
Remus Infostealer, PCPJack Cloud Worm & NuGet Supply Chain: Enterprise Credential Theft Analysis

Security Arsenal Team
May 9, 2026

Threat Summary

Recent OTX pulses indicate a surge in multi-vector credential theft campaigns targeting developer ecosystems, cloud infrastructure, and specific regional sectors. The primary attack vectors include a typosquatting supply chain attack on NuGet repositories distributing Lumma, Quantum, and AgentRacoon; a cloud-native worm (PCPJack) actively evicting rival malware while harvesting cloud and developer credentials; and the emergence of Remus, a 64-bit variant of the Lumma Stealer leveraging blockchain-based C2. Concurrently, APT activity (Operation GriefLure) is leveraging spear-phishing to infiltrate military telecom and healthcare sectors in Southeast Asia, while a PAN-OS zero-day (CVE-2026-1281) is being exploited to establish tunnels for likely credential exfiltration.

Threat Actor / Malware Profile

Remus (Lumma Stealer 64-bit)

  • Distribution: Delivered via exploit kits and fake software updates; evolving from Steam/Telegram dead drops to EtherHiding.
  • Behavior: 64-bit infostealer targeting browser credentials, cryptocurrency wallets, and 2FA extensions. Uses application-bound encryption bypasses.
  • C2: Blockchain-based DNS resolution (EtherHiding) and traditional domains (e.g., forestoaker.com).
  • Anti-Analysis: Enhanced anti-debugging checks and 64-bit compatibility to evade older sandbox environments.

PCPJack (Cloud Worm)

  • Distribution: Exploits vulnerabilities in Kubernetes and Docker environments (CVE-2025-29927, CVE-2025-9501).
  • Behavior: Self-propagating worm that removes TeamPCP artifacts and steals credentials from cloud metadata, ~/.aws/credentials, and browser stores.
  • Persistence: Establishes persistence within compromised containers and cloud instances.

NuGet Supply Chain Attack

  • Distribution: Malicious packages impersonating Chinese UI libraries (bmrxntfj account).
  • Payload: .NET Reactor-protected binaries deploying Lumma/Quantum.
  • Behavior: Executes during the build/restore step of CI/CD pipelines, exfiltrating keys and tokens to dns-providersa2.com.

IOC Analysis

The indicators provided cover a broad spectrum of the attack lifecycle:

  • Domains/URLs: Multiple C2 domains including dns-providersa2.com (NuGet C2), forestoaker.com (Remus), and lastpass-login-help.com (PCPJack). These should be blocked immediately at the DNS layer.
  • File Hashes (SHA256): Critical hashes for the malicious NuGet payloads (e.g., 019e6c2c...) and the PCPJack worm binary (e41c635e...). These are high-fidelity indicators for EDR correlation.
  • CVEs: Identification of exploited vulnerabilities (PAN-OS CVE-2026-1281, Cloud CVEs) is crucial for vulnerability management prioritization.

SOC teams should operationalize these by feeding SHA256 hashes into EDR alerting and adding domains to RPZ/Blocklists. The file hashes associated with the NuGet attack are particularly useful for scanning developer build artifacts.
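As an added illustration of the DNS-layer blocking and log correlation described above (this is example code, not part of the advisory or any vendor tooling), the script below matches DNS query log lines against the three C2 domains named in the IOC Analysis and emits RPZ records that sinkhole each domain and its subdomains. The log lines are constructed in a dnsmasq-like format and are not real telemetry; the match is label-aware, so `updates.forestoaker.com` hits while `notforestoaker.com` does not.

```python
import re
from typing import Iterable, List, Optional

# Domains taken from the advisory's IOC Analysis section.
C2_DOMAINS = {
    "forestoaker.com",          # Remus
    "dns-providersa2.com",      # NuGet payload C2
    "lastpass-login-help.com",  # PCPJack
}


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so FQDNs from logs compare equal."""
    return domain.strip().rstrip(".").lower()


def matches_ioc(queried: str, iocs=C2_DOMAINS) -> Optional[str]:
    """Return the matching IOC when `queried` is the domain itself or a subdomain of it.
    The leading dot in the suffix check prevents 'notforestoaker.com' from matching."""
    q = normalize(queried)
    for ioc in iocs:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log lines (dnsmasq-style); not real telemetry.
SAMPLE_LOG = """\
May  9 10:01:02 ns1 dnsmasq[412]: query[A] updates.forestoaker.com from 10.0.4.17
May  9 10:01:05 ns1 dnsmasq[412]: query[A] www.example.org from 10.0.4.22
May  9 10:01:09 ns1 dnsmasq[412]: query[AAAA] notforestoaker.com from 10.0.4.31
May  9 10:02:14 ns1 dnsmasq[412]: query[A] dns-providersa2.com from 10.0.9.8
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")


def find_hits(lines: Iterable[str]) -> List[dict]:
    """Scan query log lines and return one record per client that resolved a C2 domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        ioc = matches_ioc(m.group("name"))
        if ioc:
            hits.append({"src": m.group("src"), "query": m.group("name"), "ioc": ioc})
    return hits


def rpz_records(iocs=C2_DOMAINS) -> List[str]:
    """Return RPZ zone lines that answer NXDOMAIN for each domain and its subdomains."""
    lines = []
    for ioc in sorted(iocs):
        lines.append(f"{ioc} CNAME .")
        lines.append(f"*.{ioc} CNAME .")
    return lines


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG.splitlines()):
        print(f"[C2 DNS] {h['src']} queried {h['query']} (matches {h['ioc']})")
    print("\n".join(rpz_records()))
```

The `src` field of each hit is the host to pull into triage; the RPZ lines can be appended to an existing response policy zone so resolution of the listed domains fails for every client behind the resolver.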

Detection Engineering

Sigma Rules

YAML
title: Suspicious Connection To Infostealer C2 Domains
description: Detects network connections to known C2 domains associated with Remus, Lumma, and PCPJack campaigns based on OTX Pulse data.
status: stable
date: 2026/05/10
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000000...
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'forestoaker.com'
            - 'krondez.com'
            - 'baxe.pics'
            - 'dns-providersa2.com'
            - 'lastpass-login-help.com'
            - 'teampcp'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Malicious NuGet Package Execution
description: Detects execution of processes with file hashes matching the malicious NuGet packages identified in OTX Pulses.
status: stable
date: 2026/05/10
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000000...
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        sha256:
            - '019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824'
            - '34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c'
            - '596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1'
            - 'e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a'
            - 'b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d'
    condition: selection
falsepositives:
    - None (Legitimate software will not match these hashes)
level: critical
---
title: Potential PAN-OS Exploitation via Suspicious User-Agent
description: Detects potential exploitation attempts or post-exploitation traffic associated with PAN-OS zero-day activity observed in the wild.
status: experimental
date: 2026/05/10
author: Security Arsenal Research
references:
    - https://otx.alienvault.com/pulse/66000000...
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: proxy
detection:
    selection:
        c-useragent|contains:
            - 'python-requests/'
            - 'curl/'
        dst_port: 443
        sc-status:
            - 200
            - 404
    filter_mainstream:
        cs-host|contains:
            - 'google.com'
            - 'microsoft.com'
            - 'apple.com'
    condition: selection and not filter_mainstream
falsepositives:
    - Legitimate administrative scripts
    - Monitoring and CI tooling that uses curl or python-requests; scope cs-host to the PAN-OS management interfaces before enabling
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for C2 connections and file hashes from OTX Pulses
let MaliciousDomains = dynamic(['forestoaker.com', 'dns-providersa2.com', 'lastpass-login-help.com', 'krondez.com', 'vinte.online']);
let MaliciousHashes = dynamic(['019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824', 'e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a', 'b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d']);
// Network Connections
DeviceNetworkEvents
| where RemoteUrl in (MaliciousDomains) or RemoteUrl has_any (MaliciousDomains)
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
    // File Creation/Process Execution
    DeviceProcessEvents
    | where SHA256 in (MaliciousHashes)
    | project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
)

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Scans local NuGet cache and common temp directories for malicious file hashes associated with recent OTX pulses.
.NOTES
    The indicator list mixes SHA256 (64 hex characters) and MD5 (32 hex characters) values,
    so each file is hashed with the algorithm that matches the indicators present.
#>

$MaliciousHashes = @(
    '019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824',
    '34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c',
    '596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1',
    'e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a',
    'b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d',
    '197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6',
    '6c6cbed6aad96564ed87094785be07a1'
)

# Split indicators by digest length so each file is compared with the right algorithm.
# (-contains is case-insensitive, so the upper-case output of Get-FileHash matches the lower-case IOCs.)
$Sha256Iocs = @($MaliciousHashes | Where-Object { $_.Length -eq 64 })
$Md5Iocs    = @($MaliciousHashes | Where-Object { $_.Length -eq 32 })

$SearchPaths = @(
    "$env:USERPROFILE\.nuget\packages",
    "$env:LOCALAPPDATA\Temp",
    "C:\Windows\Temp"
)

Write-Host "Starting scan for OTX Pulse Indicators..." -ForegroundColor Cyan

foreach ($path in $SearchPaths) {
    if (Test-Path $path) {
        Write-Host "Scanning $path..." -ForegroundColor Yellow
        # -File skips directories, which Get-FileHash cannot hash.
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($sha256 -and ($Sha256Iocs -contains $sha256)) {
                Write-Host "[MALICIOUS] SHA256 match: $($_.FullName)" -ForegroundColor Red
            }
            # Only compute MD5 when MD5 indicators are present in the list.
            if ($Md5Iocs.Count -gt 0) {
                $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                if ($md5 -and ($Md5Iocs -contains $md5)) {
                    Write-Host "[MALICIOUS] MD5 match: $($_.FullName)" -ForegroundColor Red
                }
            }
        }
    } else {
        Write-Host "Path not found: $path" -ForegroundColor Gray
    }
}
Write-Host "Scan complete." -ForegroundColor Cyan

Response Priorities

Immediate (0-24h)

  1. Block IOCs: Immediately block all domains and IPs listed in the IOC Analysis at the firewall and proxy level.
  2. Hunt Compromise: Run the PowerShell script and KQL queries to identify any presence of the malicious NuGet packages or PCPJack binaries on endpoints.
  3. Patching: Prioritize patching for the PAN-OS vulnerability (CVE-2026-1281) and specific Cloud CVEs (CVE-2025-29927) on exposed infrastructure.

24-48h

  1. Credential Reset: If any indicators are found on developer workstations or cloud instances, force a reset of all cloud access keys (AWS/Azure/GCP), SSH keys, and browser-saved credentials.
  2. Supply Chain Audit: Audit NuGet package usage in CI/CD pipelines to ensure no typosquatted packages (bmrxntfj account) are present.

1 Week

  1. Architecture Hardening: Implement strict allow-listing for NuGet feeds. Enhance segmentation for cloud control planes to limit worm propagation (PCPJack).
  2. Review: Investigate logs for the PAN-OS zero-day indicators to ensure no lateral movement occurred via the established ReverseSocks5 tunnels.
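The Supply Chain Audit (24-48h) and the NuGet feed allow-listing under Architecture Hardening both come down to what a repository's nuget.config permits. As an added example that is not the advisory's or any project's code, the script below audits a nuget.config against a feed allow-list: it flags feeds not on the list, plaintext HTTP feeds, a missing `<clear />` (which would let inherited user-level feeds such as typosquatted sources back in), and feeds that have no packageSourceMapping entry. The allow-list URLs and both sample configs are constructed for the example; the weak config sits beside a hardened one that maps every package pattern to a single internal feed.

```python
import xml.etree.ElementTree as ET
from typing import List, Set
from urllib.parse import urlparse

# Hypothetical allow-list (assumption): the public feed plus an internal proxy feed.
ALLOWED_FEEDS: Set[str] = {
    "https://api.nuget.org/v3/index.json",
    "https://nuget.internal.example/v3/index.json",
}

# Constructed weak config: an unapproved plaintext mirror and an unmapped public feed.
WEAK_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://nuget.internal.example/v3/index.json" />
    <add key="mirror" value="http://nuget-mirror.example.net/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="internal">
      <package pattern="Contoso.*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
"""

# Constructed hardened config: one approved feed, every package id mapped to it.
HARDENED_NUGET_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="internal" value="https://nuget.internal.example/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="internal">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
"""


def audit_nuget_config(xml_text: str, allowed: Set[str] = ALLOWED_FEEDS) -> List[str]:
    """Return a list of findings; an empty list means the config passes the checks."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources> element: inherited user/machine feeds will be used"]
    if sources.find("clear") is None:
        findings.append("packageSources lacks <clear />: feeds from user-level nuget.config are inherited")

    mapping = root.find("packageSourceMapping")
    mapped_keys: Set[str] = set()
    if mapping is None:
        findings.append("no packageSourceMapping: any configured feed may serve any package id")
    else:
        mapped_keys = {ps.get("key", "") for ps in mapping.findall("packageSource")}

    for add in sources.findall("add"):
        key, url = add.get("key", "?"), add.get("value", "")
        if url not in allowed:
            findings.append(f"feed '{key}' ({url}) is not on the allow-list")
        if urlparse(url).scheme == "http":
            findings.append(f"feed '{key}' uses plaintext HTTP")
        if mapping is not None and key not in mapped_keys:
            findings.append(f"feed '{key}' has no packageSourceMapping entry; remove it or map it explicitly")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_NUGET_CONFIG), ("hardened", HARDENED_NUGET_CONFIG)):
        print(f"== {name} ==")
        for f in audit_nuget_config(cfg) or ["OK"]:
            print(" -", f)
```

Run it against each repository's nuget.config in the CI checkout step and fail the build on any finding; the same function can be pointed at the user-level config on developer workstations, where an inherited feed is most likely to have been added by hand.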
