Recent intelligence pulses indicate a surge in supply chain attacks against the technology sector, specifically developers and software supply chain infrastructure. Three separate campaigns are tracked here.
The TroyDen threat actor is distributing infostealers (LummaStealer, Redline) through a LuaJIT-based loader hosted in over 300 malicious GitHub repositories. The repositories carry AI-generated names drawn from obscure biological taxonomy so that they pass as legitimate projects to developers and gamers. Separately, the North Korean threat actor FAMOUS CHOLLIMA is running a campaign across the npm registry, delivering the OtterCookie infostealer through obfuscated packages as part of its "Contagious Interview" activity, in which targets are lured through fake job interviews into running attacker-supplied code; the packages clone legitimate libraries and pull the malicious code in as a dependency.
In parallel, the Interlock Ransomware Group is exploiting a critical zero-day vulnerability (CVE-2026-20131) in Cisco Firepower Management Center (FMC), alongside older CVEs (CVE-2021-30952, CVE-2023-41974), to deploy the GHOSTSABER and PlasmaLoader payloads. The objective across all three is credential theft and initial access to enterprise environments, with Interlock following up with ransomware deployment.
Threat Actor / Malware Profile
TroyDen (Lure Factory)
- Malware Families: Redline, LummaStealer. LuaJIT is the interpreter the loader runs under, not a malware family in its own right.
- Distribution Method: GitHub repositories hosting malicious packages. Uses AI-generated lure names (biological/medical terms) to appear legitimate.
- Payload Behavior: Two-component payload design. Uses Prometheus obfuscator to evade analysis. Targets crypto wallets, browser credentials, and session data.
- C2 Communication: Connects to hard-coded IPv4 infrastructure (see IOCs) for data exfiltration.
FAMOUS CHOLLIMA (OtterCookie Campaign)
- Malware Families: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
- Distribution Method: Typosquatting and dependency confusion on npm. Benign-looking wrapper packages clone legitimate libraries (e.g., big.js) and declare the malicious package as a dependency, so the payload is pulled in transitively and the package a developer actually inspects looks clean.
- Payload Behavior: The malicious payload establishes an SSH backdoor (InvisibleFerret) and steals credentials (OtterCookie). Utilizes Vercel infrastructure for C2.
- Persistence: Scheduled tasks and SSH key manipulation.
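The wrapper pattern described above is easy to miss if you only review the package you were asked to install. The following Node script is an added example, not code from the original bulletin or from the actors it describes. It audits a dependency tree (a map of package name to package.json contents, as you would collect from node_modules) for three traits of this campaign: install-time lifecycle scripts, names within two keystrokes of a well-known library, and clean-looking packages whose single dependency is the one carrying the findings. The TRUSTED allowlist and SAMPLE_TREE are constructed for illustration.

```javascript
// Added example (not code from the original bulletin or from the actors it
// describes): audits an npm dependency tree for the traits the OtterCookie
// campaign relies on. TRUSTED and SAMPLE_TREE are constructed for illustration.

// Assumption: your own allowlist of libraries whose names are worth imitating.
const TRUSTED = ['big.js', 'lodash', 'express', 'axios', 'chalk'];
// npm runs these hooks during `npm install`, before any code is ever imported.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];
// Things an install script rarely needs: inline node, a shell, a download, encoding.
const SHELL_HINTS = /(\bnode\s+-e\b|powershell|cmd(\.exe)?\s*\/c|\bcurl\b|\bwget\b|base64|eval\()/i;

// Levenshtein distance, so "lodahs" or "bigg.js" land within 2 edits of a trusted name.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(
        d[i - 1][j] + 1,                                   // deletion
        d[i][j - 1] + 1,                                   // insertion
        d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1), // substitution
      );
    }
  }
  return d[a.length][b.length];
}

// The trusted name a package name imitates, or null if it is trusted itself or not close to one.
function typosquatTarget(name) {
  if (TRUSTED.includes(name)) return null;
  return TRUSTED.find((t) => editDistance(name, t) <= 2) || null;
}

// Findings for one package.json object on its own (no dependency walk).
function auditOne(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE) {
    if (!scripts[hook]) continue;
    const sev = SHELL_HINTS.test(scripts[hook]) ? 'HIGH' : 'MEDIUM';
    findings.push(`${sev}: ${hook} script runs at install time: ${scripts[hook]}`);
  }
  const target = typosquatTarget(pkg.name);
  if (target) findings.push(`HIGH: name "${pkg.name}" is within 2 edits of trusted "${target}"`);
  return findings;
}

// Walks the tree (name -> package.json) from a root and charges each finding to
// the package that pulled it in, so a clean-looking wrapper is still surfaced.
function auditTree(tree, rootName) {
  const report = {};
  const seen = new Set();
  function walk(name) {
    if (seen.has(name)) return;
    seen.add(name);
    const pkg = tree[name];
    if (!pkg) { report[name] = ['MEDIUM: not present in tree (unresolved dependency)']; return; }
    const own = auditOne(pkg);
    report[name] = own.slice();
    const deps = Object.keys(pkg.dependencies || {});
    for (const dep of deps) {
      walk(dep);
      const depFindings = report[dep] || []; // empty while a cycle is still being walked
      if (depFindings.length === 0) continue;
      report[name].push(`HIGH: pulls in flagged dependency "${dep}" (${depFindings.length} finding(s))`);
      if (own.length === 0 && deps.length === 1) {
        report[name].push(`HIGH: looks like a wrapper: clean itself, single dependency "${dep}"`);
      }
    }
  }
  walk(rootName);
  return report;
}

// Constructed sample tree. "big-js-utils" mimics big.js and has nothing wrong
// with it on paper; its only dependency carries the install-time payload.
// "lodahs" is two keystrokes from lodash.
const SAMPLE_TREE = {
  'my-app': { name: 'my-app', version: '1.0.0', dependencies: { 'big-js-utils': '^1.0.0', lodahs: '^4.17.0' } },
  'big-js-utils': { name: 'big-js-utils', version: '1.0.2', main: 'index.js', dependencies: { 'bigjs-helper': '^0.1.0' } },
  'bigjs-helper': { name: 'bigjs-helper', version: '0.1.3',
    scripts: { postinstall: 'node -e "eval(Buffer.from(process.env.P, \'base64\').toString())"' } },
  lodahs: { name: 'lodahs', version: '4.17.0', main: 'lodash.js' },
};

for (const [name, findings] of Object.entries(auditTree(SAMPLE_TREE, 'my-app'))) {
  console.log(`${name}: ${findings.length ? '' : 'clean'}`);
  for (const f of findings) console.log(`  - ${f}`);
}
```

Run it against a real tree by building the map from each node_modules/<name>/package.json. The severity labels are a starting point: a MEDIUM lifecycle script in a package you already trust is normal, while a HIGH "pulls in flagged dependency" on a package that was added this week is what you escalate.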
Interlock Ransomware Group
- Malware Families: GHOSTKNIFE, GHOSTSABER, GHOSTBLADE, PlasmaLoader, PLASMAGRID.
- Distribution Method: Exploitation of vulnerabilities, primarily Cisco FMC Zero-Day (CVE-2026-20131).
- Payload Behavior: Custom loaders (PlasmaLoader) used to deploy ransomware and move laterally.
- Anti-Analysis: Heavy obfuscation of the loaders; rotating across several unrelated CVEs for initial access also means no single exploit signature covers the group's intrusions.
IOC Analysis
The provided intelligence includes specific network indicators and CVE references that require immediate attention:
- IPv4 Addresses (TroyDen C2): A block of 8 IP addresses associated with the LuaJIT infostealer campaign. SOC teams should treat any outbound connection to these IPs as critical alerts.
- CVEs (Interlock and the wider landscape): A mix of new critical vulnerabilities (2026) and older, actively exploited ones (2021, 2023, 2025).
Operational Guidance:
- SOC Automation: Ingest the listed IPv4 addresses into firewall blocklists and EDR telemetry rules immediately.
- Vulnerability Management: Prioritize patching for CVE-2026-20131 (Cisco FMC) and CVE-2025-53521.
- Tooling: Use SIEM correlations to detect node.exe (the process npm actually runs in on Windows) spawning PowerShell or cmd.exe, the pattern an install-time script from a malicious npm package produces in the OtterCookie attack chain.
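When the IP list is pushed into EDR or SIEM rules, match on the whole address. The following Node script is an added example, not code from the original bulletin: it applies the TroyDen C2 list to connection records with exact matching after normalising the address (port suffix, IPv4-mapped IPv6 form, leading zeros), and keeps a substring matcher alongside purely to show the false positives a "contains"-style rule produces. The records are constructed; the field names follow the Sysmon-style fields used in the Sigma rules below.

```javascript
// Added example (not code from the original bulletin): applies the TroyDen C2
// list to connection records with exact address matching and shows what a
// substring match gets wrong. Records are constructed; field names follow the
// Sysmon-style fields used in the Sigma rules on this page.

const TROYDEN_C2 = new Set([
  '89.169.12.241', '213.176.73.80', '213.176.73.130', '217.119.129.121',
  '217.119.129.76', '94.156.154.6', '213.176.73.159', '217.119.129.118',
]);

// Canonical dotted-quad for the common ways an address shows up in telemetry:
// "1.2.3.4", "1.2.3.4:443", "::ffff:1.2.3.4", "010.2.3.4". Anything else -> null.
function normalizeIPv4(raw) {
  let s = String(raw).trim();
  if (s.toLowerCase().startsWith('::ffff:')) s = s.slice(7);
  s = s.split(':')[0];
  const parts = s.split('.');
  if (parts.length !== 4) return null;
  if (!parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.map((p) => String(Number(p))).join('.');
}

// Exact membership test: what DestinationIp / RemoteIP matching should do.
function isC2(ip) {
  const n = normalizeIPv4(ip);
  return n !== null && TROYDEN_C2.has(n);
}

// The substring test a `|contains` modifier performs, kept only for comparison:
// '94.156.154.6' is a substring of 94.156.154.60 and of 194.156.154.6.
function isC2Substring(ip) {
  const s = String(ip);
  for (const c2 of TROYDEN_C2) if (s.includes(c2)) return true;
  return false;
}

// Runs the exact test over an array of connection records and returns alerts.
function hunt(records) {
  const alerts = [];
  for (const r of records) {
    if (!isC2(r.DestinationIp)) continue;
    alerts.push({
      host: r.Computer, pid: r.ProcessId, image: r.Image,
      dst: normalizeIPv4(r.DestinationIp), port: r.DestinationPort,
    });
  }
  return alerts;
}

// Records the substring test flags that the exact test does not.
function substringFalsePositives(records) {
  return records.filter((r) => isC2Substring(r.DestinationIp) && !isC2(r.DestinationIp));
}

// Constructed sample: two true hits (one in IPv4-mapped form), two near-miss addresses.
const SAMPLE = [
  { Computer: 'DEV-WS-07', ProcessId: 4120, Image: 'C:\\Users\\dev\\AppData\\Local\\Temp\\luajit.exe', DestinationIp: '94.156.154.6', DestinationPort: 443 },
  { Computer: 'DEV-WS-07', ProcessId: 1188, Image: 'C:\\Program Files\\Mozilla Firefox\\firefox.exe', DestinationIp: '94.156.154.60', DestinationPort: 443 },
  { Computer: 'BUILD-01', ProcessId: 772, Image: 'C:\\Windows\\System32\\svchost.exe', DestinationIp: '194.156.154.6', DestinationPort: 80 },
  { Computer: 'BUILD-01', ProcessId: 9020, Image: 'C:\\Tools\\luajit.exe', DestinationIp: '::ffff:213.176.73.159', DestinationPort: 8080 },
];

for (const a of hunt(SAMPLE)) console.log(`[ALERT] ${a.host} pid ${a.pid} ${a.image} -> ${a.dst}:${a.port}`);
for (const r of substringFalsePositives(SAMPLE)) console.log(`[substring-only match, not a hit] ${r.DestinationIp}`);
```

On the constructed sample the exact matcher raises two alerts and the substring matcher would have raised four; the two extra ones (94.156.154.60 and 194.156.154.6) are exactly the kind of neighbouring address a critical-severity rule cannot afford to fire on.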
Detection Engineering
Sigma Rules
```yaml
---
title: Potential TroyDen C2 Infrastructure Connection
id: 8d8f9a1b-2c3d-4e5f-8a9b-0c1d2e3f4a5b
status: experimental
description: Detects outbound network connections to known TroyDen C2 infrastructure associated with the LuaJIT-based infostealer campaign. The match is on the whole destination address; a contains-style match would also fire on neighbouring addresses such as 94.156.154.60.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-05-14
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationIp:
      - '89.169.12.241'
      - '213.176.73.80'
      - '213.176.73.130'
      - '217.119.129.121'
      - '217.119.129.76'
      - '94.156.154.6'
      - '213.176.73.159'
      - '217.119.129.118'
  condition: selection
falsepositives:
  - Unlikely
level: critical
---
title: Suspicious npm Lifecycle Script Spawning a Shell (OtterCookie)
id: a1b2c3d4-e5f6-7890-a1b2-c3d4e5f6a7b8
status: experimental
description: Detects node.exe running the npm or npx CLI and spawning a shell (cmd/powershell/pwsh), the pattern an install-time script from a malicious npm package produces. On Windows npm itself runs inside node.exe (npm.cmd only bootstraps it), so node.exe is the parent to watch.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-05-14
tags:
  - attack.execution
  - attack.t1059
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\node.exe'
    ParentCommandLine|contains:
      - 'npm-cli.js'
      - 'npx-cli.js'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\pwsh.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate build scripts and postinstall hooks; baseline per build host and tune on the child command line
level: medium
---
title: LuaJIT Interpreter Executing Scripts
id: f1e2d3c4-b5a6-9876-5f4e-3d2c1b0a9f8e
status: experimental
description: Detects execution of the LuaJIT interpreter (luajit.exe) with a .lua script argument, the runtime TroyDen uses to run obfuscated infostealer payloads.
references:
  - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-05-14
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\luajit.exe'
    CommandLine|contains: '.lua'
  condition: selection
falsepositives:
  - Legitimate use of LuaJIT by developers or games
level: medium
```
KQL (Microsoft Sentinel)
```kusto
// Hunt for connections to TroyDen C2 infrastructure (exact match on the remote address)
let TroyDenC2 = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (TroyDenC2)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc

// Hunt for OtterCookie-style npm behaviour: node.exe running the npm/npx CLI spawns a shell
// (npm.exe does not exist on Windows; npm.cmd hands off to node.exe)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "node.exe"
| where InitiatingProcessCommandLine has_any ("npm-cli.js", "npx-cli.js")
| where FileName in~ ("powershell.exe", "cmd.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
```
PowerShell
```powershell
# IOC hunt script for TroyDen network activity and LuaJIT processes.
# Run elevated so that owning-process paths resolve for all sessions.
$C2_IPs = @(
    "89.169.12.241",
    "213.176.73.80",
    "213.176.73.130",
    "217.119.129.121",
    "217.119.129.76",
    "94.156.154.6",
    "213.176.73.159",
    "217.119.129.118"
)

Write-Host "Checking for active network connections to TroyDen C2 IPs..." -ForegroundColor Yellow
# Only established sessions carry a real remote address; Listen entries report 0.0.0.0 / ::.
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($ip in $C2_IPs) {
    # $matches is a PowerShell automatic variable (regex results), so use a different name.
    $hits = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($hits) {
        Write-Host "[ALERT] Connection found to C2 IP: $ip" -ForegroundColor Red
        $hits |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
                @{ Name = 'ProcessPath'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Path } } |
            Format-Table -AutoSize
    }
}

Write-Host "Checking for LuaJIT processes..." -ForegroundColor Yellow
$luajit = Get-Process -Name "luajit" -ErrorAction SilentlyContinue
if ($luajit) {
    Write-Host "[ALERT] LuaJIT process detected!" -ForegroundColor Red
    $luajit | Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize
}
```
Response Priorities
- Immediate: Block all identified TroyDen C2 IPv4 addresses at the perimeter firewall. Investigate any active network sessions to these IPs. Quarantine systems found running luajit.exe outside of known development environments.
- 24h: Conduct a credential audit for developers who may have interacted with suspicious GitHub repositories or npm packages. Rotate API keys and SSH keys linked to affected accounts, given the OtterCookie credential theft and InvisibleFerret SSH backdoor, and review authorized_keys files and scheduled tasks on developer hosts for the persistence described above.
- 1 week: Implement software composition analysis (SCA) controls for npm and GitHub package ingestion. Apply the Cisco FMC patch for CVE-2026-20131 and review logs for exploitation attempts against the listed CVEs.