
OtterCookie, Vidar Stealer, and The Gentlemen RaaS: Multi-Vector Credential Theft Campaign Analysis

Security Arsenal Team
May 15, 2026

Threat Summary

Recent OTX pulse data reveals a coordinated surge in credential theft operations specifically targeting the technology sector. Multiple threat actors are employing sophisticated techniques including supply chain attacks, social engineering, and multi-stage loaders to compromise environments and steal sensitive credentials.

North Korean threat actor FAMOUS CHOLLIMA is actively deploying the OtterCookie infostealer through malicious npm packages, using a two-layer distribution strategy in which benign-looking wrapper packages pull in the malicious dependencies. Meanwhile, The Gentlemen RaaS group has suffered a significant data breach exposing nine administrator accounts and revealing their initial access methods: Fortinet and Cisco edge appliances, combined with NTLM relay attacks.

Separately, attackers are leveraging the Claude Code leak as a social engineering lure to distribute Vidar Stealer and GhostSocks via trojanized GitHub repositories. Another campaign has been observed using EtherRAT and TukTuk malware frameworks that ultimately deliver The Gentlemen ransomware, with dynamic C2 configuration updates hidden in the Ethereum blockchain.

Collectively, these campaigns demonstrate sophisticated supply chain attacks, opportunistic social engineering exploitation, and multi-stage loaders designed to establish persistence, steal credentials, and enable lateral movement within targeted environments.

Threat Actor / Malware Profile

FAMOUS CHOLLIMA (North Korea)

  • Distribution: Malicious npm packages using benign wrappers (e.g., big.js clones) that pull malicious dependencies containing the actual payload
  • Malware Families: OtterCookie, BeaverTail, InvisibleFerret, Koalemos
  • Payload Behavior: Credential theft, SSH backdoor deployment, data exfiltration
  • C2 Communication: Vercel infrastructure for command and control
  • Persistence: Koalemos framework for maintaining access
  • Anti-analysis: Heavily obfuscated JavaScript packages
  • MITRE ATT&CK: Supply Chain Compromise (T1195), Code Signing (T1056.001)
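As an added example (not code from this report or from any vendor it cites), the following Python script audits a package-lock.json for the two-layer pattern described above: a direct dependency whose name imitates a popular package (big.js in the report) and which pulls in a transitive dependency that runs npm install hooks. The popular-package allowlist, the lockfile fragment and the package names are constructed for illustration.

```python
import difflib
from collections import deque

# Constructed allowlist of popular packages that wrappers imitate; big.js is the target named in the report.
POPULAR_PACKAGES = {"big.js", "bignumber.js", "lodash", "express", "axios", "chalk"}

def package_name(lock_key):
    """'node_modules/a/node_modules/b' -> 'b' (lockfile v2/v3 key layout)."""
    return lock_key.rsplit("node_modules/", 1)[-1]

def lookalike_of(name, popular=POPULAR_PACKAGES):
    """Popular package this name imitates, or None if it is exact or unrelated."""
    if name in popular:
        return None
    close = difflib.get_close_matches(name, popular, n=1, cutoff=0.8)
    return close[0] if close else None

def audit_lockfile(lock):
    """Flag direct dependencies that imitate a popular package and/or pull in a
    dependency with install hooks (hasInstallScript is set by npm in lockfile v2+)."""
    packages = lock.get("packages", {})
    by_name = {package_name(k): v for k, v in packages.items() if k}
    findings = []
    for direct in packages.get("", {}).get("dependencies", {}):
        imitates = lookalike_of(direct)
        hooked, seen, queue = [], {direct}, deque([direct])
        while queue:  # walk the transitive closure of this direct dependency
            cur = queue.popleft()
            entry = by_name.get(cur, {})
            if entry.get("hasInstallScript"):
                hooked.append(cur)
            for child in entry.get("dependencies", {}):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
        if imitates or hooked:
            findings.append({"wrapper": direct, "imitates": imitates, "install_hooks_in": hooked,
                             "severity": "high" if imitates and hooked else "medium"})
    return findings

# Constructed lockfile v3 fragment: a big.js lookalike that pulls in a hooked dependency
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"bigjs": "^1.0.0", "lodash": "^4.17.21"}},
    "node_modules/bigjs": {"version": "1.0.0", "dependencies": {"bigjs-core-utils": "^2.0.0"}},
    "node_modules/bigjs-core-utils": {"version": "2.0.0", "hasInstallScript": True},
    "node_modules/lodash": {"version": "4.17.21"}}}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

To run it against a real project, pass `json.load(open("package-lock.json"))` to `audit_lockfile`; lockfiles older than version 2 lack the hasInstallScript field and will only produce lookalike findings.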

The Gentlemen RaaS

  • Distribution: Initial access via Fortinet and Cisco edge appliances exploiting CVE-2024-55591 and CVE-2025-32433
  • Malware Families: SystemBC, The Gentlemen
  • Payload Behavior: NTLM relay attacks, credential theft, cryptocurrency mining, data leakage
  • C2 Communication: Rocket database backend (recently exposed in leak)
  • Persistence: NTLM relay credentials for maintaining access
  • Anti-analysis: Part of established RaaS ecosystem with division of labor
  • MITRE ATT&CK: Initial Access (T1190), Credential Access (T1110)

Vidar Stealer

  • Distribution: Trojanized GitHub repositories using the Claude Code leak as a lure; payload masquerades as MicrosoftToolkit.exe
  • Associated Malware: GhostSocks, Arkei
  • Payload Behavior: Information stealing, credential theft, browser data extraction
  • C2 Communication: Encrypted HTTP/HTTPS channels
  • Persistence: Scheduled tasks or registry modifications
  • Anti-analysis: Multi-stage loaders, process termination attempts, file extension masquerading (.dot to .bat)
  • MITRE ATT&CK: Defense Evasion (T1027), Execution (T1204)

EtherRAT & TukTuk

  • Distribution: Malicious MSI installer disguised as Sysinternals tool
  • Associated Malware: The Gentlemen ransomware, Mimikatz, NetExec, Rclone
  • Payload Behavior: Dynamic C2 updates via Ethereum blockchain (EtherHiding), Kerberoasting, credential dumping
  • C2 Communication: Blockchain-based configuration updates
  • Persistence: DLL sideloading with legitimate applications like Greenshot
  • Anti-analysis: Legitimate application abuse for evasion
  • MITRE ATT&CK: Persistence (T1547), Credential Access (T1003)

IOC Analysis

The OTX pulses contain multiple indicator types that require different operational approaches:

File Hashes: MD5, SHA1, and SHA256 hashes for malware samples including:

  • Vidar Stealer variants (MD5: 77c73bd5e7625b7f691bc00a1b561a0f, d8256fbc62e85dae85eb8d4b49613774)
  • EtherRAT components (MD5: 73ce2438d4ed475e03727b7b000d2794, 77fbe265fd65c7f7b6d323fb6de6a4fd)

CVEs: Multiple vulnerabilities being actively exploited:

  • CVE-2024-55591 (Fortinet)
  • CVE-2025-32433 (Cisco)
  • CVE-2025-33073 (Cisco, additional)
  • CVE-2025-55182 (Related to EtherRAT deployment)

URLs/IPs: C2 infrastructure indicators:

  • 147.45.197.92:443
  • 94.228.161.88:443
  • rti.cargomanbd.com
  • g8way.io
  • witch-skins-lip-coal.trycloudflare.com
  • gz.technicalprorj.xyz

Operational Guidance for SOC Teams:

  1. Block all malicious URLs/IPs at perimeter and endpoint levels immediately
  2. Deploy file hash signatures to EDR solutions for automatic quarantine
  3. Prioritize patching for identified CVEs, especially on edge appliances
  4. Configure DNS monitoring for suspicious hostname resolution attempts
  5. Implement YARA rules based on malware behavior patterns
  6. Set up SIEM alerts for process creation matching known malware patterns

Recommended Tooling:

  • VirusTotal for hash reputation checks
  • Cisco Talos Intelligence for IP/domain reputation
  • AlienVault OTX for community-driven threat data
  • CrowdStrike Falcon for endpoint detection
  • Splunk or Microsoft Sentinel for log analysis
  • MISP for threat intelligence sharing

Detection Engineering

Sigma Rules

YAML
---
title: Malicious NPM Package Installation
id: 8a7b2c1d-3e4f-5a6b-7c8d-9e0f1a2b3c4d
description: Detects installation of known malicious npm packages associated with OtterCookie infostealer campaign
status: experimental
author: Security Arsenal
date: 2026/05/15
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
    - attack.initial_access
    - attack.t1195
logsource:
    product: linux
    service: auditd
detection:
    selection:
        process|contains: 'npm'
        cmdline|contains:
            - 'ottercookie'
            - 'beavertail'
            - 'invisibleferret'
            - 'koalemos'
    condition: selection
falsepositives:
    - Legitimate npm package installations with similar names
level: high
---
title: Vidar Stealer Execution Pattern
id: 9b8c3d2e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
description: Detects execution patterns associated with Vidar Stealer and related loaders
status: experimental
author: Security Arsenal
date: 2026/05/15
references:
    - https://www.zscaler.com/blogs/security-research/anthropic-claude-code-leak
    - https://www.levelblue.com/blogs/spiderlabs-blog/unmasking-a-multi-stage-loader-autoit-abuse-leading-to-vidar-stealer-command-and-control-communication
tags:
    - attack.execution
    - attack.t1204
logsource:
    product: windows
    service: security
detection:
    selection1:
        EventID: 4688
        NewProcessName|contains:
            - 'MicrosoftToolkit.exe'
            - 'AutoIt3.exe'
    selection2:
        EventID: 4688
        CommandLine|contains:
            - '.dot'
            - '.bat'
    selection3:
        EventID: 4688
        ParentProcessName|endswith: '\explorer.exe'
        NewProcessName|contains:
            - 'AutoIt3.exe'
    condition: 1 of selection*
falsepositives:
    - Legitimate use of Microsoft Toolkit or AutoIt scripts
level: high
---
title: The Gentlemen RaaS Initial Access
id: a0c9e4d3-5f6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects potential exploitation of Fortinet and Cisco vulnerabilities associated with The Gentlemen RaaS
status: experimental
author: Security Arsenal
date: 2026/05/15
references:
    - https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: firewall
detection:
    selection:
        cve:
            - 'CVE-2024-55591'
            - 'CVE-2025-32433'
            - 'CVE-2025-33073'
    condition: selection
falsepositives:
    - Legitimate vulnerability scanning or testing
level: critical

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Vidar Stealer and related infostealer activity
// Note: wscript.exe and powershell.exe are broad; tune with command-line or parent-process context before alerting
let maliciousProcesses = dynamic(["MicrosoftToolkit.exe", "AutoIt3.exe", "wscript.exe", "powershell.exe"]);
let suspiciousIPs = dynamic(["147.45.197.92", "94.228.161.88"]);
let suspiciousHostnames = dynamic(["rti.cargomanbd.com", "gz.technicalprorj.xyz", "g8way.io"]);
// The pulse hashes are MD5 (32 hex chars), so they must be compared against the MD5 column, not SHA256
let suspiciousFileHashes = dynamic([
    "77c73bd5e7625b7f691bc00a1b561a0f", "d8256fbc62e85dae85eb8d4b49613774",
    "7ac9278876c83c9b597fae68acb6fbf9", "73ce2438d4ed475e03727b7b000d2794",
    "77fbe265fd65c7f7b6d323fb6de6a4fd", "b188fbc6ff5557767e73e4c883a553a3"
]);

// Process executions related to Vidar Stealer and its loaders
let processHits = DeviceProcessEvents
| where FileName in~ maliciousProcesses
    or ProcessCommandLine contains ".dot"
    or ProcessCommandLine contains ".bat"
    or MD5 in~ suspiciousFileHashes
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, MD5;

// Network connections to the C2 infrastructure from the pulses
let networkHits = DeviceNetworkEvents
| where RemoteIP in~ suspiciousIPs
    or RemoteUrl has_any (suspiciousHostnames)
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName;

// Combine both result sets and sort once at the end (sorting before a union is discarded)
union processHits, networkHits
| order by Timestamp desc

PowerShell IOC Hunt Script

PowerShell
# Vidar Stealer and Infostealer IOC Hunt Script
# Version: 1.0
# Date: 2026-05-15
# Author: Security Arsenal

param(
    [switch]$Verbose,
    [switch]$ScanNetwork
)

# Malicious file hashes from OTX pulses
$maliciousHashes = @(
    "77c73bd5e7625b7f691bc00a1b561a0f", "d8256fbc62e85dae85eb8d4b49613774",
    "7ac9278876c83c9b597fae68acb6fbf9", "73ce2438d4ed475e03727b7b000d2794",
    "77fbe265fd65c7f7b6d323fb6de6a4fd", "b188fbc6ff5557767e73e4c883a553a3",
    "b2d51212744f404714fd909e87254d98", "c92cf9a1af5b1fe25cdcb8771ce52be4"
)

# Suspicious process names
$suspiciousProcesses = @(
    "MicrosoftToolkit.exe", "AutoIt3.exe"
)

# Suspicious hostnames and IPs
$suspiciousHosts = @(
    "rti.cargomanbd.com", "gz.technicalprorj.xyz", "g8way.io", 
    "witch-skins-lip-coal.trycloudflare.com", "147.45.197.92", "94.228.161.88"
)

# Registry keys to check
$registryPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

Write-Host "Starting IOC Hunt for Infostealer Campaigns..." -ForegroundColor Cyan

# Check for suspicious processes
Write-Host "`nChecking for suspicious processes..." -ForegroundColor Yellow
# Get-Process reports names without the .exe extension, so append it before comparing against the list
$foundProcesses = Get-Process | Where-Object { $suspiciousProcesses -contains "$($_.ProcessName).exe" }
if ($foundProcesses) {
    Write-Host "ALERT: Found suspicious processes running!" -ForegroundColor Red
    $foundProcesses | Format-Table Id, ProcessName, Path -AutoSize
} else {
    Write-Host "No suspicious processes found." -ForegroundColor Green
}

# Check for files with malicious hashes
Write-Host "`nScanning for files with known malicious hashes..." -ForegroundColor Yellow
$fileScanPaths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
$foundFiles = @()

foreach ($path in $fileScanPaths) {
    if (Test-Path $path) {
        # -File skips directories (Get-FileHash cannot hash them); the anchored regex avoids matching e.g. .exe.config
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Extension -match '^\.(exe|dll|bat|ps1|js|vbs)$') {
                try {
                    $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash.ToLower()
                    if ($maliciousHashes -contains $hash) {
                        $foundFiles += $_
                        if ($Verbose) {
                            Write-Host "Found malicious file: $($_.FullName)" -ForegroundColor Red
                        }
                    }
                } catch {
                    # File inaccessible or in use
                }
            }
        }
    }
}

if ($foundFiles.Count -gt 0) {
    Write-Host "ALERT: Found files matching known malicious hashes!" -ForegroundColor Red
    $foundFiles | Format-Table FullName, Length, LastWriteTime -AutoSize
} else {
    Write-Host "No files matching known malicious hashes found." -ForegroundColor Green
}

# Check for suspicious network connections
if ($ScanNetwork) {
    Write-Host "`nChecking for network connections to suspicious hosts..." -ForegroundColor Yellow
    $activeConnections = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.State -eq 'Established' }

    foreach ($connection in $activeConnections) {
        # The loop variable is named $indicator because $host is a read-only automatic variable in PowerShell.
        # IP indicators are matched directly; hostname indicators are matched against the reverse-DNS name,
        # which CDN-fronted C2 (such as trycloudflare.com hosts) rarely returns, so DNS client logs remain the better source.
        $remoteIp = $connection.RemoteAddress
        $remoteName = $null
        try {
            $remoteName = [System.Net.Dns]::GetHostEntry($remoteIp).HostName
        } catch {
            # Reverse DNS resolution failed; fall back to IP matching only
        }
        foreach ($indicator in $suspiciousHosts) {
            if ($remoteIp -eq $indicator -or ($remoteName -and $remoteName -like "*$indicator*")) {
                Write-Host "ALERT: Found connection to suspicious host: $indicator" -ForegroundColor Red
                Write-Host "Local Address: $($connection.LocalAddress):$($connection.LocalPort)" -ForegroundColor Yellow
                Write-Host "Remote Address: $($remoteIp):$($connection.RemotePort)" -ForegroundColor Yellow
                if ($remoteName) { Write-Host "Resolved Name: $remoteName" -ForegroundColor Yellow }
            }
        }
    }
}

# Check registry persistence mechanisms
Write-Host "`nChecking registry for suspicious persistence mechanisms..." -ForegroundColor Yellow
foreach ($path in $registryPaths) {
    if (Test-Path $path) {
        Get-Item -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $properties = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            foreach ($property in $properties.PSObject.Properties) {
                if ($property.Name -notlike "PS*") {
                    $value = $property.Value
                    foreach ($proc in $suspiciousProcesses) {
                        if ($value -like "*$proc*") {
                            Write-Host "ALERT: Found suspicious registry entry!" -ForegroundColor Red
                            Write-Host "Path: $path" -ForegroundColor Yellow
                            Write-Host "Key: $($property.Name)" -ForegroundColor Yellow
                            Write-Host "Value: $value" -ForegroundColor Yellow
                        }
                    }
                }
            }
        }
    }
}

Write-Host "`nIOC Hunt completed." -ForegroundColor Cyan

Response Priorities

Immediate (within 4 hours)

  1. Block all identified malicious IPs and domains at perimeter and endpoint levels
  2. Deploy Sigma rules to SIEM for immediate detection of suspicious process executions
  3. Scan endpoints for file hashes associated with Vidar Stealer and related malware
  4. Apply security patches for CVE-2024-55591, CVE-2025-32433, CVE-2025-33073, and CVE-2025-55182
  5. Disable npm package installations from public repositories in development environments
  6. Hunt for connections to g8way.io, witch-skins-lip-coal.trycloudflare.com, and other suspicious hostnames
  7. Isolate any systems with confirmed malware indicators

24 Hours

  1. Verify identities of users with elevated privileges using identity governance tools
  2. Reset credentials for all accounts with access to npm repositories and development systems
  3. Audit GitHub repositories for unauthorized access or cloned repositories
  4. Review recent Git commits for suspicious code or unauthorized changes
  5. Check for any unauthorized Azure DevOps or CI/CD pipeline modifications
  6. Investigate all recent successful logins from external IP addresses
  7. Review and revoke potentially compromised API keys and tokens
  8. Enable enhanced logging on edge appliances for retrospective analysis

1 Week

  1. Implement npm package signing verification in CI/CD pipelines
  2. Deploy application allowlisting for development tools and package managers
  3. Establish GitHub repository integrity monitoring
  4. Review and update firewall rules for edge appliances
  5. Implement multi-factor authentication for all development and administrative accounts
  6. Conduct security awareness training focused on social engineering and supply chain attacks
  7. Establish regular reviews of third-party package dependencies
  8. Implement YARA rules for known malware families across endpoints
  9. Create incident response playbooks specific to supply chain attacks
  10. Establish continuous monitoring for blockchain-based C2 communication patterns
