
UAT-8616 & Chollima APTs: Cisco SD-WAN Exploits & NPM Supply Chain Attacks — OTX Pulse Analysis

Security Arsenal Team
May 18, 2026

Recent intelligence from the OTX pulse feed shows a surge in high-impact exploitation of enterprise infrastructure and software supply chains. We are tracking three distinct campaigns: active exploitation of Cisco Catalyst SD-WAN vulnerabilities by the actor UAT-8616, an npm supply chain attack attributed to FAMOUS CHOLLIMA (North Korean nexus), and ransomware activity by the Interlock group leveraging a Cisco FMC zero-day.

Collectively, these pulses show two trends: exploitation of internet-facing network edge devices for initial access, and subversion of the software supply chain. UAT-8616 is chaining an authentication bypass (CVE-2026-20182) to deploy webshells (Godzilla, Behinder) and cryptominers (XMRig). Separately, FAMOUS CHOLLIMA is using its "Contagious Interview" lure, distributing the OtterCookie infostealer through malicious npm packages. These are separate actors with separate motives, but their objectives overlap: credential theft, and persistence on network edge devices and in development environments.

Threat Actor / Malware Profile

UAT-8616
  • Malware families: XenShell, Godzilla, Behinder, Sliver, AdaptixC2, XMRig, Nimplant, KScan, gsocket
  • Distribution: Exploitation of Cisco Catalyst SD-WAN (CVE-2026-20182, CVE-2026-20133).
  • Payload: Webshells (Godzilla/Behinder) for initial access, followed by C2 frameworks (Sliver, AdaptixC2, Nimplant).
  • Objective: Lateral movement, network tunneling (gsocket), internal scanning (KScan) and credential harvesting. Often deploys XMRig for resource monetization.

FAMOUS CHOLLIMA
  • Malware families: OtterCookie, BeaverTail, InvisibleFerret, Koalemos
  • Distribution: Malicious npm packages (big.js wrappers) delivered through fake job interviews (Contagious Interview).
  • Payload: JavaScript-based infostealers targeting browser data, SSH keys and system information.
  • C2: Hosted on Vercel to blend in with legitimate web traffic.
  • Objective: Credential theft and initial access into development environments.

Interlock Ransomware
  • Malware families: GHOSTKNIFE, GHOSTSABER, GHOSTBLADE, PlasmaLoader, PLASMAGRID
  • Distribution: Exploitation of zero-day CVE-2026-20131 in Cisco Firepower Management Center (FMC).
  • Payload: Custom ransomware binaries (GHOSTSABER) delivered via PlasmaLoader.
  • Objective: Data encryption and extortion.

IOC Analysis

The provided pulses offer a mix of CVEs, file hashes, and network infrastructure.

  • CVEs: Prioritize CVE-2026-20182 (Cisco SD-WAN Auth Bypass), CVE-2026-20133 (Cisco SD-WAN), and CVE-2026-20131 (Cisco FMC Zero-Day). These are the primary entry vectors.
  • File Hashes: The pulse lists a SHA256 (d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) and an MD5 (d75cb9920d1d3d280518ddccfe4789d2) for UAT-8616 payloads. Treat them as two separate indicators: the pulse does not say they describe the same file, so load both and compare each against the matching algorithm.
  • Network Infrastructure: IP 176.65.139.31 is listed as a C2 node. Block it at the perimeter, but first check whether it sits on shared hosting or a CDN range, and give the block an expiry so the indicator is reviewed rather than left in place indefinitely.
  • Operationalization: Load the hashes into EDR for both retroactive and live scanning. Import the CVEs into vulnerability management (VM) tooling to drive asset discovery and patching. Add the IP to firewall blocklists and SIEM watchlists, and alert on hits rather than silently dropping them so the SOC sees which internal host was beaconing.
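The operationalization step above, as an added example (not the original page's code): the indicators quoted on this page are classified by type, normalised into watchlists, and matched against telemetry. The event records in the block are constructed to mimic EDR network and file events plus a vulnerability-scan result; the mixed casing in them is deliberate, since hash and CVE matching must not depend on how the source tool cases values.

```python
"""Operationalise the indicators quoted on this page: classify each one by type,
normalise it into a watchlist, and match the watchlists against telemetry.
Added example, not the original page's code. The event records below are
constructed to mimic EDR network/file events and a vulnerability-scan result."""
import ipaddress
import re

# Indicators taken from the IOC list above, with the attribution given there.
PULSE_IOCS = {
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa": "UAT-8616 payload",
    "d75cb9920d1d3d280518ddccfe4789d2": "UAT-8616 payload",
    "176.65.139.31": "UAT-8616 C2 node",
    "CVE-2026-20182": "Cisco SD-WAN auth bypass",
    "CVE-2026-20133": "Cisco SD-WAN",
    "CVE-2026-20131": "Cisco FMC zero-day (Interlock)",
}


def classify(indicator: str) -> str:
    """Return 'cve', 'sha256', 'md5', 'ip' or 'unknown' for a raw indicator string."""
    value = indicator.strip()
    if re.fullmatch(r"CVE-\d{4}-\d{4,}", value.upper()):
        return "cve"
    if re.fullmatch(r"[0-9a-f]{64}", value.lower()):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{32}", value.lower()):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "unknown"


def build_watchlists(iocs) -> dict:
    """Group indicators by type with canonical casing (hashes lower, CVEs upper)."""
    lists = {"sha256": set(), "md5": set(), "ip": set(), "cve": set()}
    for raw in iocs:
        kind = classify(raw)
        if kind == "cve":
            lists[kind].add(raw.strip().upper())
        elif kind in lists:
            lists[kind].add(raw.strip().lower())
    return lists


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"type": "network", "device": "build-01", "remote_ip": "176.65.139.31", "remote_port": 443},
    {"type": "network", "device": "build-02", "remote_ip": "203.0.113.10", "remote_port": 443},
    {"type": "file", "device": "sdwan-jump", "path": r"C:\Temp\svc.exe",
     "sha256": "D94F75A70B5CABAF786AC57177ED841732E62BDCC9A29E06E5B41D9BE567BCFA"},
    {"type": "file", "device": "dev-07", "path": r"C:\Users\a\x.dll",
     "md5": "00000000000000000000000000000000"},
    {"type": "vuln_scan", "device": "sdwan-mgr-1", "cve": "cve-2026-20182"},
]


def match_events(events, watch) -> list:
    """Return (device, indicator_type, canonical_value) for every event that hits a watchlist."""
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "network":
            ip = ev.get("remote_ip", "").strip().lower()
            if ip in watch["ip"]:
                hits.append((ev["device"], "ip", ip))
        elif kind == "file":
            # Compare each digest only against the watchlist for its own algorithm.
            for algo in ("sha256", "md5"):
                digest = ev.get(algo, "").lower()
                if digest and digest in watch[algo]:
                    hits.append((ev["device"], algo, digest))
        elif kind == "vuln_scan":
            cve = ev.get("cve", "").upper()
            if cve in watch["cve"]:
                hits.append((ev["device"], "cve", cve))
    return hits


if __name__ == "__main__":
    watch = build_watchlists(PULSE_IOCS)
    for device, kind, value in match_events(SAMPLE_EVENTS, watch):
        print(f"[!] {device}: {kind} {value} -> {PULSE_IOCS[value]}")
```

Running the block reports the C2 connection from build-01, the SHA256 hit on sdwan-jump and the unpatched CVE on sdwan-mgr-1; the MD5 on dev-07 is not an indicator and is correctly ignored. The same watchlist structure can be exported to a firewall blocklist or SIEM lookup table once it is built.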

Detection Engineering

```yaml
title: Potential UAT-8616 Webshell Activity via Cisco SD-WAN
description: Detects potential webshell activity (XenShell, Godzilla, Behinder) in web-server logs following exploitation of Cisco Catalyst SD-WAN vulnerabilities. The user-agent branch is high-fidelity on its own; the URI branch needs a filter for known admin source addresses.
status: experimental
date: 2026-05-18
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains:
            - '/api/v1/monitor'
            - '/component'
    selection_method:
        cs-method: 'POST'
    selection_useragent:
        c-useragent|contains:
            - 'godzilla'
            - 'behinder'
            - 'xenshell'
    # "1 of selection_*" would fire on every POST; require URI and method together.
    condition: selection_useragent or (selection_uri and selection_method)
falsepositives:
    - Legitimate administrative POST requests to Cisco SD-WAN Manager; filter the URI branch by known admin source addresses
level: high
---
title: Malicious NPM Package Execution - BeaverTail/OtterCookie
description: Detects node/npm command lines referencing malware families tied to the Contagious Interview campaign (BeaverTail/OtterCookie). The keywords are family names, not package names; extend the list with the package names from the pulse.
status: experimental
date: 2026-05-18
author: Security Arsenal
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
    - attack.initial_access
    - attack.t1195.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\node.exe'
        - Image|endswith: '\npm.cmd'
    selection_cli:
        CommandLine|contains:
            - 'beavertail'
            - 'ottercookie'
            - 'koalemos'
            - 'invisibleferret'
    condition: all of selection_*
falsepositives:
    - Legitimate developers installing packages with similar names (unlikely)
level: high
---
title: Suspicious Process Execution - Interlock Ransomware Loader
description: Detects execution of PlasmaLoader or GhostKnife binaries associated with the Interlock Ransomware Group.
status: experimental
date: 2026-05-18
author: Security Arsenal
references:
    - https://www.recordedfuture.com/blog/march-2026-cve-landscape
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\plasmaloader.exe'
            - '\ghostknife.exe'
            - '\ghostsaber.exe'
    condition: selection
falsepositives:
    - Rare, these names are specific to the threat actor
level: critical
```
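To show what the first Sigma rule actually fires on, here is its condition implemented over web-server log lines, as an added example rather than code from the original page or from Talos. The log lines are constructed, and their layout (timestamp, client IP, method, URI, status, quoted user-agent) is an assumption standing in for whatever the SD-WAN Manager web log really emits. The `admin_sources` parameter is the tuning the rule's falsepositives entry calls for: the URI branch is suppressed for known admin workstations, while the user-agent branch always fires.

```python
"""Run the logic of the UAT-8616 webshell Sigma rule over web-server log lines.
Added example, not the original page's or Talos's code. The log lines are
constructed; the field layout is an assumption."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Keyword lists copied from the rule.
WEBSHELL_UA_TOKENS = ("godzilla", "behinder", "xenshell")
SUSPECT_URI_TOKENS = ("/api/v1/monitor", "/component")


@dataclass
class WebEvent:
    ts: str
    client_ip: str
    method: str
    uri: str
    status: int
    user_agent: str


def parse_line(line: str) -> WebEvent:
    """Parse one constructed log line; shlex keeps the quoted user-agent intact."""
    ts, ip, method, uri, status, ua = shlex.split(line)
    return WebEvent(ts, ip, method.upper(), uri, int(status), ua)


def rule_matches(ev: WebEvent, admin_sources=frozenset()) -> Optional[str]:
    """Mirror the rule condition: webshell UA alone, or POST to a monitored URI.

    The URI branch is suppressed for known admin source addresses."""
    ua = ev.user_agent.lower()
    if any(tok in ua for tok in WEBSHELL_UA_TOKENS):
        return "webshell user-agent"
    if (ev.method == "POST"
            and any(tok in ev.uri for tok in SUSPECT_URI_TOKENS)
            and ev.client_ip not in admin_sources):
        return "POST to monitored SD-WAN URI from non-admin source"
    return None


# Constructed sample log (not real SD-WAN Manager output).
SAMPLE_LOG = """\
2026-05-18T09:58:01Z 10.10.5.4 GET /api/v1/monitor/health 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-05-18T09:59:12Z 10.10.5.4 POST /api/v1/monitor/config 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-05-18T10:02:44Z 198.51.100.7 POST /component/img/x.jsp 200 "Godzilla/4.0"
2026-05-18T10:03:10Z 198.51.100.7 GET /login 200 "Behinder 3.0"
2026-05-18T10:04:00Z 10.10.5.9 GET /dataservice/device 200 "curl/8.0"
"""


def run(log_text: str, admin_sources=frozenset()) -> list:
    """Return (ts, client_ip, method, uri, reason) for every line the rule fires on."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = rule_matches(ev, admin_sources)
        if reason:
            alerts.append((ev.ts, ev.client_ip, ev.method, ev.uri, reason))
    return alerts


if __name__ == "__main__":
    print("Untuned:")
    for alert in run(SAMPLE_LOG):
        print("  ", alert)
    print("With 10.10.5.4 as a known admin workstation:")
    for alert in run(SAMPLE_LOG, admin_sources={"10.10.5.4"}):
        print("  ", alert)
```

Untuned, the rule raises three alerts, one of which is the admin's legitimate POST; with the admin workstation excluded only the two webshell user-agent hits from 198.51.100.7 remain. That difference is the reason the URI branch is not safe to ship at critical severity without a source filter.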


```kql
// Hunt for C2 communication related to the UAT-8616 IP and known ports
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccount, InitiatingProcessCommandLine, RemoteIP, RemotePort, Protocol

// Hunt for execution of Node.js processes potentially loading malicious NPM packages
DeviceProcessEvents
| where FileName in~ ("node.exe", "npm.cmd")
| where ProcessCommandLine has_any ("beavertail", "ottercookie", "koalemos")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath

// Hunt for file hashes associated with UAT-8616 payloads
DeviceFileEvents
| where SHA256 == "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa" or MD5 == "d75cb9920d1d3d280518ddccfe4789d2"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName
```


```powershell
# PowerShell IOC Hunt Script for UAT-8616 and NPM Packages
# Usage: Run as Administrator on Windows endpoints (DevOps and network-management hosts)

Write-Host "[*] Starting Threat Hunt for UAT-8616 and Chollima Indicators..." -ForegroundColor Cyan

# 1. Check for Specific File Hashes
# Keep the two hash types separate so each file is compared against the right algorithm;
# comparing an MD5 indicator to a SHA256 digest can never match.
$targetSha256 = @("d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa")
$targetMd5    = @("d75cb9920d1d3d280518ddccfe4789d2")

Write-Host "[*] Scanning for known malicious file hashes (full-disk scan, this is slow)..." -ForegroundColor Yellow
Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        # -contains is case-insensitive, so the upper-case output of Get-FileHash matches the lower-case IOCs
        if (($sha -and $targetSha256 -contains $sha) -or ($md5 -and $targetMd5 -contains $md5)) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

# 2. Check for Suspicious NPM Modules
# These are malware family names, not package names; add the package names from the pulse,
# and add project directories that hold their own node_modules.
Write-Host "[*] Checking for malicious npm packages (beavertail, ottercookie)..." -ForegroundColor Yellow
$npmPaths = @("$env:APPDATA\npm", "$env:ProgramFiles\nodejs\node_modules")

foreach ($path in $npmPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Directory -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match "beavertail|ottercookie|koalemos|invisibleferret" } |
            ForEach-Object {
                Write-Host "[!] SUSPICIOUS NPM MODULE FOUND: $($_.FullName)" -ForegroundColor Red
            }
    }
}

# 3. Check for Suspicious Scheduled Tasks (Persistence)
Write-Host "[*] Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -match "powershell|cmd|wscript" -and
    $_.TaskName -notmatch "Microsoft|Windows" -and
    $_.TaskName -match "update|service|daemon"
} | Select-Object TaskName, Author, @{Name = 'Execute'; Expression = { $_.Actions.Execute -join ';' }} |
    Format-Table -AutoSize

Write-Host "[*] Hunt Complete." -ForegroundColor Green
```

Response Priorities

Immediate (0-4 hours):

  • Block IOCs: Block IP 176.65.139.31 at all network perimeter devices (firewall, proxy) and alert on any internal host that attempted to reach it, since the source of the connection is the host to investigate.
  • Isolate: Isolate any systems alerting on the specific file hashes (d94f75..., d75cb...).
  • Hunt: Run the provided PowerShell script on critical DevOps and network-management Windows hosts. It does not inspect the SD-WAN Manager appliances themselves; check those against the Talos guidance referenced in the detection rules.

Within 24 Hours:

  • Credential Reset: If OtterCookie or BeaverTail is suspected in the environment, force a password reset for all developer accounts and rotate SSH keys used for infrastructure access.
  • Patch Management: Identify all instances of Cisco Catalyst SD-WAN and Firepower Management Center (FMC). Apply patches for CVE-2026-20182, CVE-2026-20133, and CVE-2026-20131 immediately.

Within 1 Week:

  • Architecture Review: Review network segmentation to ensure SD-WAN management interfaces are not exposed to the public internet.
  • Supply Chain Policy: Implement strict allow-listing for internal npm registries and prohibit the use of public npm packages in production pipelines without code review.
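One way to enforce the supply chain policy in the last item, as an added example that is not the original page's code: audit an npm lockfile so every package is on an internal allow-list, resolves from the approved registry, and declares no install-time script (the `hasInstallScript` flag npm writes into lockfile v2/v3 entries for packages with preinstall/install/postinstall hooks). The lockfile, the allow-list and the package name `bigjs-helper-example` are constructed placeholders for illustration; the latter is not a real package and is not an indicator from the pulse.

```python
"""Audit an npm lockfile against an internal allow-list, approved registry and
install-script ban. Added example, not the original page's code. The lockfile
is constructed (lockfileVersion 3 layout); the allow-list and the package
"bigjs-helper-example" are placeholders, not real indicators."""
import json

# Assumed internal allow-list; in practice generated from reviewed packages.
ALLOWED_PACKAGES = {"big.js", "express"}
APPROVED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json. npm sets "hasInstallScript": true on packages
# whose package.json declares preinstall/install/postinstall hooks.
SAMPLE_LOCK = json.dumps({
    "name": "interview-task",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "interview-task",
             "dependencies": {"big.js": "^6.2.1", "bigjs-helper-example": "1.0.0", "express": "^4.19.2"}},
        "node_modules/big.js": {
            "version": "6.2.1",
            "resolved": "https://registry.npmjs.org/big.js/-/big.js-6.2.1.tgz"},
        "node_modules/bigjs-helper-example": {
            "version": "1.0.0",
            "resolved": "https://example.net/tarballs/bigjs-helper-example-1.0.0.tgz",
            "hasInstallScript": True},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
    },
})


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return lock_path.split("node_modules/")[-1].rstrip("/")


def audit_lockfile(lock_text: str, allowed, registry=APPROVED_REGISTRY) -> list:
    """Return (package, finding) pairs; an empty list means the lockfile passes policy."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("lockfileVersion 2 or 3 required for the 'packages' map")
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        name = package_name(path)
        if name not in allowed:
            findings.append((name, "not on allow-list"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares an install-time script"))
        resolved = meta.get("resolved", "")
        if not resolved.startswith(registry):
            findings.append((name, f"resolved outside approved registry: {resolved or '<missing>'}"))
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(SAMPLE_LOCK, ALLOWED_PACKAGES):
        print(f"[!] {pkg}: {why}")
```

Run as a CI gate before `npm ci`, a non-empty finding list fails the build. Checking the lockfile rather than `package.json` matters because transitive dependencies and install hooks only become visible there; a wrapper around a legitimate package like big.js passes a name-only review of the top-level manifest.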
