent ClickFix-style supply chain infections. Harden REDCap servers against UNC6508 exploitation vectors.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.