Back to Intelligence

Shai-Hulud npm Worm, Cloud Atlas APT, & Gentlemen RaaS: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 21, 2026
6 min read

Recent OTX pulses highlight a convergence of high-risk threat activities spanning software supply chain compromises, state-sponsored espionage, and financially motivated ransomware. Threat actors are actively exploiting the npm ecosystem to distribute the Shai-Hulud copycat worm and infostealers via packages like chalk-tempalte. Simultaneously, the Cloud Atlas (Inception Framework) APT group is targeting government entities in Russia and Belarus with phishing campaigns delivering multi-stage RATs (VBCloud, ValleyRAT). In the criminal sector, The Gentlemen RaaS operation continues to impact Transportation and Construction sectors, utilizing defense evasion techniques like event log clearing and exploiting CVE-2024-55591 to deploy ransomware.

Threat Actor / Malware Profile

Shai-Hulud Copycat (Supply Chain)

  • Distribution Method: Malicious npm packages (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils) mimicking popular libraries.
  • Payload Behavior: Functions as a worm and infostealer. Capabilities include credential theft, cryptocurrency theft, and DDoS botnet participation.
  • C2 Communication: Connects to C2 infrastructure hosted on lhr.life subdomains.

Cloud Atlas (Inception Framework)

  • Distribution Method: Spear-phishing emails containing malicious ZIP archives with embedded LNK shortcuts.
  • Payload Behavior: Deploys a suite of backdoors including PowerCloud, VBCloud, and ValleyRAT. Used for file theft, network reconnaissance (PowerShower), and establishing persistence via ReverseSocks.
  • Anti-Analysis: Uses obfuscated PowerShell and diverse malware families to avoid detection.

The Gentlemen (RaaS)

  • Distribution Method: Ransomware-as-a-Service operations leveraging initial access brokers or exposed vulnerabilities (e.g., CVE-2024-55591).
  • Persistence Mechanism: Utilizes Scheduled Tasks and PowerShell commands.
  • Defense Evasion: Aggressively clears Security, System, and Application Event Logs. Disables Microsoft Defender.

IOC Analysis

The provided indicators span multiple vectors requiring immediate triage:

  • Hostnames/Domains: (e.g., 87e0bbc636999b.lhr.life, allgoodsdirect.com.au) Used for C2 communication and payload delivery. SOC teams should block these at the firewall and proxy level.
  • File Hashes (MD5/SHA256): (e.g., 0320dd389fdbab25d46792bd2817675e, f918535f974591ef031bd0f30a8171e3...) Specific to malware samples. Use EDR telemetry to hunt for these hashes on endpoints.
  • CVEs: (CVE-2018-0802, CVE-2025-55182, CVE-2024-55591) Indicates exploit usage. Prioritize patching for CVE-2024-55591 and investigate logs for exploitation attempts of the cited vulnerabilities.

Detection Engineering

YAML
title: Potential Shai-Hulud NPM Malware Execution
id: 99d4c2a8-b3f1-4b5a-9c5d-8e7a1f2b3c4d
description: Detects execution of child processes by npm/node following the installation of known suspicious package names or network connections to suspicious C2s associated with Shai-Hulud.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6671a2e51a3232
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
    selection_suspicious_pkg:
        CommandLine|contains:
            - 'chalk-tempalte'
            - 'axios-util'
            - 'color-style-utils'
    selection_network:
        DestinationHostname|endswith:
            - '.lhr.life'
    condition: 1 of selection_*
falsepositives:
    - Legitimate developer activity testing packages
level: high
---
title: Gentlemen Ransomware Defense Evasion - Event Log Clearing
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects attempts to clear Security, System, or Application event logs, a tactic observed in The Gentlemen ransomware incidents.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6674b8f51a3232
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains: 'cl'
    selection_powershell:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Clear-EventLog'
            - 'Remove-EventLog'
    condition: 1 of selection_*
falsepositives:
    - System administration scripts
level: critical
---
title: Cloud Atlas Phishing LNK Execution
id: e5f6g7h8-9012-34ij-56kl-789012345678
description: Detects execution of LNK files that spawn PowerShell or cmd, typical of Cloud Atlas phishing vectors using ZIP archives.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6671a2e51a3235
tags:
    - attack.initial_access
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_lnk:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        ParentImage|endswith: '\explorer.exe'
    selection_context:
        CommandLine|contains:
            - '.lnk'
            - '/c'
    condition: all of selection_*
falsepositives:
    - Legitimate shortcut usage
level: high


kql
// Hunt for Shai-Hulud related network connections and process activity
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "lhr.life" or RemoteUrl has "allgoodsdirect.com.au"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IOCHit = "Shai-Hulud / Cloud Atlas Domain"
;
// Hunt for Gentlemen Ransomware File Hashes
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8") or MD5 in ("0320dd389fdbab25d46792bd2817675e", "0577db70844e88b32b954906e2f20798")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5
| extend IOCHit = "Malware File Hash"
;
// Hunt for Event Log Clearing (Gentlemen)
SecurityEvent
| where Timestamp > ago(7d)
| where EventID == 1102 or EventID == 104
| project Timestamp, Computer, Activity, Account
| extend IOCHit = "Event Log Cleared"


powershell
# PowerShell Hunt Script for Gentlemen Persistence and Shai-Hulud traces

# Check for Suspicious NPM Packages
Write-Host "Checking for suspicious npm packages..."
$suspiciousPackages = @("chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils")
$npmPath = "$env:APPDATA\npm" # Common user npm path

if (Test-Path $npmPath) {
    Get-ChildItem -Path $npmPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.BaseName -in $suspiciousPackages) {
            Write-Host "[ALERT] Suspicious package found: $($_.FullName)" -ForegroundColor Red
        }
    }
}

# Check for Scheduled Tasks used by The Gentlemen
Write-Host "Checking for suspicious Scheduled Tasks..."
Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*powershell*" -or 
    $_.Actions.Execute -like "*cmd*"
} | ForEach-Object {
    $taskInfo = $_.Actions.Execute + " " + $_.Actions.Arguments
    if ($taskInfo -match "-encoded" -or $taskInfo -match "Invoke-") {
        Write-Host "[SUSPICIOUS] Task: $($_.TaskName) | Action: $taskInfo" -ForegroundColor Yellow
    }
}

# Check for recent Event Log clear operations
Write-Host "Checking Security Event Log for ID 1102 (Log Clear)..."
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=1102} -MaxEvents 10 -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "[ALERT] Event Log cleared at: $($_.TimeCreated) by: $($_.Message)" -ForegroundColor Red
}


# Response Priorities

*   **Immediate**:
    *   Block all listed domains and hostnames (`lhr.life`, `allgoodsdirect.com.au`) at network perimeter.
    *   Initiate hunts for the provided SHA256 and MD5 file hashes across all endpoints.
    *   Investigate any systems triggering the "Event Log Cleared" detection rule.
*   **24 Hours**:
    *   Audit npm repositories for the presence of `chalk-tempalte` and other listed malicious packages.
    *   If credential theft is suspected (Shai-Hulud), force password resets for developer accounts and service accounts used on compromised nodes.
    *   Patch systems against CVE-2024-55591.
*   **1 Week**:
    *   Implement strict allow-listing for npm packages and software supply chain security checks (e.g., using software composition analysis tools).
    *   Conduct a review of user permissions and scheduled tasks to identify potential persistence mechanisms.
    *   Enhance email filtering to block ZIP archives containing LNK files (Cloud Atlas vector).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareshai-huludcloud-atlasgentlemen-ransomwaresupply-chain-attackapt

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action