
Supply Chain Surge & 64-bit Stealer Evolution: Lumma Remus, PCPJack, and NuGet Threats — OTX Pulse Analysis

Security Arsenal Team
May 10, 2026
6 min read

Recent OTX pulses indicate a convergence of high-volume credential theft operations and sophisticated access techniques. Adversaries are actively leveraging supply chain compromises—specifically via malicious NuGet packages impersonating Chinese UI libraries—to distribute updated infostealer families including Lumma, Quantum, and AgentRacoon. Concurrently, the emergence of PCPJack, a cloud worm targeting DevOps infrastructure, highlights a shift toward automated credential harvesting at scale. The identification of Remus, a 64-bit variant of Lumma utilizing EtherHiding for C2, demonstrates rapid adaptation to takedowns. These campaigns are complemented by targeted APT activity (Operation GriefLure) and the exploitation of a critical PAN-OS zero-day (CVE-2023-33538) to establish tunneling capabilities for lateral movement and data exfiltration.

Threat Actor / Malware Profile

  • Lumma Stealer (Remus Variant): A newly identified 64-bit infostealer. It replaces traditional dead-drop resolvers with EtherHiding, using blockchain transaction data to fetch C2 endpoints. It employs aggressive anti-analysis checks and targets browser crypto-wallets and application-bound encryption data.
  • NuGet Supply Chain Actors: Typosquatting legitimate .NET libraries (e.g., Chinese UI components). Payloads are obfuscated using .NET Reactor and grafted onto decompiled legitimate code. These packages deliver multi-family stealers (Lumma, Quantum, ArrowRAT) via msbuild or NuGet restoration processes.
  • PCPJack: A cloud-propagating worm designed to evict the TeamPCP botnet. It harvests credentials from cloud platforms, containers (Kubernetes/Docker), and developer tools, exfiltrating them to attacker-controlled infrastructure.
  • Operation GriefLure: An APT group utilizing spear-phishing with weaponized legal documents. They use living-off-the-land binaries (LOLBins) to deploy payloads (sfsvc.exe, 360.dll) targeting telco and healthcare sectors in SE Asia.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a multi-vector approach:

  • Domains (C2 & Phishing): A high volume of suspicious domains, particularly those ending in .pics and .biz (e.g., baxe.pics, remnane.biz), is associated with the Lumma Remus campaign. Typosquatted domains such as lastpass-login-help.com indicate credential harvesting aimed at specific SaaS platforms.
  • File Hashes: Multiple SHA256 hashes correspond to the malicious NuGet package payloads and the Lumma/Remus binaries. These should be blocklisted immediately on endpoints.
  • CVEs: The exploitation of CVE-2023-33538 (PAN-OS) provides unauthenticated RCE. While not a credential theft tool itself, it facilitates the deployment of tunneling tools (EarthWorm, ReverseSocks5) necessary for intercepting internal traffic and moving laterally to credential stores.
  • IPs: The IP 149.104.66.84 is linked to the PAN-OS exploitation cluster and should be blocked at the perimeter.

Detection Engineering

The following detection rules and scripts are designed to identify the specific behaviors and indicators detailed in the OTX pulses.

```yaml
title: Potential Malicious NuGet Package Execution
id: 4a8b92c1-6b3f-4a1d-9e5f-1a2b3c4d5e6f
description: Detects shells or rundll32 spawned by msbuild, dotnet or nuget, the execution path used by the malicious NuGet packages in this campaign.
status: experimental
date: 2026-05-10
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\msbuild.exe'
      - '\dotnet.exe'
      - '\nuget.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\rundll32.exe'
  # Coarse exclusion for Visual Studio / SDK build steps: any command line containing
  # 'Microsoft' (for example a path under Program Files) is dropped, so tune this per environment.
  filter_legit:
    CommandLine|contains: 'Microsoft'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate build processes spawning shells
level: high
tags:
  - attack.initial_access
  - attack.t1195.002
  - attack.execution
  - attack.t1059
---
title: Lumma Remus / Infostealer C2 Traffic
# The id below contains non-hex characters; replace it with a hex-only RFC 4122 UUID before running sigma validation.
id: 5b9c03d2-7c4e-5b2e-0f6g-2b3c4d5e6f7g
description: Detects network connections to the C2 and phishing domains associated with the Lumma Remus campaign, and to TLDs abused by its infrastructure.
status: experimental
date: 2026-05-10
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection_domains:
    DestinationHostname|contains:
      - 'dns-providersa2.com'
      - 'forestoaker.com'
      - 'krondez.com'
      - 'baxe.pics'
      - 'vinte.online'
      - 'coox.live'
      - 'remnane.biz'
      - 'parky.pics'
      - 'lastpass-login-help.com'
      - 'whatsappcenter.com'
  # The TLD selection alone fires on every .pics/.xyz host; keep it only where such traffic is rare.
  selection_tlds:
    DestinationHostname|endswith:
      - '.pics'
      - '.xyz'
  condition: 1 of selection*
falsepositives:
  - Rare legitimate traffic to these specific new TLDs
level: critical
tags:
  - attack.command_and_control
  - attack.t1071
---
title: Suspicious PowerShell Download String (GriefLure/Lumma)
# The id below contains non-hex characters; replace it with a hex-only RFC 4122 UUID before running sigma validation.
id: 6c0d14e3-8d5f-6c3f-1g7h-3c4d5e6f7g8h
description: Detects PowerShell commands typical of stealer droppers, specifically those using DownloadString or in-memory invocation associated with the observed campaigns.
status: experimental
date: 2026-05-10
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  condition: selection
falsepositives:
  - Administrative scripts that legitimately download and invoke code
level: medium
tags:
  - attack.execution
  - attack.t1059.001
```


```kql
// Hunt for malicious file hashes, C2 contact and build-tool-spawned shells.
// Advanced Hunting returns a single tabular result per query, so the three hunts are
// bound with let and combined by the final union; to run one alone, replace the union with its name.
// The first published indicator is 40 hex characters (a SHA-1), so it is compared to the SHA1 column;
// comparing it to SHA256 would never match.
let MaliciousSha1 = dynamic(["efb675de4b3af3dac3c9cae91075fd7cc2f4f98e"]);
let MaliciousSha256 = dynamic([
  "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
  "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
  "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
  "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
  "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
  "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
  "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
  "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
  "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
  "91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067"
]);
let MaliciousDomains = dynamic([
  "dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
  "coox.live", "remnane.biz", "parky.pics", "lastpass-login-help.com", "whatsappcenter.com"
]);
let MaliciousIPs = dynamic(["149.104.66.84"]);
// 1. File hash hunt (in~ is case-insensitive, so hash case in the IOC list does not matter)
let HashHits = DeviceProcessEvents
| where SHA256 in~ (MaliciousSha256) or SHA1 in~ (MaliciousSha1)
| extend Hunt = "IOC hash", Detail = strcat(FileName, " ", ProcessCommandLine, " sha256=", SHA256)
| project Timestamp, DeviceName, Hunt, Detail, InitiatingProcessFileName;
// 2. Network connection hunt (RemoteUrl may carry a scheme or path, so has_any rather than an exact in)
let NetHits = DeviceNetworkEvents
| where RemoteUrl has_any (MaliciousDomains) or RemoteIP in (MaliciousIPs)
| extend Hunt = "C2 contact", Detail = strcat(RemoteUrl, " ", RemoteIP, ":", tostring(RemotePort))
| project Timestamp, DeviceName, Hunt, Detail, InitiatingProcessFileName;
// 3. Build tooling spawning a shell (mirrors the first Sigma rule)
let BuildHits = DeviceProcessEvents
| where InitiatingProcessFileName in~ ("msbuild.exe", "dotnet.exe", "nuget.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe")
| extend Hunt = "Build tool spawned shell", Detail = strcat(InitiatingProcessCommandLine, " -> ", ProcessCommandLine)
| project Timestamp, DeviceName, Hunt, Detail, InitiatingProcessFileName;
union HashHits, NetHits, BuildHits
| order by Timestamp desc
```


```powershell
# IOC Hunter for NuGet/Lumma/GriefLure Artifacts
# Requires Administrator privileges (Get-Process -IncludeUserName and reading other users' process images)

# The first published indicator is 40 hex characters, i.e. a SHA-1, so it is kept in its own
# list and compared against a SHA-1 of the image; comparing it with a SHA-256 would never match.
$MaliciousSha1 = @("efb675de4b3af3dac3c9cae91075fd7cc2f4f98e")
$MaliciousSha256 = @(
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "e41c635e4c3514e266d143d544ad1abde5db3dcfe6cccdf9bb7a218003f8ab6a",
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
    "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
    "91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067"
)

Write-Host "Scanning for Malicious Files (NuGet/Lumma/GriefLure)..." -ForegroundColor Cyan

# Hash each distinct process image once (many PIDs share one path) and report every PID that runs it.
$processes = Get-Process -IncludeUserName -ErrorAction SilentlyContinue
$byPath = $processes | Where-Object { $_.Path } | Group-Object -Property Path
foreach ($group in $byPath) {
    $path = $group.Name
    if (-not (Test-Path -LiteralPath $path)) { continue }
    try {
        $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
        $sha1   = (Get-FileHash -LiteralPath $path -Algorithm SHA1   -ErrorAction Stop).Hash
    } catch {
        continue   # image locked or access denied: skip it rather than abort the scan
    }
    # -in compares strings case-insensitively, so the uppercase Get-FileHash output matches the lowercase IOCs
    if ($sha256 -in $MaliciousSha256 -or $sha1 -in $MaliciousSha1) {
        foreach ($proc in $group.Group) {
            Write-Host "[ALERT] Malicious Process Running: $($proc.ProcessName) (PID: $($proc.Id)) User: $($proc.UserName) Path: $path" -ForegroundColor Red
        }
    }
}

# Check the hosts file for the campaign's domains. -match takes a regex, so the domain is
# escaped first; otherwise every '.' would match any character and produce false hits.
$hostsPath = "$env:windir\System32\drivers\etc\hosts"
$maliciousDomains = @("dns-providersa2.com", "forestoaker.com", "krondez.com", "whatsappcenter.com", "lastpass-login-help.com")
if (Test-Path -LiteralPath $hostsPath) {
    $hostsContent = Get-Content -LiteralPath $hostsPath
    foreach ($domain in $maliciousDomains) {
        $pattern = [regex]::Escape($domain)
        $lines = $hostsContent | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }
        if ($lines) {
            Write-Host "[ALERT] Malicious Domain found in hosts file: $domain" -ForegroundColor Red
        }
    }
}

Write-Host "Scan Complete." -ForegroundColor Green
```
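The Sigma, KQL and PowerShell above each carry the same three decisions: which hash column an indicator belongs in, what counts as a match on a hostname, and when a build tool spawning a shell is worth an alert. The Python below is an added example, not part of the original post or the Security Arsenal tooling; it replays those decisions offline over constructed telemetry shaped like Defender `DeviceProcessEvents` / `DeviceNetworkEvents` rows. The domain, IP and hash indicators are copied from the write-up; the sample events, device names and the `triage` helper are assumptions. It also shows two edge cases the rules gloss over: a SHA-1 mixed into a SHA-256 list never matches unless it is routed to the right column, and a `contains` test on a hostname also fires on unrelated hosts such as `notbaxe.pics`.

```python
from urllib.parse import urlsplit

# Indicators copied from the pulse write-up above; everything else in this file is assumed.
IOC_DOMAINS = {
    "dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online",
    "coox.live", "remnane.biz", "parky.pics", "lastpass-login-help.com", "whatsappcenter.com",
}
IOC_TLDS = {"pics", "xyz"}            # TLDs the second Sigma rule treats as abused
IOC_IPS = {"149.104.66.84"}
IOC_HASHES = [                        # mixed list as published: one SHA-1 among SHA-256s
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
]
BUILD_PARENTS = {"msbuild.exe", "dotnet.exe", "nuget.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def split_hashes(hashes):
    """Bucket indicators by digest length so each is compared against the right column;
    a SHA-1 tested against a SHA256 field silently never matches."""
    buckets = {40: set(), 64: set()}
    for h in hashes:
        h = h.strip().lower()
        if len(h) in buckets and all(c in "0123456789abcdef" for c in h):
            buckets[len(h)].add(h)
    return buckets[40], buckets[64]


SHA1_IOCS, SHA256_IOCS = split_hashes(IOC_HASHES)


def hostname_of(remote_url):
    """RemoteUrl may carry a scheme, port or path; reduce it to the bare host."""
    url = remote_url if "://" in remote_url else "//" + remote_url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def classify_host(host):
    """Exact or parent-domain match against the IOC list, then the abused-TLD check.
    A plain substring test would also flag unrelated hosts such as notbaxe.pics."""
    labels = host.split(".")
    if host in IOC_DOMAINS:
        return "ioc_domain"
    if any(".".join(labels[i:]) in IOC_DOMAINS for i in range(1, len(labels))):
        return "ioc_subdomain"
    if labels[-1] in IOC_TLDS:
        return "abused_tld"
    return None


def check_process(ev):
    """Hash hunt plus the first Sigma rule (build tool -> shell, minus the 'Microsoft' filter)."""
    hits = []
    if ev.get("SHA1", "").lower() in SHA1_IOCS or ev.get("SHA256", "").lower() in SHA256_IOCS:
        hits.append("ioc_hash")
    parent = ev.get("InitiatingProcessFileName", "").lower()
    child = ev.get("FileName", "").lower()
    if (parent in BUILD_PARENTS and child in SHELL_CHILDREN
            and "microsoft" not in ev.get("ProcessCommandLine", "").lower()):
        hits.append("build_spawned_shell")
    return hits


def check_network(ev):
    hits = []
    if ev.get("RemoteIP") in IOC_IPS:
        hits.append("ioc_ip")
    verdict = classify_host(hostname_of(ev.get("RemoteUrl", "")))
    if verdict:
        hits.append(verdict)
    return hits


def triage(process_events, network_events):
    """Return (device, finding) pairs in event order, the rows the KQL union above would yield."""
    return ([(ev["DeviceName"], h) for ev in process_events for h in check_process(ev)]
            + [(ev["DeviceName"], h) for ev in network_events for h in check_network(ev)])


# Constructed sample telemetry (assumed devices, command lines and digests).
SAMPLE_PROCESS = [
    {"DeviceName": "build01", "InitiatingProcessFileName": "MSBuild.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell -NoProfile -File tools/post-restore.ps1", "SHA256": "a" * 64},
    {"DeviceName": "build01", "InitiatingProcessFileName": "dotnet.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": r'cmd /c "C:\Program Files\Microsoft Visual Studio\2022\Tools\VsDevCmd.bat"',
     "SHA256": "b" * 64},
    {"DeviceName": "ws07", "InitiatingProcessFileName": "explorer.exe", "FileName": "update.exe",
     "ProcessCommandLine": "update.exe", "SHA1": "EFB675DE4B3AF3DAC3C9CAE91075FD7CC2F4F98E", "SHA256": "c" * 64},
]
SAMPLE_NETWORK = [
    {"DeviceName": "ws07", "RemoteUrl": "https://cdn.baxe.pics/update.bin", "RemoteIP": "203.0.113.10"},
    {"DeviceName": "fw-mgmt", "RemoteUrl": "", "RemoteIP": "149.104.66.84"},
    {"DeviceName": "ws11", "RemoteUrl": "notbaxe.pics", "RemoteIP": "203.0.113.11"},
    {"DeviceName": "ws12", "RemoteUrl": "https://www.example.com/", "RemoteIP": "203.0.113.12"},
]

if __name__ == "__main__":
    for device, finding in triage(SAMPLE_PROCESS, SAMPLE_NETWORK):
        print(f"{device:8} {finding}")
```

The second sample process is dropped by the same `Microsoft` exclusion the Sigma rule uses, which is a reminder of how coarse that filter is; the `ws11` row lands in `abused_tld` rather than `ioc_domain`, which is the distinction a substring match would lose.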

Response Priorities

Immediate (0-6h):

  • Block all listed IOCs at the firewall and proxy level.
  • Hunt for the presence of the specific SHA256 hashes on endpoints.
  • Identify any devices communicating with 149.104.66.84 or the .pics/.biz C2 domains.
  • Patch PAN-OS firewalls against CVE-2023-33538 immediately if not already addressed.

24h:

  • Conduct forensic analysis on systems that executed the suspicious NuGet packages.
  • Force password resets for any credentials stored in browsers or cloud tools (AWS/Azure/GCP keys) on compromised machines.
  • Review cloud logs for signs of PCPJack activity (unusual container creation or credential access).

1 Week:

  • Implement strict allow-listing for NuGet package sources in build pipelines.
  • Enhance monitoring for LOLBin usage and abnormal PowerShell activity.
  • Review and harden external attack surfaces, specifically VPN and firewall configurations, to prevent similar zero-day exploitation.
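The first item of the 1 Week list, strict allow-listing of NuGet package sources, is something a pipeline can check for itself on every run. The script below is an added example, not the post's own tooling: it parses a `nuget.config`, confirms inherited feeds are cleared with `<clear />`, that every declared feed is on an allow-list and uses HTTPS, and that a `packageSourceMapping` section pins package ID patterns to a source so a typosquatted package on a public feed cannot satisfy a restore meant for an internal one. The allow-list URLs, the two sample configurations and the `example.internal` / `example.test` hostnames are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Feeds the build is permitted to restore from (assumed values for this example).
ALLOWED_SOURCES = {
    "https://api.nuget.org/v3/index.json",
    "https://pkgs.example.internal/nuget/v3/index.json",
}


def audit_nuget_config(xml_text, allowed=ALLOWED_SOURCES):
    """Return a list of findings; an empty list means every feed is allow-listed, inherited
    feeds are cleared, and package IDs are mapped to a source so no other feed can answer them."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources>: feeds inherited from user/machine nuget.config apply"]
    if sources.find("clear") is None:
        findings.append("<packageSources> lacks <clear/>: feeds from parent nuget.config files are inherited")
    declared = {}
    for add in sources.findall("add"):
        key, value = add.get("key", ""), add.get("value", "")
        declared[key] = value
        if value.lower().startswith("http://"):
            findings.append(f"source '{key}' uses plain http")
        if value not in allowed:
            findings.append(f"source '{key}' ({value}) is not on the allow-list")
    mapping = root.find("packageSourceMapping")
    if mapping is None:
        findings.append("no <packageSourceMapping>: any feed may answer any package ID (dependency confusion)")
        return findings
    mapped = set()
    for ps in mapping.findall("packageSource"):
        key = ps.get("key", "")
        mapped.add(key)
        if key not in declared:
            findings.append(f"mapping refers to undeclared source '{key}'")
        if not ps.findall("package"):
            findings.append(f"mapping for '{key}' lists no package patterns")
    for key in sorted(declared.keys() - mapped):
        findings.append(f"source '{key}' is declared but has no package mapping")
    return findings


# Constructed configurations: a typical unrestricted one and a hardened one.
WEAK_CONFIG = """
<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="ui-mirror" value="http://nuget-mirror.example.test/v3/index.json" />
  </packageSources>
</configuration>
"""

HARDENED_CONFIG = """
<configuration>
  <packageSources>
    <clear />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://pkgs.example.internal/nuget/v3/index.json" />
  </packageSources>
  <packageSourceMapping>
    <packageSource key="internal">
      <package pattern="Contoso.*" />
    </packageSource>
    <packageSource key="nuget.org">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_nuget_config(cfg) or ["ok"])
```

Run it as a pre-restore step with a non-zero exit when findings are non-empty; the mapping check is the one that matters most for this campaign, since `<package pattern="*" />` on the public feed combined with a narrower pattern on the internal feed means NuGet picks the most specific pattern and never asks nuget.org for an internal package name.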


Tags: darkweb, otx-pulse, darkweb-credentials, lumma-stealer, nuget-supply-chain, pcpjack, apt-grieflure, pan-os-rce
