OtterCookie, NWHStealer, and ClickFix: Multi-Vector Infostealer Surge — OTX Pulse Analysis

Security Arsenal Team
April 15, 2026

Date: 2026-04-16 | Source: AlienVault OTX | TLP: White

Threat Summary

Recent OTX pulses indicate a coordinated surge in infostealing operations leveraging diverse attack vectors including software supply chain compromise (npm), social engineering (ClickFix), and malicious browser extensions. Threat actors range from state-sponsored groups (FAMOUS CHOLLIMA) to independent cybercriminals (alh1mik). The collective objective is the theft of credentials, cryptocurrency wallet seeds, and active session tokens (OAuth2) to facilitate financial fraud and persistent access. Notably, the "ClickFix" technique is gaining traction to force-install malicious Chrome extensions, bypassing user consent via enterprise policies.

Threat Actor / Malware Profile

  • FAMOUS CHOLLIMA (OtterCookie, BeaverTail)
    • Vector: Supply chain. Malicious npm packages (e.g., big.js clones) pulled during "contagious interview" dev tests.
    • Payload: Steals credentials, establishes SSH backdoors.
    • C2: Uses Vercel infrastructure to blend with legitimate traffic.
  • NWHStealer
    • Vector: Social engineering. Fake VPN sites (ProtonVPN), gaming mods, hardware utilities.
    • Payload: Harvests browser data, passwords, crypto wallets.
    • C2: Direct HTTP/HTTPS to hardcoded typosquat domains.
  • alh1mik (notnullOSX)
    • Vector: Social engineering. ClickFix techniques, malicious DMGs targeting macOS.
    • Payload: Go-written modular stealer targeting >$10k crypto wallets.
  • ClickFix Campaigns (Brazilian Banking)
    • Vector: Policy abuse. Force-installs Chrome extensions via Cloud Management tokens.
    • Payload: Banking trojan/stealer masquerading as a Banco Central do Brasil tool.
    • C2: Unauthenticated HTTP endpoints (port 3000).
  • Chrome Extensions
    • Vector: Web Store. 108 malicious extensions with shared C2.
    • Payload: Google Identity theft (OAuth2), Telegram session hijacking.
    • C2: cloudapi[.]stream.

IOC Analysis

  • IP Addresses: A high concentration of indicators in the 144.126.x.x and 144.172.x.x ranges (likely VPS/Hosting providers). These include C2 servers for the Brazilian ClickFix campaign and the North Korean npm operation.
  • Domains: Typosquatting is prevalent (e.g., get-proton-vpn.com). The domain cloudapi.stream serves as a shared C2 for over 100 malicious extensions, indicating a Malware-as-a-Service (MaaS) model.
  • File Hashes: Multiple SHA256 hashes provided for Windows (NWHStealer) and macOS (notnullOSX) payloads. These should be immediately blocked in EDR solutions.
  • Operationalization:
    • SOC: Blocklist IPs/Domains. Hunt for file hashes.
    • Network: Sinkhole DNS requests to cloudapi.stream and typosquatted VPN domains.
    • Identity: Revoke OAuth tokens for users who may have installed compromised extensions.
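The typosquatting pattern called out above (get-proton-vpn.com impersonating ProtonVPN) can be screened for generically rather than one domain at a time. The following is an added example, not code from the original post: it takes a list of DNS query names, normalises the registrable label (hyphens removed, common digit-for-letter substitutions undone) and flags labels that embed, equal or nearly match a protected brand while not belonging to that brand's real domain. The brand map and the query names are constructed for the example; the registrable-label logic assumes a single-label public suffix and is not a Public Suffix List lookup.

```python
"""Screen DNS query names for typosquats of protected brands (added example, constructed data)."""
from difflib import SequenceMatcher

# Digits commonly swapped for look-alike letters in typosquats.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed: brand token -> the brand's legitimate registrable domain.
PROTECTED_BRANDS = {"protonvpn": "protonvpn.com"}

# Constructed DNS query names; only the first is taken from the pulse, the rest are made up.
SAMPLE_QUERIES = [
    "get-proton-vpn.com",
    "protonvpn.com",
    "account.protonvpn.com",
    "pr0tonvpn.com",
    "protonvpm.com",
    "update.example.org",
]


def registrable_label(domain):
    """Second-level label of the name; assumes a one-label suffix such as .com or .icu."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Undo digit homoglyphs and drop separators so 'pr0ton-vpn' compares as 'protonvpn'."""
    return label.translate(DIGIT_HOMOGLYPHS).replace("-", "").replace("_", "")


def classify(domain, brands=PROTECTED_BRANDS):
    """Return (brand, reason) if the domain looks like a typosquat of a protected brand, else None."""
    name = domain.lower().rstrip(".")
    label = normalize(registrable_label(name))
    for brand, legit in brands.items():
        if name == legit or name.endswith("." + legit):
            return None  # the brand's own domain or one of its subdomains
        if label == brand:
            return brand, "homoglyph or separator variant of the brand domain"
        if brand in label:
            return brand, "brand name embedded in the registrable label"
        if SequenceMatcher(None, label, brand).ratio() >= 0.85:
            return brand, "near-match to the brand name"
    return None


def screen_queries(query_names, brands=PROTECTED_BRANDS):
    """Return (query, brand, reason) for every query name that classify() flags."""
    findings = []
    for query in query_names:
        hit = classify(query, brands)
        if hit:
            findings.append((query, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for query, brand, reason in screen_queries(SAMPLE_QUERIES):
        print(f"{query}: possible {brand} typosquat ({reason})")
```

Run over a day's DNS query log, the flagged names are candidates for the sinkhole list; the brand's own domain and its subdomains are excluded so the screen does not fire on legitimate traffic.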

Detection Engineering

yaml
---
title: Potential Malicious NPM Package Execution (OtterCookie)
id: 8b0f6c22-5a7a-4e2b-9c1d-3a5e7f8b9a0e
status: experimental
description: Detects execution of suspicious Node.js processes often associated with malicious npm packages like OtterCookie spawning system shells or obfuscated scripts.
references:
    - https://otx.alienvault.com/pulse/6425a7b1c9b8a001
author: Security Arsenal
date: 2026/04/16
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Legitimate development scripts spawning shells
level: high
---
title: Force-Installed Chrome Extension via Policy (ClickFix)
id: 9d1e7a33-6b8c-5f3c-0d2e-4b6f8g0c1d2e
status: experimental
description: Detects registry modifications that force-install Chrome extensions, a technique used by the ClickFix Brazilian banking campaign.
references:
    - https://otx.alienvault.com/pulse/6425a7b1c9b8a005
author: Security Arsenal
date: 2026/04/16
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    condition: selection
falsepositives:
    - Authorized IT administration deploying legitimate extensions
level: medium
---
title: Infostealer C2 Network Traffic
id: 0e2f8b44-7c9d-6a1e-1f3c-5d7g9h0i2j4k
status: experimental
description: Detects DNS queries or network connections to known C2 infrastructure associated with OtterCookie, NWHStealer, and Chrome Extension campaigns.
references:
    - https://otx.alienvault.com/pulse/6425a7b1c9b8a001
author: Security Arsenal
date: 2026/04/16
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|contains:
            - 'cloudapi.stream'
            - 'get-proton-vpn.com'
            - 'newworld-helloworld.icu'
            - 'xpie348.online'
    condition: selection
falsepositives:
    - Unknown
level: critical
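To check that the three selections above fire on the events they are meant to catch and stay quiet on benign ones, here is an added example (not part of the original post and not a Sigma toolchain): a small Python evaluator that implements the `endswith`, `contains`, `startswith` and exact-match field modifiers used by these rules and runs each rule's selection over constructed sample events. The events are made up for the example; the rule selections are transcribed from the YAML above, and each rule's condition is simply `selection`, so a rule fires when every field in its selection matches.

```python
"""Evaluate the three Sigma selections above against constructed sample events (added example)."""

# Constructed sample events (not real telemetry); field names follow the Sigma Windows taxonomy.
SAMPLE_EVENTS = [
    {"category": "process_creation",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"category": "process_creation",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Program Files\nodejs\node.exe"},
    {"category": "registry_set",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1"},
    {"category": "dns_query", "QueryName": "api.cloudapi.stream"},
    {"category": "dns_query", "QueryName": "update.example.org"},
]

# Selection blocks transcribed from the rules above; each rule's condition is just "selection".
RULES = {
    "Potential Malicious NPM Package Execution (OtterCookie)": {
        "category": "process_creation",
        "selection": {
            "ParentImage|endswith": "\\node.exe",
            "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"],
        },
    },
    "Force-Installed Chrome Extension via Policy (ClickFix)": {
        "category": "registry_set",
        "selection": {
            "TargetObject|contains": "SOFTWARE\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
        },
    },
    "Infostealer C2 Network Traffic": {
        "category": "dns_query",
        "selection": {
            "QueryName|contains": ["cloudapi.stream", "get-proton-vpn.com",
                                   "newworld-helloworld.icu", "xpie348.online"],
        },
    },
}


def field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; a list of patterns is OR-ed."""
    text = str(value).lower()
    for pattern in (patterns if isinstance(patterns, list) else [patterns]):
        pattern = str(pattern).lower()
        if modifier == "endswith" and text.endswith(pattern):
            return True
        if modifier == "startswith" and text.startswith(pattern):
            return True
        if modifier == "contains" and pattern in text:
            return True
        if modifier == "" and text == pattern:
            return True
    return False


def selection_matches(selection, event):
    """Every field in a selection map must match (AND); a missing field never matches."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, patterns):
            return False
    return True


def run_rules(events, rules=RULES):
    """Return (event index, rule title) for every event that fires a rule."""
    hits = []
    for idx, event in enumerate(events):
        for title, rule in rules.items():
            if event.get("category") == rule["category"] and selection_matches(rule["selection"], event):
                hits.append((idx, title))
    return hits


if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Against the sample set, the node.exe-to-node.exe chain and the benign DNS query do not fire, which is the negative test worth keeping alongside the positive ones when a rule is tuned later.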


kql
// Hunt for suspicious process chains related to Node.js or npm (OtterCookie)
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("node.exe", "npm.cmd")
    and (FileName in~ ("powershell.exe", "cmd.exe", "bash.exe")
         or ProcessCommandLine has_any ("base64", "Invoke-Expression"))
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName

// Hunt for network connections to known C2 domains/IPs
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("cloudapi.stream", "get-proton-vpn.com", "xpie348.online", "coockie.pro")
    or RemoteIP in ("144.172.110.228", "144.126.135.238", "83.217.209.88")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName


powershell
# IOC Hunt Script: Checks for Chrome Force-Install Policies and Suspicious File Locations
Write-Host "Checking for Chrome Extension Force-Install Policies..." -ForegroundColor Yellow
# The policy can live in either hive; each value's data is "<extension id>;<update url>".
$regPaths = @(
    "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    "HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
)
foreach ($regPath in $regPaths) {
    if (Test-Path $regPath) {
        $key = Get-Item $regPath
        foreach ($name in $key.GetValueNames()) {
            # Read the value data; the value name is only an index such as "1", not the extension ID.
            $entry = $key.GetValue($name)
            Write-Host "Found Force-Install entry in ${regPath}: $entry" -ForegroundColor Red
        }
    } else {
        Write-Host "No force-install policies found in $regPath." -ForegroundColor Green
    }
}

Write-Host "`nChecking for suspicious NWHStealer/OtterCookie file artifacts..." -ForegroundColor Yellow
$suspiciousPaths = @(
    "$env:TEMP\node_modules",
    "$env:APPDATA\npm"
)
foreach ($path in $suspiciousPaths) {
    if (Test-Path $path) {
        Write-Host "Path exists: $path (Manual review recommended)" -ForegroundColor Cyan
    }
}

# The Extensions folder exists on every Chrome install, so instead of flagging the folder,
# list the installed extension IDs (one subfolder each) for comparison against the IOC list.
$extRoot = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $extRoot) {
    Get-ChildItem $extRoot -Directory | ForEach-Object {
        Write-Host "Installed extension ID: $($_.Name) (Review against cloudapi.stream extension IDs)" -ForegroundColor Cyan
    }
}

Response Priorities

  • Immediate:
    • Block all IOCs (IPs and Domains) at the firewall and proxy.
    • Isolate machines with positive hits on the provided file hashes.
    • Audit Windows Registry for ExtensionInstallForcelist and remove unauthorized entries.
  • 24 Hours:
    • Reset passwords and revoke session tokens for users identified as potential victims of credential theft.
    • Conduct a sweep for the specific Chrome Extension IDs linked to cloudapi.stream.
  • 1 Week:
    • Implement software composition analysis (SCA) for npm packages to detect supply chain attacks.
    • Transition to an "Allowlist" model for browser extensions in the enterprise.
    • Harden build pipelines to prevent contagious interview compromises.
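The registry audit in the Immediate step and the allowlist model in the 1 Week step can be combined into one check. The following is an added example, not code from the original post: it parses ExtensionInstallForcelist value data in the "<extension id>;<update url>" form the policy uses, validates the ID format (32 characters from the letters a-p), reports any ID that is not on an IT-maintained allowlist, and reports update URLs that are not the Chrome Web Store feed, with plaintext HTTP called out separately. The allowlist, the sample force-list values and the update host are all constructed placeholders.

```python
"""Audit Chrome ExtensionInstallForcelist entries against an extension allowlist (added example)."""
import re
from urllib.parse import urlparse

# A Chrome extension ID is 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")
# Update URL Chrome uses for Web Store extensions; anything else is a self-hosted update feed.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed allowlist: the IDs IT deploys on purpose (placeholder ID, not a real extension).
ALLOWED_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}

# Constructed registry value data, in the "<id>;<update url>" form the policy uses.
SAMPLE_FORCELIST = [
    "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
    "ppppoooonnnnmmmmllllkkkkjjjjiiii;https://clients2.google.com/service/update2/crx",
    "hjklhjklhjklhjklhjklhjklhjklhjkl;http://policy-update.example:3000/updates.xml",
    "not-an-extension-entry",
]


def parse_entry(value):
    """Split a force-list value into (extension_id, update_url); the URL part may be absent."""
    ext_id, _, update_url = value.partition(";")
    return ext_id.strip(), (update_url.strip() or None)


def audit_forcelist(entries, allowlist=ALLOWED_EXTENSION_IDS):
    """Return one (entry, reason) finding per problem; an empty list means the policy is clean."""
    findings = []
    for entry in entries:
        ext_id, update_url = parse_entry(entry)
        if not EXTENSION_ID_RE.match(ext_id):
            findings.append((entry, "malformed extension ID"))
            continue
        if ext_id not in allowlist:
            findings.append((entry, "extension ID not on the allowlist"))
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            scheme = urlparse(update_url).scheme.lower()
            kind = "plaintext HTTP" if scheme == "http" else "non-Web-Store"
            findings.append((entry, f"{kind} update URL: {update_url}"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_forcelist(SAMPLE_FORCELIST):
        print(f"{reason}: {entry}")
```

On a Windows host the same value data is what the PowerShell hunt script above prints from the HKLM and HKCU policy keys; feeding those strings to audit_forcelist() turns the manual review into a pass/fail check, and any entry flagged as not allowlisted is a candidate for removal under the Immediate step.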
