
The Gentlemen RaaS, Speagle Supply Chain & notnullOSX: OTX Pulse Analysis

Security Arsenal Team
April 19, 2026

The latest OTX pulses for 2026-04-19 reveal a multifaceted threat landscape dominated by aggressive credential harvesting and ransomware-as-a-service (RaaS). Key developments include:

  • The Gentlemen RaaS Operations: A sophisticated ransomware group actively exploiting FortiOS vulnerabilities (CVE-2025-32463, CVE-2024-37085) for initial access, employing defense evasion, and deploying payloads like LockBit 5.0 and Medusa.
  • Supply Chain Compromise (Runningcrab): A stealthy campaign targeting the defense and tech sectors in China/Hong Kong, utilizing Infostealer.Speagle to hijack Cobra DocGuard software for data exfiltration.
  • Cross-Platform Infostealers:
    • NWHStealer: Spreading via fake VPN sites (Proton VPN impersonation) and gaming mods to harvest browser data and crypto wallets.
    • notnullOSX: A Go-based macOS stealer by actor alh1mik specifically targeting high-value crypto wallets (> $10k) via ClickFix social engineering.
  • Emerging Exploits: Weaponization of CVE-2026-39987 (marimo) to deploy NKAbuse blockchain botnets via HuggingFace.

The common objective across these campaigns is monetary theft via credential compromise followed by data exfiltration or ransomware extortion.


Threat Actor / Malware Profile

The Gentlemen (RaaS)

  • Type: Ransomware-as-a-Service / Big Game Hunting.
  • Distribution: Exploitation of public-facing applications (FortiOS/FortiProxy), specifically CVE-2025-32463 and CVE-2024-37085.
  • Payload: Babuk, LockBit 5.0, Medusa, Vasa Locker.
  • Behavior: Data exfiltration prior to encryption; maintains a database of compromised devices for re-entry; utilizes advanced defense evasion.

Infostealer.Speagle (Runningcrab)

  • Type: Supply Chain Infostealer.
  • Distribution: Hijacked updates/communications from legitimate Cobra DocGuard security software.
  • Behavior: Collects sensitive system info and exfiltrates it to a compromised C2 server masquerading as the legitimate DocGuard diagnostics endpoint (CDGClientDiagnostics?flag=syn_user_policy).

NWHStealer

  • Type: Windows Infostealer.
  • Distribution: SEO poisoning and typosquatting (fake Proton VPN sites), compromised GitHub/GitLab repositories, and gaming mods.
  • Behavior: Harvests browser data, saved passwords, and cryptocurrency wallet extensions.

notnullOSX (alh1mik)

  • Type: macOS Infostealer.
  • Distribution: Malicious DMG files, "ClickFix" social engineering (fake browser updates).
  • Behavior: Specifically targets macOS users holding more than $10k in crypto; modular Go-based architecture.

IOC Analysis

  • FileHash-SHA256: Over 20 unique hashes provided across the pulses. SOC teams should load these into EDR quarantine lists immediately. High-value targets include the notnullOSX samples (e.g., 070402c2c531aa3a87b9ccd080532a51d17b01d982b205fc4487246d58de8913).
  • CVEs: Critical focus on CVE-2025-32463, CVE-2024-37085 (The Gentlemen), and CVE-2026-39987 (marimo/HuggingFace). Vulnerability scanners must be updated to flag these specific IDs.
  • Domains/URLs:
    • Fake Infrastructure: get-proton-vpn.com, vpn-proton-setup.com (NWHStealer).
    • Supply Chain C2: http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics... (Speagle).
    • macOS C2: coockie.pro (notnullOSX).
  • Operationalization: Block the listed domains and IPs (e.g., 83.217.209.88, 111.90.145.139) at the perimeter. Use SIEM correlations to flag outbound connections to the non-standard ports (8090, 8091) used by Speagle.
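To operationalize these indicators before SIEM content is deployed, the following Python checker, an added example that is not part of the OTX pulses or of Security Arsenal's tooling, walks proxy/firewall log lines and reports every reason a connection matches: the IOC domains and IPs listed above, the Speagle CDGClientDiagnostics?flag=syn_user_policy exfiltration URL, and egress on ports 8090/8091 to a non-internal address (the same criterion Response Priorities uses to decide which hosts to isolate). The log format and all sample lines are constructed for the example; RFC 1918, loopback and link-local destinations are deliberately not flagged, which keeps legitimate internal DocGuard diagnostics out of the alert.

```python
# Added example (not from the OTX pulses or Security Arsenal's tooling): flag proxy/firewall
# log lines that match the Speagle / NWHStealer / notnullOSX network indicators from this report.
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the IOC Analysis section above
IOC_DOMAINS = {"get-proton-vpn.com", "vpn-proton-setup.com", "coockie.pro"}
IOC_IPS = {"222.222.254.165", "83.217.209.88", "111.90.145.139"}
SPEAGLE_PORTS = {8090, 8091}

# Internal ranges: RFC 1918, loopback, link-local and IPv6 ULA. Listed explicitly rather than via
# ipaddress.is_private, because that flag also covers the RFC 5737 documentation ranges used below.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
              "169.254.0.0/16", "::1/128", "fc00::/7")
]

# Constructed log format for this example: "<timestamp> <src_ip> <dst_ip> <dst_port> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def is_internal(ip: str) -> bool:
    """True for destinations inside the organisation (legitimate DocGuard diagnostics traffic)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def check_event(event: dict) -> list:
    """Return every reason the connection matches an indicator (empty list = clean)."""
    dst, port = event["dst"], event["port"]
    url = urlsplit(event["url"])
    host = (url.hostname or "").lower()
    reasons = []
    # 1. NWHStealer fake VPN sites and the notnullOSX C2 domain, including subdomains
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"IOC domain {host}")
    # 2. IOC IP addresses, whether seen as the destination or embedded in the URL
    if dst in IOC_IPS or host in IOC_IPS:
        reasons.append(f"IOC ip {dst}")
    # 3. Speagle exfiltration URL: CDGClientDiagnostics?flag=syn_user_policy sent to an external host
    flag = parse_qs(url.query).get("flag", [])
    if "CDGClientDiagnostics" in url.path and "syn_user_policy" in flag and not is_internal(dst):
        reasons.append("Speagle exfil URL to external host")
    # 4. Speagle non-standard ports to a non-internal address (isolation criterion in Response Priorities)
    if port in SPEAGLE_PORTS and not is_internal(dst):
        reasons.append(f"port {port} egress to external {dst}")
    return reasons


def analyze_log(text: str) -> list:
    """Return one hit per matching line as {'src', 'dst', 'reasons'}; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = check_event(event)
        if reasons:
            hits.append({"src": event["src"], "dst": event["dst"], "reasons": reasons})
    return hits


# Constructed sample log; non-IOC external addresses are RFC 5737 documentation ranges
SAMPLE_LOG = """\
2026-04-19T08:01:12Z 10.0.5.21 222.222.254.165 8090 GET http://222.222.254.165:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
2026-04-19T08:02:40Z 10.0.5.22 10.0.0.9 8090 GET http://10.0.0.9:8090/CDGServer3/CDGClientDiagnostics?flag=syn_user_policy
2026-04-19T08:03:05Z 10.0.5.23 198.51.100.7 443 GET https://get-proton-vpn.com/download/ProtonVPN_Setup.exe
2026-04-19T08:04:18Z 10.0.5.24 203.0.113.10 8091 POST http://203.0.113.10:8091/upload
2026-04-19T08:05:00Z 10.0.5.25 203.0.113.20 443 GET https://www.example.com/
not a log line
"""

if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {'; '.join(hit['reasons'])}")
```

The second sample line is the documented false positive: the same diagnostics URL on port 8090, but to an internal host, so it produces no hit. The first line is flagged three times over (IOC IP, exfil URL, non-standard port to an external address), which is the signal a SOC would treat as confirmed Speagle beaconing.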

Detection Engineering

Sigma Rules

```yaml
title: Potential Infostealer.Speagle C2 Communication
id: 1a2b3c4d-5e6f-7890-1234-567890abcdef
description: Detects network connections to known Cobra DocGuard infrastructure hijacked by Infostealer.Speagle or the specific URL pattern used for exfiltration.
status: experimental
date: 2026/04/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6123456789abcdef
tags:
    - attack.exfiltration
    - attack.credential_access
logsource:
    category: proxy
detection:
    selection_ioc:
        # Hijacked DocGuard server from the IOC list
        dst_ip: '222.222.254.165'
    selection_uri:
        # Both substrings must be present; a YAML mapping cannot repeat a key, so use |all with a list
        c-uri|contains|all:
            - 'CDGClientDiagnostics'
            - 'flag=syn_user_policy'
    filter:
        c-host|endswith: '.cobradocguard.com' # Fallback if internal domain structure is different
    condition: 1 of selection_* and not filter
falsepositives:
    - Legitimate Cobra DocGuard diagnostics (verify internal IPs)
level: critical
---
title: Suspicious macOS DMG Execution (notnullOSX Indicator)
id: b4c5d6e7-f8a9-1011-1213-141516171819
description: Detects execution of applications from mounted DMG images or temporary directories often associated with macOS stealers like notnullOSX.
status: experimental
date: 2026/04/19
author: Security Arsenal
tags:
    - attack.execution
    - attack.initial_access
logsource:
    product: macos
    category: process_creation
detection:
    selection_volume:
        # App bundle binaries launched straight from a mounted disk image or a temp directory
        Image|contains: '.app/Contents/MacOS/'
        Image|startswith:
            - '/Volumes/'
            - '/private/tmp/'
    selection_parent:
        # App bundle binaries spawned by the installer tooling
        ParentImage|endswith:
            - '/Disk Utility.app/Contents/MacOS/Disk Utility'
            - '/Installer.app/Contents/MacOS/Installer'
        Image|contains: '.app/Contents/MacOS/'
    filter_legit:
        Image|startswith: '/Applications/'
    condition: 1 of selection_* and not filter_legit
falsepositives:
    - Legitimate software installation
level: high
---
title: Fake Proton VPN Site Access (NWHStealer)
id: c0d1e2f3-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects DNS queries or HTTP connections to known fake VPN domains associated with NWHStealer distribution.
status: experimental
date: 2026/04/19
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.social_engineering
logsource:
    category: dns
detection:
    selection:
        query|contains:
            - 'get-proton-vpn.com'
            - 'vpn-proton-setup.com'
    condition: selection
falsepositives:
    - Unlikely
level: critical
```

KQL (Microsoft Sentinel)

```kusto
// Hunt for NWHStealer and Speagle Network Indicators
// Two hunts follow; run each on its own together with the let statements
// (Advanced Hunting accepts a single tabular expression per query)
let IOCs_Domains = dynamic(['get-proton-vpn.com', 'vpn-proton-setup.com', 'newworld-helloworld.icu', 'coockie.pro']);
let IOCs_IPs = dynamic(['222.222.254.165', '60.30.147.18', '83.217.209.88', '111.90.145.139']);
let IOCs_SHA256 = dynamic(['3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235',
                           '03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b',
                           '2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3']);
// Check Network Connections (has_any also matches full URLs that embed an IOC domain)
DeviceNetworkEvents
| where RemoteUrl has_any (IOCs_Domains) or RemoteIP in (IOCs_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, RemoteUrl, RemoteIP, RemotePort
| order by Count desc;
// Check File Hashes
DeviceFileEvents
| where SHA256 in (IOCs_SHA256)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
# Hunt for NWHStealer and Speagle Artifacts
# Run from an elevated session so every user's Downloads folder and both registry hives are readable

Write-Host "Starting Hunt for Infostealer Artifacts..." -ForegroundColor Cyan

# 1. Check for Suspicious File Hashes in common temp/download paths
$TargetHashes = @(
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "03298f85eaf8880222cf8a83b8ed75d90712c34a8a5299a60f47927ad044b43b",
    "2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3",
    "e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3"
)

$PathsToScan = @("C:\Users\*\Downloads\", "C:\ProgramData\", "C:\Temp\", "C:\Windows\Temp\")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        # -File skips directories; the size window avoids hashing empty files and large archives/ISOs
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Length -lt 50MB } |
        ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            # Get-FileHash returns nothing for locked files, so guard against $null before comparing
            if ($hash -and $TargetHashes -contains $hash.Hash) {
                Write-Host "[MALICIOUS] Match found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 2. Check for Speagle related persistence (Hypothetical Registry Run Key based on Infostealer TTPs)
$RegPaths = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run")
$SuspiciousNames = @("DocGuard", "CobraClient", "ProtonVPN", "VPNSetup")
# One alternation so each Run value NAME is tested against every suspicious pattern (substring match)
$NamePattern = ($SuspiciousNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($RegPath in $RegPaths) {
    if (Test-Path $RegPath) {
        $RunValues = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
        # PSObject.Properties exposes each registry value; PS* members are PowerShell bookkeeping, not values
        $RunValues.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -match $NamePattern } |
        ForEach-Object {
            Write-Host "[SUSPICIOUS] Registry Run Key: $($_.Name) -> $($_.Value)" -ForegroundColor Yellow
        }
    }
}

Write-Host "Hunt Complete." -ForegroundColor Green
```


---

# Response Priorities

*   **Immediate (0-4h)**:
    *   Block all listed domains (IOCs) and IPs at the firewall/proxy level.
    *   Quarantine endpoints matching the provided SHA256 hashes.
    *   Isolate devices showing signs of **Speagle** C2 communication (port 8090/8091 traffic to non-internal IPs).

*   **24 Hours**:
    *   **Credential Reset**: Force password resets for users on affected machines, specifically targeting credentials stored in browsers (NWHStealer/notnullOSX targets).
    *   Verify the integrity of **Cobra DocGuard** installations; check for unauthorized modifications or strange outbound connections.
    *   Patch **FortiOS** gateways against CVE-2025-32463 and CVE-2024-37085 immediately.

*   **1 Week**:
    *   **Architecture Hardening**: Review segmentation for FortiOS devices and HuggingFace/marimo server access.
    *   Implement application whitelisting to prevent execution of unsigned DMGs/ISOs (mitigates macOS and Windows droppers).
    *   Conduct a supply chain audit for all third-party security software similar to Cobra DocGuard.
