Recent OTX pulses indicate a converged threat landscape focused on credential theft and initial access via diverse vectors. A primary concern is the emergence of the OkoBot framework, which targets cryptocurrency wallets through a sophisticated infection chain involving TookPS PowerShell scripts and malicious browser extensions like Rilide. Concurrently, traditional infostealers (LummaC2, Vidar, ACRStealer) are seeing a resurgence, distributed primarily via SEO poisoning campaigns masquerading as cracked software on cloud storage platforms (Mediafire, Mega).
On the enterprise front, O-UNC-038 is actively conducting a recruitment-themed phishing campaign (Operation Fake KickOff), abusing SaaS platforms to bypass MFA and harvest corporate credentials. Meanwhile, a NuGet supply chain attack is distributing malicious "game cheat" tools (pepesoft.exe) that deploy surveillance payloads using DNS-over-HTTPS for evasion.
Threat Actor / Malware Profile
OkoBot Framework
- Malware Families: TookPS, TeviRAT, Rilide, SeedHunter, OkoSpyware, HDUtil.
- Distribution: ClickFix attacks, fake software repositories on GitHub.
- Behavior: Deploys an automated SSH bot for C2 persistence. Utilizes browser extension injectors to install Rilide for cryptocurrency theft.
- Persistence: Scheduled tasks executed via PowerShell; SSH tunneling for covert communication.
Infostealer Families (LummaC2, Vidar, Remus)
- Actors: Unknown, utilizing widespread SEO poisoning.
- Distribution: High volume distribution via illegal software downloads (cracks/keygens) hosted on Mediafire and Mega.
- Payload: EXE files (84.5%) and DLL side-loading (15.5%).
- Objective: Theft of browser credentials, cookies, and cryptocurrency wallet data.
O-UNC-038 (Operation Fake KickOff)
- Targeted Industries: HR, Aerospace, Finance, Healthcare, Technology.
- Technique: Phishing emails impersonating legitimate recruitment firms (Robert Half, Aquent). Abuses SaaS platforms (Google Workspace) and "Browser-in-the-Browser" techniques for Adversary-in-the-Middle (AITM) attacks to bypass MFA.
NuGet Supply Chain (Pepesoft)
- Vector: Malicious NuGet packages posing as game cheats (Albion Online, GTA5RP).
- Evasion: Uses DNS-over-HTTPS (DoH) to bypass network controls and fetches second-stage PyInstaller payloads.
IOC Analysis
The intelligence dump provides a mix of infrastructure and file-based indicators essential for detection:
-
Domains (Phishing & C2):
- Phishing:
fifahr-careers.com,adidas-hiring.com(O-UNC-038). - C2/Infrastructure:
apdhlhs3.xyz,bduwih8.pro(Infostealers),coffeesaloon.online,livewallpapers.online(OkoBot). - Action: SOC teams should immediately block these domains at the perimeter and inspect logs for any historical DNS resolution or HTTP connections to these endpoints.
- Phishing:
-
File Hashes (SHA256 & MD5):
- Includes hashes for LummaC2, Vidar, and the pepesoft.exe downloader.
- Action: Load these into EDR detection rules. Perform historical hunts for these specific hashes on endpoints to identify potential dormant infections.
-
CVEs:
- Multiple 2026 CVEs (e.g., CVE-2026-42271) related to LLM jailbreaking.
- Action: Vulnerability management teams should prioritize patching AI platforms and monitoring for exploitation attempts.
Detection Engineering
---
title: Potential OkoBot PowerShell Persistence
description: Detects PowerShell execution creating scheduled tasks, a tactic used by OkoBot's TookPS component for persistence.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\powershell.exe'
CommandLine|contains:
- 'Register-ScheduledTask'
- 'New-ScheduledTaskTrigger'
condition: selection
falsepositives:
- System administration scripts
level: high
---
title: SEO Poisoning Infostealer Download Pattern
description: Detects processes downloading executables from known file-sharing platforms often used in SEO poisoning campaigns (Mediafire, Mega).
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\cmd.exe'
CommandLine|contains:
- 'mediafire.com'
- 'mega.nz'
condition: selection
falsepositives:
- Legitimate user downloads
level: medium
---
title: NuGet Malicious Package Execution
description: Detects execution of unsigned binaries or scripts from NuGet package folders, characteristic of the pepe/pepesoft campaign.
status: experimental
date: 2026/07/15
author: Security Arsenal
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|contains: '\.nuget\packages\'
filter:
Signed: 'false'
condition: selection and filter
falsepositives:
- Development builds of internal tools
level: high
kql
// Hunt for connections to known OkoBot and Infostealer C2 domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
'apdhlhs3.xyz', 'bduwih8.pro', 'coffeesaloon.online',
'livewallpapers.online', '2baserec2.guru', 'kbeautyreviews.com'
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoCType = "C2 Domain"
powershell
# IOC Hunt Script: OkoBot & Infostealer Artifacts
# Checks for presence of specific file hashes and suspicious registry keys
$TargetHashes = @(
"d15248555e7a2d9c279d219e6587a74fca9c25720194512a2e4b0757f7a63219", # Lumma/Vidar
"d5385526f2f3e52c7d96087611c6cd4e479bf61828400efdb3ca09406d981609", # Pepesoft
"b07d451ee65a1580f20a784c8f0e7a46" # OkoBot Component
)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
# Scan C:\ drive (adjust scope as necessary)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
Where-Object { -not $_.PSIsContainer } |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($TargetHashes -contains $hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
}
# Check for OkoBot/Rilide persistence (Scheduled Tasks)
Write-Host "[+] Checking for suspicious Scheduled Tasks..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -and $_.Actions.Arguments -like "*http*" } |
Format-List TaskName, Actions
Response Priorities
Immediate
- Block IOCs: Immediately block all listed domains and file hashes at the firewall, proxy, and EDR levels.
- Hunt for Artifacts: Execute the provided PowerShell script across endpoints to identify active OkoBot or Infostealer infections.
24 Hours
- Identity Audit: Given the prevalence of credential theft (O-UNC-038, Infostealers), conduct an audit of recent sign-ins for HR and privileged accounts, specifically looking for impossible travel anomalies or new device registrations.
- SaaS Investigation: Review Google Workspace/Azure AD logs for access to the phishing domains or suspicious OAuth grants.
1 Week
- Architecture Hardening: Implement strict allow-listing for NuGet repositories within the development environment to prevent supply chain poisoning.
- User Awareness: Roll out targeted security awareness training regarding "recruitment phishing" and the dangers of downloading cracked software (SEO poisoning).
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.