Recent OTX pulses indicate a surge in high-impact intrusion campaigns targeting diverse attack vectors, including open-source supply chains, critical enterprise software, and endpoint social engineering.
- Supply Chain (Shai-Hulud Copycat): A new worm variant is propagating via typosquatted NPM packages (
chalk-tempalte,axios-util). These packages function as infostealers and DDoS bots, targeting developer environments. - Zero-Day Exploitation (UNC6240/ShinyHunters): The threat actor UNC6240 is actively exploiting CVE-2026-35273, a critical RCE vulnerability in Oracle PeopleSoft, prior to the availability of a patch. This campaign targets the Education Sector with the goal of data extortion.
- Social Engineering (Potemkin/RMMProject): A "ClickFix" campaign is delivering a custom loader (Potemkin) via malicious HTA files disguised as browser updates. This loader deploys the RMMProject RAT, utilizing a Deterministic Domain Generation Algorithm (DGA) for C2.
Collectively, these pulses highlight adversaries leveraging initial access vectors that bypass traditional perimeter defenses—trusting malicious packages, exploiting unpatched legacy apps, and tricking users via fake error messages.
Threat Actor / Malware Profile
Shai-Hulud Copycat
- Type: Worm / Infostealer
- Distribution: Typosquatting of popular NPM libraries.
- Behavior: Upon installation, the malware reaches out to C2 hostnames (
.lhr.life) for tasking. It exfiltrates cryptocurrency wallet keys and credentials while enlisting the host in a DDoS botnet.
UNC6240 (ShinyHunters)
- Type: Ransomware-Adjacent / Extortion Group
- Malware: MeshCentral (Legitimate RMM tool abused for C2).
- Distribution: Exploitation of CVE-2026-35273 in Oracle PeopleSoft Environment Management.
- Behavior: Remote Code Execution (RCE) allows the actor to drop webshells and establish persistence using MeshCentral, facilitating lateral movement and data exfiltration for extortion.
Potemkin & RMMProject
- Type: Custom Loader & RAT
- Distribution: ClickFix (Fake Browser Error -> HTA file).
- Behavior: The HTA file silently executes
msiexecto install Potemkin. Potemkin uses a deterministic DGA to resolve C2 domains and decrypts the next stage payload (RMMProject), a Lua-scriptable RAT capable of stealing Chrome App-Bound encryption keys and credentials.
IOC Analysis
The provided indicators of compromise (IOCs) span multiple infrastructure types, requiring a layered defense approach:
- Network Infrastructure (Domains/IPs): The pulses reveal specific C2 infrastructure including
azurenetfiles.net(ShinyHunters),lhr.lifehostnames (Shai-Hulud), and DGA-generated domains likeresumeacceptable.com(Potemkin). These should be blocked at the perimeter and DNS layers. - File Hashes: SHA256 and MD5 hashes are provided for the MeshCentral agent and the Potemkin MSI installer (
inst24.msi). These are critical for EDR detection and retrospective hunting. - URLs: Specific URLs hosting payloads (e.g.,
/agent.ashx,/inst24.msi) indicate the distribution mechanism. SOC teams should inspect proxy logs for GET requests to these paths.
Operational Note: The Potemkin loader utilizes a DGA. While the listed domains are current, future iterations will generate new domains. Focus detection on the behavior (MSI download via HTA) rather than solely on blocking static domains.
Detection Engineering
Sigma Rules
YAML
---
title: Potential NPM Typosquatting Malware Execution
id: 8c7a3b2d-1a9e-4f3c-9b5e-6d4f7e8a9b0c
description: Detects execution of suspicious processes spawned by Node.js or NPM, indicative of malware like Shai-Hulud running in dev environments.
status: experimental
date: 2026/06/18
tags:
- attack.execution
- attack.t1204
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\node.exe'
- '\npm.cmd'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate build scripts running shell commands
level: high
---
title: ClickFix Infection Chain HTA to MSI
id: 1d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a
description: Detects the characteristic infection chain of Potemkin Loader where mshta.exe executes an HTA file that subsequently triggers msiexec.exe.
status: experimental
date: 2026/06/18
tags:
- attack.initial_access
- attack.t1191
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
root:
Image|endswith: '\mshta.exe'
CommandLine|contains: '.hta'
child:
Image|endswith: '\msiexec.exe'
filter_main_generic:
ParentImage|contains: '\\'
timeframe: 30s
condition: root | by ProcessId and not 1 of filter_*
level: critical
---
title: ShinyHunters MeshCentral Webshell Activity
id: 2f3e4a5b-6c7d-8e9f-0a1b-2c3d4e5f6a7b
description: Detects potential webshell or exploitation activity associated with CVE-2026-35273 on Oracle PeopleSoft, specifically looking for processes associated with MeshCentral agent.
status: experimental
date: 2026/06/18
tags:
- attack.persistence
- attack.t1505.003
- cve.2026.35273
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains: 'MeshAgent'
Image|endswith: '.exe'
ParentImage|endswith:
- '\w3wp.exe'
- '\java.exe'
condition: selection
falsepositives:
- Legitimate administration of MeshCentral
level: high
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for Potemkin ClickFix Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("eutialyson.com", "distritovagas.com", "resumeacceptable.com")
or InitiatingProcessCommandLine has_any ("inst24.msi", "hte.hta")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
// Hunt for ShinyHunters C2 Activity
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl contains "azurenetfiles.net" or RemoteIP == "176.120.22.24"
| extend FileHashInfo = parse_(AdditionalFields)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, FileHashInfo.SHA1, FileHashInfo.SHA256, FileHashInfo.MD5
// Hunt for Malicious NPM Process Spawns
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("node.exe", "npm.cmd")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, CommandLine
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
IOC Hunt for Shai-Hulud, Potemkin, and ShinyHunters Activity.
.DESCRIPTION
Checks hosts file for malicious domains and scans for specific file hashes.
#>
$MaliciousDomains = @(
"87e0bbc636999b.lhr.life",
"edcf8b03c84634.lhr.life",
"azurenetfiles.net",
"resumeacceptable.com",
"sonra.eutialyson.com",
"cl.distritovagas.com"
)
$MaliciousHashes = @(
"c7e9332731b06644fc73e0046a2a89eaa59b09f54250e9bd622467187351711f",
"ebcf977806f68af3147e0b78b55f6aed",
"cc19e502e4201cc974c753b96429027925224f53",
"2ab684d93c1553fad87041b4dea97188a97e78589deee2a7bacff905564f3a35",
"79f7b67ce8b390703f3e1c2b90fce0ce84134782a7dedcccc1edac197ee9e089b"
)
Write-Host "[*] Checking Hosts file for malicious domains..." -ForegroundColor Cyan
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
$HostsContent = Get-Content $HostsPath
foreach ($domain in $MaliciousDomains) {
if ($HostsContent -match $domain) {
Write-Host "[!] ALERT: Found domain $domain in hosts file." -ForegroundColor Red
}
}
}
Write-Host "[*] Scanning for malicious file hashes (This may take time)..." -ForegroundColor Cyan
$DrivesToScan = @("C:\")
foreach ($drive in $DrivesToScan) {
if (Test-Path $drive) {
Get-ChildItem -Path $drive -Recurse -ErrorAction SilentlyContinue |
Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
Where-Object { $MaliciousHashes -contains $_.Hash } |
ForEach-Object {
Write-Host "[!] ALERT: Malicious file found: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
}
}
}
Write-Host "[*] Checking processes connecting to Malicious IPs..." -ForegroundColor Cyan
$MaliciousIPs = @("176.120.22.24", "77.110.122.58")
Get-NetTCPConnection -ErrorAction SilentlyContinue |
Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
ForEach-Object {
$Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
Write-Host "[!] ALERT: Process connected to malicious IP: $($Process.ProcessName) (PID: $($_.OwningProcess)) to $($_.RemoteAddress):$($_.RemotePort)" -ForegroundColor Red
}
# Response Priorities
Immediate (0-24h)
- Block IOCs: Immediately block all listed domains and IPs on firewalls, proxies, and Secure Web Gateways (SWG).
- Scan for Artifacts: Run the provided PowerShell script across endpoints to identify compromised hosts.
- Isolate Victims: Isolate any devices with confirmed hits on MeshCentral hashes or Potemkin URLs.
24h-48h
- Credential Reset: Force a password reset for accounts used on compromised developer machines (Shai-Hulud) and education sector admin accounts (UNC6240).
- Investigate Oracle PeopleSoft: If in the Education sector, scan logs for exploitation of CVE-2026-35273 (May 27 - June 9 timeframe).
- NPM Audit: Audit build pipelines for the presence of the typosquatted packages (
chalk-tempalte,@deadcode09284814/axios-util, etc.).
1 Week+
- Patch Management: Apply the Oracle patch for CVE-2026-35273 immediately upon release.
- Software Restriction: Implement application control policies (AppLocker) to block
mshta.exefrom executing HTA files from the internet. - Supply Chain Security: Integrate Software Composition Analysis (SCA) tools into the CI/CD pipeline to detect typosquatting and malicious packages automatically.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwareshai-huludshinyhunterspotemkin-loaderclickfixsupply-chain-attack
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.