UAT-8616 & Interlock Cisco Exploits + FAMOUS CHOLLIMA NPM Supply Chain: OTX Pulse Analysis

Recent OTX Pulse data reveals a convergence of high-impact cyber-espionage and financially motivated attacks targeting enterprise infrastructure and software supply chains. Three distinct campaigns have been identified:

Cisco Infrastructure Assaults: The sophisticated threat actor UAT-8616 is actively exploiting CVE-2026-20182 (authentication bypass) in Cisco Catalyst SD-WAN Manager to deploy webshells (XenShell, Godzilla) and C2 frameworks (Sliver, Behinder). Simultaneously, the Interlock Ransomware Group has weaponized a zero-day vulnerability (CVE-2026-20131) in Cisco Firepower Management Center (FMC) to deploy the GHOSTKNIFE ransomware suite.
NPM Supply Chain Compromise: North Korean threat actors FAMOUS CHOLLIMA are conducting a "Contagious Interview" campaign, distributing malicious npm packages (OtterCookie, BeaverTail) that serve as infostealers and SSH backdoors.

Collectively, these campaigns indicate a shift toward exploiting ubiquitous network management platforms and developer tooling to establish persistent footholds for credential theft and data extortion.

Threat Actor / Malware Profile

UAT-8616

Target: Cisco Catalyst SD-WAN infrastructure.
Objective: Initial access, persistence, and resource hijacking (XMRig).
Malware & Tools:
- Webshells: XenShell, Godzilla (JSP-based), Behinder.
- C2 Frameworks: Sliver, AdaptixC2, gsocket.
Techniques: Exploits CVE-2026-20182 for authentication bypass. Uses webshells for direct interaction and deploys crypto-miners (XMRig) to monetize compromised infrastructure.

FAMOUS CHOLLIMA (North Korea)

Target: Software developers via npm supply chain.
Objective: Credential theft and long-term access to development environments.
Malware:
- OtterCookie / BeaverTail: Infostealers targeting browser data and credentials.
- InvisibleFerret: SSH backdoor for persistence.
Distribution: Typosquatting and dependency confusion on npm. Uses benign wrapper packages to pull malicious dependencies during build processes.

Interlock Ransomware Group

Target: Enterprise networks via Cisco FMC.
Objective: Data encryption and extortion.
Malware:
- GHOSTKNIFE / GHOSTSABER: Custom ransomware payloads.
- PlasmaLoader: Initial loader utilizing deserialization exploits.

IOC Analysis

The provided pulses contain actionable indicators across multiple vectors:

File Hashes: A SHA256 hash (d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa) associated with UAT-8616 activity has been released. SOC teams should immediately scan endpoints and VMDKs for this signature.
Network Infrastructure: The IP address 176.65.139.31 is listed as a C2 node. This IP should be blocked at perimeter firewalls and EDR policies.
CVE Identifiers: Priority patching is required for:
- CVE-2026-20182 (Cisco SD-WAN Auth Bypass)
- CVE-2026-20131 (Cisco FMC Zero-Day)
- CVE-2026-20133 (Cisco SD-WAN)

Operationalization: SOC teams should import these IOCs into SIEM correlation engines (e.g., Microsoft Sentinel, Splunk) to trigger alerts on firewall deny logs or EDR detection matches.

Detection Engineering

YAML

title: Potential Cisco SD-WAN CVE-2026-20182 Exploitation Attempt
id: 5c2a1b0d-4e8f-4a1c-9d2f-1a5b6c7d8e9f
description: Detects potential exploitation of Cisco SD-WAN Manager authentication bypass vulnerability via webshell-like activity or specific URI anomalies.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: web
detection:
    selection:
        c-uri|contains:
            - '/webshell'
            - '/admin/api/v1/'
    condition: selection
falsepositives:
    - Administrative management traffic from known internal IPs
level: high
---
title: Suspicious NPM Package Execution (OtterCookie/BeaverTail)
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects execution of node processes spawned by potentially malicious npm packages associated with the FAMOUS CHOLLIMA campaign.
status: experimental
date: 2026/05/16
author: Security Arsenal
references:
    - https://panther.com/blog/tracking-an-ottercookie-infostealer-campaign-across-npm
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\node.exe'
            - '\npm.cmd'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cli:
        CommandLine|contains:
            - 'base64'
            - 'iex'
            - 'downloadstring'
    condition: all of selection_*
falsepositives:
    - Legitimate developer build scripts
level: high
---
title: Sliver C2 Beacon Activity
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
description: Detects network activity consistent with Sliver C2 beacons associated with UAT-8616.
status: experimental
date: 2026/05/16
author: Security Arsenal
tags:
    - attack.c2
    - attack.t1071
logsource:
    category: network_connection
detection:
    selection:
        DestinationPort|between:
            - 8888
            - 9999
        Initiated: 'true'
    filter:
        DestinationIp:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter
falsepositives:
    - Legitimate applications using high ports
level: medium


kql
// Hunt for known malicious IP connections and process execution
DeviceNetworkEvents
| where RemoteIP == "176.65.139.31"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort
| extend FullURL = iff(isnotempty(RemoteUrl), RemoteUrl, "N/A")
| order by Timestamp desc
;
// Hunt for suspicious Node.js processes (NPM Supply Chain)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("node.exe", "npm.cmd")
| where FileName in ("powershell.exe", "cmd.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("iex", "Invoke-Expression", "FromBase64String")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc


powershell
# IOC Hunt Script: UAT-8616 Malware Hashes & Persistence
# Requires Admin privileges

$MaliciousHash = "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

Write-Host "[+] Hunting for malicious hash $MaliciousHash..." -ForegroundColor Cyan

foreach ($Drive in $Drives) {
    try {
        Write-Host "[INFO] Scanning $Drive..." -ForegroundColor Yellow
        Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | 
        Where-Object { !$_.PSIsContainer } | 
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -eq $MaliciousHash) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
    catch {
        Write-Host "[ERROR] Access denied in $Drive" -ForegroundColor DarkGray
    }
}

Write-Host "[+] Checking for suspicious scheduled tasks (Godzilla/XenShell persistence)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { 
    $_.TaskName -match "update" -or $_.TaskName -match "system" -or $_.Actions.Execute -match "powershell" -and $_.Actions.Execute -match "-enc" 
} | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

Response Priorities

Immediate

Block network traffic to/from IP 176.65.139.31.
Isolate Cisco Catalyst SD-WAN and FMC appliances; apply patches for CVE-2026-20182 and CVE-2026-20131 immediately.
Scan all endpoints for the SHA256 hash d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa.

24 Hours

Audit npm package repositories for the presence of OtterCookie, BeaverTail, or suspicious dependencies.
Reset credentials for developer accounts and network administrators who may have been exposed to webshells or infostealers.
Review SD-WAN and FMC logs for indicators of authentication bypass or unauthorized administrative sessions.

1 Week

Implement strict allow-listing for outbound network traffic from network management interfaces.
Conduct a architecture review of SD-WAN segmentation to limit lateral movement from exploited management planes.
Enforce code-signing requirements for all internal npm packages and build artifacts.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub