Threat Summary: Recent OTX pulses indicate a surge in high-severity exploitation activity targeting enterprise infrastructure and software supply chains. The threat actor UAT-8616 is actively exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) to deploy webshells (XenShell, Godzilla, Behinder, Sliver) and cryptocurrency miners (XMRig). Simultaneously, North Korean group FAMOUS CHOLLIMA continues the "Contagious Interview" campaign, distributing the OtterCookie infostealer via malicious npm packages. Additionally, the Interlock Ransomware Group has begun exploiting a zero-day in Cisco FMC (CVE-2026-20131) to deploy GHOSTSABER ransomware. These campaigns collectively demonstrate a shift towards exploiting authentication bypasses and dependency confusion to establish persistence and exfiltrate credentials.
Threat Actor / Malware Profile:
- UAT-8616 (Sophisticated Adversary):
  - Target: Cisco Catalyst SD-WAN Controller/Manager.
  - Method: Exploits authentication bypass CVEs (CVE-2026-20182, CVE-2026-20133) to gain admin privileges.
  - Payload: Deploys webshells (XenShell, Godzilla, Behinder) for C2 and XMRig for resource monetization.
  - C2: Utilizes AdaptixC2, Sliver, and gsocket for communication.
- FAMOUS CHOLLIMA (North Korea):
  - Target: Software developers (Technology sector).
  - Method: Malicious npm packages (OtterCookie, BeaverTail) using typosquatting/dependency confusion.
  - Payload: BeaverTail (loader), InvisibleFerret (SSH backdoor), Koalemos (infostealer).
  - Objective: Credential theft, system access, supply chain compromise.
- Interlock Ransomware Group:
  - Target: Network infrastructure.
  - Method: Exploitation of CVE-2026-20131 (Cisco FMC Zero-Day).
  - Payload: PlasmaLoader, GHOSTSABER, GHOSTKNIFE.
  - Objective: Ransomware deployment and double-extortion.
IOC Analysis: The provided intelligence includes specific indicators of compromise (IOCs) crucial for network defense.
- File Hashes: The SHA256 hash `d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa` corresponds to a malicious artifact associated with the SD-WAN exploitation. SOC teams should ingest this hash into EDR solutions to flag execution attempts.
- Network Indicators: IPv4 address `176.65.139.31` is identified as a C2 node or infrastructure associated with UAT-8616. Firewall and proxy logs should be queried for connections to this IP.
- CVEs: High-priority patching is required for CVE-2026-20182, CVE-2026-20133, and CVE-2026-20131.
Detection Engineering:
The following detection rules and scripts are designed to identify the specific behaviors and artifacts described in the OTX pulses.
```yaml
title: Potential UAT-8616 Webshell Activity
id: 12345678-aaaa-bbbb-cccc-123456789012
description: Detects process execution patterns associated with UAT-8616 webshells including XenShell, Godzilla, and Behinder on SD-WAN infrastructure.
author: Security Arsenal
date: 2026/05/15
status: experimental
references:
  - https://otx.alienvault.com/pulse/660000000000
tags:
  - attack.persistence
  - attack.web_shell
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\\powershell.exe'
      - '\\cmd.exe'
      - '\\w3wp.exe'
    CommandLine|contains:
      - 'Godzilla'
      - 'Behinder'
      - 'XenShell'
      - 'Sliver'
  condition: selection
falsepositives:
  - Administrative scripts containing these keywords (rare)
level: high
---
title: XMRig Cryptominer Execution Post-Exploitation
id: 87654321-aaaa-bbbb-cccc-123456789012
description: Detects the execution of XMRig, often dropped by UAT-8616 following the exploitation of Cisco SD-WAN vulnerabilities.
author: Security Arsenal
date: 2026/05/15
status: experimental
references:
  - https://otx.alienvault.com/pulse/660000000000
tags:
  - attack.resource_hijacking
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains: 'xmrig'
  condition: selection
falsepositives:
  - Authorized mining operations (should be blocked on enterprise servers)
level: critical
```
```kql
// Hunt for network connections to known UAT-8616 infrastructure and file hash presence
// Source: AlienVault OTX Pulse Analysis
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccount, RemoteIP, RemotePort, ActionType
| union (
    DeviceProcessEvents
    | where SHA256 == "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
    | project Timestamp, DeviceName, FileName, SHA256, AccountName, ProcessCommandLine
)
```
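The KQL hunt and the two Sigma rules above express the same matching logic in three different engines. The following Python block is an added example, not part of the original report or of Security Arsenal's tooling: it applies the same checks (the C2 IP, the SHA256 hash, the shell-image-plus-keyword rule, and the `xmrig` image rule) to JSON-lines telemetry so the logic can be tested offline. The field names mirror the Microsoft Defender tables used in the KQL (`RemoteIP`, `SHA256`, `FolderPath`, `ProcessCommandLine`); the `table` field and all sample events are constructed for this example.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Indicators from the IOC Analysis section of this page.
IOC_SHA256 = {"d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"}
IOC_REMOTE_IP = {"176.65.139.31"}
# Image names and keywords from the two Sigma rules above.
SHELL_IMAGES = ("powershell.exe", "cmd.exe", "w3wp.exe")
WEBSHELL_KEYWORDS = ("godzilla", "behinder", "xenshell", "sliver")
MINER_KEYWORD = "xmrig"


@dataclass(frozen=True)
class Hit:
    timestamp: str
    device: str
    rule: str        # which check fired
    indicator: str   # the value that matched
    severity: str


def match_network_event(ev: dict) -> list[Hit]:
    """DeviceNetworkEvents branch of the KQL hunt: connection to the known C2 address."""
    ip = ev.get("RemoteIP", "")
    if ip in IOC_REMOTE_IP:
        return [Hit(ev.get("Timestamp", ""), ev.get("DeviceName", ""), "c2_ip", ip, "high")]
    return []


def match_process_event(ev: dict) -> list[Hit]:
    """DeviceProcessEvents branch of the KQL hunt plus both Sigma rules."""
    ts, dev = ev.get("Timestamp", ""), ev.get("DeviceName", "")
    hits: list[Hit] = []
    sha = (ev.get("SHA256") or "").lower()          # normalise case before comparing
    if sha in IOC_SHA256:
        hits.append(Hit(ts, dev, "file_hash", sha, "high"))
    image = (ev.get("FolderPath") or ev.get("FileName") or "").lower()
    cmd = (ev.get("ProcessCommandLine") or "").lower()
    # Sigma rule 1: shell/IIS worker image AND a webshell family name in the command line
    if image.endswith(SHELL_IMAGES):
        for kw in WEBSHELL_KEYWORDS:
            if kw in cmd:
                hits.append(Hit(ts, dev, "webshell_keyword", kw, "high"))
                break
    # Sigma rule 2: miner binary name anywhere in the image path
    if MINER_KEYWORD in image:
        hits.append(Hit(ts, dev, "miner", image, "critical"))
    return hits


def hunt(json_lines: list[str]) -> list[Hit]:
    """Run every JSON-lines telemetry record through the checks; bad lines are skipped."""
    hits: list[Hit] = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue                          # malformed telemetry must not abort the hunt
        if not isinstance(ev, dict):
            continue
        table = ev.get("table")
        if table == "DeviceNetworkEvents":
            hits.extend(match_network_event(ev))
        elif table == "DeviceProcessEvents":
            hits.extend(match_process_event(ev))
    return hits


# Constructed sample telemetry for this example (not real data); one JSON object per line.
SAMPLE_EVENTS = [
    r'{"table":"DeviceNetworkEvents","Timestamp":"2026-05-15T08:01:00Z","DeviceName":"sdwan-mgr01","RemoteIP":"176.65.139.31","RemotePort":443,"ActionType":"ConnectionSuccess"}',
    r'{"table":"DeviceNetworkEvents","Timestamp":"2026-05-15T08:01:05Z","DeviceName":"sdwan-mgr01","RemoteIP":"10.0.0.5","RemotePort":443,"ActionType":"ConnectionSuccess"}',
    r'{"table":"DeviceProcessEvents","Timestamp":"2026-05-15T08:02:00Z","DeviceName":"web01","FileName":"update.exe","FolderPath":"C:\\Temp\\update.exe","SHA256":"D94F75A70B5CABAF786AC57177ED841732E62BDCC9A29E06E5B41D9BE567BCFA","ProcessCommandLine":"update.exe"}',
    r'{"table":"DeviceProcessEvents","Timestamp":"2026-05-15T08:03:00Z","DeviceName":"web01","FileName":"cmd.exe","FolderPath":"C:\\Windows\\System32\\cmd.exe","SHA256":"","ProcessCommandLine":"cmd.exe /c whoami"}',
    r'{"table":"DeviceProcessEvents","Timestamp":"2026-05-15T08:04:00Z","DeviceName":"web01","FileName":"w3wp.exe","FolderPath":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","SHA256":"","ProcessCommandLine":"w3wp.exe -ap Behinder"}',
    r'{"table":"DeviceProcessEvents","Timestamp":"2026-05-15T08:05:00Z","DeviceName":"web01","FileName":"xmrig.exe","FolderPath":"C:\\Users\\svc\\AppData\\Local\\xmrig.exe","SHA256":"","ProcessCommandLine":"xmrig.exe"}',
    'this line is not JSON and must not crash the hunt',
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f"[{h.severity}] {h.timestamp} {h.device} {h.rule}: {h.indicator}")
```

Running it against the constructed events yields four hits (C2 IP, file hash, webshell keyword, miner) and silently skips the non-JSON line; the hash comparison is case-insensitive because EDR products differ in the case they emit.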
```powershell
# IOC Hunt Script for UAT-8616 Malware Artifacts
# Checks for the presence of specific file hashes and suspicious process activity
$TargetHash = "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
$Drives = @("C:\", "D:\", "E:\")

Write-Host "[*] Scanning for UAT-8616 Indicators of Compromise..."

# Check for specific file hash (-File skips directories, which Get-FileHash cannot hash)
foreach ($Drive in $Drives) {
    if (Test-Path $Drive) {
        Write-Host "[*] Scanning $Drive for matching hash..."
        Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                # -eq is case-insensitive for strings, so the upper-case hash Get-FileHash returns still matches
                if ($Hash -eq $TargetHash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                }
            } catch {
                # Ignore files that cannot be read (locked or access denied)
            }
        }
    }
}

# Check for active XMRig processes (associated with UAT-8616 monetization)
$Processes = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like "*xmrig*" }
if ($Processes) {
    Write-Host "[!] SUSPICIOUS CRYPTO MINING PROCESS DETECTED:" -ForegroundColor Yellow
    $Processes | Format-Table Id, ProcessName, Path
} else {
    Write-Host "[+] No XMRig processes found."
}
```
**Response Priorities:**
* **Immediate:**
  * Block all network traffic to/from `176.65.139.31` at the firewall and proxy level.
  * Prioritize patching for **CVE-2026-20182**, **CVE-2026-20133**, and **CVE-2026-20131** on Cisco infrastructure.
  * Scan all endpoints for the file hash `d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa` and terminate any instances of `xmrig.exe` on non-authorized systems.
* **24 Hours:**
  * If OtterCookie infection is suspected (via npm packages), rotate all credentials for developers and build systems.
  * Audit npm and `package-lock.` files for references to the "Koalemos", "BeaverTail", or "OtterCookie" packages.
* **1 Week:**
  * Implement strict segmentation for SD-WAN management interfaces to prevent direct internet exposure.
  * Review and harden software supply chain security (SBOM enforcement, private npm registries).
  * Conduct a threat hunt for webshells (Godzilla, Behinder) on internal web servers.
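The 24-hour and 1-week items above ask for an npm lockfile audit and for defences against dependency confusion. The Python block below is an added example, not part of the original report or of Security Arsenal's tooling: it walks an npm lockfile (both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3), flags any dependency whose name matches one of the family names the report lists, and flags any package under a private scope that was resolved from the public registry, which is the signature of dependency confusion. The page does not give the actual malicious package names, so the name list is a placeholder to be replaced from a threat intel feed; the `@acme` scope and both lockfiles are constructed for this example.

```python
from __future__ import annotations
import json
from typing import Iterator

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Placeholder: family names from the Response Priorities list above. Replace with the
# exact package names from your threat intel feed; the page does not list them.
BLOCKLISTED_NAMES = ("koalemos", "beavertail", "ottercookie")
# Hypothetical private scope(s) your organisation publishes to a private registry.
PRIVATE_SCOPES = ("@acme",)


def iter_lock_packages(lock: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (name, version, resolved) for every dependency in a package-lock.json."""
    packages = lock.get("packages")
    if isinstance(packages, dict):                       # lockfileVersion 2 or 3
        for path, meta in packages.items():
            if path == "":                               # the root project entry
                continue
            # Keys look like node_modules/foo or node_modules/a/node_modules/@scope/foo
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, str(meta.get("version", "")), str(meta.get("resolved", ""))
        return

    def walk(deps: dict) -> Iterator[tuple[str, str, str]]:   # lockfileVersion 1, nested
        for name, meta in deps.items():
            yield name, str(meta.get("version", "")), str(meta.get("resolved", ""))
            yield from walk(meta.get("dependencies") or {})

    yield from walk(lock.get("dependencies") or {})


def audit_lockfile(text: str, blocklist=BLOCKLISTED_NAMES,
                   private_scopes=PRIVATE_SCOPES) -> list[dict]:
    """Return one finding per suspicious dependency in the lockfile text."""
    scopes = tuple(private_scopes)
    findings: list[dict] = []
    for name, version, resolved in iter_lock_packages(json.loads(text)):
        lowered = name.lower()
        if any(token in lowered for token in blocklist):
            findings.append({"package": name, "version": version,
                             "reason": "name matches a blocklisted malware family"})
        # Dependency confusion: a private-scope package that was fetched from the public registry
        if name.startswith(scopes) and resolved.startswith(PUBLIC_REGISTRY):
            findings.append({"package": name, "version": version,
                             "reason": "private-scope package resolved from public registry"})
    return findings


# Constructed lockfiles for this example (not real projects or packages).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
        "node_modules/ottercookie-utils": {"version": "0.0.1",
            "resolved": "https://registry.npmjs.org/ottercookie-utils/-/ottercookie-utils-0.0.1.tgz"},
        "node_modules/@acme/internal-auth": {"version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@acme/internal-auth/-/internal-auth-9.9.9.tgz"},
        "node_modules/@acme/logger": {"version": "2.1.0",
            "resolved": "https://npm.example.internal/@acme/logger/-/logger-2.1.0.tgz"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "express": {"version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz",
            "dependencies": {
                "beavertail-loader": {"version": "1.0.0",
                    "resolved": "https://registry.npmjs.org/beavertail-loader/-/beavertail-loader-1.0.0.tgz"},
            }},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for f in audit_lockfile(sample):
            print(f"{f['package']}@{f['version']}: {f['reason']}")
```

On the constructed v3 lockfile this reports `ottercookie-utils` (blocklisted name) and `@acme/internal-auth` (private scope fetched from the public registry, the dependency-confusion case); `@acme/logger` is not reported because it came from the internal registry. The v1 lockfile shows that nested transitive dependencies are walked too. In a CI pipeline the same check runs on every lockfile change, which is the enforcement point the "private npm registries" item above relies on.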