Recent OTX pulses indicate a sophisticated convergence of ransomware operations and wide-scale credential harvesting. The Hive0163 (Interlock) and Rhysida threat clusters are actively leveraging a complex ecosystem of malware, including NodeSnake, InterlockRAT, and SystemBC, often delivered via trojanized installers exploiting known vulnerabilities (e.g., CVE-2023-36036).
Parallel to state-aligned activity, commodity infostealers like Gremlin, Lumma, and Vidar are evolving their delivery mechanisms. Notably, cybercriminals are compromising the Steam Workshop supply chain to distribute malware via malicious "Wallpaper Engine" assets. These campaigns target credentials across gaming platforms (Steam), corporate networks, and cloud storage, likely fueling initial access brokering for ransomware affiliates.
Threat Actor / Malware Profile
Adversaries: Hive0163 (Interlock), Rhysida, UAT-8616
- Hive0163 / Rhysida: These groups utilize a "malware-as-a-service" approach, employing loaders like MintLoader and JunkFiction to deploy payloads such as InterlockRAT and Sliver. Their objective is persistent access leading to data exfiltration and ransomware deployment.
- UAT-8616: A sophisticated cluster exploiting edge infrastructure (Cisco SD-WAN) to deploy webshells (Godzilla, Behinder) and cryptominers (XMRig).
Malware Families
- Gremlin Stealer: Uses advanced obfuscation, including commercial packing and instruction virtualization, to hide payloads in resource files. It targets browser data, crypto wallets, and messenger tokens.
- Lumma / Vidar: Distributed primarily through Steam Workshop wallpapers. Once executed, they steal session cookies, passwords, and 2FA tokens.
- NodeSnake: A custom malware attributed to Hive0163, designed for stealthy persistence and C2 communication.
IOC Analysis
- Network Infrastructure: The IP
185.196.9.234and domainleadslaw.comare confirmed C2 nodes associated with the Interlock/Rhysida ecosystem. These should be blocked immediately at the firewall and proxy level. - File Hashes: A significant volume of SHA256 hashes (e.g.,
333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c) correlate to packed executables for Gremlin, DarkComet, and Vidar. These are high-fidelity indicators for EDR correlation. - CVEs: Active exploitation is observed against CVE-2026-20182 (Cisco SD-WAN) and CVE-2023-36036.
- URLs: Malicious Dropbox and Google Drive links (e.g.,
.../Synaptics.rar) serve as droppers for the Steam campaign.
Detection Engineering
YAML
---
title: Suspicious Child Process of Wallpaper Engine
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects Wallpaper Engine (Steam) spawning suspicious archive utilities or script interpreters, indicative of malware distribution via Steam Workshop.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66a1b2c3d4e5f
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wallpaper32.exe'
filter_legit:
Image|endswith:
- '\rundll32.exe'
- '\explorer.exe'
- '\wallpaper32.exe'
condition: selection and not filter_legit
falsepositives:
- Legitimate user interaction with wallpaper scripts (rare)
level: high
tags:
- attack.initial_access
- attack.t1190
---
title: Interlock/Rhysida C2 Network Activity
id: b2c3d4e5-6789-01ab-cdef-234567890abc
description: Detects network connections to known Interlock/Rhysida infrastructure observed in OTX pulses.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66a1b2c3d4e5f
logsource:
category: network_connection
product: windows
detection:
selection_ip:
DestinationIp:
- '185.196.9.234'
selection_domain:
DestinationDomain|contains:
- 'leadslaw.com'
condition: 1 of selection_*
falsepositives:
- Unknown
level: critical
tags:
- attack.command_and_control
- attack.t1071
---
title: Cisco SD-WAN Webshell Upload Indicators
id: c3d4e5f6-7890-12ab-cdef-345678901bcd
description: Detects potential webshell upload or exploitation patterns associated with CVE-2026-20182 on Cisco SD-WAN infrastructure.
status: experimental
date: 2026/06/16
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66a1b2c3d4e5f
logsource:
category: web
detection:
selection_uri:
cs-uri-query|contains:
- 'vpncomponent'
- 'sslvpn'
selection_methods:
cs-method:
- 'POST'
- 'PUT'
selection_ext:
cs-uri-stem|endswith:
- '.jsp'
- '.php'
condition: selection_uri and selection_methods and selection_ext
falsepositives:
- Administrative management activities
level: high
tags:
- attack.initial_access
- attack.t1190
- cve.2026.20182
kql
// Hunt for connections to known malicious infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("185.196.9.234")
or RemoteUrl contains "leadslaw.com"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl
// Hunt for file hashes associated with Gremlin and Vidar
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
"1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
"fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
)
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName
powershell
# IOC Hunt Script for Steam Wallpaper Droppers
# Searches User Profiles for specific RAR archives and suspicious executable hashes
$MaliciousHashes = @(
"333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
"1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
"fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
)
Write-Host "[+] Scanning for Steam Workshop Droppers and Malicious Binaries..."
# Check for Wallpaper Engine directories (common install path)
$SteamPaths = @("${env:ProgramFiles(x86)}\Steam", "$env:LOCALAPPDATA\Steam")
foreach ($Path in $SteamPaths) {
if (Test-Path $Path) {
Write-Host "[!] Found Steam installation at: $Path"
# Scan for .rar files in workshop or download directories
Get-ChildItem -Path $Path -Filter *.rar -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
Write-Host "[WARNING] Suspicious RAR found: $($_.FullName)"
}
}
}
# Scan User Profiles for specific hashes
Get-ChildItem -Path "C:\Users" -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | Where-Object {
$MaliciousHashes -contains $_.Hash
} | ForEach-Object {
Write-Host "[CRITICAL] Malicious file detected: $($_.Path) | Hash: $($_.Hash)"
}
Response Priorities
-
Immediate:
- Block IP
185.196.9.234and domainleadslaw.comon all perimeter firewalls and proxies. - Quarantine endpoints matching the provided file hashes.
- Identify and block access to
steamcommunity.com/workshopif Steam is not business-critical, or restrict execution of binaries downloaded from this source.
- Block IP
-
24h:
- Initiate credential resets and MFA re-enrollment for accounts identified on endpoints infected with Lumma, Vidar, or Gremlin.
- Review logs for successful VPN or SSO logins originating from IPs associated with UAT-8616 or the Interlock cluster.
-
1 week:
- Patch Cisco Catalyst SD-WAN Manager to address CVE-2026-20182.
- Implement application allow-listing to prevent the execution of unsigned binaries often used by these loaders (e.g., JunkFiction).
- Conduct a review of software supply chain policies regarding third-party installers and community plugins.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsrhysidagremlin-stealerlummavidarcredential-theft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.