The OTX pulses reveal two major active campaigns targeting software developers and technology sectors. The TroyDen Lure Factory campaign employs AI-generated lure names using biological taxonomy to distribute LuaJIT-based infostealers (Redline, LummaStealer) through GitHub packages. Simultaneously, the FAMOUS CHOLLIMA threat actor (attributed to North Korean operators) has been deploying the OtterCookie infostealer through malicious npm packages using a sophisticated dependency chain attack vector. Both campaigns aim to steal credentials and authentication tokens, with the npm campaign specifically targeting developer environments and SSH keys. These campaigns demonstrate an evolution in social engineering techniques using AI and sophisticated supply chain compromise methods.
Threat Actor / Malware Profile
TroyDen Campaign
- Distribution Method: GitHub-hosted delivery packages with AI-generated lure names using biological/medical terminology
- Payload Behavior: LuaJIT-based infostealers with two-component design using Prometheus obfuscator
- C2 Communication: Known C2 infrastructure including the host 89.169.12.241 and the ranges 213.176.73.x and 217.119.129.x
- Persistence Mechanism: Two-component payload system ensuring continued execution
- Anti-Analysis Techniques: Prometheus obfuscator and LuaJIT compilation for evasion
FAMOUS CHOLLIMA / OtterCookie Campaign
- Distribution Method: Malicious npm packages with benign wrapper functions and malicious dependencies
- Payload Behavior: OtterCookie, BeaverTail, InvisibleFerret infostealers targeting SSH keys and authentication tokens
- C2 Communication: Vercel-based C2 infrastructure
- Persistence Mechanism: NPM package installation creates persistent malware execution in developer environments
- Anti-Analysis Techniques: Heavy code obfuscation and benign wrapper packages to evade detection
Interlock Ransomware Group
- Distribution Method: Exploitation of CVE-2026-20131 (Cisco FMC zero-day)
- Payload Behavior: GHOSTKNIFE, GHOSTSABER, GHOSTBLADE malware variants with PlasmaLoader
- C2 Communication: Custom C2 infrastructure
- Persistence Mechanism: Established through software vulnerability exploitation
- Anti-Analysis Techniques: Not specified in available intelligence
IOC Analysis
The pulses provide specific IOCs in the following categories:
- IP Addresses: TroyDen campaign C2 infrastructure including 9 IPv4 addresses (eight of which are listed here):
  - 89.169.12.241, 213.176.73.80, 213.176.73.130, 217.119.129.121
  - 217.119.129.76, 94.156.154.6, 213.176.73.159, 217.119.129.118
- CVE Identifiers: 26 CVEs associated with exploited vulnerabilities, including:
  - CVE-2017-7921, CVE-2021-30952, CVE-2025-32432, CVE-2025-26399
  - CVE-2025-53521, CVE-2025-68613, CVE-2023-41974, CVE-2026-20963
  - (Note: Refer to the original pulse for the complete CVE list)
- Software Packages: Malicious npm packages (specific names restricted)
  - Use dependency chain attacks with benign wrapper packages
  - Often impersonate legitimate libraries
SOC teams should operationalize these indicators through:
- Firewall and EDR rule creation to block known malicious IPs
- Vulnerability scanning for listed CVEs
- Package integrity verification for npm and GitHub repositories
- Network traffic analysis for connections to C2 infrastructure
- Endpoint hunting for LuaJIT execution and npm package anomalies
Detection Engineering
Sigma Rules
---
title: Potential TroyDen LuaJIT-Based Infostealer Execution
id: 0c6d8f5e-3a1f-4a5e-9c3d-2b5f8e1c6d7f
status: experimental
description: Detects execution patterns consistent with TroyDen campaign's LuaJIT-based infostealers using Prometheus obfuscator
references:
    - https://otx.alienvault.com/pulse/656d8f5e3a1f4a5e9c3d2b5f/
author: Security Arsenal
date: 2026/05/15
modified: 2026/05/15
tags:
    - attack.credential_access
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\luajit.exe'
        CommandLine|contains:
            - 'prometheus'
            - '-e'
            - 'load'
    condition: selection
falsepositives:
    - Legitimate LuaJIT development environments
level: high
---
title: Malicious NPM Package Dependency Chain Attack
id: 1d7e9f6f-4b2g-5b6f-0d4e-3c6g9f2d7e0g
status: experimental
description: Detects execution of Node.js processes related to npm packages with suspicious dependency chains indicative of OtterCookie campaign
references:
    - https://otx.alienvault.com/pulse/657e9f6f4b2g5b6f0d4e3c6g/
author: Security Arsenal
date: 2026/05/15
modified: 2026/05/15
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\node.exe'
            - '\npm.cmd'
        ParentImage|contains: 'npm'
        CommandLine|contains:
            - 'install'
            - 'update'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\nodejs\'
            - '\Users\*\AppData\Roaming\npm\'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate npm package installations
level: medium
---
title: Potential C2 Communication to TroyDen Infrastructure
id: 2e8f0g7g-5c3h-6c7g-1e5f-4d7h0g3e8f1h
status: experimental
description: Detects network connections to known TroyDen C2 infrastructure
references:
    - https://otx.alienvault.com/pulse/658f0g7g5c3h6c7g1e5f4d7h/
author: Security Arsenal
date: 2026/05/15
modified: 2026/05/15
tags:
    - attack.command_and_control
    - attack.exfiltration
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|cidr:
            - '89.169.12.241/32'
            - '213.176.73.0/24'
            - '217.119.129.0/24'
            - '94.156.154.6/32'
        DestinationPort:
            - 80
            - 443
            - 8080
    condition: selection
falsepositives:
    - Legitimate connections to shared hosting infrastructure
level: high
KQL Hunt Query
// Hunt for TroyDen C2 communications, suspicious npm activity and LuaJIT execution.
// Each sub-hunt is bound to its own tabular expression and the results are unioned at the end.
let TroyDenIPs = pack_array("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118");
// Network connections to TroyDen infrastructure
let C2Hits = DeviceNetworkEvents
    | where RemoteIP in (TroyDenIPs)
    | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort
    | order by Timestamp desc
    | take 100;
// npm install/update activity that references package.json or node_modules
let NpmHits = DeviceProcessEvents
    | where ProcessCommandLine contains "npm" and (ProcessCommandLine contains "install" or ProcessCommandLine contains "update")
    | where ProcessCommandLine contains "package.json" or ProcessCommandLine contains "node_modules"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessVersionInfoOriginalFileName
    | order by Timestamp desc
    | take 100;
// LuaJIT execution patterns
let LuaHits = DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName =~ "luajit.exe" or ProcessCommandLine contains "luajit"
    | where ProcessCommandLine contains "prometheus" or ProcessCommandLine contains "-e" or ProcessCommandLine contains "load"
    | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessAccountName, ProcessVersionInfoProductName
    | order by Timestamp desc
    | take 100;
union C2Hits, NpmHits, LuaHits
| order by Timestamp desc
PowerShell IOC Hunt Script
<#
TroyDen & OtterCookie Campaign IOC Hunter
Checks for IOCs associated with the TroyDen and OtterCookie campaigns.
Run from an elevated session: reading Security event ID 4688 requires
administrator rights, and process creation auditing must be enabled.
#>
Write-Host "Starting TroyDen & OtterCookie Campaign IOC Hunter..." -ForegroundColor Cyan

# TroyDen C2 IP addresses
$troyDenIPs = @(
    "89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118"
)

# Check for active TCP connections to TroyDen IPs
function Check-TroyDenConnections {
    Write-Host "`nChecking for connections to TroyDen C2 infrastructure..." -ForegroundColor Yellow
    $connections = Get-NetTCPConnection | Where-Object {
        $troyDenIPs -contains $_.RemoteAddress
    }
    if ($connections) {
        Write-Host "ALERT: Found connections to TroyDen C2 infrastructure:" -ForegroundColor Red
        $connections | Format-Table -AutoSize
    } else {
        Write-Host "No connections to TroyDen C2 infrastructure found." -ForegroundColor Green
    }
}

# Check package.json manifests under the user profile for watchlist dependency names
function Check-SuspiciousNpmPackages {
    Write-Host "`nChecking for suspicious npm packages..." -ForegroundColor Yellow
    # Recurse through the user profile and keep manifests whose content matches
    # a watchlist name (-match is case-insensitive); @() guarantees an array
    $packageJsonFiles = @(
        Get-ChildItem -Path "$env:USERPROFILE" -Filter "package.json" -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
                $content -match "ottercookie|beavertail|koalemos"
            } |
            Select-Object -ExpandProperty FullName
    )
    if ($packageJsonFiles.Count -gt 0) {
        Write-Host "ALERT: Found suspicious npm packages:" -ForegroundColor Red
        $packageJsonFiles | ForEach-Object { Write-Host $_ -ForegroundColor Red }
    } else {
        Write-Host "No suspicious npm packages found." -ForegroundColor Green
    }
}

# Check for LuaJIT executables and recent LuaJIT process executions
function Check-LuaJitArtifacts {
    Write-Host "`nChecking for LuaJIT execution artifacts..." -ForegroundColor Yellow
    # luajit.exe in user-writable locations
    $luajitFiles = Get-ChildItem -Path "$env:USERPROFILE", "$env:APPDATA", "$env:TEMP" -Filter "luajit.exe" -Recurse -ErrorAction SilentlyContinue
    if ($luajitFiles) {
        Write-Host "ALERT: Found LuaJIT executables in user directories:" -ForegroundColor Red
        $luajitFiles | Format-Table -AutoSize
    } else {
        Write-Host "No LuaJIT executables found in user directories." -ForegroundColor Green
    }
    # Recent process creation events (Security 4688) that mention luajit
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "luajit" }
    if ($events) {
        Write-Host "ALERT: Found recent LuaJIT process executions:" -ForegroundColor Red
        $events | Format-List TimeCreated, Message
    } else {
        Write-Host "No recent LuaJIT process executions found." -ForegroundColor Green
    }
}

# Check for vulnerabilities related to the Interlock Ransomware Group
function Check-Vulnerabilities {
    Write-Host "`nChecking for system vulnerabilities related to Interlock Ransomware..." -ForegroundColor Yellow
    # Cisco FMC is an appliance; on a Windows host this only flags Cisco-related
    # services so the analyst can confirm whether FMC is present and patched
    $ciscoServices = Get-Service | Where-Object { $_.DisplayName -like "*Cisco*" }
    if ($ciscoServices) {
        Write-Host "ALERT: Found Cisco-related services. Verify if Cisco FMC is present and patched against CVE-2026-20131:" -ForegroundColor Red
        $ciscoServices | Format-Table -AutoSize
    } else {
        Write-Host "No Cisco-related services found." -ForegroundColor Green
    }
    # Simplified patch-level check: most recent hotfix older than two months
    $latestHotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latestHotfix -or $latestHotfix.InstalledOn -lt (Get-Date).AddMonths(-2)) {
        Write-Host "WARNING: System may be unpatched. Last hotfix installed on:" $latestHotfix.InstalledOn -ForegroundColor Yellow
    } else {
        Write-Host "System appears to be recently patched." -ForegroundColor Green
    }
}

# Run all checks
Check-TroyDenConnections
Check-SuspiciousNpmPackages
Check-LuaJitArtifacts
Check-Vulnerabilities
Write-Host "`nTroyDen & OtterCookie Campaign IOC Hunter completed." -ForegroundColor Cyan
Response Priorities
Immediate Actions (0-24 hours)
- Block all known TroyDen C2 IP addresses at network perimeter (9 identified IPs)
- Search endpoints for connections to TroyDen infrastructure in the past 14 days
- Implement network controls to block npm package installation from suspicious sources
- Initiate hunt for LuaJIT execution artifacts across endpoints
- Check for npm packages referencing ottercookie, beavertail, or koalemos dependencies
- Isolate any systems showing evidence of compromise
24-Hour Actions
- Verify developer credentials if system was potentially exposed to credential-stealing malware
- Rotate SSH keys and API tokens for developers with potential exposure
- Conduct detailed forensic analysis of potentially compromised systems
- Review GitHub repository access logs for unauthorized access
- Examine npm package installation logs for suspicious activity
1-Week Actions
- Implement software supply chain security controls for npm packages
- Deploy application allowlisting for LuaJIT interpreters in non-development environments
- Establish monitoring for GitHub package installations with AI-generated biological terminology
- Harden CI/CD pipelines against supply chain attacks
- Implement code signing requirements for internally developed npm packages
- Conduct security awareness training for developers on identifying malicious packages
- Review and update vulnerability management program to prioritize newly identified CVEs