Back to Intelligence

UAT-8616 & Chollima APTs: Critical Cisco Exploitation and NPM Supply Chain Attacks — OTX Pulse Analysis

SA
Security Arsenal Team
May 15, 2026
6 min read

Recent OTX pulses reveal a convergence of high-impact nation-state activity and cybercriminal exploitation focusing on edge infrastructure and software supply chains. The intelligence highlights three distinct but critical threads:

  1. Infrastructure Targeting (UAT-8616): A sophisticated threat actor is actively exploiting CVE-2026-20182 and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager/Controller to gain administrative privileges. Post-exploitation involves deploying a sophisticated malware arsenal including XenShell, Godzilla, Behinder, and Sliver C2 beacons, alongside XMRig for cryptocurrency mining.

  2. Software Supply Chain (FAMOUS CHOLLIMA): North Korean actors are utilizing a "contagious interview" strategy to distribute OtterCookie and BeaverTail infostealers via malicious npm packages. These packages obfuscate payloads within benign wrappers, establishing SSH backdoors and exfiltrating credentials to Vercel-based C2 infrastructure.

  3. Ransomware Zero-Days (Interlock Group): The Interlock Ransomware Group is exploiting a critical zero-day deserialization vulnerability (CVE-2026-20131) in Cisco Firepower Management Center (FMC), deploying custom loaders (PlasmaLoader) and encryption tools (GHOSTSABER).

Collectively, these campaigns indicate a shift toward prioritizing vulnerabilities in network management and developer tooling to establish persistent access.

Threat Actor / Malware Profile

UAT-8616 (Cisco SD-WAN Exploitation)

  • Malware: XenShell, Godzilla, Behinder, Sliver, AdaptixC2, XMRig, Nimplant.
  • Distribution: Direct exploitation of internet-facing Cisco SD-WAN vulnerabilities.
  • Behavior: Authentication bypass leads to full admin takeover. Webshells (Godzilla/Behinder) are deployed for persistence. C2 is established via Sliver or gsocket. XMRig indicates secondary monetization via resource hijacking.
  • Persistence: Webshell deployment on management interfaces; scheduled tasks via obtained admin privileges.

FAMOUS CHOLLIMA (NPM Supply Chain)

  • Malware: OtterCookie, BeaverTail, InvisibleFerret, Koalemos.
  • Distribution: Malicious npm packages mimicking legitimate libraries (e.g., big.js), often distributed during fake recruitment processes.
  • Behavior: Upon installation, the malicious package executes PowerShell/bash scripts to fetch the infostealer payload. It targets browser credentials, system info, and SSH keys.
  • C2 Communication: Exfiltration to Vercel-hosted infrastructure (hardened C2).

Interlock Ransomware Group

  • Malware: PlasmaLoader, PLASMAGRID, GHOSTBLADE.
  • Behavior: Exploitation of CVE-2026-20131 allows unauthenticated remote code execution. Used to deploy payloads that disable security tools and encrypt network segments.

IOC Analysis

The provided indicators offer immediate defensive value:

  • IPv4: 176.65.139.31 (Observed in UAT-8616 C2 infrastructure). This IP should be blocked immediately at the perimeter.
  • File Hashes:
    • SHA256: d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa
    • MD5: d75cb9920d1d3d280518ddccfe4789d2
    • SHA1: 18821dbb53892d6faa14b1f063517a0302057290 These hashes likely belong to the webshells or loaders used in the SD-WAN campaign. SOC teams should load these into EDR solutions for retroactive hunting.
  • CVEs: Priority patching is required for CVE-2026-20182, CVE-2026-20133, and CVE-2026-20131.

Operational Guidance: SOCs should pivot on the IP address to identify internal hosts reaching out to this infrastructure. Hashes should be scanned against code repositories (npm artifacts) and endpoint file systems. Due to the lack of specific URLs in the NPM pulse, hunt for anomalous npm install or node.exe spawning shells.

Detection Engineering

YAML
---
title: Potential NPM Supply Chain Attack - OtterCookie/BeaverTail
id: 48392048-3028-4820-9283-049283049283
status: experimental
description: Detects suspicious child process execution patterns associated with the OtterCookie/BeaverTail npm campaign where Node.js spawns shells or obfuscated PowerShell commands.
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
author: Security Arsenal
date: 2026/05/16
tags:
    - attack.execution
    - attack.t1204
    - attack.initial_access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    filter_legit:
        CommandLine|contains:
            - 'webpack'
            - 'vite'
            - 'react-scripts'
            - 'angular-cli'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate developer build scripts invoking shells
level: high
---
title: UAT-8616 Cisco SD-WAN Exploitation Indicators
id: 59483059-3948-5938-4958-394859384958
status: experimental
description: Detects network connections or file presence related to the UAT-8616 campaign targeting Cisco SD-WAN infrastructure with XenShell/Godzilla.
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
author: Security Arsenal
date: 2026/05/16
tags:
    - attack.command_and_control
    - attack.t1071
    - cve.2026.20182
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp|contains:
            - '176.65.139.31'
    selection_hash:
        Hashes|contains:
            - 'd94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa'
            - 'd75cb9920d1d3d280518ddccfe4789d2'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Webshell File Creation - Godzilla/XenShell
id: 10293810-2938-1029-3810-293810293810
status: experimental
description: Detects the creation of files with extensions or keywords commonly associated with Godzilla and XenShell webshells often dropped after SD-WAN exploitation.
author: Security Arsenal
date: 2026/05/16
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: file_creation
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - 'shell.aspx'
            - 'config.jsp'
            - 'debug.php'
            - 'XenShell'
    condition: selection
falsepositives:
    - Legitimate administrative interface deployments (rare)
level: high


kql
// Hunt for connections to known UAT-8616 infrastructure
DeviceNetworkEvents
| where RemoteIP in ("176.65.139.31")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, InitiatingProcessCommandLine
| extend FullUrl = strcat(RemoteIP, ":", RemotePort)
| order by Timestamp desc

// Hunt for suspicious Node.js process chains (NPM Supply Chain)
DeviceProcessEvents
| where FileName in ("node.exe", "npm.cmd")
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe") or 
  ProcessCommandLine contains "-e" or ProcessCommandLine contains "FromBase64String"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell
# IOC Hunt Script: UAT-8616 & NPM Malware Artifacts
# Requires Administrator Privileges

Write-Host "[+] Starting hunt for UAT-8616 and NPM supply chain artifacts..." -ForegroundColor Cyan

# Define Malicious Hashes from Pulse
$TargetHashes = @(
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa", # SHA256
    "d75cb9920d1d3d280518ddccfe4789d2", # MD5
    "18821dbb53892d6faa14b1f063517a0302057290" # SHA1
)

# Check File System for Malicious Hashes
Write-Host "[*] Scanning for known malicious file hashes..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    if (Test-Path $Drive) {
        Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue -Force |
        Where-Object { !$_.PSIsContainer -and $_.Length -gt 0 } |
        ForEach-Object {
            $Hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($TargetHashes -contains $Hash.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $($Hash.Hash)" -ForegroundColor Red
            }
        }
    }
}

# Check for suspicious NPM packages (Indicators of behavior)
Write-Host "[*] Checking for common npm package paths..." -ForegroundColor Yellow
$NpmPaths = @(
    "$env:APPDATA\npm",
    "$env:USERPROFILE\node_modules",
    "$env:LOCALAPPDATA\Yarn"
)

# Check for recently modified JavaScript files in npm directories
$CutoffDate = (Get-Date).AddDays(-7)
foreach ($Path in $NpmPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -Filter "*.js" -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $CutoffDate } |
        ForEach-Object {
            $Content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
            # Simple heuristic for obfuscated JS (lots of eval/atob)
            if ($Content -match "eval\(" -or $Content -match "atob\(" -or $Content -match "\\x[0-9a-f]{2}") {
                Write-Host "[!] Suspicious obfuscated JS found: $($_.FullName)" -ForegroundColor Yellow
            }
        }
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green


# Response Priorities

**Immediate (0-24h):**
*   **Network Blocking:** Block IP `176.65.139.31` at all firewalls and proxies.
*   **Vulnerability Scanning:** Initiate emergency scans for **CVE-2026-20182**, **CVE-2026-20133**, and **CVE-2026-20131** on all Cisco and network management infrastructure.
*   **Endpoint Isolation:** Isolate any endpoints returning positive matches for the provided file hashes.

**24-48h:**
*   **Identity Audit:** Given the OtterCookie/BeaverTail credential theft capability, force password resets for developer accounts and SSH keys used in the last 30 days.
*   **Webshell Hunt:** Inspect web directories for recently modified files matching Godzilla/XenShell signatures (e.g., `shell.aspx`, `.jsp` backdoors).
*   **NPM Audit:** Run `npm audit` on all build servers and developer workstations; quarantine packages tagged in the OtterCookie campaign.

**1 Week:**
*   **Architecture Hardening:** Implement segmentation for SD-WAN management interfaces; ensure they are not directly internet-facing.
*   **Supply Chain Controls:** Enforce signing requirements for internal npm packages and block execution of unsigned scripts in build environments.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptuut-8616chollima-aptcisco-sdwannpm-supply-chainransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action