
StrikeShark Campaign & macOS.Gaslight Backdoor: OTX Pulse Analysis — Multi-Vector Threat Briefing

Security Arsenal Team
June 24, 2026
5 min read

Threat Summary

Recent OTX pulses describe a cluster of high-sophistication activity against government, technology, and software development organisations. Three threats stand out: the StrikeShark campaign, which exploits unpatched internet-facing applications (Microsoft Exchange, SharePoint, Openfire) to deliver a custom SharkLoader and a Cobalt Strike Beacon; macOS.Gaslight, a DPRK-aligned Rust-based backdoor that uses the Telegram Bot API for C2 and carries a prompt-injection payload aimed at LLM-assisted malware analysis; and a typosquatting attack on the npm ecosystem that delivers a Windows RAT through a package masquerading as postcss-selector-parser. Although they are separate campaigns, they share a pattern: initial access by exploitation or supply-chain compromise, followed by credential theft, lateral movement, and a persistent C2 channel.

Threat Actor / Malware Profile

StrikeShark Campaign

  • Malware Families: SharkLoader, Cobalt Strike Beacon, FScan, Searchall, Pillager, SharpGPOAbuse.
  • Distribution: Exploitation of internet-facing services (Exchange, SharePoint, Openfire). The pulse lists CVE-2021-26855 (Exchange ProxyLogon) and CVE-2021-36260 among others; CVE-2021-36260 is a command-injection flaw in Hikvision network devices, so do not scope scanning and patching to the three applications alone. Malicious software droppers are also used.
  • Behavior: SharkLoader acts as a dropper for Cobalt Strike Beacon. The chain continues with network scanning (FScan), credential and data collection (Searchall, Pillager), and lateral movement via GPO abuse (SharpGPOAbuse).
  • Persistence: Cobalt Strike Beacon registered as a service, plus GPO modifications made with SharpGPOAbuse.

macOS.Gaslight (DPRK-aligned)

  • Malware Families: macOS.Gaslight, BONZAI, AIRPIPE.
  • Distribution: Initial vector not identified in the pulse; social engineering is the likely route.
  • Behavior: Rust-based backdoor carrying a 3.5KB prompt-injection payload of fabricated "system messages" intended to derail LLM-assisted malware analysis. Any pipeline that feeds extracted strings to a model should treat them as untrusted data, not instructions.
  • C2 Communication: Telegram Bot API with AES-GCM encrypted payloads over certificate-pinned TLS, plus self-redaction to hide bot tokens in memory and on disk. Pinning means a TLS-inspecting proxy cannot read the traffic, and the legitimate destination defeats reputation blocking, so detection has to come from endpoint telemetry (which process opened the connection) rather than payload inspection.

PostCSS Masquerading (Supply Chain)

  • Malware Families: Windows RAT (Python, compiled with Nuitka).
  • Distribution: Typosquatting of the legitimate postcss-selector-parser npm package (malicious package published under the npm account 'abdrizak').
  • Behavior: Encoded JavaScript in the package drops PowerShell scripts that download a multi-stage RAT. The RAT focuses on credential theft and establishing persistence on developer workstations.

IOC Analysis

The provided indicators span multiple categories requiring different operational responses:

  • CVE Identifiers (StrikeShark): Multiple CVEs (e.g., CVE-2021-26855, CVE-2021-36260) are listed. SOC teams must prioritise vulnerability scanning for these specific CVEs on internet-facing assets, including non-Windows appliances, since CVE-2021-36260 affects Hikvision devices rather than Exchange, SharePoint or Openfire.
  • Domain (StrikeShark): connect-microsoft.com is a C2 or phishing domain. Block it and its subdomains on DNS resolvers, proxies and firewalls, and search DNS and proxy logs for historical resolutions, not just new ones.
  • File Hashes (Gaslight & PostCSS RAT): A significant list of SHA1, SHA256, and MD5 hashes is provided. Load them into EDR for scanning and retro-hunts, but remember that an exact hash misses a recompiled stage, so pair them with the behavioural rules below.
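How the domain indicators should be matched in practice, as an added example rather than anything from the pulse or this page: an IOC hit is the exact host or a subdomain of it, never a substring (so connect-microsoft.com.example.org and notconnect-microsoft.com are misses), and api.telegram.org is only suppressed when the initiating process is one of the browsers the Sigma rule below excludes. The JSON record format, every record, and the process names (including update_helper) are constructed for the example; none are Gaslight or StrikeShark artefacts.

```python
"""Triage EDR-style connection records against the domain IOCs from the pulse.
Constructed example: the record format is a generic JSON line, not a vendor schema."""
import json

# Domain IOCs from the pulse and what a hit means.
IOC_DOMAINS = {
    "connect-microsoft.com": "StrikeShark C2/phishing domain",
    "api.telegram.org": "Telegram Bot API (macOS.Gaslight C2 channel)",
}
# Assumption: the same browser exclusions the Sigma rule uses. Applied only to the
# Telegram host, which browsers legitimately reach and the Rust backdoor does not run inside.
BROWSER_PROCESSES = {"safari", "google chrome", "firefox"}
SHARED_SERVICE_HOSTS = {"api.telegram.org"}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing root dot and a :port so comparisons are stable (hostnames only)."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def host_matches(host: str, ioc: str) -> bool:
    """True for the IOC itself or any subdomain of it; lookalike suffixes and prefixes do not match."""
    host = normalize_host(host)
    return host == ioc or host.endswith("." + ioc)


def match_ioc(host: str):
    """Return the IOC a host falls under, or None."""
    for ioc in IOC_DOMAINS:
        if host_matches(host, ioc):
            return ioc
    return None


def triage(records):
    """records: iterable of JSON lines with ts, device, user, process, host.
    Returns the hits, each annotated with the matched IOC and its label."""
    hits = []
    for line in records:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ioc = match_ioc(rec.get("host", ""))
        if ioc is None:
            continue
        proc = rec.get("process", "").lower()
        if ioc in SHARED_SERVICE_HOSTS and proc in BROWSER_PROCESSES:
            continue  # browser traffic to the Bot API is noise, not a Gaslight signal
        hits.append({**rec, "ioc": ioc, "label": IOC_DOMAINS[ioc]})
    return hits


# Constructed sample telemetry (not real data); process names are placeholders.
SAMPLE_RECORDS = """
{"ts": "2026-06-24T09:01:02Z", "device": "ws-dev-17", "user": "jdoe", "process": "powershell.exe", "host": "connect-microsoft.com"}
{"ts": "2026-06-24T09:01:05Z", "device": "ws-dev-17", "user": "jdoe", "process": "powershell.exe", "host": "CDN.Connect-Microsoft.com."}
{"ts": "2026-06-24T09:02:11Z", "device": "ws-fin-03", "user": "asmith", "process": "msedge.exe", "host": "connect-microsoft.com.example.org"}
{"ts": "2026-06-24T09:03:40Z", "device": "mbp-eng-08", "user": "kim", "process": "Safari", "host": "api.telegram.org"}
{"ts": "2026-06-24T09:05:00Z", "device": "mbp-eng-08", "user": "kim", "process": "update_helper", "host": "api.telegram.org:443"}
{"ts": "2026-06-24T09:06:00Z", "device": "ws-fin-03", "user": "asmith", "process": "chrome.exe", "host": "notconnect-microsoft.com"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(f"{hit['ts']} {hit['device']} {hit['process']} -> {hit['host']}: {hit['label']}")
```

On the sample, three records survive: the two PowerShell connections (the second despite mixed case, a subdomain and a trailing dot) and the non-browser process reaching the Bot API on port 443; the lookalike suffix, the prefix lookalike and the Safari connection are dropped.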

Detection Engineering

Sigma Rules

YAML
title: SharpGPOAbuse Execution - StrikeShark Lateral Movement
date: 2026/06/24
author: Security Arsenal
description: Detects execution of SharpGPOAbuse, a tool observed in the StrikeShark campaign for lateral movement and persistence via Group Policy. Matches the binary name, its original file name (which survives renaming) and its distinctive command-line switches.
status: experimental
references:
    - https://otx.alienvault.com/pulse/67567a2e82f864855f585821
tags:
    - attack.privilege_escalation
    - attack.t1484.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        - Image|endswith: '\SharpGPOAbuse.exe'
        - OriginalFileName: 'SharpGPOAbuse.exe'
    selection_cli:
        CommandLine|contains:
            - '--GPOName'
            - '--AddComputerTask'
            - '--AddUserTask'
            - '--AddLocalAdmin'
            - '--AddComputerScript'
            - '--AddUserScript'
    condition: 1 of selection_*
falsepositives:
    - Authorized administrative activity (red-team exercises, GPO tooling)
level: high

---

title: macOS Telegram Bot API Connection - Gaslight C2
date: 2026/06/24
author: Security Arsenal
description: Detects non-browser processes connecting to the Telegram Bot API host (api.telegram.org), which macOS.Gaslight uses as its C2 channel. The backdoor pins the TLS certificate, so a TLS-inspecting proxy never sees the traffic; this rule depends on endpoint telemetry that records the initiating process.
status: experimental
references:
    - https://otx.alienvault.com/pulse/67567a2e82f864855f585821
tags:
    - attack.command_and_control
    - attack.t1102.002
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        DestinationHostname: 'api.telegram.org'
    filter_legit_browsers:
        Image|contains:
            - '/Safari.app/'
            - '/Google Chrome.app/'
            - '/Firefox.app/'
    condition: selection and not filter_legit_browsers
falsepositives:
    - Developer tooling and automation that legitimately call the Bot API (the Telegram desktop and mobile clients speak MTProto to other hosts, not to api.telegram.org)
level: high

---

title: PostCSS RAT Known Hash Execution
date: 2026/06/23
author: Security Arsenal
description: Detects process creation where the launched image matches one of the MD5 hashes associated with the PostCSS typosquatting RAT. In process_creation events the Hashes field describes the image being started, so this fires when a dropped RAT binary runs, not when PowerShell downloads it. An exact hash misses a rebuilt stage; pair it with PowerShell script block logging on developer workstations.
status: experimental
references:
    - https://otx.alienvault.com/pulse/67567a2e82f864855f585821
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'MD5=208166120775a11cb6680139ea0f3372'
            - 'MD5=4c1bdb2b045debf5b25e5be540ef99f0'
            - 'MD5=c2875e2f45e5f1dfa04463de53b3fa5a'
            - 'MD5=c5207f87b9103634b4db6f120eb6172a'
            - 'MD5=f189c338a5f2bc3cce06cee37c0b7522'
    condition: selection
falsepositives:
    - Unlikely; a match means a known-bad binary executed
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for StrikeShark C2 Domain, PostCSS/Gaslight Hashes and StrikeShark tooling.
// Run each numbered hunt as its own query: Kusto accepts one tabular expression
// per query, so the three are not chained with ';'.

// 1. Network connections to known C2. Exact host or subdomain, not substring:
//    'has' on a dotted name tokenises unpredictably, and RemoteUrl may be a bare
//    host or a full URL, so the host is extracted first.
let c2_hosts = dynamic(["connect-microsoft.com", "api.telegram.org"]);
DeviceNetworkEvents
| extend Host = tolower(extract(@"(?i)^(?:[a-z]+://)?([^/:]+)", 1, RemoteUrl))
| where Host in (c2_hosts) or Host endswith ".connect-microsoft.com"
// Browsers reaching the Bot API are noise; Gaslight is a standalone binary.
// Adjust the process names to what your tenant records for macOS browsers.
| where not(Host == "api.telegram.org" and InitiatingProcessFileName in~ ("Safari", "Google Chrome", "firefox"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, Host, RemoteUrl, RemoteIP

// 2. File hash hunt for the PostCSS RAT and Gaslight, over file writes and process launches.
let bad_sha1 = dynamic(["5555494492fc075f441637fb9d894913dde3a2ea", "2890d90edfc08fb4cfafe0d5fa2a9fb6800dedf5", "71c6cd37ddc0e5899174c72eefee8b224fd1f4bb"]);
let bad_md5 = dynamic(["208166120775a11cb6680139ea0f3372", "4c1bdb2b045debf5b25e5be540ef99f0"]);
union withsource=SourceTable DeviceFileEvents, DeviceProcessEvents
| where SHA1 in~ (bad_sha1) or MD5 in~ (bad_md5)
| project Timestamp, SourceTable, DeviceName, FolderPath, FileName, SHA1, MD5, InitiatingProcessAccountName

// 3. StrikeShark tooling: the original file name survives renaming, and the
//    SharpGPOAbuse switches catch a renamed build with no version info.
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName in~ ("fscan.exe", "SharpGPOAbuse.exe")
    or FileName has_any ("SharkLoader", "fscan", "SharpGPOAbuse")
    or ProcessCommandLine has_any ("--GPOName", "--AddComputerTask", "--AddUserTask", "--AddLocalAdmin")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for StrikeShark and PostCSS RAT indicators.
.DESCRIPTION
    Scans the file system for the MD5 hashes associated with the PostCSS RAT
    and checks the DNS client cache for the StrikeShark domain (apex or any
    subdomain). Hash matching is exact, so a rebuilt stage evades it: treat a
    miss as "not found", not as "clean".
.NOTES
    Run elevated so that other users' profiles and temp directories are readable.
#>

# Hashes from PostCSS Pulse. Get-FileHash returns upper-case hex, so compare case-insensitively.
$TargetMD5s = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@(
        "208166120775a11cb6680139ea0f3372",
        "4c1bdb2b045debf5b25e5be540ef99f0",
        "c2875e2f45e5f1dfa04463de53b3fa5a",
        "c5207f87b9103634b4db6f120eb6172a",
        "f189c338a5f2bc3cce06cee37c0b7522"
    ),
    [System.StringComparer]::OrdinalIgnoreCase
)

# StrikeShark Domain
$MaliciousDomain = "connect-microsoft.com"

# Full-disk sweep by default; narrow to user profiles, %TEMP% and ProgramData for a quick pass.
$SearchRoots = @("C:\")

Write-Host "[+] Hunting for PostCSS RAT File Hashes..." -ForegroundColor Cyan
# -File skips directories (Get-FileHash fails on them); -Force includes hidden and system files.
Get-ChildItem -Path $SearchRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $TargetMD5s.Contains($hash)) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (MD5: $hash)" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking DNS Cache for $MaliciousDomain..." -ForegroundColor Cyan
# One row per cached record; match the apex and any subdomain rather than an exact entry only.
$Hits = Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -eq $MaliciousDomain -or $_.Entry -like "*.$MaliciousDomain" }
if ($Hits) {
    foreach ($Hit in $Hits) {
        Write-Host "[!] MALICIOUS DOMAIN RESOLUTION FOUND IN DNS CACHE: $($Hit.Entry) -> $($Hit.Data)" -ForegroundColor Red
    }
}
else {
    Write-Host "[-] No malicious domain entries found in DNS cache." -ForegroundColor Green
}

Response Priorities

  • Immediate: Block connect-microsoft.com (and its subdomains) and all other IOCs at the perimeter, and identify any host that has already resolved it. Start a hunt for the PostCSS RAT MD5 hashes on all developer workstations and build servers.
  • 24 Hours: Review active sessions and tokens for accounts that were logged on to machines with IOC hits. Because both the Cobalt Strike tooling and the RAT steal credentials, treat those credentials as compromised: reset passwords, revoke refresh tokens, and rotate any registry or CI tokens stored on affected developer workstations.
  • 1 Week: Review the npm packages used in software development pipelines for typosquats, and pin dependencies in lockfiles. Patch internet-facing Exchange, SharePoint, and Openfire servers (and any other products covered by the CVEs in the StrikeShark pulse). PowerShell execution policy is not a security boundary (a dropper simply passes -ExecutionPolicy Bypass); where possible enforce Constrained Language Mode or application control (AppLocker/WDAC) and enable script block logging so the dropper's PowerShell stage is visible.
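A concrete form of the lockfile review above, and of the typosquatting behaviour described under PostCSS Masquerading, as an added example that is not code from the pulse or this page: it walks a package-lock.json (lockfile versions 1 and 2/3), flags dependency names within two edits of a package the project is known to use, and flags anything resolved from outside the expected registry. The lockfile, the known-good list and the near-miss name postcss-selector-parserr are constructed for the example; the page does not name the malicious package, only the legitimate postcss-selector-parser it imitated.

```python
"""Scan an npm package-lock.json for typosquat-like names and off-registry sources.
Constructed example; lockfile structure follows npm's published lockfile formats."""
import json

REGISTRY = "https://registry.npmjs.org/"


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    adjacent transpositions each cost 1, so 'potscss' is 1 edit from 'postcss'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lockfile_packages(lock: dict) -> dict:
    """Map package name -> resolved URL for lockfileVersion 1 (nested 'dependencies')
    and 2/3 ('packages', keyed by install path such as 'node_modules/a/node_modules/@s/b')."""
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # the root project itself, or a workspace symlink
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("resolved", "")

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            found.setdefault(name, meta.get("resolved", ""))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return found


def find_suspects(lock: dict, known_good: set, max_distance: int = 2) -> list:
    """Return (package, reason) pairs that deserve a human look."""
    findings = []
    for name, resolved in sorted(lockfile_packages(lock).items()):
        if resolved and not resolved.startswith(REGISTRY):
            findings.append((name, f"resolved outside the expected registry: {resolved}"))
        if name in known_good:
            continue
        for good in sorted(known_good):
            dist = osa_distance(name, good)
            if dist <= max_distance:
                findings.append((name, f"{dist} edit(s) away from known package '{good}'"))
                break
    return findings


# Constructed lockfile. 'postcss-selector-parserr' is a placeholder near-miss name,
# not the malicious package from the pulse.
SAMPLE_LOCK = json.loads("""{
  "name": "web-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "web-app", "dependencies": {"postcss": "^8.4.31"}},
    "node_modules/postcss": {"version": "8.4.31",
      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz"},
    "node_modules/postcss-selector-parser": {"version": "6.0.13",
      "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.13.tgz"},
    "node_modules/postcss-selector-parserr": {"version": "1.0.2",
      "resolved": "https://registry.npmjs.org/postcss-selector-parserr/-/postcss-selector-parserr-1.0.2.tgz"},
    "node_modules/lodash": {"version": "4.17.21",
      "resolved": "https://mirror.example.invalid/lodash-4.17.21.tgz"},
    "node_modules/postcss/node_modules/nanoid": {"version": "3.3.6",
      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.6.tgz"}
  }
}""")

# Constructed allowlist; in practice derive it from the packages your builds actually depend on.
KNOWN_GOOD = {"postcss", "postcss-selector-parser", "lodash", "nanoid"}

if __name__ == "__main__":
    for pkg, reason in find_suspects(SAMPLE_LOCK, KNOWN_GOOD):
        print(f"[!] {pkg}: {reason}")
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` and an allowlist of your own. Two findings come back on the sample: lodash for its off-registry source and the near-miss name for being one edit from postcss-selector-parser; the transposition rule matters because swapped letters are the most common typosquat pattern and plain Levenshtein would score them as two edits.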
