
Supply Chain & Cloud Worms: Lumma Remus, PCPJack, and PAN-OS Zero-Day Analysis

Security Arsenal Team
May 10, 2026

Excerpt

Active credential theft via malicious NuGet packages, cloud worms, and PAN-OS zero-days. High urgency: Hunt for Lumma Remus and PCPJack now.

Threat Summary

Recent OTX Pulse data indicates a coordinated surge in credential theft and infostealing operations targeting software supply chains and cloud infrastructure. Key developments include the distribution of the Lumma Stealer (Remus variant) via typosquatted NuGet packages impersonating Chinese UI libraries. Simultaneously, the PCPJack cloud worm is actively exploiting exposed cloud environments to harvest credentials and evict the TeamPCP botnet. Additionally, a critical PAN-OS zero-day is being exploited by state-sponsored actors (CL-STA-1132) to achieve RCE, while Operation GriefLure utilizes spear phishing to target critical infrastructure in Vietnam and the Philippines. The collective objective appears to be mass harvesting of browser credentials, cryptocurrency wallets, and cloud access keys.

Threat Actor / Malware Profile

Lumma Stealer (Remus Variant)

  • Distribution: Malicious NuGet packages (e.g., typosquatting .NET libraries), Steam/Telegram dead drops.
  • Payload Behavior: 64-bit infostealer targeting browser credentials, crypto wallets, SSH keys.
  • C2 Communication: Uses "EtherHiding" (storing C2 addresses in blockchain transactions) and specific domain generation algorithms.
  • Persistence: Scheduled tasks or registry run keys established via the initial .NET payload.
  • Anti-Analysis: Application-bound encryption bypass, anti-VM checks, and .NET Reactor obfuscation.

PCPJack Cloud Worm

  • Distribution: Self-propagating worm targeting exposed Docker, Kubernetes, and cloud APIs.
  • Payload Behavior: Harvests credentials from cloud providers (AWS/Azure/GCP), developer tools, and financial apps. Removes TeamPCP artifacts.
  • C2 Communication: Exfiltration via attacker-controlled channels (observed domains include lastpass-login-help.com).
  • Persistence: Container implants and compromised cloud IAM roles.
  • Techniques: Living-off-the-land (LotL) using cloud CLIs and container orchestration tools.

CL-STA-1132 (PAN-OS Exploitation)

  • Distribution: Exploitation of CVE-2023-33538 and other buffer overflows in the PAN-OS User-ID portal.
  • Payload Behavior: Executes arbitrary code with root privileges, deploys tunneling tools (EarthWorm, ReverseSocks5).
  • Objective: Establish covert persistence within network perimeters for lateral movement.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators.

  • Domains & URLs: Multiple C2 domains such as dns-providersa2.com, forestoaker.com, and lastpass-login-help.com are used for payload staging and data exfiltration.
  • File Hashes: SHA256 hashes (e.g., 019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824) correspond to obfuscated .NET payloads and infostealer binaries.
  • CVEs: Critical vulnerabilities including CVE-2025-29927 and CVE-2026-1357 indicate specific exploit vectors for cloud and firewall platforms.
  • Operationalization: SOC teams should immediately block listed domains at the perimeter. File hashes should be ingested into EDR alerting rules. CVE data should be cross-referenced with vulnerability scanners to identify unpatched PAN-OS or cloud instances.

Detection Engineering

YAML
---
title: Potential Malicious NuGet Package Execution
id: 463b2b3c-5d4e-4f8a-9a1b-2c3d4e5f6a7b
description: Detects execution of processes associated with malicious NuGet packages often used to distribute Lumma Stealer and other infostealers.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://otx.alienvault.com/pulse/672e4f3c7d6b8c9a
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\nuget.exe'
            - '\dotnet.exe'
            - '\MSBuild.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    filter_legit:
        CommandLine|contains:
            - 'nuget.exe restore'
            - 'dotnet build'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate developer build processes
level: high
---
title: Lumma Stealer Remus Browser Credential Theft
id: 8c7d6e5f-4a3b-2c1d-0e9f-8a7b6c5d4e3f
description: Detects suspicious access to browser credential files typically targeted by Lumma Stealer (Remus) and other infostealers.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://otx.alienvault.com/pulse/672e4f3c7d6b8c9b
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    category: file_access
    product: windows
detection:
    selection_chrome:
        TargetFilename|contains: '\Google\Chrome\User Data\Default\'
        TargetFilename|endswith:
            - '\Cookies'
            - '\History'
            - '\Login Data'
            - '\Local State'
    selection_edge:
        TargetFilename|contains: '\Microsoft\Edge\User Data\Default\'
        TargetFilename|endswith:
            - '\Cookies'
            - '\History'
            - '\Login Data'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\brave.exe'
    condition: (selection_chrome or selection_edge) and not filter_browsers
falsepositives:
    - Backup software accessing browser data
level: critical
---
title: PCPJack Cloud Worm Lateral Movement
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects suspicious Docker or Kubernetes execution patterns associated with PCPJack worm propagation and credential theft.
status: experimental
author: Security Arsenal
date: 2026/05/10
references:
    - https://otx.alienvault.com/pulse/672e4f3c7d6b8c9c
tags:
    - attack.execution
    - attack.t1611
logsource:
    category: process_creation
    product: linux
detection:
    selection_docker:
        Image|endswith: '/docker'
        CommandLine|contains:
            - 'exec'
            - 'run'
            - 'cp'
    selection_k8s:
        Image|endswith: '/kubectl'
        CommandLine|contains:
            - 'exec'
            - 'cp'
    selection_suspicious:
        CommandLine|contains:
            - '/bin/sh'
            - '/bin/bash'
            - 'curl'
            - 'wget'
    condition: (selection_docker or selection_k8s) and selection_suspicious
falsepositives:
    - Legitimate container administration
level: high
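As an added illustration (not part of the original post or of the Security Arsenal rules), the selection/filter logic of the two Windows rules above as a plain-Python matcher, run over constructed Sysmon-style events so the rule semantics can be checked before deployment. Field names (ParentImage, Image, CommandLine, TargetFilename) follow the rules; the sample events are constructed, not pulse telemetry, and the string matching is case-insensitive as Sigma's default is.

```python
from typing import Dict, List

# Constructed Sysmon-style events for the test run; not telemetry from the pulses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dotnet build MyApp.csproj"},  # filtered as legit build
    {"ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File post-install.ps1"},  # rule 1 hit
    {"Image": r"C:\Users\dev\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # rule 2 hit
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\dev\AppData\Local\Google\Chrome\User Data\Default\Cookies"},  # browser itself
]

NUGET_PARENTS = ("\\nuget.exe", "\\dotnet.exe", "\\msbuild.exe")
SHELL_CHILDREN = ("\\cmd.exe", "\\powershell.exe", "\\rundll32.exe")
LEGIT_CMDLINE = ("nuget.exe restore", "dotnet build")
BROWSER_PROFILES = {  # profile directory -> credential files named by the rule
    "\\google\\chrome\\user data\\default\\": ("\\cookies", "\\history", "\\login data", "\\local state"),
    "\\microsoft\\edge\\user data\\default\\": ("\\cookies", "\\history", "\\login data"),
}
BROWSER_PROCS = ("\\chrome.exe", "\\msedge.exe", "\\brave.exe")


def nuget_child_rule(ev: Dict[str, str]) -> bool:
    """Rule 1: a build tool spawns a shell, unless the command line is a plain restore/build."""
    parent, image = ev.get("ParentImage", "").lower(), ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    selection = parent.endswith(NUGET_PARENTS) and image.endswith(SHELL_CHILDREN)
    return selection and not any(s in cmd for s in LEGIT_CMDLINE)


def browser_cred_rule(ev: Dict[str, str]) -> bool:
    """Rule 2: a non-browser process touches a Chrome/Edge credential store."""
    target, image = ev.get("TargetFilename", "").lower(), ev.get("Image", "").lower()
    in_store = any(d in target and target.endswith(files) for d, files in BROWSER_PROFILES.items())
    return in_store and not image.endswith(BROWSER_PROCS)


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Titles of the rules matched, in event order (one entry per rule hit)."""
    hits = []
    for ev in events:
        if nuget_child_rule(ev):
            hits.append("Potential Malicious NuGet Package Execution")
        if browser_cred_rule(ev):
            hits.append("Lumma Stealer Remus Browser Credential Theft")
    return hits
```

`hunt(SAMPLE_EVENTS)` returns the two rule titles for events 2 and 3 only; a backup tool reading Edge's `Local State` is not flagged, because the Edge selection in the rule does not list that file.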


kql
// Hunt for indicators related to Lumma, PCPJack, and PAN-OS exploitation
// Query 1: connections to known malicious domains or the listed IP address
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "dns-providersa2.com",
    "forestoaker.com",
    "krondez.com",
    "lastpass-login-help.com",
    "www.whatsappcenter.com"
) or RemoteIP == "149.104.66.84"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| limit 100

// Query 2 (run separately; Advanced Hunting accepts one tabular expression per query):
// process execution of known malicious file hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a"
)
| project Timestamp, DeviceName, FolderPath, SHA256, AccountName
| limit 100


powershell
# IOC Hunt Script for Lumma Stealer and PCPJack Artifacts
# Requires Administrative Privileges

$MaliciousHashes = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6"
)

Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Cyan
    try {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Get-FileHash returns upper-case hex; -contains compares case-insensitively, so the lower-case IOC list matches
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($FileHash -and ($MaliciousHashes -contains $FileHash)) {
                Write-Host "MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore terminating errors (e.g., access denied on protected paths); non-terminating ones are already suppressed
    }
}

Write-Host "Checking for suspicious NuGet cache directories..." -ForegroundColor Yellow
$NugetPath = "$env:USERPROFILE\.nuget\packages"
if (Test-Path $NugetPath) {
    Write-Host "Reviewing NuGet packages in $NugetPath..." -ForegroundColor Cyan
    # Look for packages matching the typosquatting pattern (bmrxntfj)
    Get-ChildItem -Path $NugetPath -Recurse -Filter "bmrxntfj*" -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "SUSPICIOUS PACKAGE FOUND: $($_.FullName)" -ForegroundColor Red
    }
}

Response Priorities

Immediate

  • Block IOC Types: Implement network blocks for all listed domains (dns-providersa2.com, forestoaker.com, etc.) and IP addresses (149.104.66.84) on firewalls and proxies.
  • Hunt Execution Artifacts: Scan endpoints for the SHA256 file hashes provided in the Pulse data. Look for nuget.exe or dotnet.exe spawning suspicious child processes.

24h

  • Identity Verification: Given the prevalence of credential stealers (Lumma, PCPJack) and PAN-OS exploits, enforce password resets and MFA re-enrollment for privileged accounts, especially cloud admins and users with access to sensitive financial/telecom data.

1 Week

  • Architecture Hardening: Patch PAN-OS firewalls against CVE-2023-33538 and related vulnerabilities. Review NuGet package usage policies to prevent typosquatting. Audit cloud (Kubernetes/Docker) security posture to prevent PCPJack propagation.
