Recent OTX pulse data reveals a convergence of sophisticated supply chain attacks targeting both developer ecosystems and server infrastructure. Three distinct threat actors—TroyDen, FAMOUS CHOLLIMA (North Korean nexus), and Mr_Rot13—are actively exploiting trusted platforms (GitHub, npm) and critical infrastructure vulnerabilities (cPanel) to deliver infostealers and remote access trojans (RATs).
The collective objective is credential theft, persistence within high-value environments (tech/gov/defense), and establishing SSH backdoors. The attack chains rely heavily on social engineering via AI-generated lures (TroyDen) and dependency confusion (FAMOUS CHOLLIMA), while Mr_Rot13 leverages a zero-day (CVE-2026-41940) for initial access on Linux servers.
Threat Actor / Malware Profile
TroyDen (The AI Lure Factory)
- Malware Families: LuaJIT, Redline, LummaStealer.
- Distribution: Over 300 GitHub repositories using AI-generated biological/medical taxonomy names to lure developers and gamers.
- Behavior: Two-component payload designed to evade detection. Exfiltrates browser credentials and crypto-wallet data.
FAMOUS CHOLLIMA (North Korean APT)
- Malware Families: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
- Distribution: Malicious npm packages employing a "two-layer" strategy (benign wrappers pulling malicious dependencies).
- Behavior: Steals system cookies and credentials, establishes SSH backdoors (InvisibleFerret), and uses Vercel for C2 infrastructure.
Mr_Rot13 (Infrastructure Hunter)
- Malware Families: Filemanager (Go-based RAT), Cpanel-Python.
- Distribution: Exploitation of CVE-2026-41940 (critical auth bypass) in cPanel & WHM.
- Behavior: Deploys SSH keys for persistence, drops PHP webshells, and utilizes JavaScript for credential harvesting. Uses Telegram for exfiltration.
IOC Analysis
The provided indicators span network infrastructure and payload artifacts:
- IPv4 Addresses (TroyDen C2): A cluster of 8 IPs (e.g.,
89.169.12.241,213.176.73.80) associated with LuaJIT delivery infrastructure. These should be blocked immediately at the perimeter. - Domains (Mr_Rot13 C2):
wrned.comandwpsock.comare likely used for C2 communication or payload staging. - File Hashes (MD5): 5 MD5 hashes provided for the Mr_Rot13 Go-based installer. SOC teams should scan endpoints and cloud workloads for these specific hashes.
- CVE: CVE-2026-41940 is the critical vector for Mr_Rot13. Patching is the primary mitigation, as IOCs may change rapidly.
Operationalization: Load the IPs and Domains into firewall blocklists and EDR watchlists. Use the MD5 hashes to query SIEM logs for execution events.
Detection Engineering
Sigma Rules
YAML
---
title: Potential TroyDen C2 Connection
id: 46b8f7a3-1c9d-4f12-8c3d-9e8b1a2f3c4d
description: Detects network connections to known TroyDen IP addresses associated with LuaJIT malware delivery.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp|startswith:
- '89.169.12.'
- '213.176.73.'
- '217.119.129.'
- '94.156.154.'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Mr_Rot13 Webshell and Exploitation Activity
date: 2026/05/13
id: b7a3e4c9-2d1a-4b5f-9e8c-1d2a3b4c5d6e
description: Detects potential webshell upload or cPanel exploitation indicators based on suspicious process execution.
status: experimental
author: Security Arsenal
logsource:
category: process_creation
product: linux
detection:
selection_cpanel:
Image|endswith: '/cpanel'
CommandLine|contains: 'exploit'
selection_webshell:
Image|endswith: '/python'
CommandLine|contains: 'Filemanager'
selection_network:
DestinationIp|startswith:
- '89.169.12.'
- '213.176.73.'
condition: 1 of selection_*
falsepositives:
- Legitimate cPanel administration
level: high
---
title: Suspected Npm Supply Chain Compromise (Chollima)
date: 2026/05/13
id: c1d2e3f4-5a6b-7c8d-9e0f-1a2b3c4d5e6f
description: Detects execution of suspicious node processes often associated with OtterCookie or BeaverTail malware.
status: experimental
author: Security Arsenal
logsource:
category: process_creation
product: windows
detection:
selection_node:
Image|endswith: '\node.exe'
ParentImage|endswith: '\npm.cmd'
selection_suspicious:
CommandLine|contains:
- 'otter'
- 'beaver'
- 'koalemos'
condition: all of selection_*
falsepositives:
- Legitimate development testing
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for TroyDen and Mr_Rot13 Network Indicators
let IOCs = dynamic(["89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118", "wrned.com", "wpsock.com"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, ActionType
| extend IOCHit = iff(RemoteIP in (IOCs), "IP", "Domain")
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
IOC Hunter for TroyDen, Mr_Rot13, and Chollima Activity.
.DESCRIPTION
Checks for running processes connecting to C2 IPs and presence of known file hashes.
#>
$C2_IPs = @(
"89.169.12.241", "213.176.73.80", "213.176.73.130",
"217.119.129.121", "217.119.129.76", "94.156.154.6",
"213.176.73.159", "217.119.129.118"
)
$MaliciousHashes = @(
"02a5990b11293236e01f174f5999df20", "22613c952459e65ce09fb6b5c1c03d47",
"2286f126ab4740ccf2595ad1fa0c615c", "29222f5e73dd10088fcf1204aa21f87f",
"2de27ca8d97124adaf604b18161a441e"
)
# Check Network Connections
Write-Host "Checking for active C2 connections..." -ForegroundColor Cyan
Get-NetTCPConnection | Where-Object {
$C2_IPs -contains $_.RemoteAddress
} | ForEach-Object {
$Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[PSCustomObject]@{
PID = $_.OwningProcess
ProcessName = $Process.ProcessName
RemoteAddress = $_.RemoteAddress
State = $_.State
Status = "SUSPICIOUS"
}
}
# Check File Hashes in Common Paths
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Cyan
$Paths = @("$env:TEMP", "$env:APPDATA", "C:\ProgramData", "C:\Windows\Temp")
foreach ($Path in $Paths) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -ErrorAction SilentlyContinue | Where-Object {
$MaliciousHashes -contains $_.Hash
} | ForEach-Object {
[PSCustomObject]@{
Path = $_.Path
Hash = $_.Hash
Algorithm = $_.Algorithm
Status = "MALWARE DETECTED"
}
}
}
}
# Response Priorities
* **Immediate**:
* Block all listed IPv4 addresses and domains at the firewall and proxy level.
* Identify and patch systems vulnerable to CVE-2026-41940 (cPanel).
* Scan all endpoints for the provided MD5 hashes.
* **24h**:
* Conduct a credential audit and forced password reset for developer accounts who may have interacted with suspicious GitHub or npm repositories.
* Review SSH keys on Linux servers for unauthorized entries (Mr_Rot13 persistence).
* **1 Week**:
* Implement software composition analysis (SCA) policies to block AI-generated or typosquatted packages in npm/GitHub workflows.
* Harden cPanel instances and restrict management interface access to specific source IPs.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptsupply-chaintroydenchollimacpanel-exploitinfostealer
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.