Recent OTX pulse data reveals a converged threat landscape where credential theft is the primary objective across multiple vectors. A sophisticated supply chain attack targeting .NET developers (via malicious NuGet packages) is deploying the Lumma Stealer family, while a new 64-bit variant of Lumma, dubbed "Remus," has emerged utilizing blockchain-based C2 (EtherHiding). Simultaneously, the PCPJack cloud worm is actively propagating across exposed infrastructure, evicting the TeamPCP threat actor to hijack credentials from Kubernetes and Docker environments. This activity parallels targeted APT operations (GriefLure) leveraging spear-phishing to compromise military and healthcare sectors, and the active exploitation of a PAN-OS zero-day (CVE-2023-33538) to establish tunneling footholds.
Threat Actor / Malware Profile
- Lumma Stealer (Remus Variant): A 64-bit infostealer evolving after Lumma takedowns. It employs EtherHiding to retrieve C2 endpoints from blockchain transactions, bypassing traditional domain blocks. It targets browser credentials, cryptocurrency wallets, and 2FA sessions.
- PCPJack: A cloud-focused credential worm that exploits vulnerabilities in containerized environments. It systematically removes TeamPCP artifacts before deploying the Sliver C2 framework to harvest cloud provider keys and developer credentials.
- NuGet Supply Chain (Typosquatting): Malicious packages impersonating Chinese UI libraries (bmrxntfj). They use .NET Reactor for obfuscation and deliver payloads including Quantum, AgentRacoon, and ArrowRAT to steal SSH keys and browser data.
- Operation GriefLure: An APT campaign using weaponized legal documents to target Viettel (Vietnam) and St. Luke's (Philippines). Uses living-off-the-land (LotL) binaries for initial access and persistence.
- CL-STA-1132: The actor exploiting the PAN-OS zero-day. Utilizes buffer overflows in the GlobalProtect portal to inject shellcode, deploying EarthWorm and ReverseSocks5 for tunneling.
IOC Analysis
The indicators provided span domains, file hashes, and CVEs. The domains dns-providersa2.com and lastpass-login-help.com represent C2 and credential-harvesting infrastructure. File hashes (SHA256) associated with the NuGet packages and Remus binary should be blocklisted on endpoints.
- Domains/IPs: High-fidelity IOCs for network blocking (e.g., forestoaker.com, 149.104.66.84). SOC teams should feed these into firewall/EDR blocklists immediately.
- File Hashes: Specific binaries (e.g., b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d) indicate active compromise.
- CVEs: Critical for vulnerability scanning (PAN-OS CVE-2023-33538, multiple CVEs associated with PCPJack cloud exploitation).
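An exact-match lookup of the IOC list (as in a KQL `in~` clause) misses subdomains of a C2 domain, mixed-case hostnames, and URLs that carry a scheme or port. The following Python is an added example, not code from the OTX pulse or from this report: it takes the domain, IP and SHA256 values quoted above, normalises each telemetry field, and matches domains by label suffix so that `cdn.forestoaker.com` is caught while `notforestoaker.com` is not. The function names (`normalize_host`, `matching_ioc_domain`, `hunt`) and every event record are constructed for the example.

```python
"""Match constructed endpoint telemetry against the report's IOC list.

Added example, not part of the OTX pulse or this report. The IOC values come
from the IOC Analysis section above; every event record is a constructed sample.
"""
from typing import Optional

# IOC values quoted in the report
IOC_DOMAINS = {"dns-providersa2.com", "forestoaker.com", "lastpass-login-help.com"}
IOC_IPS = {"149.104.66.84"}
IOC_SHA256 = {"b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d"}


def normalize_host(value: str) -> str:
    """Reduce a URL or host:port string to a bare lower-case hostname."""
    v = value.strip().lower()
    if "://" in v:                      # drop the scheme
        v = v.split("://", 1)[1]
    v = v.split("/", 1)[0]              # drop any path
    v = v.rsplit("@", 1)[-1]            # drop userinfo
    if v.startswith("["):               # bracketed IPv6 literal
        v = v[1:].split("]", 1)[0]
    else:
        v = v.split(":", 1)[0]          # drop the port
    return v.rstrip(".")


def matching_ioc_domain(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.

    Walking the label suffixes catches cdn.forestoaker.com without matching
    unrelated names such as notforestoaker.com; the bare TLD is never tried.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def check_network_event(event: dict) -> list:
    """Return IOC hit labels for one network event (domain and/or IP)."""
    hits = []
    host = normalize_host(event.get("RemoteUrl", ""))
    domain = matching_ioc_domain(host) if host else None
    if domain:
        hits.append(f"domain:{domain}")
    ip = event.get("RemoteIP", "").strip()
    if ip in IOC_IPS:
        hits.append(f"ip:{ip}")
    return hits


def check_process_event(event: dict) -> list:
    """Return IOC hit labels for one process event; hashes compare case-insensitively."""
    sha = event.get("SHA256", "").strip().lower()
    return [f"sha256:{sha}"] if sha in IOC_SHA256 else []


def hunt(network_events, process_events) -> list:
    """Run both checks; return (DeviceName, hits) for every event with at least one hit."""
    findings = []
    for ev in network_events:
        hits = check_network_event(ev)
        if hits:
            findings.append((ev["DeviceName"], hits))
    for ev in process_events:
        hits = check_process_event(ev)
        if hits:
            findings.append((ev["DeviceName"], hits))
    return findings


# Constructed sample telemetry (not real data)
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "dev-ws-01", "RemoteUrl": "https://cdn.forestoaker.com/update.bin", "RemoteIP": "203.0.113.10"},
    {"DeviceName": "dev-ws-02", "RemoteUrl": "notforestoaker.com", "RemoteIP": "203.0.113.11"},
    {"DeviceName": "build-01", "RemoteUrl": "", "RemoteIP": "149.104.66.84"},
    {"DeviceName": "dev-ws-03", "RemoteUrl": "LastPass-Login-Help.com:443", "RemoteIP": "203.0.113.12"},
]
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "dev-ws-01", "FileName": "setup.exe",
     "SHA256": "B037FA1DD769891B538D9CA26131890C93E3458EEC96C5354BDEBE50D04A5B3D"},
    {"DeviceName": "dev-ws-02", "FileName": "notepad.exe",
     "SHA256": "0000000000000000000000000000000000000000000000000000000000000000"},
]

if __name__ == "__main__":
    for device, hits in hunt(SAMPLE_NETWORK_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(f"{device}: {', '.join(hits)}")
```

Run over the constructed sample, three network events and one process event produce hits; the `notforestoaker.com` and benign-hash records correctly produce none. The same suffix-walk is what a proxy or DNS blocklist should do when the IOC list names an apex domain.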
Detection Engineering
```yaml
title: Suspicious NuGet Package Execution via MSBuild
description: Detects execution of potentially typosquatted NuGet packages impersonating Chinese UI libraries as observed in OTX Pulse.
status: stable
date: 2026/05/08
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/660f1c1c8f1f1c1c1c1c1c1c
tags:
  - attack.t1195.001
  - attack.initial_access
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith:
      - '\msbuild.exe'
      - '\csc.exe'
      - '\vbc.exe'
  filter_legit:
    ParentProcessName|contains:
      - '\Microsoft Visual Studio'
      - '\JetBrains'
      - '\MSBuild\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate developer builds outside of standard IDEs
level: high
---
title: Lumma Remus Stealer Blockchain C2 Pattern
description: Detects suspicious process activity associated with Lumma Remus 64-bit variant and EtherHiding C2 patterns.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/660f1c1c8f1f1c1c1c1c1c1c
tags:
  - attack.s0013
  - attack.c2
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\regsvr32.exe'
      - '\rundll32.exe'
  selection_cli:
    CommandLine|contains:
      - 'ethereum'
      - 'etherhiding'
      - 'blockchain'
  selection_path:
    CurrentDirectory|contains:
      - '\AppData\Roaming\Microsoft\Windows\'
      - '\AppData\Local\Temp\'
  condition: all of selection_*
falsepositives:
  - Rare legitimate blockchain utilities
level: critical
---
title: PCPJack Cloud Worm Sliver C2 Detection
description: Detects command line arguments characteristic of Sliver C2 implant used by PCPJack in cloud environments.
status: experimental
date: 2026/05/08
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/660f1c1c8f1f1c1c1c1c1c1c
tags:
  - attack.t1059.004
  - attack.command_and_control
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    CommandLine|contains:
      - 'wget http* -O /tmp/'
      - 'curl -s http* | bash'
      - 'chmod +x /tmp/.* && /tmp/.*'
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/wget'
      - '/curl'
  context:
    CommandLine|contains:
      - 'teampcp'
      - 'pcpjack'
  condition: selection or context
falsepositives:
  - Legitimate admin scripts
level: high
```
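To make the selection and condition semantics of these rules concrete before they are deployed, here is an added Python example (not part of this report and not Sigma project code) that transcribes the first two rules as dicts and evaluates them against constructed process events. It implements only what these rules need: exact, `endswith` and `contains` field matching with Sigma's case-insensitive `*` wildcard, and conditions built from `and`, `or`, `not` and `all of selection_*`. The helper names (`rule_matches`, `evaluate_condition`) and all events are assumptions of the example; for production the rules should be converted by a Sigma backend such as pySigma/sigma-cli rather than re-implemented.

```python
"""Minimal evaluator for the selection/condition logic of the Sigma rules above.

Added example, not from the report or from any Sigma tooling. Implements only the
subset those rules use; every event below is a constructed sample.
"""
import re


def _glob_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run, '?' one character, all else literal; case-insensitive."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE | re.DOTALL)


def _field_matches(event: dict, key: str, expected) -> bool:
    """One 'Field|modifier' entry; a list of values is an OR; a missing field never matches."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    for value in map(str, values):
        glob = {"endswith": f"*{value}", "startswith": f"{value}*",
                "contains": f"*{value}*"}.get(modifier, value)
        if _glob_to_regex(glob).match(str(event[field])):
            return True
    return False


def _selection_matches(event: dict, selection: dict) -> bool:
    """Every field entry inside one selection must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(condition: str, results: dict) -> bool:
    """Recursive descent: 'or' binds loosest, then 'and', then 'not' / 'all of'."""
    tokens, pos = condition.split(), 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok in ("all", "any"):
            take()                                    # skip the word "of"
            prefix = take().rstrip("*")
            vals = [v for name, v in results.items() if name.startswith(prefix)]
            return all(vals) if tok == "all" else any(vals)
        return results[tok]

    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            value = factor() and value                # right side first so its tokens are consumed
        return value

    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            value = term() or value
        return value

    return bool(expr())


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate each named selection against the event, then the rule's condition."""
    results = {name: _selection_matches(event, sel) for name, sel in rule["detection"].items()}
    return evaluate_condition(rule["condition"], results)


# The first two rules above, transcribed as dicts
RULE_NUGET_MSBUILD = {
    "detection": {
        "selection": {"EventID": 4688,
                      "NewProcessName|endswith": ["\\msbuild.exe", "\\csc.exe", "\\vbc.exe"]},
        "filter_legit": {"ParentProcessName|contains":
                         ["\\Microsoft Visual Studio", "\\JetBrains", "\\MSBuild\\"]},
    },
    "condition": "selection and not filter_legit",
}
RULE_LUMMA_REMUS = {
    "detection": {
        "selection_img": {"Image|endswith": ["\\regsvr32.exe", "\\rundll32.exe"]},
        "selection_cli": {"CommandLine|contains": ["ethereum", "etherhiding", "blockchain"]},
        "selection_path": {"CurrentDirectory|contains":
                           ["\\AppData\\Roaming\\Microsoft\\Windows\\", "\\AppData\\Local\\Temp\\"]},
    },
    "condition": "all of selection_*",
}

# Constructed events (not real telemetry)
EVT_CSC_FROM_CMD = {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
                    "NewProcessName": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe"}
EVT_CSC_FROM_VS = {**EVT_CSC_FROM_CMD,
                   "ParentProcessName": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Common7\\IDE\\devenv.exe"}
EVT_RUNDLL_TEMP = {"Image": "C:\\Windows\\System32\\rundll32.exe",
                   "CommandLine": "rundll32.exe loader.dll,Run --rpc https://ethereum.example/",
                   "CurrentDirectory": "C:\\Users\\dev\\AppData\\Local\\Temp\\"}
EVT_RUNDLL_SYS32 = {**EVT_RUNDLL_TEMP, "CurrentDirectory": "C:\\Windows\\System32\\"}
```

Evaluating the constructed events shows the intended behaviour of each rule: `csc.exe` spawned by `cmd.exe` fires the NuGet rule while the same process under Visual Studio is suppressed by `filter_legit`, and the Remus rule fires only when all three selections hold at once, so `rundll32.exe` with the same command line but a System32 working directory does not alert.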
```kql
// Hunt for Indicators of Compromise (IOCs) related to PCPJack and Lumma
let IOCs = dynamic([
    "dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics",
    "149.104.66.84", "lastpass-login-help.com", "www.whatsappcenter.com"
]);
// Network connections to known C2 or phishing domains
DeviceNetworkEvents
| where RemoteUrl in~ (IOCs) or RemoteIP in~ (IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatContext = "Network IOC Detected"
// union is a tabular operator and needs the pipe to attach the second query
| union (
    // Process creation with specific file hashes
    DeviceProcessEvents
    | where SHA256 in~ ("019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
                        "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
                        "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a")
    | project Timestamp, DeviceName, FileName, SHA256, ProcessCommandLine, FolderPath
    | extend ThreatContext = "Malicious File Hash Executed"
)
```
```powershell
# PowerShell Hunt Script: PCPJack and NuGet Malware Artifacts
# Requires Admin Privileges
$MaliciousHashes = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a"
)
Write-Host "[+] Hunting for malicious file hashes..." -ForegroundColor Cyan

# Scan common paths for infostealers and cloud worms
$PathsToScan = @(
    "$env:USERPROFILE\AppData\Roaming",
    "$env:USERPROFILE\AppData\Local\Temp",
    "C:\ProgramData",
    "C:\Windows\Temp"
)
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories (which Get-FileHash cannot hash); the size bounds keep the scan fast
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0kb -and $_.Length -lt 5mb } |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                # Get-FileHash returns upper-case hex; -contains compares case-insensitively
                if ($hash -and ($MaliciousHashes -contains $hash)) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                }
            }
    }
}

# Check for NuGet compromise signs (suspicious package folders)
$NugetPath = "$env:USERPROFILE\.nuget\packages"
if (Test-Path $NugetPath) {
    Write-Host "[+] Checking NuGet packages for suspicious typosquats (bmrxntfj)..." -ForegroundColor Cyan
    $SuspiciousPackages = Get-ChildItem -Path $NugetPath -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*bmrx*" -or $_.Name -like "*teampcp*" }
    if ($SuspiciousPackages) {
        Write-Host "[!] POTENTIAL SUPPLY CHAIN COMPROMISE DETECTED IN NUGET:" -ForegroundColor Red
        $SuspiciousPackages | ForEach-Object { Write-Host " - $($_.FullName)" }
    }
}
```
Response Priorities
- Immediate:
  - Block all domains and IPs listed in the IOC Analysis at the perimeter firewall and proxy.
  - Scan build environments and developer workstations for the specific NuGet package hashes (019e6c2c..., 34e2d63b...). Remove the packages immediately.
  - Patch PAN-OS firewalls for CVE-2023-33538 and associated CVEs (CVE-2025-55182, CVE-2026-1281) to prevent EarthWorm tunneling.
- 24h:
  - Force reset of cloud credentials (AWS/Azure/GCP) and SSH keys if infrastructure was potentially exposed to PCPJack or TeamPCP activity.
  - Identify users who may have interacted with "legal document" phishing lures (GriefLure) and rotate their credentials.
- 1 Week:
  - Implement code signing verification for internal NuGet repositories.
  - Harden Kubernetes/Docker configurations to prevent worm propagation (restrict pod-to-pod communication).