
OTX Pulse Analysis: TroyDen Lure Factory, NuGet Supply Chain, and Mr_Rot13 cPanel Attacks — Enterprise Detection Pack

Security Arsenal Team
May 12, 2026

Analysis of recent OTX pulses reveals a convergence of sophisticated delivery mechanisms targeting both developer ecosystems and critical server infrastructure. A notable trend is the weaponization of legitimate software repositories—specifically GitHub and NuGet—to distribute infostealers like Lumma, Redline, and Vidar.

The TroyDen threat actor is actively employing an "AI-Assisted Lure Factory," using biological terminology to masquerade malicious GitHub repositories as legitimate developer tools. Simultaneously, a supply chain attack on NuGet is targeting .NET developers with packages impersonating Chinese UI libraries to deliver Quantum and AgentRacoon.

On the server side, the elusive Mr_Rot13 group is exploiting a critical cPanel vulnerability (CVE-2026-41940) to deploy SSH backdoors and the Filemanager RAT. Lastly, the EtherRat and TukTuk campaign demonstrates advanced C2 capabilities, using Ethereum blockchain transactions (EtherHiding) and Cloudflare tunnels to pivot towards "The Gentlemen" ransomware.

Collectively, these campaigns aim at credential harvesting (browser, crypto, SSH) to facilitate initial access and lateral movement for ransomware deployment.

Threat Actor / Malware Profile

TroyDen (Lure Factory)

  • Malware: LuaJIT, Redline, LummaStealer
  • Distribution: GitHub repositories with AI-generated biological names (e.g., obscure taxonomy). Packages often use a two-component design with Prometheus obfuscator.
  • Target: Developers, Gamers, Roblox players, Crypto users.

Supply Chain Actor (NuGet)

  • Malware: Lumma, Quantum, AgentRacoon, ArrowRAT
  • Distribution: Typosquatting Chinese .NET UI libraries via NuGet (account: bmrxntfj). Uses .NET Reactor for obfuscation and version rotation.
  • Behavior: Steals browser credentials, crypto wallets, SSH keys.

Mr_Rot13

  • Malware: Filemanager RAT, Cpanel-Python
  • Distribution: Exploitation of CVE-2026-41940 in cPanel & WHM.
  • Persistence: SSH key injection, PHP webshells, malicious JavaScript injection.
  • Target: Government and Defense sectors in Southeast Asia and globally.

EtherRat / TukTuk

  • Malware: EtherRAT, TukTuk, The Gentlemen Ransomware
  • Distribution: Malicious MSI installers disguised as Sysinternals tools; DLL sideloading.
  • C2: Uses EtherHiding (Ethereum blockchain) for config and Cloudflare tunnels (trycloudflare.com).

Vidar Stealer

  • Malware: Vidar, Arkei
  • Distribution: AutoIT-based multi-stage loader via "hack tools" like MicrosoftToolkit.exe.
  • Behavior: File masquerading (.dot to .bat), security process termination.

IOC Analysis

The provided IOCs span multiple infrastructure layers:

  • IPv4 Addresses: Multiple C2 servers associated with the TroyDen infrastructure (e.g., 89.169.12.241, 213.176.73.80). SOC teams should block these immediately at the perimeter.
  • Domains: Include C2 domains for the NuGet campaign (dns-providersa2.com) and the Mr_Rot13 group (wrned.com, wpsock.com). The EtherRat campaign utilizes dynamic DNS via Cloudflare tunnels (witch-skins-lip-coal.trycloudflare.com).
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes associated with loaders (AutoIT, MSI), obfuscated .NET payloads, and Go-based backdoors.
  • CVEs: CVE-2026-41940 (cPanel) and CVE-2025-55182 (used in TukTuk reconnaissance).

Operational Guidance:

  1. Network: Block all listed IPs and Domains. Monitor for outbound connections to trycloudflare.com endpoints from non-browser processes.
  2. Endpoint: Scan for the specific file hashes provided. Monitor for execution of luajit.exe, autoit3.exe, and unsigned MSI packages.
  3. Vulnerability Management: Prioritize patching cPanel instances against CVE-2026-41940.
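The network part of the guidance above, written out as an added example (not code from the pulses or from Security Arsenal): it classifies Sysmon-style network_connection events, flagging known C2 destinations from the IOC section and any trycloudflare.com host reached by a process that is not a browser. The sample events, their IP addresses and the browser list are constructed assumptions; only the C2 domains, IPs and the tunnel hostname come from the write-up.

```python
from typing import Optional

# Indicators from the pulse write-up; everything in SAMPLE_EVENTS is constructed.
C2_DOMAINS = {"dns-providersa2.com", "wrned.com", "wpsock.com"}
C2_IPS = {"89.169.12.241", "213.176.73.80"}
TUNNEL_SUFFIX = "trycloudflare.com"
# Assumed allow-list: browsers legitimately reach trycloudflare.com hosts.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a plain endswith() would
    also accept look-alikes such as 'evil-wrned.com'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None if it is benign.
    Expected keys: Image, DestinationHostname, DestinationIp."""
    proc = event["Image"].rsplit("\\", 1)[-1].lower()
    host = event.get("DestinationHostname", "")
    ip = event.get("DestinationIp", "")
    if ip in C2_IPS or any(host_matches(host, d) for d in C2_DOMAINS):
        return "known-c2"
    if host_matches(host, TUNNEL_SUFFIX) and proc not in BROWSERS:
        return "tunnel-from-non-browser"
    return None


SAMPLE_EVENTS = [  # constructed sample telemetry
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "witch-skins-lip-coal.trycloudflare.com", "DestinationIp": "198.51.100.1"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "demo-app.trycloudflare.com", "DestinationIp": "198.51.100.2"},
    {"Image": r"C:\Users\dev\AppData\Local\Temp\luajit.exe",
     "DestinationHostname": "", "DestinationIp": "89.169.12.241"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "not-trycloudflare.com", "DestinationIp": "203.0.113.9"},
]


def hunt(events) -> list:
    """Return (process, destination, label) for every event that alerts."""
    return [(e["Image"].rsplit("\\", 1)[-1], e["DestinationHostname"] or e["DestinationIp"], label)
            for e in events if (label := classify(e))]


if __name__ == "__main__":
    for proc, dest, label in hunt(SAMPLE_EVENTS):
        print(f"{label:24} {proc:16} -> {dest}")
```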

Detection Engineering

```yaml
title: Potential Malicious NuGet Supply Chain Execution
id: c9f89b21-7a3b-4c9d-9e1f-1234567890ab
description: Detects suspicious child processes spawned by NuGet or development tools, indicative of malicious package execution such as the Quantum or AgentRacoon campaigns.
status: experimental
date: 2026-05-12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66012a12b45f78
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\nuget.exe'
            - '\msbuild.exe'
            - '\devenv.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\csc.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate build scripts invoking command line tools
level: high
---
title: Suspicious AutoIt Loader Leading to Vidar Stealer
id: 00000000-0000-4000-8000-000000000002   # placeholder: generate a real UUIDv4 before deployment
description: Detects AutoIt execution chains often associated with Vidar/Arkei stealers, specifically looking for MicrosoftToolkit or similar crack tools spawning shells.
status: experimental
date: 2026-05-12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66012a12b45f80
tags:
    - attack.defense_evasion
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\autoit3.exe'
    selection_cmd:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
    selection_parent:
        ParentImage|contains:
            - 'MicrosoftToolkit'
            - 'KMSpico'
    selection_suspicious_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    # Either AutoIt interpreting a renamed batch script, or a crack tool spawning a shell.
    # '1 of selection*' would fire on every autoit3.exe, cmd.exe or powershell.exe start.
    condition: (selection_img and selection_cmd) or (selection_parent and selection_suspicious_child)
falsepositives:
    - Legitimate AutoIt scripts used by IT admins
level: medium
---
title: Suspicious Cloudflare Tunnel C2 Activity
id: 00000000-0000-4000-8000-000000000003   # placeholder: generate a real UUIDv4 before deployment
description: Detects processes establishing network connections to suspicious Cloudflare tunnel domains often used by EtherRat and TukTuk for C2 communication.
status: experimental
date: 2026-05-12
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66012a12b45f78
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: network_connection
    product: windows
detection:
    selection_domains:
        DestinationHostname|endswith:
            - '.trycloudflare.com'
            - 'g8way.io'
    selection_process:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    condition: selection_domains and selection_process
falsepositives:
    - Legitimate developer usage of Cloudflare tunnels
level: high
```


```kql
// Hunt for connections to known C2 domains and IPs from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    "dns-providersa2.com",
    "g8way.io",
    "git.justdotrip.com",
    "wrned.com",
    "wpsock.com"
    )
    or RemoteIP in (
    "89.169.12.241",
    "213.176.73.80",
    "213.176.73.130",
    "217.119.129.121",
    "94.156.154.6"
    )
// One row per device/destination/process, keeping the command line of the most recent connection.
| summarize ConnectionCount = count(), arg_max(Timestamp, InitiatingProcessCommandLine) by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine, ConnectionCount
```


```powershell
# IOC Hunt Script for Malicious File Hashes
# The pulse IOCs mix MD5, SHA1 and SHA256 values, so each file is hashed with the
# matching algorithm; hashing everything with SHA256 would never match the MD5/SHA1 entries.
$targetHashes = @{
    SHA1   = @(
        "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e"
    )
    SHA256 = @(
        "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
        "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
        "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1"
    )
    MD5    = @(
        "73ce2438d4ed475e03727b7b000d2794", # MD5 for EtherRat MSI
        "02a5990b11293236e01f174f5999df20"  # MD5 for Mr_Rot13 Payload
    )
}

$pathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "Starting IOC Hunt for Infostealer Hashes..." -ForegroundColor Cyan

foreach ($path in $pathsToScan) {
    if (-not (Test-Path $path)) { continue }
    Write-Host "Scanning $path..." -ForegroundColor Yellow
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        foreach ($algorithm in $targetHashes.Keys) {
            $fileHash = (Get-FileHash -Path $file.FullName -Algorithm $algorithm -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so the upper-case Get-FileHash output matches the lower-case IOCs
            if ($fileHash -and ($targetHashes[$algorithm] -contains $fileHash)) {
                Write-Host "[!] MATCH FOUND ($algorithm): $($file.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "Hunt Complete." -ForegroundColor Green
```


Response Priorities

  • Immediate: Block all identified IPv4 addresses and domains at the firewall and proxy. Terminate any processes matching the malicious file hashes (MD5/SHA1/SHA256).
  • 24h: Audit developer workstations for the identified NuGet packages (bmrxntfj account) and suspicious GitHub clones. If credential theft is confirmed (Vidar/Lumma), force a password reset for affected accounts and invalidate session tokens.
  • 1 Week: Patch cPanel servers against CVE-2026-41940. Implement strict allow-listing for NuGet package sources and GitHub repository access. Review EDR alerts for AutoIT and LuaJIT execution context.
