Threat Summary
The latest OTX pulse data for 2026-05-11 reveals a coordinated surge in credential theft campaigns leveraging advanced evasion tactics and supply chain compromises. The primary threat landscape is dominated by the TroyDen "Lure Factory" operation, which utilizes AI-generated biological taxonomy to lure developers and gamers into executing LuaJIT-based payloads (Redline, LummaStealer).
Simultaneously, a critical supply chain attack targeting the .NET ecosystem has been identified, where malicious NuGet packages impersonate Chinese UI libraries to deliver Quantum, Lumma, and AgentRacoon stealers. On the infrastructure side, the elusive Mr_Rot13 group is actively exploiting CVE-2026-41940 in cPanel to establish persistence via SSH backdoors and webshells, specifically targeting Government and Defense sectors.
The collective objective of these campaigns is the wholesale theft of browser credentials, cryptocurrency wallets, and SSH keys, facilitated by the emergence of Remus, a new 64-bit variant of Lumma Stealer using EtherHiding for C2 communication.
Threat Actor / Malware Profile
TroyDen (Lure Factory)
- Malware Families: LuaJIT, Redline, LummaStealer
- Distribution Method: GitHub repositories utilizing over 300 delivery packages. Filenames use AI-generated obscure biological/medical terms to appear legitimate.
- Payload Behavior: Two-component design often obfuscated with Prometheus obfuscator. Targeting developers (GitHub), gamers (Roblox), and crypto users.
Supply Chain Actors (NuGet)
- Malware Families: Lumma, Quantum, AgentRacoon, ArrowRAT
- Distribution Method: Typosquatting of legitimate Chinese UI libraries on NuGet (account: bmrxntfj). Uses .NET Reactor for payload protection.
- Persistence: Grafting malicious payloads onto decompiled legitimate code to evade detection during build processes.
Mr_Rot13
- Malware Families: Filemanager RAT, Cpanel-Python
- Distribution Method: Exploitation of CVE-2026-41940 (cPanel auth bypass).
- Payload Behavior: Deploys Go-based installers that plant SSH keys, PHP webshells, and malicious JavaScript for credential harvesting.
- C2 Communication: Telegram-based exfiltration and custom C2 domains.
Lumma Stealer (Remus Variant)
- Malware Families: Remus (64-bit), Tenzor
- Anti-Analysis: Uses EtherHiding (blockchain-based C2) to bypass network filtering. Includes specific anti-analysis checks.
IOC Analysis
The provided IOCs include IPv4 addresses, Domains, URLs, and File Hashes (MD5, SHA1, SHA256).
- IPv4 (e.g., 89.169.12.241, 130.12.180.135): These represent Command and Control (C2) nodes. SOC teams should block these at the perimeter firewall and NGFWs.
- Domains (e.g., forestoaker.com, dns-providersa2.com): Used for payload delivery (dead drops) and C2 communication. Many are registered on specific TLDs such as .pics, .biz, or .live. Operationalization involves DNS sinkholing and HTTP proxy filtering.
- File Hashes (e.g., b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d): High-fidelity indicators for EDR solutions. These should be uploaded to your SIEM for retrospective correlation and active hunting.
Tooling: Use OpenCTI or MISP for IOC management. Utilize Curl or Wget for safe URL validation, and VirusTotal for deep hash analysis.
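To operationalize the indicators above in a SIEM-style matcher, here is an added Python example (not code from the pulse or this page): it buckets the pulse hashes by algorithm from digest length so MD5, SHA1 and SHA256 values are only compared with their own kind, then runs constructed sample events against the domain, IP and hash IOCs plus the user-land-process/suspicious-TLD heuristic used by the Remus rule below. The event field names (host, image, dst_host, dst_ip, hashes) are assumptions.

```python
import re
# IOC values below are copied from the pulse data quoted on this page.
IOC_DOMAINS = {"forestoaker.com", "dns-providersa2.com", "baxe.pics", "coox.live", "remnane.biz"}
IOC_IPS = {"89.169.12.241", "130.12.180.135"}
IOC_HASHES = {"b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
              "02a5990b11293236e01f174f5999df20", "0d681bd160db1b1df5db321a6d2dd9ae81b2609b"}
SUSPICIOUS_TLDS = (".pics", ".biz", ".live", ".online")      # TLDs the page ties to stealer C2
USERLAND_DIRS = ("\\AppData\\", "\\Temp\\", "\\Downloads\\")  # user-writable launch paths
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}             # hex digest length -> algorithm

def classify_hash(digest):
    """Return the algorithm implied by a hex digest's length, or None if malformed."""
    digest = digest.strip().lower()
    return HASH_ALGO.get(len(digest)) if re.fullmatch(r"[0-9a-f]+", digest) else None

def index_hashes(hashes):
    """Bucket pulse hashes by algorithm so a file hash is compared only with its own kind."""
    idx = {}
    for h in hashes:
        if algo := classify_hash(h):
            idx.setdefault(algo, set()).add(h.strip().lower())
    return idx

def match_event(ev, hash_idx):
    """Return the reasons one telemetry event matches pulse IOCs or the Remus TLD heuristic."""
    reasons = []
    host = ev.get("dst_host", "").lower()
    if host in IOC_DOMAINS:
        reasons.append("ioc_domain")
    elif host.endswith(SUSPICIOUS_TLDS) and any(d in ev.get("image", "") for d in USERLAND_DIRS):
        reasons.append("suspicious_tld_from_userland")   # same logic as the Remus Sigma rule
    if ev.get("dst_ip") in IOC_IPS:
        reasons.append("ioc_ip")
    for algo, digest in ev.get("hashes", {}).items():
        if digest.lower() in hash_idx.get(algo, ()):
            reasons.append("ioc_hash_" + algo)
    return reasons

def hunt(events, hashes=IOC_HASHES):
    idx = index_hashes(hashes)   # (host, reasons) for every event with at least one hit
    return [(ev["host"], r) for ev in events if (r := match_event(ev, idx))]

# Constructed sample telemetry (not from the pulse) to exercise the matcher.
SAMPLE_EVENTS = [
    {"host": "dev01", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\luajit.exe", "dst_host": "baxe.pics"},
    {"host": "dev02", "image": "C:\\Program Files\\Git\\bin\\git.exe", "dst_host": "github.com"},
    {"host": "dev03", "image": "C:\\Windows\\System32\\svchost.exe", "dst_host": "update.example", "dst_ip": "89.169.12.241"},
    {"host": "dev04", "image": "C:\\Users\\b\\Downloads\\setup.exe", "dst_host": "cdn.example.biz", "hashes": {"md5": "02A5990B11293236E01F174F5999DF20"}},
]
```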
Detection Engineering
```yaml
title: Suspicious NuGet Package Child Process Execution
id: 4e8f9a1b-2c3d-4f5e-8g9h-1i2j3k4l5m6n
description: Detects script interpreters spawned by NuGet, MSBuild or Visual Studio, a pattern consistent with malicious package build hooks. Outbound connections from the spawned process are checked in a companion network_connection rule, because process_creation events carry no destination fields.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000000
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\nuget.exe'
            - '\msbuild.exe'
            - '\devenv.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
    condition: selection_parent and selection_child
# Companion rule (category: network_connection) on the same child images:
#   selection: DestinationHostname|contains: ['.com', '.net']
#   filter_legit: DestinationHostname|contains: ['microsoft.com', 'nuget.org', 'visualstudio.com', 'github.com']
#   condition: selection and not filter_legit
falsepositives:
    - Legitimate build scripts that invoke shell or script interpreters to download dependencies from unofficial internal sources
level: high
tags:
    - attack.execution
    - attack.t1195
    - nuget
```
```yaml
title: Potential Lumma Stealer Remus Variant C2 Activity
description: Detects processes attempting to connect to domains associated with the Remus/Lumma 64-bit variant C2 infrastructure, specifically observing connections to suspicious TLDs like .pics, .biz, .live from user-land processes.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000004
logsource:
    category: network_connection
    product: windows
detection:
    selection_suspicious_tlds:
        DestinationHostname|endswith:
            - '.pics'
            - '.biz'
            - '.live'
            - '.online'
    selection_process:
        Image|contains:
            - 'AppData'
            - 'Temp'
            - 'Downloads'
    condition: selection_suspicious_tlds and selection_process
falsepositives:
    - Legitimate adware or rare benign software utilizing similar CDNs
level: high
tags:
    - attack.command_and_control
    - attack.exfiltration
    - stealer
```
```yaml
title: cPanel CVE-2026-41940 Exploitation and Webshell Activity
description: Detects commands spawned by cPanel service processes that touch the web root or SSH authorized keys, consistent with webshell and SSH backdoor deployment after the cPanel auth bypass on Linux servers.
status: experimental
date: 2026/05/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000003
logsource:
    product: linux
    category: process_creation
detection:
    # A cPanel daemon as the parent on its own is normal operation; alert only when the
    # spawned command also references the web root or SSH key material.
    selection_cpanel_parent:
        ParentImage|endswith:
            - '/usr/local/cpanel/bin/cpdavd'
            - '/usr/local/cpanel/cpsrvd'
    selection_webshell_write:
        CommandLine|contains:
            - '/var/www/html'
            - '/usr/local/cpanel/base'
    selection_ssh_mod:
        CommandLine|contains:
            - 'ssh-keygen'
            - 'authorized_keys'
    condition: selection_cpanel_parent and (selection_webshell_write or selection_ssh_mod)
falsepositives:
    - Legitimate cPanel administration tasks
level: critical
tags:
    - attack.initial_access
    - attack.persistence
    - cpanel
    - cve-2026-41940
```
```kql
// Hunt for connections to known IOCs from Pulse data
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ ("dns-providersa2.com", "forestoaker.com", "krondez.com", "baxe.pics", "vinte.online", "coox.live", "remnane.biz", "wrned.com", "wpsock.com") or
    RemoteIP in~ ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118", "130.12.180.135")
| extend DeviceCustom = pack_all()
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, DeviceCustom
```

```kql
// Hunt for process creation related to AI-Lures and LuaJIT
// The command-line test looks for an encoded PowerShell command (-e/-enc/-EncodedCommand
// followed by a base64 blob); a bare contains "-e" matched almost every command line.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessVersionInfoProductName contains "LuaJIT" or FileName =~ "luajit.exe" or FolderPath contains "\\AppData\\Local\\Temp\\") and
    (InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "mshta.exe")
     or ProcessCommandLine matches regex @"(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{20,}")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
```
```powershell
# PowerShell Hunt Script for Stealer File Hashes
# Checks the file hashes provided in the OTX pulses against all local drives.
# The pulse mixes MD5 (32 hex chars), SHA1 (40) and SHA256 (64) values, so hashes are
# bucketed by algorithm and each file is hashed once per algorithm rather than once per IOC.
$targetHashes = @(
    "efb675de4b3af3dac3c9cae91075fd7cc2f4f98e",
    "019e6c2cf58386039133981f3377b085fbd70c98ae8613c7c6a4f10a9f2d9824",
    "34e2d63b5db7e24c808711c2ca0c0a42afde97a0086d7d81609110c002d18d7c",
    "596c453c9dbb7240f1ce05cc025496524ce7c538c23a9b2171174bf32b5691a1",
    "02a5990b11293236e01f174f5999df20",
    "22613c952459e65ce09fb6b5c1c03d47",
    "2286f126ab4740ccf2595ad1fa0c615c",
    "29222f5e73dd10088fcf1204aa21f87f",
    "2de27ca8d97124adaf604b18161a441e",
    "b037fa1dd769891b538d9ca26131890c93e3458eec96c5354bdebe50d04a5b3d",
    "0d681bd160db1b1df5db321a6d2dd9ae81b2609b"
)

$lengthToAlgo = @{ 32 = 'MD5'; 40 = 'SHA1'; 64 = 'SHA256' }
$byAlgo = @{ MD5 = @{}; SHA1 = @{}; SHA256 = @{} }
foreach ($hash in $targetHashes) {
    $algo = $lengthToAlgo[$hash.Length]
    if ($algo) { $byAlgo[$algo][$hash.ToUpperInvariant()] = $true }   # Get-FileHash returns upper-case hex
    else { Write-Warning "Skipping malformed hash: $hash" }
}

Write-Host "[+] Starting scan for known stealer IOCs..."
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($drive in $drives) {
    Write-Host "[*] Scanning $drive..."
    Get-ChildItem -LiteralPath $drive -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($algo in $byAlgo.Keys) {
            if ($byAlgo[$algo].Count -eq 0) { continue }
            $fileHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
            if ($fileHash -and $byAlgo[$algo].ContainsKey($fileHash)) {
                Write-Host "[!] MATCH FOUND ($algo): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Scan complete."
```
Response Priorities
- Immediate:
  - Block all listed IPv4 addresses and domains at the perimeter and proxy level.
  - Initiate a hunt for the SHA256 and MD5 file hashes provided in the pulse data across endpoints.
  - Quarantine any systems identified communicating with forestoaker.com or dns-providersa2.com.
- 24 Hours:
  - Force password resets and API key rotation for developer accounts utilizing GitHub or NuGet, specifically focusing on those who may have downloaded packages related to Chinese UI libraries or AI-labeled repositories.
  - Audit Linux servers for the presence of the SSH keys associated with Mr_Rot13 (CVE-2026-41940) and patch cPanel instances immediately.
- 1 Week:
  - Implement strict code-signing policies for build pipelines to prevent the execution of unsigned or obfuscated NuGet packages.
  - Review and restrict GitHub repository access and enforce branch protection rules to prevent Lure Factory style infiltration.
  - Enhance network monitoring to detect EtherHiding behaviors and connections to non-standard TLDs associated with stealer C2s.