The OTX pulses reveal a coordinated surge in infostealer campaigns targeting developers and technical professionals through software supply chain attacks. These campaigns, primarily attributed to TroyDen threat actors and North Korean-linked FAMOUS CHOLLIMA, utilize multi-vector distribution channels including GitHub repositories, NuGet packages, and npm libraries. The attackers employ sophisticated tactics including AI-generated lure names, typosquatting of legitimate libraries, and social engineering around recent high-profile code leaks (Claude Code). The primary objective appears to be credential harvesting (browser credentials, SSH keys, crypto wallets) and establishing persistent access for follow-on activities including ransomware deployment. The campaigns demonstrate advanced evasion techniques including code obfuscation, legitimate process masquerading, and blockchain-based C2 infrastructure.
Threat Actor / Malware Profile
TroyDen Lure Factory
- Distribution Method: GitHub repositories with AI-generated biological/medical terminology in package names; over 300 delivery packages identified.
- Payload Behavior: LuaJIT-based infostealers with a two-component design; the first component establishes persistence, the second downloads and executes Redline and LummaStealer.
- C2 Communication: Hardcoded IPv4 addresses on non-standard ports.
- Persistence Mechanism: Registry modifications and scheduled tasks with obfuscated names.
- Anti-Analysis Techniques: Prometheus obfuscator; LuaJIT used to evade traditional signature detection; anti-VM checks.
LummaStealer (via NuGet)
- Distribution Method: Malicious NuGet packages typosquatting Chinese UI libraries (publisher account: bmrxntfj).
- Payload Behavior: .NET Reactor-protected payloads targeting browser credentials, cryptocurrency wallets, SSH keys, and local files.
- C2 Communication: Domain-based C2 via dns-providersa2.com; HTTP POST for data exfiltration.
- Persistence Mechanism: DLL sideloading through legitimate applications; registry run keys.
- Anti-Analysis Techniques: Code obfuscation using .NET Reactor; legitimate library code used as camouflage.
OtterCookie (North Korean FAMOUS CHOLLIMA)
- Distribution Method: Malicious npm packages using the "contagious interview" technique; benign wrapper packages pulling in malicious dependencies.
- Payload Behavior: Steals browser cookies and credentials; establishes an SSH backdoor for lateral movement.
- C2 Communication: Vercel-hosted C2 infrastructure, blending with legitimate traffic.
- Persistence Mechanism: Registry run keys; scheduled tasks; service creation.
- Anti-Analysis Techniques: Multi-layer obfuscation; legitimate library names reused (big.js clone).
Vidar Stealer & GhostSocks (Claude Code Lure)
- Distribution Method: Trojanized GitHub repositories exploiting interest in the Claude Code leak.
- Payload Behavior: Vidar v18.7 for credential theft; GhostSocks for proxying and C2 communication.
- C2 Communication: Direct IP connections over port 443, SSL/TLS encrypted.
- Persistence Mechanism: Registry run keys; scheduled tasks.
- Anti-Analysis Techniques: Legitimate-looking repository names; encrypted traffic.
EtherRAT & TukTuk (Ransomware Delivery)
- Distribution Method: Malicious MSI installers disguised as Sysinternals tools.
- Payload Behavior: Retrieves dynamic C2 configuration from the Ethereum blockchain via EtherHiding; uses Mimikatz for credential harvesting and NetExec for lateral movement.
- C2 Communication: C2 configuration updates delivered through Ethereum transactions; Cloudflare tunneling.
- Persistence Mechanism: WMI event subscriptions; service creation; scheduled tasks.
- Anti-Analysis Techniques: Legitimate process masquerading; blockchain-based command and control.
IOC Analysis
The pulses contain a diverse set of indicators requiring different operational approaches:
- IPv4 Addresses (14 unique IPs): Block at the network perimeter and firewall level; SOC teams should query firewall and proxy logs for any connections to these IPs. Use SIEM correlation rules to alert on connections to these IPs within 24 hours.
- Domains (2): dns-providersa2.com and g8way.io should be blocked via DNS sinkholing and added to blocklists. These domains are used for C2 communication and initial payload delivery.
- File Hashes (12 total): MD5, SHA1, and SHA256 variants. Add these to EDR/XDR blocking rules and scan for them across endpoints. Use threat intelligence platforms to automatically correlate them with execution attempts.
- URLs (5): Specific endpoints for payload delivery and C2 check-ins. Block these URLs at the proxy level and search web proxy logs for access attempts.
- CVE (1): CVE-2025-55182 requires patch verification across the enterprise. Use vulnerability management platforms to track remediation status.
- Hostnames (2): Associated with C2 infrastructure; monitor for DNS resolution and block at the perimeter.
To operationalize these indicators effectively:
- Load into SIEM for automated correlation with endpoint events
- Add to EDR/XDR blocking rules with immediate enforcement
- Implement DNS sinkholing for domain indicators
- Create firewall rules to block IP ranges
- Use threat intelligence platforms for automatic enrichment and updating
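The matching step behind these bullets is easy to get subtly wrong: defanged indicators copied from a pulse ("dns-providersa2[.]com") never equal what the proxy logged, a URL field holds a full URL rather than a host, subdomains of a C2 domain should match but look-alike suffixes ("g8way.io.example.net") should not, and hashes arrive in mixed case. The Python below is an added example, not part of the report or any vendor's tooling: it loads the domains, IPs and hashes from the IOC section above, normalises them, and runs them over a few constructed JSON log events whose field names (DeviceName, RemoteUrl, RemoteIP, SHA256, MD5) are assumed to resemble EDR network and process records.

```python
"""IOC matching over log events.

Added example (not part of the original report): the indicators below are
the domains, IP addresses and hashes listed in the IOC section; the log
events and their field names are constructed to resemble EDR/proxy records.
"""
import json
from urllib.parse import urlsplit

DOMAINS = {"dns-providersa2.com", "g8way.io"}
IPS = {
    "89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118",
    "147.45.197.92", "94.228.161.88",
}
SHA256 = {
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a",
}
MD5 = {
    "77c73bd5e7625b7f691bc00a1b561a0f", "d8256fbc62e85dae85eb8d4b49613774",
    "73ce2438d4ed475e03727b7b000d2794", "77fbe265fd65c7f7b6d323fb6de6a4fd",
    "b188fbc6ff5557767e73e4c883a553a3", "b2d51212744f404714fd909e87254d98",
    "c92cf9a1af5b1fe25cdcb8771ce52be4",
}


def refang(value):
    """Undo the defanging used in reports ('[.]', 'hxxp') so that a value
    copied from a pulse compares equal to what raw logs contain."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def host_of(value):
    """Hostname of a URL or bare host/IP, lower-cased; ports and paths dropped."""
    v = refang(str(value).strip().lower())
    if "://" not in v:
        v = "//" + v  # let urlsplit treat a bare host as a network location
    return urlsplit(v).hostname or ""


def matching_domain(host):
    """Exact or subdomain match: api.g8way.io matches g8way.io, but
    g8way.io.example.net does not (the suffix must sit on a label boundary)."""
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def check_event(event):
    """Return a list of (indicator_type, indicator) pairs matched by one event."""
    hits = []
    if "RemoteUrl" in event:
        d = matching_domain(host_of(event["RemoteUrl"]))
        if d:
            hits.append(("domain", d))
    if "RemoteIP" in event:
        ip = refang(str(event["RemoteIP"]).strip())
        if ip in IPS:
            hits.append(("ipv4", ip))
    for field, table in (("SHA256", SHA256), ("MD5", MD5)):
        if field in event and str(event[field]).lower() in table:
            hits.append((field.lower(), str(event[field]).lower()))
    return hits


def scan(lines):
    """Parse JSON log lines and return one record per event that matched."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        hits = check_event(event)
        if hits:
            results.append({"device": event.get("DeviceName", "?"), "hits": hits})
    return results


# Constructed sample events (not real telemetry); 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = [
    json.dumps({"DeviceName": "DEV-WS01", "RemoteUrl": "https://api.dns-providersa2.com/upload", "RemoteIP": "203.0.113.10"}),
    json.dumps({"DeviceName": "DEV-WS02", "RemoteUrl": "https://github.com/example/repo", "RemoteIP": "213[.]176[.]73[.]80"}),
    json.dumps({"DeviceName": "DEV-WS03", "FileName": "setup.exe", "SHA256": "019E6C2CF58386039133981F3377B085FBD70C98AE8613C7C6A4F10A9F2D9824"}),
    json.dumps({"DeviceName": "DEV-WS04", "RemoteUrl": "https://g8way.io.example.net/", "RemoteIP": "192.0.2.5"}),
    "not json at all",
]

if __name__ == "__main__":
    for record in scan(SAMPLE_LOG):
        print(record["device"], record["hits"])
```

Only the first three constructed events are reported: DEV-WS04 contacts a host that merely starts with the C2 domain, and the malformed line is skipped. In production the same normalisation belongs on the indicator side when pulses are ingested, so that the hot path compares clean values against clean values.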
Detection Engineering
```yaml
title: Suspicious GitHub Repository Cloning with AI-Generated Lure Names
id: 65b8e8d3-92c4-4536-8a23-c7f1d9e5a8b2
description: Detects cloning of GitHub repositories with biological/medical terminology often used by TroyDen Lure Factory for malware delivery
author: Security Arsenal
date: 2026/05/14
status: stable
tags:
    - attack.initial_access
    - attack.resource_development
    - attack.t1583.001
    - attack.t1190
references:
    - https://otx.alienvault.com/pulse/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\git.exe'
            - '\git-remote-https.exe'
        CommandLine|contains|all:
            - 'clone'
            - 'https://github.com/'
    filter_legit:
        ParentImage|contains:
            - '\Visual Studio\'
            - '\JetBrains\'
            - '\Microsoft VS Code\'
    selection_lure:
        CommandLine|contains:
            - 'bacteria'
            - 'virus'
            - 'pathogen'
            - 'taxonomy'
            - 'medical'
            - 'biological'
            - 'microbe'
    condition: selection and not filter_legit and selection_lure
falsepositives:
    - Legitimate biology or medical research projects
level: high
```

```yaml
title: Suspicious NuGet Package Installation with C2 Communication
id: a4d2c7f1-8e5b-4239-8b6a-2c5d4e8f9a1b
description: Detects installation of NuGet packages from the suspicious publisher account, or script hosts referencing the LummaStealer C2 domain on the command line
author: Security Arsenal
date: 2026/05/14
status: stable
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1059.001
    - attack.t1071.001
references:
    - https://otx.alienvault.com/pulse/
logsource:
    category: process_creation
    product: windows
detection:
    selection_nuget:
        Image|endswith: '\nuget.exe'
        CommandLine|contains: 'install'
    selection_suspicious:
        CommandLine|contains:
            - 'bmrxntfj'
    selection_network:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\node.exe'
        # the domain alone is the indicator; generic words such as 'upload' or
        # 'check' would match ordinary command lines and are not used here
        CommandLine|contains: 'dns-providersa2.com'
    condition: (selection_nuget and selection_suspicious) or selection_network
falsepositives:
    - Legitimate NuGet operations (rare)
level: high
```

```yaml
title: PowerShell Download from Vercel and GitHub Associated with North Korean Infostealers
id: c5e3d8f2-9f6c-4347-9c7b-3d6e5f9a0b2c
description: Detects PowerShell downloading from Vercel or GitHub infrastructure associated with OtterCookie and North Korean campaigns
author: Security Arsenal
date: 2026/05/14
status: stable
tags:
    - attack.initial_access
    - attack.execution
    - attack.command_and_control
    - attack.t1059.001
    - attack.t1102
references:
    - https://otx.alienvault.com/pulse/
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'iwr'
            - 'Invoke-RestMethod'
            - 'irm'
            - 'DownloadString'
            - 'DownloadFile'
    selection_c2:
        CommandLine|contains:
            - 'vercel.app'
            - 'github.com'
    selection_suspicious_patterns:
        CommandLine|contains:
            - 'big.js'
            - 'ottercookie'
            - 'beavertail'
            - 'koalemos'
            - 'invisibleferret'
    condition: selection_powershell and selection_c2 and selection_suspicious_patterns
falsepositives:
    - Legitimate Vercel/GitHub operations (rare)
level: high
```
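Rules like the ones above are worth unit-testing before they ship: a `not filter` that never applies because the parent-image field is missing, or a `contains|all` that was meant as `contains`, only shows up when the rule is run against concrete events. The Python below is an added example, not the report's tooling or a Sigma project component: it is a deliberately small evaluator covering only the modifiers these rules use (endswith, startswith, contains, contains|all) and conditions built from and/or/not and parentheses, with the first rule's detection block transcribed into a dict and three constructed process-creation events.

```python
"""Unit-testing a process_creation Sigma rule against constructed events.

Added example, not the report's own tooling: a deliberately small evaluator
for the modifiers the rules above use (endswith, startswith, contains,
contains|all) and conditions built from and/or/not and parentheses.
RULE1_DETECTION is the detection block of the first rule above; the
events are constructed.
"""
import re

RULE1_DETECTION = {
    "selection": {
        "Image|endswith": ["\\git.exe", "\\git-remote-https.exe"],
        "CommandLine|contains|all": ["clone", "https://github.com/"],
    },
    "filter_legit": {
        "ParentImage|contains": ["\\Visual Studio\\", "\\JetBrains\\", "\\Microsoft VS Code\\"],
    },
    "selection_lure": {
        "CommandLine|contains": ["bacteria", "virus", "pathogen", "taxonomy",
                                 "medical", "biological", "microbe"],
    },
    "condition": "selection and not filter_legit and selection_lure",
}


def match_field(value, modifiers, patterns):
    """Sigma string matching is case-insensitive; 'all' turns the list from OR into AND."""
    v = str(value).lower()
    pats = [str(p).lower() for p in patterns]
    if "endswith" in modifiers:
        tests = [v.endswith(p) for p in pats]
    elif "startswith" in modifiers:
        tests = [v.startswith(p) for p in pats]
    elif "contains" in modifiers:
        tests = [p in v for p in pats]
    else:
        tests = [v == p for p in pats]
    return all(tests) if "all" in modifiers else any(tests)


def match_selection(selection, event):
    """All fields of a selection must match (map entries are AND-ed); a field
    absent from the event never matches, which matters for filter selections."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not match_field(event[field], modifiers, patterns):
            return False
    return True


def evaluate_condition(condition, results):
    """Recursive-descent evaluation of 'a and not b or (c and d)' over
    per-selection booleans; 'not' binds tightest, then 'and', then 'or'."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def primary():
        tok = take()
        if tok == "(":
            value = disjunction()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return value
        if tok == "not":
            return not primary()
        if tok not in results:
            raise ValueError(f"unknown selection {tok!r}")
        return results[tok]

    def conjunction():
        value = primary()
        while peek() == "and":
            take()
            rhs = primary()
            value = value and rhs
        return value

    def disjunction():
        value = conjunction()
        while peek() == "or":
            take()
            rhs = conjunction()
            value = value or rhs
        return value

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(detection, event):
    """True when the rule's condition holds for this event."""
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return evaluate_condition(detection["condition"], results)


# Constructed process_creation events (paths and repository names are made up)
LURE_CLONE = {"Image": "C:\\Program Files\\Git\\cmd\\git.exe",
              "CommandLine": "git clone https://github.com/example/bacteria-taxonomy-tool",
              "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
IDE_CLONE = dict(LURE_CLONE, ParentImage="C:\\Program Files\\Microsoft VS Code\\Code.exe")
PLAIN_CLONE = dict(LURE_CLONE, CommandLine="git clone https://github.com/example/build-tools")
```

Running the three events through `rule_matches` gives true, false, false: the lure clone fires, the same clone launched from VS Code is suppressed by `filter_legit`, and a clone without a lure word does not fire. The evaluator does not implement `1 of selection_*`, regular-expression modifiers or aggregation, so it is a test aid for rules of this shape rather than a replacement for a Sigma backend.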
```kql
// Hunt for connections to known C2 infrastructure from OTX pulses.
// has_any is used for the domains so that subdomains and full URLs in RemoteUrl match.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("dns-providersa2.com", "g8way.io")
    or RemoteIP in ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
                    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118",
                    "147.45.197.92", "94.228.161.88")
| summarize count() by DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| sort by count_ desc
| extend Alert = "Known C2 Infrastructure Contact"
```

```kql
// Hunt for file executions matching the pulse hashes
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in ("019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
                   "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
                   "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
                   "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
                   "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a")
    or MD5 in ("77c73bd5e7625b7f691bc00a1b561a0f", "d8256fbc62e85dae85eb8d4b49613774",
               "73ce2438d4ed475e03727b7b000d2794", "77fbe265fd65c7f7b6d323fb6de6a4fd",
               "b188fbc6ff5557767e73e4c883a553a3", "b2d51212744f404714fd909e87254d98",
               "c92cf9a1af5b1fe25cdcb8771ce52be4")
| summarize count() by DeviceName, FileName, SHA256, MD5, ProcessCommandLine
| sort by count_ desc
| extend Alert = "Known Malware Hash Execution"
```

```kql
// Hunt for PowerShell download cmdlets whose command line references C2 infrastructure
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "Invoke-RestMethod", "irm")
| where ProcessCommandLine has_any ("dns-providersa2.com", "g8way.io",
                                    "vercel.app", "rti.cargomanbd.com")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend Alert = "Suspicious PowerShell C2 Activity"
```
```powershell
# PowerShell IOC Hunt Script for Infostealer Campaign Detection
# Checks for registry artifacts, file paths, and network connections
# associated with malware families in OTX pulses
Write-Host "Running Infostealer Campaign IOC Hunt..." -ForegroundColor Yellow

# Check for suspicious scheduled tasks: generic-looking names whose action is a
# script host launching a download cmdlet. Actions can be a list, so each -match
# is parenthesised; an empty result array is treated as false.
Write-Host "`nChecking for suspicious scheduled tasks..." -ForegroundColor Cyan
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -match "update|windows|system|service" -and
    ($_.Actions.Execute -match "powershell|pwsh|cmd|mshta") -and
    ($_.Actions.Arguments -match "iwr|irm|invoke-webrequest|downloadstring")
}
if ($suspiciousTasks) {
    Write-Host "Found suspicious scheduled tasks:" -ForegroundColor Red
    $suspiciousTasks | Format-List TaskName, Actions, State
} else {
    Write-Host "No suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for persistence in registry run keys
Write-Host "`nChecking persistence registry keys..." -ForegroundColor Cyan
$runKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Properties Get-ItemProperty adds to every result; they are not run-key values
$psProperties = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")
$suspiciousRunEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($psProperties -contains $prop.Name) { continue }
        $value = [string]$prop.Value
        if ($value -match "powershell|pwsh|cmd|mshta" -and
            $value -match "iwr|irm|invoke-webrequest|downloadstring|dns-providersa2") {
            [PSCustomObject]@{ Key = $key; ValueName = $prop.Name; Value = $value }
        }
    }
}
if ($suspiciousRunEntries) {
    Write-Host "Found suspicious registry run entries:" -ForegroundColor Red
    $suspiciousRunEntries | Format-Table -AutoSize
} else {
    Write-Host "No suspicious registry run entries found." -ForegroundColor Green
}

# Check for connections to known C2 infrastructure
Write-Host "`nChecking for active network connections to C2 infrastructure..." -ForegroundColor Cyan
$c2IPs = @("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
           "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118",
           "147.45.197.92", "94.228.161.88")
$suspiciousConnections = Get-NetTCPConnection | Where-Object {
    $c2IPs -contains $_.RemoteAddress
} | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        State         = $_.State
        ProcessName   = if ($process) { $process.ProcessName } else { "Unknown" }
        ProcessID     = $_.OwningProcess
        ProcessPath   = if ($process) { $process.Path } else { "Unknown" }
    }
}
if ($suspiciousConnections) {
    Write-Host "Found active connections to C2 infrastructure:" -ForegroundColor Red
    $suspiciousConnections | Format-Table -AutoSize
} else {
    Write-Host "No active connections to C2 infrastructure found." -ForegroundColor Green
}

# Check for file artifacts related to malware families: recently written scripts
# in TEMP or the Startup folder that reference the C2 domains or download cmdlets
Write-Host "`nChecking for suspicious file artifacts..." -ForegroundColor Cyan
$suspiciousPaths = @(
    "$env:TEMP\*.js",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\*.vbs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk"
)
$suspiciousFiles = foreach ($path in $suspiciousPaths) {
    if (Test-Path $path) {
        Get-ChildItem $path -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
            Where-Object {
                $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
                $content -match "dns-providersa2|g8way\.io|Invoke-WebRequest|iwr|irm"
            }
    }
}
if ($suspiciousFiles) {
    Write-Host "Found suspicious file artifacts:" -ForegroundColor Red
    $suspiciousFiles | Format-Table FullName, LastWriteTime, Length -AutoSize
} else {
    Write-Host "No suspicious file artifacts found." -ForegroundColor Green
}

Write-Host "`nHunt complete." -ForegroundColor Yellow
```
Response Priorities
Immediate Actions (0-4 hours):
- Block all identified IPv4 addresses at network perimeter firewalls
- Implement DNS sinkholing for dns-providersa2.com and g8way.io
- Deploy file hash blocking rules for all SHA256/MD5 indicators across EDR/XDR
- Hunt for active connections to C2 infrastructure and isolate affected endpoints
- Verify patch status for CVE-2025-55182 and apply if missing
24-Hour Actions:
- If credential-stealing malware (Lumma, OtterCookie, Vidar) is confirmed, initiate identity verification processes for all privileged accounts
- Rotate credentials for accounts that may have been compromised based on access patterns
- Conduct forensic analysis of affected systems to determine scope of data exfiltration
- Review and potentially reset SSH keys and authentication tokens used by developers
- Implement additional monitoring for cryptocurrency wallet activities in affected environments
1-Week Actions:
- Architect software supply chain security controls for GitHub, NuGet, and npm usage
- Implement code signing verification requirements for internal packages
- Deploy package repository scanning tools with malware detection capabilities
- Review and restrict developer tool permissions to prevent unauthorized package installations
- Conduct security awareness training focused on AI-generated lure detection and social engineering
- Implement zero-trust network controls for development environments
- Establish behavioral baselines for developer workstations to detect anomalous activity
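Both the NuGet typosquats in the LummaStealer campaign and the OtterCookie big.js clone rely on a dependency name that is almost, but not quite, a well-known one. A repository scanning control does not need a full malware sandbox to catch that class: comparing each manifest entry against an allow-list of names the organisation actually uses, and flagging anything one edit or one punctuation change away from an allowed name, is cheap and runs in CI. The Python below is an added example, not the report's or any package registry's code; the allow-list and the manifest are constructed, and big.js is the only name in them that the report itself mentions.

```python
"""Typosquat check for a dependency manifest.

Added example (not the page's or any project's code): the allow-list of
known package names and the manifest are constructed; 'big.js' is the one
name the report mentions as cloned by the OtterCookie packages.
"""
import re

KNOWN_PACKAGES = {"big.js", "lodash", "express", "axios", "minimist"}
REASON_VARIANT = "punctuation/case variant of a known package"
REASON_ONE_EDIT = "one edit away from a known package"
REASON_SCOPE = "scoped package reusing a known unscoped name"


def normalize(name):
    """Strip everything but letters and digits so big.js, big-js and BigJS compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1 (so 'lodahs' is 1 from 'lodash')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def unscoped(name):
    """'@scope/pkg' -> 'pkg'; scoped names are compared on their package part."""
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name


def check_dependency(name, known=KNOWN_PACKAGES):
    """Return (known_name, reason) if name looks like a typosquat of an
    allow-listed package, else None. Names that are simply unknown are not
    flagged here; that is an allow-list decision, not a typosquat signal."""
    if name in known:
        return None
    candidate = unscoped(name).lower()
    if candidate in known:
        return (candidate, REASON_SCOPE)
    for k in sorted(known):
        if normalize(k) == normalize(candidate):
            return (k, REASON_VARIANT)
    for k in sorted(known):
        if osa_distance(candidate, k.lower()) == 1:
            return (k, REASON_ONE_EDIT)
    return None


def scan_manifest(dependencies, known=KNOWN_PACKAGES):
    """Map each suspicious dependency name to its (known_name, reason)."""
    flagged = {}
    for name in dependencies:
        result = check_dependency(name, known)
        if result:
            flagged[name] = result
    return flagged


# Constructed manifest excerpt: a package.json-style dependency map
SAMPLE_DEPENDENCIES = {
    "big.js": "6.2.1",     # legitimate
    "bigjs": "1.0.0",      # punctuation variant of big.js
    "lodahs": "4.17.21",   # transposition of lodash
    "axois": "1.0.0",      # transposition of axios
    "express": "4.18.2",   # legitimate
    "react": "18.2.0",     # not allow-listed, but not close to anything that is
}

if __name__ == "__main__":
    for name, (known, reason) in scan_manifest(SAMPLE_DEPENDENCIES).items():
        print(f"{name}: {reason} ({known})")
```

On the constructed manifest this flags bigjs, lodahs and axois and leaves react alone. Two design points matter in practice: the allow-list should be the set of packages the organisation has deliberately approved rather than "everything popular", otherwise the one-edit rule fires on unrelated real packages; and the check belongs on the full dependency tree (lockfile), not just direct dependencies, because the OtterCookie wrappers were benign themselves and pulled the malicious package in transitively.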