Remus Infostealer, PCPJack Cloud Worm & PAN-OS Exploits: Multi-Vector Credential Theft Campaign Analysis

Security Arsenal Team
May 8, 2026

OTX Pulse data from 2026-05-08 reveals a convergence of high-risk credential theft campaigns spanning software supply chains, cloud infrastructure, and network perimeters. The threat landscape is dominated by the resurgence of Lumma Stealer (now as the 64-bit "Remus" variant), the emergence of the PCPJack cloud worm targeting Kubernetes clusters, and active exploitation of a critical PAN-OS zero-day (CVE-2023-33538) for unauthenticated RCE.

Collectively, these campaigns indicate a shift toward aggressive harvesting of developer secrets (via NuGet typosquatting), cloud access tokens (via container worms), and privileged firewall credentials (via perimeter exploits). The actors behind these operations are utilizing advanced evasion techniques such as EtherHiding, .NET Reactor obfuscation, and living-off-the-land (LotL) binaries to bypass traditional defenses.

Threat Actor / Malware Profile

Remus (Lumma Stealer 64-bit Variant)

  • Origin: Emerged following the takedown of the original Lumma Stealer operation.
  • Distribution: Switched from Steam/Telegram dead drops to EtherHiding (using blockchain BNB Smart Contract transactions for C2).
  • Capabilities: Steals browser credentials, cryptocurrency wallets, and 2FA sessions. Bypasses Application-Bound Encryption (ABE).
  • Anti-Analysis: Extensive anti-debugging checks and 64-bit architecture compatibility.

PCPJack Cloud Worm

  • Target: Exposed Kubernetes and Docker infrastructure.
  • Behavior: Propagates as a worm, evicting artifacts left behind by the TeamPCP threat actor while harvesting credentials from cloud platforms, developer tools, and financial apps.
  • Payload: Utilizes Sliver C2 framework for command and control.

Malicious NuGet Supply Chain

  • Vector: Typosquatting legitimate Chinese UI libraries (e.g., impersonating libraries under bmrxntfj).
  • Mechanism: Grafts .NET Reactor-protected payloads onto decompiled legitimate code.
  • Payloads: Delivers Lumma, Quantum, AgentRacoon, and ArrowRAT.

Operation GriefLure

  • Vector: Spear-phishing with weaponized legal documents.
  • Targets: Viettel Group (Vietnam Military Telecom) and St. Luke's Medical Center (Philippines).
  • Technique: Uses custom loaders (sfsvc.exe) and DLL side-loading (360.dll).

IOC Analysis

The provided indicators span multiple infection vectors:

  1. Domains & URLs: A mix of C2 infrastructure (e.g., dns-providersa2.com, forestoaker.com), phishing sites (whatsappcenter.com, lastpass-login-help.com), and blockchain-related resolvers for EtherHiding.
  2. File Hashes (SHA256/MD5): Identification of malicious NuGet packages, Remus binaries, and PCPJack components. These should be integrated into EDR blocklists immediately.
  3. CVEs: Critical vulnerabilities including CVE-2023-33538 (PAN-OS), CVE-2025-29927, and CVE-2026-1357. These are not IOCs in the traditional sense but are critical for vulnerability management prioritization.

Operational Guidance: SOC teams should import the SHA256 hashes into EDR solutions for immediate isolation. Domains should be blocked at the proxy/DNS level. The CVEs require immediate patching of PAN-OS firewalls and container orchestration platforms.

Detection Engineering

Sigma Rules

```yaml
title: Potential Malicious NuGet Package Execution
id: 6c1b3f2a-8e4c-4b2f-9a1d-1e5f6a7b8c9d
description: Detects execution of a process from the NuGet package cache whose path also carries the 'bmrxntfj' author string associated with the typosquatting campaign.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6c1b3f2a/
tags:
    - attack.supply_chain
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Both substrings must be present; a duplicate 'Image|contains' key would be invalid YAML
    selection:
        Image|contains|all:
            - '\.nuget\packages\'
            - 'bmrxntfj'
    condition: selection
falsepositives:
    - Legitimate NuGet package usage
level: high
---
title: PCPJack Cloud Worm and Sliver C2 Activity
id: 7d2c4g3b-9f5d-5c3e-0b2e-2f6a7b8c9d0e
description: Detects network connections or process execution indicative of PCPJack worm activity or Sliver C2 framework usage in cloud environments.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/7d2c4g3b/
tags:
    - attack.credential_access
    - attack.command_and_control
logsource:
    category: network_connection
    product: linux
detection:
    # Default Sliver listener ports combined with a client-like binary name
    selection_sliver:
        DestinationPort:
            - 8888
            - 8080
        Image|endswith:
            - 'sliver'
            - 'client'
    # Known PCPJack infrastructure from the pulse
    selection_pcpjack:
        DestinationHostname|contains:
            - 'lastpass-login-help.com'
            - 'git.justdotrip.com'
    condition: 1 of selection_*
falsepositives:
    - Legitimate developer tools
level: critical
---
title: Remus Lumma Stealer Process Injection
id: 8e3d5h4c-0g6e-6d4f-1c3f-3g7b8c9d0e1f
description: Detects suspicious behavior associated with Remus (Lumma 64-bit) including unauthorized browser data access or known C2 domain connections.
status: experimental
date: 2026/05/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/8e3d5h4c/
tags:
    - attack.credential_access
    - attack.defense_evasion
logsource:
    category: network_connection
    product: windows
detection:
    selection_c2:
        DestinationHostname|contains:
            - 'forestoaker.com'
            - 'krondez.com'
            - 'baxe.pics'
            - 'remnane.biz'
    # Binaries launched from the user temp directory making outbound TLS connections
    selection_suspicious_path:
        Image|contains: '\AppData\Local\Temp'
        DestinationPort: 443
    condition: 1 of selection_*
falsepositives:
    - Standard web browsing
level: high
```

KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for malicious domains and file hashes associated with Remus, PCPJack, and NuGet attacks
let MaliciousDomains = dynamic(["dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "parky.pics", "lastpass-login-help.com", "git.justdotrip.com", "www.whatsappcenter.com"]);
let MaliciousIPs = dynamic(["149.104.66.84"]);
// Hashes are grouped by algorithm so each list is compared against its matching column;
// a SHA1 or MD5 value placed in the SHA256 list would never match
let MaliciousSHA256 = dynamic(["019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824", "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c", "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1", "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d", "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a", "197f11a7b0003aa7da58a330c2fa2a96a670de91d39ddebc7a51ac1d9404a7e6", "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43"]);
let MaliciousSHA1 = dynamic(["efb675de4b3af3dac3c9cae91075fd7cc2f4f98e"]);
let MaliciousMD5 = dynamic(["6c6cbed6aad96564ed87094785be07a1", "b8e7288656eca9750a5490aa96d3594b"]);
// Network connections to C2 (in~ is case-insensitive)
DeviceNetworkEvents
| where RemoteUrl in~ (MaliciousDomains) or RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    // File creation/execution of known malicious hashes
    DeviceFileEvents
    | where SHA256 in~ (MaliciousSHA256) or SHA1 in~ (MaliciousSHA1) or MD5 in~ (MaliciousMD5)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256, SHA1, MD5, InitiatingProcessAccountName
)
```

PowerShell IOC Hunt Script

```powershell
# IOC Hunt Script for Remus, PCPJack, and NuGet Supply Chain Malware
# Requires Admin Privileges (needed to read every user profile and system path)

$MaliciousSHA256 = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "197f11a7b0003aa7da58a330c2fa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43"
)

$MaliciousSHA1 = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e"
)

$MaliciousMD5 = @(
    "6c6cbed6aad96564ed87094785be07a1",
    "b8e7288656eca9750a5490aa96d3594b"
)

# Each algorithm is compared only against the list of hashes of that type
$HashLists = @{ SHA256 = $MaliciousSHA256; SHA1 = $MaliciousSHA1; MD5 = $MaliciousMD5 }

Write-Host "[!] Starting hunt for malicious files..." -ForegroundColor Cyan

# Enumerate every filesystem drive (not only C:) and hash every file on it
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Yellow
    # -File skips directories, which Get-FileHash cannot hash; access errors are suppressed
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_.FullName
        foreach ($Algo in $HashLists.Keys) {
            $Hash = Get-FileHash -Path $File -Algorithm $Algo -ErrorAction SilentlyContinue
            # $Hash is $null for locked or unreadable files; -contains is case-insensitive for strings
            if ($Hash -and ($HashLists[$Algo] -contains $Hash.Hash)) {
                Write-Host "[MALICIOUS] $Algo Match Found: $File" -ForegroundColor Red
            }
        }
    }
}

# Check every user profile's NuGet package cache for the 'bmrxntfj' author string
foreach ($Profile in Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
    $NugetPath = Join-Path $Profile.FullName ".nuget\packages"
    if (-not (Test-Path $NugetPath)) { continue }
    Write-Host "[!] Checking $NugetPath for 'bmrxntfj' author..." -ForegroundColor Cyan
    $SuspiciousPackages = Get-ChildItem -Path $NugetPath -Recurse -Filter "*.nuspec" -ErrorAction SilentlyContinue |
        Select-String -Pattern "bmrxntfj" -List
    foreach ($Match in $SuspiciousPackages) {
        Write-Host "[!] Suspicious NuGet package found from 'bmrxntfj': $($Match.Path)" -ForegroundColor Red
    }
}

Write-Host "Hunt Complete." -ForegroundColor Green
```


Response Priorities

Immediate

  • Block all domains and IPs listed in the IOC Analysis at the firewall/proxy level.
  • Scan all endpoints for the SHA256 and MD5 hashes associated with Remus, PCPJack, and the malicious NuGet packages.
  • Identify and isolate any devices communicating with forestoaker.com, krondez.com, or dns-providersa2.com.
  • Apply the PAN-OS patch for CVE-2023-33538 immediately to prevent RCE.

24 Hours

  • Initiate credential resets for developer and cloud accounts if code repositories (NuGet) or cloud clusters (Kubernetes) are suspected to be compromised.
  • Review firewall logs for signs of successful exploitation on PAN-OS devices (look for EarthWorm or ReverseSocks5 processes).
  • Audit recent NuGet package installs for typosquatting indicators.

1 Week

  • Implement stricter supply chain security policies for internal NuGet repositories (code signing requirements).
  • Harden Kubernetes clusters against PCPJack (restrict pod-to-pod communication, scan images for Sliver binaries).
  • Update EDR signatures to detect the Remus 64-bit variant and its EtherHiding C2 mechanism.
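The NuGet audit step above can be automated. The following is an added example, not part of the original report or Security Arsenal's tooling: it parses each .nuspec in a package cache, flags the bmrxntfj author string named in this analysis, and flags package ids within edit distance 2 of an allowlist of trusted ids (the allowlist names and the sample .nuspec documents are constructed placeholders).

```python
import xml.etree.ElementTree as ET
from pathlib import Path

SUSPICIOUS_AUTHORS = {"bmrxntfj"}  # author string called out in the report above
# Assumption: ids your build actually depends on (constructed placeholder names)
KNOWN_GOOD_IDS = ["ExampleUI", "ExampleUI.Controls"]

def levenshtein(a, b):
    """Edit distance; a small value against a trusted id suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_nuspec(xml_text):
    """Return (reason, package_id, detail) findings for one .nuspec document."""
    root = ET.fromstring(xml_text.strip())
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the nuspec XML namespace
    meta = {}
    for elem in root:  # only direct children of <metadata>: <dependency id=...> must not clobber <id>
        if local(elem.tag) == "metadata":
            meta = {local(c.tag): (c.text or "").strip() for c in elem}
    pkg_id, authors = meta.get("id", ""), meta.get("authors", "")
    findings = []
    for author in (a.strip().lower() for a in authors.split(",")):
        if author in SUSPICIOUS_AUTHORS:
            findings.append(("suspicious-author", pkg_id, author))
    if pkg_id.lower() not in [g.lower() for g in KNOWN_GOOD_IDS]:  # exact id = the real package
        for good in KNOWN_GOOD_IDS:
            if levenshtein(pkg_id.lower(), good.lower()) <= 2:
                findings.append(("typosquat", pkg_id, good))
    return findings

def audit_package_cache(cache_dir):
    # Walk a NuGet cache (e.g. ~/.nuget/packages) and audit every .nuspec in it
    findings = []
    for nuspec in Path(cache_dir).rglob("*.nuspec"):
        findings.extend(audit_nuspec(nuspec.read_text(encoding="utf-8", errors="replace")))
    return findings

# Constructed sample .nuspec documents (not real packages) for offline testing
NUSPEC = ('<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
          '<metadata><id>{}</id><version>1.0.0</version><authors>{}</authors></metadata></package>')
SAMPLE_NUSPECS = {
    "typosquat": NUSPEC.format("ExampIeUI", "bmrxntfj"),  # capital I in place of lowercase l
    "legit": NUSPEC.format("ExampleUI", "Example Corp"),
    "near_miss": NUSPEC.format("ExampleUI.Control", "someone"),
}
```

Run audit_package_cache against each developer's NuGet cache and treat any "suspicious-author" hit as a confirmed indicator; "typosquat" hits need a human check against the intended dependency.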
