Shai-Hulud npm Worm, SHub Reaper macOS Stealer, and Nexcorium IoT Botnet: OTX Pulse Analysis

Recent OTX pulses highlight a surge in multi-platform threat activity, spanning open-source supply chain compromises, sophisticated macOS credential harvesting, and IoT vulnerability exploitation. Adversaries are leveraging trusted ecosystems (npm), brand spoofing (Apple/Google), and unpatched infrastructure (TBK DVRs) to deliver diverse payloads ranging from the Shai-Hulud worm to SHub Reaper and Nexcorium botnets. Collectively, these campaigns focus on initial access via deception or vulnerability, followed by credential theft and infrastructure hijacking for DDoS operations.

Threat Actor / Malware Profile

Shai-Hulud (Copycat Worm)

Family: Worm, Infostealer, DDoS Botnet
Distribution: Malicious npm packages (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils).
Behavior: Acts as a worm within the node ecosystem. Steals credentials and cryptocurrency data. Includes DDoS capabilities.
C2: Communicates with hardcoded IP addresses (e.g., 80.200.28.28) and specific hostnames utilizing the .lhr.life domain.

SHub Stealer / Reaper

Family: Infostealer, Backdoor
Actor: Unknown
Distribution: Fake installers for WeChat and Miro. utilizes social engineering to spoof Apple, Google, and Microsoft.
Behavior: Uses applescript:// URL schemes to bypass Terminal-based defenses. Performs extensive system fingerprinting and anti-analysis checks before deploying the payload (AMOS/Atomic variants).
Persistence: Established via persistence mechanisms typical of macOS stealers (launch agents, though specific paths require reverse engineering of the binary).
C2: Uses HTTP endpoints on domains like hebsbsbzjsjshduxbs.xyz for heartbeat and data exfiltration (/api/bot/heartbeat).

Nexcorium (Mirai Variant)

Family: IoT Botnet, DDoS
Actor: Nexus Team
Distribution: Exploits CVE-2024-3721 in TBK DVR devices. Also utilizes credential brute-force.
Behavior: Multi-architecture support (ARM, MIPS, x86-64). Uses OS command injection for delivery. Implements persistence via init configuration and star mechanisms.
C2: Custom HTTP headers used for attribution to Nexus Team.

IOC Analysis

The provided indicators span multiple layers of the network stack:

Network Infrastructure (IPv4/Hostname): Key for blocking C2 communication. Shai-Hulud relies on specific .lhr.life hostnames, while SHub Reaper uses dynamic DNS domains.
Domains/URLs: SHub Reaper utilizes specific API paths (/gate, /api/bot/heartbeat). These should be blocked at the proxy.
File Hashes (MD5/SHA1/SHA256): Critical for identifying malicious binaries on disk or in-memory. Nexcorium hashes are available for multiple architectures.
CVEs: CVE-2024-3721 is the primary vector for the Nexcorium botnet.

SOC teams should operationalize these IOCs by:

Loading hashes into EDR alerting logic.
Blocking domains and IPs at the firewall/proxy.
Using CVE-2024-3721 as a signature in IDS/IPS for TBK DVR exploitation attempts.

Detection Engineering

YAML

---
title: Potential Shai-Hulud NPM Package Execution
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects execution of known malicious Shai-Hulud copycat npm packages or suspicious node processes connecting to C2 infrastructure.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664a7f3b1e4f8a4c8d9e0f1a
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\\node.exe'
            - '\\npm.cmd'
        CommandLine|contains:
            - 'chalk-tempalte'
            - '@deadcode09284814/axios-util'
            - 'axois-utils'
            - 'color-style-utils'
    selection_c2:
        DestinationIp:
            - '80.200.28.28'
        DestinationHostname|endswith:
            - '.lhr.life'
    condition: 1 of selection*
falsepositives:
    - Legitimate npm package usage (rare for these specific names)
level: critical
---
title: macOS SHub Reaper Applescript URL Scheme Execution
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
description: Detects the use of applescript:// URL schemes, a technique used by SHub Reaper to bypass terminal defenses.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664a8f4c2e5f9b5d9e0f1b2c
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: 'applescript://'
    condition: selection
falsepositives:
    - Legitimate automation scripts
level: high
---
title: Nexcorium Mirai Variant IoT Exploitation Attempt
id: c3d4e5f6-7890-12bc-def0-3456789012cd
description: Detects exploitation attempts of CVE-2024-3721 associated with the Nexcorium Mirai botnet targeting TBK DVR devices.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/664a9f5d3f60ac6e9e0f2c3d
logsource:
    category: webserver
    product: apache
    service: http
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/DVR/run'
            - 'CVE-2024-3721' # Often found in exploit checks
    selection_ua:
        cs-user-agent|contains:
            - 'Mirai'
            - 'Nexcorium'
    condition: 1 of selection*
falsepositives:
    - Vulnerability scanners
level: high


kql
// Hunt for SHub Reaper C2 Domains and Nexcorium C2 IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in (
    'hebsbsbzjsjshduxbs.xyz',
    'mlroweb.com',
    'qq-0732gwh22.com'
    )
    or RemoteIP in ('80.200.28.28')
| extend DeviceCustom = pack_all()
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, DeviceCustom

// Hunt for malicious file hashes on disk
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    '89dae116c77b0035277d39dfe01043624427c119ddee8883a3ba54a42a6ae400',
    '0b510f93f47590791626d2fa74ddd62ba6eb8a5a5bb7b8476c0ceffc7be94ebe'
    )
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName


bash
#!/bin/bash
# IOC Hunt Script for Shai-Hulud npm packages
# Check for existence of known malicious package names in node_modules

MALICIOUS_PACKAGES=(
    "chalk-tempalte"
    "@deadcode09284814/axios-util"
    "axois-utils"
    "color-style-utils"
)

echo "Scanning for Shai-Hulud malicious npm packages..."

# Define common node_modules locations (adjust as needed for your environment)
SEARCH_DIRS=("/home" "/usr/local/lib" "/opt")

for dir in "${SEARCH_DIRS[@]}"; do
    if [ -d "$dir" ]; then
        echo "Scanning $dir..."
        for pkg in "${MALICIOUS_PACKAGES[@]}"; do
            FOUND=$(find "$dir" -type d -name "$pkg" 2>/dev/null)
            if [ ! -z "$FOUND" ]; then
                echo "[ALERT] Found malicious package: $pkg"
                echo "Location: $FOUND"
            fi
        done
    fi
done

echo "Scan complete."

Response Priorities

Immediate:
- Block all identified IOCs (IPs, Domains) at perimeter firewalls and proxies.
- Scan developer workstations and build servers for the identified malicious npm packages.
- Identify macOS devices communicating with hebsbsbzjsjshduxbs.xyz.
24h:
- Initiate credential resets for any accounts potentially compromised by the SHub Reaper or Shai-Hulud infostealers (browser data, crypto wallets).
- Isolate infected IoT devices showing signs of Nexcorium infection.
1 week:
- Patch TBK DVR devices against CVE-2024-3721 or isolate them from the network.
- Implement supply chain security controls for npm usage (package-lock verification, private registries).
- Review and restrict the use of applescript:// URL schemes on macOS endpoints.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub