UAT-5616 & Chollima Campaigns: Cisco SD-WAN Zero-Days & npm Supply Chain Attacks — Detection Engineering Briefing

Security Arsenal Team
May 17, 2026

Current OTX pulse data indicates a coordinated surge in high-impact exploitation targeting enterprise network infrastructure and the software supply chain. We are observing active exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) by the actor UAT-5616, characterized by the rapid deployment of sophisticated webshells (XenShell, Godzilla) and C2 frameworks (Sliver, Behinder). Concurrently, the Interlock Ransomware Group is leveraging a zero-day in Cisco Firepower Management Center (CVE-2026-20131) to deploy custom payloads (GHOSTKNIFE, PlasmaLoader).

Parallel to these infrastructure assaults, North Korean threat actor FAMOUS CHOLLIMA continues to abuse the npm ecosystem with the "OtterCookie" infostealer campaign. This campaign employs a "contagious interview" tactic, delivering payloads (BeaverTail, InvisibleFerret) via typosquatted packages to compromise developer workstations. The collective objective spans credential harvesting, cryptomining, and pre-positioning for ransomware operations.

Threat Actor / Malware Profile

UAT-5616 (Cisco SD-WAN Exploitation)

  • Objective: Persistence, Network Tunneling, Cryptomining.
  • Distribution: Exploitation of CVE-2026-20182 (Auth Bypass) and CVE-2026-20133.
  • Payload Behavior: Deploys webshells (XenShell, Godzilla) for initial access, followed by C2 frameworks (Sliver, AdaptixC2).
  • Persistence: Utilization of built-in management interface mechanisms and scheduled tasks for XMRig miners.
  • Anti-Analysis: Heavy use of obfuscation in webshell payloads and gsocket for C2 communication to evade network inspection.

FAMOUS CHOLLIMA (npm Supply Chain)

  • Objective: Credential Theft (SSH, Browser), Initial Access.
  • Distribution: Malicious npm packages (e.g., variants of OtterCookie) using wrapper packages to clone legitimate libraries like big.js.
  • Payload Behavior: The BeaverTail loader executes PowerShell scripts to fetch additional payloads (Koalemos, InvisibleFerret).
  • C2 Communication: Uses Vercel-app-based infrastructure and Discord webhooks for data exfiltration.
  • Anti-Analysis: Code obfuscation within JavaScript files and process hollowing techniques.

Interlock Ransomware Group

  • Objective: Data Extortion, Encryption.
  • Distribution: Exploitation of CVE-2026-20131 (Cisco FMC Zero-Day).
  • Payload Behavior: Deploys PlasmaLoader to execute GHOSTKNIFE/GHOSTSABER payloads.
  • Persistence: Service registration and WMI event consumers.

IOC Analysis

The provided indicators reveal a multi-vector attack surface:

  • CVEs: Critical priority must be placed on CVE-2026-20182, CVE-2026-20133, and CVE-2026-20131. These represent the initial access vectors for UAT-5616 and Interlock.
  • File Hashes: A SHA256 hash (d94f75a...bcfa) associated with XenShell/Godzilla components was identified. SOC teams should scan endpoint filesystems and EDR telemetry for this artifact.
  • Network Indicators: IPv4 176.65.139.31 is linked to C2 activity. This IP should be blocked immediately at the perimeter and firewalls.
  • Operationalization: Load the provided hashes into EDR solutions for "Live Response" hunting. Block the npm packages referenced in the Pulse 2 description via artifact allow-listing policies in CI/CD pipelines.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Cisco SD-WAN Webshell Activity
id: 5b1c3f8e-7a6d-4b9e-8c1d-2f3e4a5b6c7d
description: Detects process execution patterns associated with the XenShell, Godzilla and Behinder webshells on Cisco infrastructure or Linux endpoints.
author: Security Arsenal Research
date: 2026/05/17
references:
  - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  # generic process_creation taxonomy (Image/CommandLine) so the rule maps to auditd, Sysmon for Linux or EDR backends
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/java'
      - '/tomcat'
    CommandLine|contains:
      - 'XenShell'
      - 'Godzilla'
      - 'Behinder'
  condition: selection
falsepositives:
  - Legitimate administrative tools
level: high

---
title: Npm Supply Chain Initial Access via Node.js
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects Node.js spawning PowerShell or cmd.exe, a behavior consistent with the BeaverTail loader used in the OtterCookie campaign.
author: Security Arsenal Research
date: 2026/05/17
references:
  - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
  - attack.initial_access
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'npm'
      - 'node'
  condition: selection
falsepositives:
  - Legitimate developer build scripts
level: medium

---
title: Outbound Connection to Known C2 Infrastructure
id: f9e8d7c6-b5a4-3210-fedc-ba9876543210
description: Detects network connections to the IP address identified in OTX Pulse related to UAT-5616 activity.
author: Security Arsenal Research
date: 2026/05/17
tags:
  - attack.command_and_control
logsource:
  category: network_connection
detection:
  selection:
    # exact match rather than |contains, so the value cannot substring-match a longer address
    DestinationIp: '176.65.139.31'
  condition: selection
falsepositives:
  - Unknown
level: critical
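Added example (not part of the briefing or its authors' tooling): a minimal Python evaluator for the selection of the second rule above, run over constructed Sysmon-style process_creation events. It also surfaces the developer-build false positive the rule itself notes.

```python
import json

# Selection map from the "Npm Supply Chain Initial Access via Node.js" rule above
# (Sigma semantics: the fields are ANDed, the values listed under one field are ORed).
NODE_SPAWN_SELECTION = {
    "ParentImage|endswith": ["\\node.exe"],
    "Image|endswith": ["\\powershell.exe", "\\cmd.exe"],
    "CommandLine|contains": ["npm", "node"],
}

def field_matches(value, modifier, patterns):
    """Apply one Sigma string modifier; Sigma string matching is case-insensitive."""
    v = str(value).lower()
    for p in (x.lower() for x in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:  # no modifier: exact (case-insensitive) match
            return True
    return False

def selection_matches(event, selection):
    """True when every field of the selection matches the event."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, patterns):
            return False
    return True

def hunt(events, selection=NODE_SPAWN_SELECTION):
    """Return the ProcessIds of the events that trigger the selection."""
    return [e["ProcessId"] for e in events if selection_matches(e, selection)]

# Constructed Sysmon-style process_creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"ProcessId": 1001, "ParentImage": "C:\\Program Files\\nodejs\\node.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\dev\\AppData\\Local\\Temp\\node_setup.ps1"}
{"ProcessId": 1002, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"ProcessId": 1003, "ParentImage": "C:\\Program Files\\nodejs\\node.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /d /s /c npm run build"}
{"ProcessId": 1004, "ParentImage": "C:\\Program Files\\nodejs\\node.exe", "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "CommandLine": "git rev-parse HEAD"}
'''.strip().splitlines()]

if __name__ == "__main__":
    # 1003 is the documented false positive: a legitimate developer build script
    print("matching ProcessIds:", hunt(SAMPLE_EVENTS))
```

Events 1001 and 1003 fire; 1003 is exactly the "legitimate developer build scripts" case listed under falsepositives, which is why the rule sits at medium rather than high.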

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for connections to the malicious C2 IP
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, Protocol

// Hunt for the specific file hash associated with XenShell/Godzilla
DeviceFileEvents
| where SHA256 == "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Node.js spawning PowerShell (OtterCookie/BeaverTail)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "node.exe"
| where FileName in~ ("powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt Script for UAT-5616 and Chollima Campaigns
.DESCRIPTION
    Scans the filesystem for the specific XenShell/Godzilla SHA256 hash and checks for suspicious npm processes.
    Run from an elevated prompt; hashing every file on a drive is slow, so scope $Drives to what the host needs.
#>

$TargetHash = "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
$Drives = @("C:\", "D:\")

Write-Host "[*] Initiating Hunt for Malicious Hash..." -ForegroundColor Cyan

foreach ($Drive in $Drives) {
    if (Test-Path $Drive) {
        Write-Host "[*] Scanning $Drive..." -ForegroundColor Gray
        # -File skips directories; unreadable paths are skipped instead of aborting the hunt
        Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -LiteralPath avoids wildcard expansion on odd file names; a locked file yields $null and is skipped
            $FileHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # Get-FileHash returns uppercase hex; -eq is case-insensitive so the lowercase IOC still matches
            if ($FileHash -eq $TargetHash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[*] Checking for Suspicious Node.js Activity..." -ForegroundColor Cyan
# Snapshot the process table once; Get-CimInstance replaces the deprecated Get-WmiObject
$AllProcesses = Get-CimInstance Win32_Process
$NodeProcesses = $AllProcesses | Where-Object { $_.Name -eq "node.exe" }

foreach ($Process in $NodeProcesses) {
    $Children = $AllProcesses | Where-Object { $_.ParentProcessId -eq $Process.ProcessId }
    foreach ($Child in $Children) {
        if ($Child.Name -in @("powershell.exe", "cmd.exe")) {
            Write-Host "[!] Suspicious Child Process: Node.js spawning $($Child.Name) (PID: $($Child.ProcessId))" -ForegroundColor Yellow
            Write-Host "    Command: $($Child.CommandLine)" -ForegroundColor Gray
        }
    }
}
Write-Host "[*] Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block IPv4 176.65.139.31 at all network boundaries. Initiate emergency patching for Cisco Catalyst SD-WAN (CVE-2026-20182) and Cisco FMC (CVE-2026-20131). Hunt for the file hash d94f75a...bcfa across all endpoints.
  • 24h: Conduct a credential audit for developer accounts if npm packages were recently downloaded. Review build pipelines for the presence of the "OtterCookie" or "BeaverTail" packages mentioned in OTX Pulse 2.
  • 1 Week: Implement strict allow-listing for npm packages in CI/CD pipelines. Review SD-WAN management interfaces for signs of webshell activity (e.g., unusual process names like XenShell or Godzilla in task lists).
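Added example, not from the briefing or its authors: a Python check for the npm allow-listing recommended in the IOC Analysis and in the 1 Week priority above. It audits a constructed package-lock.json against a hypothetical allow-list and trusted-registry set, and flags look-alikes of allow-listed names such as big.js (the package the OtterCookie wrappers cloned).

```python
import json
import re
from urllib.parse import urlparse

# Hypothetical allow-list and trusted registry set; a real pipeline would load these from policy.
ALLOWED_PACKAGES = {"big.js", "lodash"}
TRUSTED_REGISTRIES = {"registry.npmjs.org"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats of allow-listed names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def squash(name):
    """Normalise a package name so 'big.js', 'big-js' and 'bigjs' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def audit_lockfile(lock_text, allowed=ALLOWED_PACKAGES, registries=TRUSTED_REGISTRIES):
    """Return (package, finding) pairs for a lockfileVersion 2/3 package-lock.json."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # last segment handles nested node_modules and @scopes
        if name not in allowed:
            lookalikes = [a for a in sorted(allowed)
                          if edit_distance(name, a) <= 1 or squash(name) == squash(a)]
            reason = "not-allow-listed" + (f" (look-alike of {lookalikes[0]})" if lookalikes else "")
            findings.append((name, reason))
        host = urlparse(meta.get("resolved", "")).hostname or ""
        if host not in registries:
            findings.append((name, f"untrusted-registry:{host or 'none'}"))
    return findings

# Constructed package-lock.json excerpt (not from any real project); "bigjs" is a made-up look-alike of big.js.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"big.js": "^6.2.1", "bigjs": "^1.0.0", "lodash": "^4.17.21"}},
        "node_modules/big.js": {"version": "6.2.1", "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz"},
        "node_modules/bigjs": {"version": "1.0.0", "resolved": "https://registry.example/bigjs/-/bigjs-1.0.0.tgz"},
        "node_modules/lodash": {"version": "4.17.21", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
    },
})
```

Running audit_lockfile(SAMPLE_LOCK) reports only "bigjs", once as a look-alike of big.js and once for resolving from a registry outside the trusted set; wiring the check into CI before npm ci runs turns the allow-list into a hard gate.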
