Back to Intelligence

OkoBot, LummaC2 & O-UNC-038: Credential Harvesting & Infostealer Surge — OTX Analysis

SA
Security Arsenal Team
July 15, 2026
5 min read

Recent OTX pulses indicate a converged threat landscape focused on credential theft and initial access via diverse vectors. A primary concern is the emergence of the OkoBot framework, which targets cryptocurrency wallets through a sophisticated infection chain involving TookPS PowerShell scripts and malicious browser extensions like Rilide. Concurrently, traditional infostealers (LummaC2, Vidar, ACRStealer) are seeing a resurgence, distributed primarily via SEO poisoning campaigns masquerading as cracked software on cloud storage platforms (Mediafire, Mega).

On the enterprise front, O-UNC-038 is actively conducting a recruitment-themed phishing campaign (Operation Fake KickOff), abusing SaaS platforms to bypass MFA and harvest corporate credentials. Meanwhile, a NuGet supply chain attack is distributing malicious "game cheat" tools (pepesoft.exe) that deploy surveillance payloads using DNS-over-HTTPS for evasion.

Threat Actor / Malware Profile

OkoBot Framework

  • Malware Families: TookPS, TeviRAT, Rilide, SeedHunter, OkoSpyware, HDUtil.
  • Distribution: ClickFix attacks, fake software repositories on GitHub.
  • Behavior: Deploys an automated SSH bot for C2 persistence. Utilizes browser extension injectors to install Rilide for cryptocurrency theft.
  • Persistence: Scheduled tasks executed via PowerShell; SSH tunneling for covert communication.

Infostealer Families (LummaC2, Vidar, Remus)

  • Actors: Unknown, utilizing widespread SEO poisoning.
  • Distribution: High volume distribution via illegal software downloads (cracks/keygens) hosted on Mediafire and Mega.
  • Payload: EXE files (84.5%) and DLL side-loading (15.5%).
  • Objective: Theft of browser credentials, cookies, and cryptocurrency wallet data.

O-UNC-038 (Operation Fake KickOff)

  • Targeted Industries: HR, Aerospace, Finance, Healthcare, Technology.
  • Technique: Phishing emails impersonating legitimate recruitment firms (Robert Half, Aquent). Abuses SaaS platforms (Google Workspace) and "Browser-in-the-Browser" techniques for Adversary-in-the-Middle (AITM) attacks to bypass MFA.

NuGet Supply Chain (Pepesoft)

  • Vector: Malicious NuGet packages posing as game cheats (Albion Online, GTA5RP).
  • Evasion: Uses DNS-over-HTTPS (DoH) to bypass network controls and fetches second-stage PyInstaller payloads.

IOC Analysis

The intelligence dump provides a mix of infrastructure and file-based indicators essential for detection:

  • Domains (Phishing & C2):

    • Phishing: fifahr-careers.com, adidas-hiring.com (O-UNC-038).
    • C2/Infrastructure: apdhlhs3.xyz, bduwih8.pro (Infostealers), coffeesaloon.online, livewallpapers.online (OkoBot).
    • Action: SOC teams should immediately block these domains at the perimeter and inspect logs for any historical DNS resolution or HTTP connections to these endpoints.
  • File Hashes (SHA256 & MD5):

    • Includes hashes for LummaC2, Vidar, and the pepesoft.exe downloader.
    • Action: Load these into EDR detection rules. Perform historical hunts for these specific hashes on endpoints to identify potential dormant infections.
  • CVEs:

    • Multiple 2026 CVEs (e.g., CVE-2026-42271) related to LLM jailbreaking.
    • Action: Vulnerability management teams should prioritize patching AI platforms and monitoring for exploitation attempts.

Detection Engineering

YAML
---
title: Potential OkoBot PowerShell Persistence
description: Detects PowerShell execution creating scheduled tasks, a tactic used by OkoBot's TookPS component for persistence.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Register-ScheduledTask'
            - 'New-ScheduledTaskTrigger'
    condition: selection
falsepositives:
    - System administration scripts
level: high
---
title: SEO Poisoning Infostealer Download Pattern
description: Detects processes downloading executables from known file-sharing platforms often used in SEO poisoning campaigns (Mediafire, Mega).
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith:
            - '\mshta.exe'
            - '\powershell.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'mediafire.com'
            - 'mega.nz'
    condition: selection
falsepositives:
    - Legitimate user downloads
level: medium
---
title: NuGet Malicious Package Execution
description: Detects execution of unsigned binaries or scripts from NuGet package folders, characteristic of the pepe/pepesoft campaign.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|contains: '\.nuget\packages\'
    filter:
        Signed: 'false'
    condition: selection and filter
falsepositives:
    - Development builds of internal tools
level: high


kql
// Hunt for connections to known OkoBot and Infostealer C2 domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    'apdhlhs3.xyz', 'bduwih8.pro', 'coffeesaloon.online', 
    'livewallpapers.online', '2baserec2.guru', 'kbeautyreviews.com'
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoCType = "C2 Domain"


powershell
# IOC Hunt Script: OkoBot & Infostealer Artifacts
# Checks for presence of specific file hashes and suspicious registry keys

$TargetHashes = @(
    "d15248555e7a2d9c279d219e6587a74fca9c25720194512a2e4b0757f7a63219", # Lumma/Vidar
    "d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609", # Pepesoft
    "b07d451ee65a1580f20a784c8f0e7a46" # OkoBot Component
)

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan

# Scan C:\ drive (adjust scope as necessary)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { -not $_.PSIsContainer } | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

# Check for OkoBot/Rilide persistence (Scheduled Tasks)
Write-Host "[+] Checking for suspicious Scheduled Tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -and $_.Actions.Arguments -like "*http*" } | 
    Format-List TaskName, Actions

Response Priorities

Immediate

  • Block IOCs: Immediately block all listed domains and file hashes at the firewall, proxy, and EDR levels.
  • Hunt for Artifacts: Execute the provided PowerShell script across endpoints to identify active OkoBot or Infostealer infections.

24 Hours

  • Identity Audit: Given the prevalence of credential theft (O-UNC-038, Infostealers), conduct an audit of recent sign-ins for HR and privileged accounts, specifically looking for impossible travel anomalies or new device registrations.
  • SaaS Investigation: Review Google Workspace/Azure AD logs for access to the phishing domains or suspicious OAuth grants.

1 Week

  • Architecture Hardening: Implement strict allow-listing for NuGet repositories within the development environment to prevent supply chain poisoning.
  • User Awareness: Roll out targeted security awareness training regarding "recruitment phishing" and the dangers of downloading cracked software (SEO poisoning).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealeroko-boto-unc-038supply-chainphishing

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.