Recent OTX pulses indicate a convergence of sophisticated credential theft and ransomware-as-a-service (RaaS) operations targeting enterprise and high-value individual assets. The intelligence highlights five distinct but thematically related campaigns active as of mid-April 2026.
The primary threats include:
- The Gentlemen RaaS: A sophisticated ransomware collective exploiting FortiOS vulnerabilities (CVE-2024-37085, CVE-2024-55591) for initial access, utilizing a database of compromised devices to deploy LockBit 5.0, Medusa, and Qilin.
- Runningcrab / Infostealer.Speagle: A supply chain attack hijacking "Cobra DocGuard" security software to exfiltrate sensitive data via compromised diagnostic servers, targeting Defense and Technology sectors in China and Hong Kong.
- notnullOSX: A macOS-exclusive stealer by actor "alh1mik" targeting crypto wallets exceeding $10,000, distributed via ClickFix social engineering.
- NWHStealer: A widespread Windows infostealer distributed via fake Proton VPN sites and gaming mods.
- CVE-2026-39987 Exploitation: Active weaponization of a critical marimo notebook RCE to deliver blockchain botnets (NKAbuse) via HuggingFace.
Collectively, these campaigns demonstrate a shift towards leveraging legitimate software infrastructure (supply chain, ML models) for stealthy data exfiltration and initial access.
Threat Actor / Malware Profile
The Gentlemen (RaaS)
- Distribution: Exploitation of public-facing applications, specifically FortiOS/FortiProxy vulnerabilities (CVE-2024-37085, CVE-2025-32463).
- Payload: Deploys multiple ransomware families including LockBit 5.0, Babuk, and Medusa.
- Behavior: Maintains a database of compromised devices; utilizes advanced defense evasion techniques.
Infostealer.Speagle (Runningcrab)
- Distribution: Supply chain compromise of Cobra DocGuard software.
- Behavior: Hijacks the software's update/diagnostic functionality to send collected sensitive info to attacker-controlled IPs (e.g., 222.222.254.165). Masks C2 traffic as legitimate software communications.
- Target: Defense and Technology sectors in China/Hong Kong.
notnullOSX (alh1mik)
- Distribution: Malicious DMG files and ClickFix social engineering (fake browser updates).
- Behavior: Modular stealer written in Go that targets macOS exclusively. Focuses on harvesting cryptocurrency wallets with high balances ($10k+).
- C2: Communicates with infrastructure such as coockie.pro.
NWHStealer
- Distribution: Fake websites impersonating Proton VPN, GitHub, and gaming mods.
- Behavior: Steals browser data, saved passwords, and cryptocurrency wallet info.
NKAbuse / kagent
- Distribution: Exploitation of CVE-2026-39987 in marimo notebooks hosted on HuggingFace Spaces.
- Behavior: Uses the NKN blockchain for C2 communication, making traffic analysis difficult.
IOC Analysis
The provided IOCs span multiple categories requiring immediate operationalization:
- CVEs: Prioritize patching for CVE-2024-37085 (FortiOS) and CVE-2026-39987 (Marimo).
- Domains:
  - coockie.pro (notnullOSX C2)
  - get-proton-vpn.com, vpn-proton-setup.com (NWHStealer)
  - newworld-helloworld.icu
- IP Addresses:
  - 83.217.209.88 (notnullOSX)
  - 222.222.254.165, 60.30.147.18 (Speagle C2)
  - 111.90.145.139, 185.225.17.176 (Blockchain Botnet)
- File Hashes: Multiple MD5 and SHA256 hashes associated with PlugX variants, NWHStealer, and notnullOSX samples.
Operational Guidance: SOC teams should ingest these IOCs into EDR detection rules and firewall blocklists immediately. The Speagle campaign requires inspecting traffic from "Cobra DocGuard" hosts to non-corporate IPs on ports 8090/8091.
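The IOC matching and the Speagle egress check from the guidance above, as an added Python example (not code from the original report or the OTX pulses), run over constructed sample connection events; the corporate address ranges, the event field names and the process name are assumptions.

```python
import ipaddress
# IOCs below are the ones quoted in this report; ranges and events are constructed.
SPEAGLE_C2_PREFIXES = ("222.222.254.", "60.30.147.")
C2_IPS = {"83.217.209.88", "111.90.145.139", "185.225.17.176"}
MALICIOUS_DOMAINS = ("coockie.pro", "get-proton-vpn.com",
                     "vpn-proton-setup.com", "newworld-helloworld.icu")
SPEAGLE_PORTS = {8090, 8091}
# Assumed corporate address space (RFC 1918); replace with the real estate.
CORPORATE_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def domain_matches(host):
    """Exact or subdomain match only, so 'mycoockie.pro' does not alert."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS)

def classify(event):
    """Return a finding label for one connection event, or None."""
    ip, port = event["dst_ip"], event["dst_port"]
    if domain_matches(event.get("dst_host", "")):
        return "Malicious_Domain"
    if ip in C2_IPS or ip.startswith(SPEAGLE_C2_PREFIXES):
        return "C2_IP"
    # Speagle guidance: a DocGuard process egressing to a non-corporate IP on 8090/8091
    if ("docguard" in event.get("process", "").lower()
            and port in SPEAGLE_PORTS and not is_corporate(ip)):
        return "Speagle_Suspect_Egress"
    return None

def hunt(events):
    """Return (device, label) pairs for every event that matches."""
    return [(e["device"], label) for e in events if (label := classify(e))]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"device": "ws01", "process": "DocGuard.exe", "dst_ip": "222.222.254.165", "dst_port": 8090},
    {"device": "ws02", "process": "DocGuard.exe", "dst_ip": "203.0.113.7", "dst_port": 8091},
    {"device": "ws03", "process": "DocGuard.exe", "dst_ip": "10.0.5.20", "dst_port": 8090},
    {"device": "mac01", "process": "curl", "dst_ip": "198.51.100.9", "dst_port": 443, "dst_host": "api.coockie.pro"},
    {"device": "ws04", "process": "chrome.exe", "dst_ip": "198.51.100.10", "dst_port": 443, "dst_host": "mycoockie.pro"},
]

if __name__ == "__main__":
    for device, label in hunt(SAMPLE_EVENTS):
        print(f"[ALERT] {device}: {label}")
```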
Detection Engineering
```yaml
title: Potential Infostealer.Speagle C2 Communication via Cobra DocGuard
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects network traffic to known Infostealer.Speagle C2 infrastructure associated with the Cobra DocGuard supply chain attack.
status: experimental
author: Security Arsenal
date: 2026/04/19
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.exfiltration
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationIp|startswith:
      - '222.222.254.'
      - '60.30.147.'
    DestinationPort:
      - 8090
      - 8091
  condition: selection
falsepositives:
  - Legitimate use of Cobra DocGuard (verify destination ownership)
level: high
---
title: Fake VPN Domain Detection - NWHStealer Campaign
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6e
description: Detects DNS requests or network connections to domains associated with NWHStealer distribution campaigns.
status: experimental
author: Security Arsenal
date: 2026/04/19
references:
  - https://otx.alienvault.com/
tags:
  - attack.initial_access
  - attack.social_engineering
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|contains:
      - 'get-proton-vpn.com'
      - 'vpn-proton-setup.com'
      - 'newworld-helloworld.icu'
  condition: selection
falsepositives:
  - Unknown
level: critical
---
title: macOS notnullOSX Stealer C2 Activity
id: 9b8c7d6e-5f4a-3b2c-1d0e-9f8a7b6c5d4e
description: Detects outbound connections to known notnullOSX stealer C2 domains targeting high-value crypto wallets.
status: experimental
author: Security Arsenal
date: 2026/04/19
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.credential_access
logsource:
  category: network_connection
  product: macos
detection:
  selection:
    DestinationHostname|contains:
      - 'coockie.pro'
  condition: selection
falsepositives:
  - Unknown
level: high
```
```kql
// Hunt for network connections to known IOCs from the pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "get-proton-vpn.com",
    "vpn-proton-setup.com",
    "newworld-helloworld.icu",
    "coockie.pro",
    "huggingface"   // broad term: matches all Hugging Face traffic; review hits for the marimo Space context
  )
  or RemoteIP in (
    "83.217.209.88",
    "222.222.254.165",
    "60.30.147.18",
    "111.90.145.139",
    "185.225.17.176",
    "38.147.173.172"
  )
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend IOCType = iff(RemoteIP in ("83.217.209.88", "222.222.254.165", "60.30.147.18"), "C2_IP", "Malicious_Domain")
```
```bash
#!/bin/bash
# IOC Hunt Script for Linux/macOS environments
# Checks for active connections to known malicious IPs
MALICIOUS_IPS=(
  "83.217.209.88"
  "222.222.254.165"
  "60.30.147.18"
  "185.225.17.176"
)

# ss is Linux-only; fall back to netstat on macOS. Do not add -l here:
# it would list only listening sockets and never show an outbound C2 session.
if command -v ss >/dev/null 2>&1; then
  list_conns() { ss -tun; }
else
  list_conns() { netstat -an; }
fi

echo "Checking active network connections for known IOCs..."
for ip in "${MALICIOUS_IPS[@]}"; do
  # Fixed-string, whole-word match so dots are not regex wildcards and
  # 60.30.147.18 does not also match 60.30.147.180
  connections=$(list_conns | grep -Fw "$ip")
  if [ -n "$connections" ]; then
    echo "[ALERT] Found active connection to malicious IP: $ip"
    echo "$connections"
  fi
done

echo "Checking hosts file for suspicious domains..."
if grep -q -E "coockie\.pro|get-proton-vpn\.com" /etc/hosts; then
  echo "[ALERT] Suspicious domain found in /etc/hosts"
  grep -E "coockie\.pro|get-proton-vpn\.com" /etc/hosts
fi
```
# Response Priorities
* **Immediate**:
  * Block all listed domains and IP addresses at the perimeter firewall and proxy.
  * Scan endpoints for the file hashes provided (e.g., NWHStealer SHA256, Speagle hashes).
  * Identify systems running "Cobra DocGuard" and isolate them for forensic analysis.
* **24 Hours**:
  * Force password resets for users who may have interacted with fake VPN sites or gaming mods.
  * Investigate macOS devices holding high-value crypto wallets for signs of notnullOSX (check for `coockie.pro` connections).
  * Patch FortiOS devices against CVE-2024-37085 and CVE-2025-32463 immediately.
* **1 Week**:
  * Review software supply chain security; verify the integrity of development environments using marimo/HuggingFace.
  * Implement stricter code signing policies for macOS (block unsigned DMGs).
  * Conduct a review of external-facing assets for exposure to the listed FortiOS CVEs.