Back to Intelligence

Shai-Hulud NPM Worm, The Gentlemen RaaS, & ClickFix Polymorphism: OTX Pulse Analysis

SA
Security Arsenal Team
June 20, 2026
5 min read

Threat Summary

Recent OTX pulses reveal a convergence of high-impact threats targeting supply chains, endpoints, and user credentials. Threat actors are leveraging "Copycat" techniques to propagate the Shai-Hulud worm via malicious npm packages, while the The Gentlemen RaaS operation utilizes sophisticated defense evasion (log clearing, disabling Defender) to deploy ransomware. Concurrently, the ClickFix campaign has evolved into a polymorphic threat using fake CAPTCHAs to deliver DeerStealer and Vidar via fileless PowerShell execution. The collective objective spans credential theft, cryptocurrency hijacking, and operational disruption via ransomware.

Threat Actor / Malware Profile

Shai-Hulud (Copycat Variant)

  • Type: Worm / Infostealer / DDoS Botnet
  • Distribution: Malicious npm packages (chalk-tempalte, @deadcode09284814/axios-util, axois-utils).
  • Behavior: Exfiltrates credentials and cryptocurrency keys while enrolling the host in DDoS activities.
  • C2 Communication: Connects to hardcoded hostnames ending in .lhr.life.

The Gentlemen

  • Type: Ransomware-as-a-Service (RaaS) (Qilin/Babylocker variant)
  • Affiliation: Trojan:Win32/MpTamperBulkExcl.H
  • Persistence: Uses Scheduled Tasks and PowerShell scripts.
  • Evasion: Clears Security, System, and Application Event Logs (wevtutil cl) and disables Microsoft Defender Real-time protection.
  • Exploitation: Targets vulnerabilities such as CVE-2024-55591.

ClickFix (DeerStealer / Vidar)

  • Type: Social Engineering / Infostealer Loader
  • Distribution: Fake browser CAPTCHA pages.
  • Execution: PowerShell commands using XOR encryption and Base64 obfuscation (fileless).
  • Payload: Delivers DeerStealer or Vidar to steal sensitive data.

IOC Analysis

  • Network Infrastructure: The pulses reveal multiple C2 and delivery hostnames. SOC teams should immediately block the listed domains (e.g., lhr.life, pickleballmastery.com, itechhardware.com) at the proxy and DNS layer.
  • File Artifacts: A specific SHA256 hash (f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8) is associated with The Gentlemen payload. EDR solutions should be configured to quarantine files matching this hash.
  • Vulnerability: CVE-2024-55591 is actively exploited in the wild for initial access and privilege escalation.

Detection Engineering

Sigma Rules

YAML
title: Potential Shai-Hulud NPM Malicious Package Installation
id: 4c1a8c9d-5e6f-4a3d-8b2c-1d4e5f6a7b8c
description: Detects installation of known malicious npm packages associated with the Shai-Hulud copycat worm.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6670e6c9f0b4b02e6a0b4c9c
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\npm.cmd'
        CommandLine|contains:
            - 'chalk-tempalte'
            - '@deadcode09284814/axios-util'
            - 'axois-utils'
            - 'color-style-utils'
    condition: selection
falsepositives:
    - Legitimate developer usage (unlikely due to specific naming)
level: high
---
title: The Gentlemen RaaS Event Log Clearing
date: 2026/06/21
id: 3b2a1d0e-9f8e-7c6d-5a4b-3c2d1e0f9a8b
description: Detects attempts to clear Windows Event Logs, a TTP observed in The Gentlemen ransomware incidents.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6671a1b9f0b4b02e6a0b4d0e
tags:
    - attack.defense_evasion
    - attack.t1070.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\wevtutil.exe'
            - '\powershell.exe'
    selection_clear:
        CommandLine|contains:
            - 'cl Security'
            - 'cl System'
            - 'cl Application'
            - 'Clear-EventLog'
    condition: all of selection_*
falsepositives:
    - Administrative maintenance scripts
level: high
---
title: ClickFix Browser Spawned PowerShell
date: 2026/06/21
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects browser processes spawning PowerShell, common in ClickFix fake CAPTCHA campaigns.
status: experimental
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6671a1b9f0b4b02e6a0b4d0f
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    selection_child:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'FromBase64String'
            - 'XOR'
            - 'IEX'
    condition: all of selection_*
falsepositives:
    - Legitimate automation tools
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Shai-Hulud C2 connections and malicious domains
DeviceNetworkEvents
| where RemoteUrl in (
    "87e0bbc636999b.lhr.life", 
    "edcf8b03c84634.lhr.life",
    "www.fidestrento.com",
    "kiitec.ac.tz",
    "aqarco.com",
    "game-corp.net",
    "pickleballmastery.com",
    "itechhardware.com",
    "shadesking.com",
    "mlm-dra.com"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
;
// Hunt for The Gentlemen ransomware file hash
DeviceFileEvents
| where SHA256 == "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
;
// Hunt for Log Clearing Activity (The Gentlemen)
DeviceProcessEvents
| where FileName in ("wevtutil.exe", "powershell.exe")
| where ProcessCommandLine has_any ("cl ", "Clear-EventLog") and ProcessCommandLine has_any ("Security", "System", "Application")
| project Timestamp, DeviceName, FileName, ProcessCommandLine

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Shai-Hulud, The Gentlemen, and ClickFix artifacts

Write-Host "Starting Threat Hunt..." -ForegroundColor Cyan

# 1. Check for The Gentlemen Malicious File Hash
$MaliciousHash = "f918535f974591ef031bd0f30a8171e3da27a6754e6426a8ba095f83195661c8"
Write-Host "Checking for malicious hash $MaliciousHash..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 0 } | 
    ForEach-Object { 
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -eq $MaliciousHash) { 
            Write-Host "MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red 
        }
    }

# 2. Check for Suspicious NPM Packages (Shai-Hulud)
$BadPackages = @("chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils")
Write-Host "Checking for malicious NPM packages..." -ForegroundColor Yellow
$NpmPaths = @("$env:APPDATA\npm", "$env:USERPROFILE\node_modules", "$env:ProgramFiles\nodejs")
foreach ($path in $NpmPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -Directory -ErrorAction SilentlyContinue | 
            Where-Object { $BadPackages -contains $_.Name } | 
            ForEach-Object { Write-Host "SUSPICIOUS PACKAGE FOUND: $($_.FullName)" -ForegroundColor Red }
    }
}

# 3. Check for Scheduled Tasks associated with The Gentlemen (Generic Detection)
Write-Host "Checking for Suspicious Scheduled Tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*powershell*" -and 
    ($_.Actions.Arguments -like "*IEX*" -or $_.Actions.Arguments -like "*DownloadString*")
} | ForEach-Object { Write-Host "SUSPICIOUS TASK FOUND: $($_.TaskName) - Action: $($_.Actions.Execute)" -ForegroundColor Red }

Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed domains and hostnames at the network edge. Initiate a hunt for the SHA256 hash f918535f... across all endpoints. Patch systems vulnerable to CVE-2024-55591.
  • 24h: Audit developer environments for the presence of the malicious npm packages listed in the Shai-Hulud section. If infostealers are suspected, force reset of credentials for sensitive accounts accessed from infected machines.
  • 1 week: Implement strict Software Bill of Materials (SBOM) validation for build pipelines. Enhance browser security policies to restrict unauthorized PowerShell execution from browser processes.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwareshai-huludthe-gentlemenclickfixransomwaresupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action