
Shai-Hulud Supply Chain Attack, Cloud Atlas APT Recon, and The Gentlemen RaaS Evasion: OTX Pulse Analysis

Security Arsenal Team
June 21, 2026
6 min read

Excerpt: Critical threats: Shai-Hulud npm worm, Cloud Atlas phishing new payloads, and The Gentlemen ransomware clearing logs.

Threat Summary

Recent OTX pulses reveal a multifaceted threat landscape converging on supply chain compromise, persistent espionage, and aggressive ransomware operations. Intelligence indicates a Shai-Hulud copycat worm has infiltrated the npm ecosystem, specifically targeting developers with malicious packages (chalk-tempalte, axois-utils) designed for credential theft and DDoS capabilities. Concurrently, the Cloud Atlas (Inception Framework) APT group has intensified operations against Russian and Belarusian government entities, utilizing phishing archives delivering LNK payloads to deploy new tools like PowerCloud and PowerShower for data exfiltration and reconnaissance. Simultaneously, The Gentlemen RaaS operation has been observed deploying defense evasion techniques—specifically the clearing of Windows Event Logs and disabling Defender—to facilitate ransomware deployment linked to the Qilin family. Collectively, these campaigns highlight a trend toward obfuscation, supply chain exploitation, and anti-forensics.

Threat Actor / Malware Profile

Shai-Hulud Copycat (Supply Chain)

  • Distribution Method: Typosquatting and dependency confusion on the npm registry. Packages include chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils.
  • Payload Behavior: Functions as an infostealer and cryptocurrency thief. It also exhibits DDoS-botnet capabilities, turning compromised development environments into attack nodes.
  • C2 Communication: Establishes connections to C2 infrastructure using suspicious hostnames ending in .lhr.life.
  • Persistence: Injects itself into the development build lifecycle; relies on developers executing the compromised package scripts.
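As an added example (not part of the original pulse analysis), the following Python script applies the typosquatting point above to a package.json: it flags the package names reported in the pulse and, more generally, any dependency within one edit (insertion, deletion, substitution, or an adjacent-character swap such as "axois" for "axios") of a reference list of well-known packages. POPULAR_PACKAGES and SAMPLE_PACKAGE_JSON are constructed for illustration; a real deployment would use the organisation's allowlist or registry download counts. Note that color-style-utils is not a character-level near miss and is caught only by the known-bad list, which is why both mechanisms are needed.

```python
"""Flag npm dependencies whose names look like typosquats of well-known packages.

Added example; not code from the original post or from any project it cites.
POPULAR_PACKAGES is a constructed reference list, KNOWN_BAD holds the names
reported in the OTX pulse, and SAMPLE_PACKAGE_JSON is a constructed manifest.
"""
import json

POPULAR_PACKAGES = {"chalk", "chalk-template", "axios", "color", "colors",
                    "lodash", "express", "react"}

KNOWN_BAD = {"chalk-tempalte", "axois-utils", "color-style-utils",
             "@deadcode09284814/axios-util"}


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution and
    transposition of adjacent characters each cost 1 (so 'axois' -> 'axios' is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def strip_scope(name):
    """'@scope/pkg' -> 'pkg'; unscoped names are returned unchanged."""
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name


def assess_dependency(name, max_distance=1):
    """Return (verdict, reason); verdict is 'known_bad', 'suspicious' or 'ok'."""
    if name in KNOWN_BAD:
        return "known_bad", "name listed in the OTX pulse"
    if name in POPULAR_PACKAGES:
        return "ok", "exact match to a known package"
    base = strip_scope(name)
    # Whole-name near miss, e.g. chalk-templte vs chalk-template
    for popular in sorted(POPULAR_PACKAGES):
        if 0 < osa_distance(base, popular) <= max_distance:
            return "suspicious", f"within {max_distance} edit(s) of '{popular}'"
    # Per-token near miss, e.g. the 'axois' in axois-utils vs axios
    for token in base.split("-"):
        if len(token) < 4:  # short tokens produce too many accidental hits
            continue
        for popular in sorted(POPULAR_PACKAGES):
            if 0 < osa_distance(token, popular) <= max_distance:
                return "suspicious", f"token '{token}' is within {max_distance} edit(s) of '{popular}'"
    return "ok", "no close match to the reference list"


def scan_package_json(text):
    """Assess every dependency in a package.json document: {name: (verdict, reason)}."""
    manifest = json.loads(text)
    results = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            results[name] = assess_dependency(name)
    return results


# Constructed manifest mixing legitimate, pulse-listed and near-miss names
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "chalk": "^5.3.0",
    "chalk-tempalte": "1.0.0",
    "lodash-es": "^4.17.21",
    "@deadcode09284814/axios-util": "0.1.2"
  },
  "devDependencies": {
    "expres": "4.0.0"
  }
}"""

if __name__ == "__main__":
    for dep, (verdict, reason) in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{verdict:10} {dep:32} {reason}")
```

Run it against a repository's package.json in CI and fail the build on any known_bad result; suspicious results are review items, since legitimate pairs such as color and colors both exist and must both be on the reference list to avoid a false positive.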

Cloud Atlas / Inception Framework (APT)

  • Distribution Method: Spear-phishing emails containing malicious ZIP archives. Archives contain LNK shortcuts that trigger the payload execution chain.
  • Payload Behavior: A diverse toolset including VBCloud (file theft), PowerShower (network recon), PowerCloud (exfiltration), and NetSupport RAT. The use of ReverseSocks and PhantomHeart suggests a move toward stealthier lateral movement.
  • Persistence: Utilizes scheduled tasks and service creation; heavily relies on LNK hijacking for initial access.
  • Anti-Analysis: Employs obfuscated PowerShell and custom backdoors to evade standard EDR signatures.

The Gentlemen (RaaS)

  • Distribution Method: Likely initial access via vulnerable services (CVE-2024-55591 referenced) or credential stuffing, followed by manual deployment.
  • Payload Behavior: Ransomware linked to Qilin family. Aggressive post-compromise activity includes disabling Microsoft Defender and establishing SOCKS proxies for lateral movement.
  • Persistence: Uses Scheduled Tasks to maintain access and execute ransomware binaries.
  • Anti-Analysis: Notable for Defense Evasion via the systematic clearing of Security, System, and Application Event Logs using PowerShell and wevtutil to destroy forensic evidence.

IOC Analysis

The provided indicators span multiple categories, requiring a layered defensive approach:

  • Network Hostnames & Domains: Indicators such as 87e0bbc636999b.lhr.life (Shai-Hulud) and allgoodsdirect.com.au (Cloud Atlas) should be blocked at the DNS layer and firewalls. SOC teams should retrospectively query proxy logs for any connections to these domains.
  • File Hashes: Both MD5 (Cloud Atlas) and SHA256 (The Gentlemen) hashes are provided. These must be ingested into EDR solutions for immediate isolation of endpoints hosting these files.
  • CVEs: CVE-2024-55591 (The Gentlemen), CVE-2025-55182, and CVE-2025-68670 (Cloud Atlas) highlight specific vulnerabilities exploited for initial access or privilege escalation. Patching these is critical.
  • Operationalization: SOC teams should use SIEM correlation rules to match process execution of node.exe with the listed hostnames, and alert on wevtutil execution patterns seen in The Gentlemen incidents.

Detection Engineering

Sigma detection rules (YAML)
---
title: Potential Shai-Hulud NPM Malicious Package Installation
id: 91bca2d6-0a1f-4b2c-8e1d-3f5a6b7c8d9e
description: Detects installation of the typosquatted npm packages associated with the Shai-Hulud copycat worm. On Windows, npm.cmd is a wrapper that launches node.exe with npm-cli.js, so process telemetry shows cmd.exe or node.exe rather than an npm.cmd image; the rule therefore keys on the command line.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000000
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\node.exe'
            - '\cmd.exe'
    selection_pm:
        CommandLine|contains:
            - 'npm'
            - 'npx'
            - 'yarn'
            - 'pnpm'
    selection_pkg:
        CommandLine|contains:
            - 'chalk-tempalte'
            - 'axois-utils'
            - 'color-style-utils'
            - '@deadcode09284814/axios-util'
    condition: all of selection_*
falsepositives:
    - Legitimate development work (unlikely given the specific typosquatted names)
level: critical
tags:
    - attack.initial_access
    - attack.t1195.002
    - shai.hulud
title: The Gentlemen Ransomware Defense Evasion - Event Log Clearing
id: a2e3b4c5-6d7e-8f9a-0b1c-2d3e4f5a6b7c
description: Detects clearing of the Security, System or Application event logs via wevtutil or PowerShell, a TTP observed in The Gentlemen ransomware incidents to hinder forensic analysis. The clearing verb and the log name are matched together so that unrelated command lines (for example any path under System32) do not trigger the rule.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000002
logsource:
    category: process_creation
    product: windows
detection:
    selection_wevtutil:
        Image|endswith: '\wevtutil.exe'
        CommandLine|contains:
            - ' cl Security'
            - ' cl System'
            - ' cl Application'
            - ' clear-log Security'
            - ' clear-log System'
            - ' clear-log Application'
    selection_ps_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_ps_cmdlet:
        CommandLine|contains:
            - 'Clear-EventLog'
            - 'Remove-EventLog'
    selection_ps_logs:
        CommandLine|contains:
            - 'Security'
            - 'System'
            - 'Application'
    condition: selection_wevtutil or all of selection_ps_*
falsepositives:
    - Administrative log management scripts
level: high
tags:
    - attack.defense_evasion
    - attack.t1070.001
    - the.gentlemen
---
title: Cloud Atlas Suspicious LNK Execution from Archive
id: b3c4d5e6-7f8a-9b0c-1d2e-3f4a5b6c7d8e
description: Detects scripting hosts and LOLBins spawned by explorer.exe from a temporary archive-extraction directory, which is how an LNK opened from a ZIP or RAR attachment appears in process telemetry. explorer.exe resolves the shortcut and launches its target, so the .lnk path itself rarely appears on the child command line; the child image and its working directory are the reliable signal. This is a common vector for Cloud Atlas phishing campaigns delivering VBCloud and PowerShower.
status: experimental
date: 2026/06/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/660000000001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\explorer.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
    selection_archive:
        - CurrentDirectory|contains:
            - '\AppData\Local\Temp\'
            - '\Temp\Rar$'
            - '\Temp\7z'
        - CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\Temp\Rar$'
            - '\Temp\7z'
    condition: all of selection_*
falsepositives:
    - Users legitimately running scripts from archives extracted to Temp
level: medium
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1204.002
    - cloud.atlas
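The event-log-clearing rule above requires the clearing verb and the log name to appear together rather than anywhere on the command line. The following added Python example (not code from the original post) runs both that logic and a naive "any verb substring plus any log-name substring" match over constructed process-creation events, showing why the naive form fires on an unrelated Get-Acl command whose path contains System32. Field names follow Sysmon/Sigma conventions; the events are constructed.

```python
"""Precise versus naive event-log-clearing detection over sample process events.

Added example; not code from the original post. SAMPLE_EVENTS are constructed.
"""
import re

LOG_NAMES = r"(security|system|application)"

# wevtutil cl <log> or wevtutil clear-log <log>, log name optionally quoted
WEVTUTIL_CLEAR = re.compile(
    r"\b(?:cl|clear-log)\s+[\"']?" + LOG_NAMES + r"\b", re.IGNORECASE)
# Clear-EventLog / Remove-EventLog with -LogName or a positional log name
POWERSHELL_CLEAR = re.compile(
    r"(?:clear|remove)-eventlog\s+(?:-logname\s+)?[\"']?" + LOG_NAMES + r"\b",
    re.IGNORECASE)


def image_name(event):
    """Basename of the Image field, lower-cased (accepts either slash style)."""
    return re.split(r"[\\/]", event["Image"])[-1].lower()


def naive_match(event):
    """Substring logic: a clearing token AND a log name anywhere on the command line."""
    if image_name(event) not in {"wevtutil.exe", "powershell.exe"}:
        return False
    cmd = event["CommandLine"]
    has_verb = any(tok in cmd for tok in ("cl ", "Clear-EventLog", "Remove-EventLog"))
    has_log = any(log in cmd for log in ("Security", "System", "Application"))
    return has_verb and has_log


def detect_log_clearing(event):
    """Return the log being cleared ('Security', 'System', 'Application') or None.
    The verb and the log name must be adjacent, as in the Sigma rule."""
    image = image_name(event)
    cmd = event["CommandLine"]
    if image == "wevtutil.exe":
        match = WEVTUTIL_CLEAR.search(cmd)
    elif image in {"powershell.exe", "pwsh.exe"}:
        match = POWERSHELL_CLEAR.search(cmd)
    else:
        return None
    return match.group(1).capitalize() if match else None


# Constructed process-creation events (Sysmon Event ID 1 style fields)
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
    {"id": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -Command "Clear-EventLog -LogName System"'},
    {"id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -Command "Get-Acl C:\Windows\System32\drivers"'},
    {"id": 4, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Application /c:5"},
]


def evaluate(events):
    """[(event id, naive verdict, precise verdict)] for each event."""
    return [(e["id"], naive_match(e), detect_log_clearing(e)) for e in events]


if __name__ == "__main__":
    for event_id, naive, precise in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: naive={naive} precise={precise}")
```

Event 3 is the false positive the rule's structure avoids: "Get-Acl " contains the substring "cl " and the path contains "System", so the naive match fires, while the precise check returns None because no clearing cmdlet is present. Event 4 (a query, not a clear) is correctly ignored by both.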


KQL hunting query (Microsoft Defender DeviceNetworkEvents)
// Hunt for Cloud Atlas C2 domains and Shai-Hulud C2 hostnames over the last 7 days
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (
    "lhr.life",
    "allgoodsdirect.com.au",
    "istochnik.org",
    "onedrivesupport.net"
)
// Categorise on the full "lhr.life" suffix rather than the bare substring "lhr",
// which would also match unrelated hostnames
| extend IOCCategory = iff(RemoteUrl has "lhr.life", "Shai-Hulud", "Cloud_Atlas")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, IOCCategory
| order by Timestamp desc


PowerShell hunt script
# Hunt Script: The Gentlemen Persistence & Shai-Hulud Artifacts
# Checks for Scheduled Tasks used by The Gentlemen and NPM package paths

Write-Host "[*] Checking for The Gentlemen Scheduled Tasks..."
# Lists every task whose action runs PowerShell or cmd; review Execute/Arguments by hand.
# Do not exclude the \Microsoft\ task path: attacker-created tasks are often placed there to blend in.
Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -like "*powershell*") -or ($_.Actions.Execute -like "*cmd*")
} | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            TaskName  = $task.TaskName
            TaskPath  = $task.TaskPath
            State     = $task.State
            Execute   = $action.Execute
            Arguments = $action.Arguments
        }
    }
} | Format-Table -AutoSize

Write-Host "[*] Checking for Shai-Hulud NPM package artifacts..."
# Global install locations; project-local node_modules directories should be searched separately.
$paths = @(
    "$env:APPDATA\npm\node_modules\chalk-tempalte",
    "$env:APPDATA\npm\node_modules\axois-utils",
    "$env:APPDATA\npm\node_modules\color-style-utils",
    "$env:USERPROFILE\node_modules\@deadcode09284814\axios-util"
)

foreach ($path in $paths) {
    if (Test-Path $path) {
        Write-Host "[!] FOUND: $path" -ForegroundColor Red
        Get-ChildItem -Path $path -Recurse -Force | Select-Object FullName, Length, LastWriteTime
    }
}

Write-Host "[*] Checking for Cloud Atlas related file hashes (MD5)..."
$known_hashes = @("0320dd389fdbab25d46792bd2817675e", "0577db70844e88b32b954906e2f20798")
$drives = Get-PSDrive -PSProvider FileSystem

foreach ($drive in $drives) {
    # FileInfo objects carry no hash property, so each file must be hashed with Get-FileHash.
    # Hashing every file on every drive is slow; narrow -Path to user profiles or Temp on large hosts.
    Get-ChildItem -Path $drive.Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($known_hashes -contains $hash.ToLower())) {
                Write-Host "[!] HASH MATCH: $($_.FullName)" -ForegroundColor Red
                $_ | Select-Object FullName, Length, LastWriteTime
            }
        }
}

Response Priorities

  • Immediate: Block all identified IOCs (*.lhr.life, allgoodsdirect.com.au, istochnik.org, onedrivesupport.net) at perimeter firewalls and proxies. Scan endpoints for the listed MD5 and SHA256 hashes. Investigate any wevtutil processes attempting to clear event logs immediately.
  • 24h: If Shai-Hulud indicators are found, initiate identity verification for developers, as this malware steals credentials. Review npm package usage logs for any installs of the typosquatted packages.
  • 1 week: Patch CVE-2024-55591 (The Gentlemen) and the Cloud Atlas associated CVEs (CVE-2025-55182, CVE-2025-68670). Harden the build pipeline to verify npm package integrity (e.g., using package-lock.json integrity checks) to prevent supply chain re-infection.
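For the package integrity step, the following is an added Python example (not npm's own code and not from the original post) that verifies each package-lock.json entry's integrity field (a Subresource Integrity string, "sha512-<base64 digest>") against the raw tarball bytes, rejecting missing or weak (sha1) values as well as digest mismatches. npm performs this comparison during install; a stand-alone check lets a pipeline audit a lockfile against an internal mirror before anything is installed. The tarballs, the lockfile and the registry URLs (registry.example.test) are all constructed in memory.

```python
"""Verify package-lock.json integrity (SRI) fields against tarball contents.

Added example; not code from the original post or from npm. All tarballs, URLs
and the lockfile below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import io
import json
import tarfile

STRONG_ALGORITHMS = {"sha256", "sha384", "sha512"}


def compute_sri(data, algorithm="sha512"):
    """SRI string '<algo>-<base64 digest>' over the raw .tgz bytes, as npm records it."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_sri(value):
    """Split 'sha512-...' into (algorithm, base64 digest); takes the first of a space-separated list."""
    algo, _, b64 = value.split()[0].partition("-")
    return algo.lower(), b64


def verify_tarball(lock_entry, tarball_bytes):
    """Return (ok, reason) for one lockfile 'packages' entry against tarball bytes."""
    integrity = lock_entry.get("integrity")
    if not integrity:
        return False, "lock entry has no integrity field (cannot be verified)"
    algo, expected = parse_sri(integrity)
    if algo not in STRONG_ALGORITHMS:
        return False, f"weak or unknown SRI algorithm '{algo}'"
    actual = compute_sri(tarball_bytes, algo).split("-", 1)[1]
    if not hmac.compare_digest(actual, expected):
        return False, f"{algo} digest mismatch: tarball does not match lockfile"
    return True, f"{algo} digest verified"


def verify_lockfile(lock_json, fetched):
    """fetched maps each entry's 'resolved' URL to tarball bytes (stand-in for the registry)."""
    lock = json.loads(lock_json)
    report = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # "" is the root project itself, not a dependency
        url = entry.get("resolved")
        if url not in fetched:
            report[path] = (False, "tarball not available for verification")
        else:
            report[path] = verify_tarball(entry, fetched[url])
    return report


def make_tarball(files):
    """Build an npm-style .tgz in memory (package contents live under 'package/')."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, content in files.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=f"package/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


REGISTRY = "https://registry.example.test"  # constructed, nothing is fetched
GOOD_TARBALL = make_tarball({"index.js": "module.exports = 1;"})
ORIGINAL_OTHER = make_tarball({"index.js": "module.exports = 2;"})
# Same package name, but the artefact now served differs from what the lock recorded
TAMPERED_OTHER = make_tarball({"index.js": "module.exports = 2;", "postinstall.js": "/* added later */"})
LEGACY_TARBALL = make_tarball({"index.js": ""})

LOCKFILE = json.dumps({"name": "example-app", "lockfileVersion": 3, "packages": {
    "": {"name": "example-app"},
    "node_modules/good-lib": {"version": "1.0.0", "resolved": f"{REGISTRY}/good-lib/-/good-lib-1.0.0.tgz",
                              "integrity": compute_sri(GOOD_TARBALL)},
    "node_modules/other-lib": {"version": "2.0.0", "resolved": f"{REGISTRY}/other-lib/-/other-lib-2.0.0.tgz",
                               "integrity": compute_sri(ORIGINAL_OTHER)},
    "node_modules/legacy-lib": {"version": "0.1.0", "resolved": f"{REGISTRY}/legacy-lib/-/legacy-lib-0.1.0.tgz",
                                "integrity": compute_sri(LEGACY_TARBALL, "sha1")},
    "node_modules/no-integrity": {"version": "0.0.1", "resolved": f"{REGISTRY}/no-integrity/-/no-integrity-0.0.1.tgz"},
}})

FETCHED = {
    f"{REGISTRY}/good-lib/-/good-lib-1.0.0.tgz": GOOD_TARBALL,
    f"{REGISTRY}/other-lib/-/other-lib-2.0.0.tgz": TAMPERED_OTHER,
    f"{REGISTRY}/legacy-lib/-/legacy-lib-0.1.0.tgz": LEGACY_TARBALL,
    f"{REGISTRY}/no-integrity/-/no-integrity-0.0.1.tgz": make_tarball({"index.js": ""}),
}

if __name__ == "__main__":
    for path, (ok, reason) in verify_lockfile(LOCKFILE, FETCHED).items():
        print(f"{'OK  ' if ok else 'FAIL'} {path}: {reason}")
```

Only good-lib passes. other-lib fails because the served tarball no longer matches the digest recorded when the lock was written, legacy-lib fails because sha1 is not an acceptable SRI algorithm, and no-integrity fails because there is nothing to verify against; a pipeline should treat all three as blocking until a maintainer has re-resolved the entry.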
