Recent OTX pulses reveal a coordinated surge in credential-theft activity across Windows and macOS ecosystems, facilitated by sophisticated initial access vectors. The threat landscape is dominated by the re-emergence of Vidar v1.5 (recompiled in Go to evade detection), advanced obfuscation in Gremlin Stealer, and the evolution of SHub Reaper on macOS.
These campaigns appear to be bolstered by initial access brokers, notably The Gentlemen RaaS and actor UAT-8616, who are actively exploiting edge infrastructure (Cisco SD-WAN, Fortinet) to establish footholds. The collective objective is systematic credential harvesting (browser data, crypto wallets, session tokens) and financial theft, utilizing dead-drop resolvers (Telegram, Steam) and covert C2 channels.
Threat Actor / Malware Profile
Vidar v1.5 (Go)
- Family: Infostealer (Arkei descendant)
- Distribution: Malvertising, exploit kits
- Payload: 7MB Go 1.25.4 native PE
- Behavior: Heavy sandbox checks (12-category scoring), steals Steam/Browser/Crypto data.
- C2: Dead-drop resolver via Telegram and Steam profile pages.
- Anti-Analysis: Significant sandbox evasion; language shift from .NET/C++ to Go complicates static analysis.
Gremlin Stealer
- Family: Infostealer (associated with Agent Tesla, LokiBot)
- Distribution: Phishing attachments
- Payload: Packed binary with instruction virtualization
- Behavior: Conceals payload in embedded resources; siphons payment card details and browser cookies.
- Persistence: Standard registry run keys / scheduled tasks.
SHub Reaper (macOS)
- Family: Atomic macOS Stealer / AMOS variant
- Distribution: Fake WeChat and Miro installers
- Payload: Multi-stage delivery chain
- Behavior: Spoofs Apple, Google, and Microsoft services; uses
applescript://URL scheme to bypass terminal defenses. - Persistence: Launch agents / Daemons.
The Gentlemen / UAT-8616
- Type: RaaS / Initial Access Broker
- TTPs: Exploiting CVE-2026-20128 (Cisco SD-WAN), CVE-2025-32433, NTLM relay.
- Objective: Selling access to enterprise networks for follow-on infostealer deployment.
IOC Analysis
The provided indicators span multiple infrastructure types requiring immediate blocking:
- IPv4 Addresses: Includes C2 servers for Vidar (
149.154.167.99,135.181.237.59) and Gremlin (194.87.92.109). SOC teams should treat any egress connections to these IPs as critical alerts. - Domains:
hebsbsbzjsjshduxbs.xyz(SHub Reaper C2),mlroweb.com. These should be sinkholed. - File Hashes: A mix of MD5, SHA1, and SHA256. Notably, Vidar samples are large (7MB) due to the Go runtime.
- CVEs:
CVE-2026-20128,CVE-2025-32433. Use vulnerability scanners to prioritize patching on edge appliances.
Operationalization: Feed these IOCs into EDR query engines (CrowdStrike, SentinelOne) and SIEM correlation rules immediately.
Detection Engineering
YAML
title: Suspicious Network Connection to Vidar or SHub C2 Infrastructure
id: c12a1b2c-3d4e-5f6a-7b8c-9d0e1f2a3b4c
description: Detects network connections to known C2 infrastructure associated with Vidar Stealer (Go) and SHub Reaper based on OTX Pulse data.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6648b2d3e3b8b
tags:
- attack.command_and_control
- attack.exfiltration
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp|startswith:
- '149.154.167.'
- '135.181.237.'
- '194.87.92.'
DestinationPort:
- 443
- 80
condition: selection
falsepositives:
- Legitimate traffic to Telegram IPs (149.154.x.x is common, requires context)
level: high
---
title: macOS Suspicious Applescript URL Scheme Execution
id: d23e4f5a-6b7c-8d9e-0f1a-2b3c4d5e6f7a
description: Detects the use of applescript:// URL scheme, a technique used by SHub Reaper to bypass defenses and execute payloads.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6648b2d3e3b8b
tags:
- attack.execution
- attack.initial_access
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains: 'applescript://'
condition: selection
falsepositives:
- Legitimate administrative automation scripts
level: high
---
title: Potential Gremlin Stealer Resource Access Pattern
id: e34f5a6b-7c8d-9e0f-1a2b-3c4d5e6f7a8b
description: Detects processes accessing browser credential files (Cookies, Login Data) that are not the browser itself, indicative of infostealers like Gremlin or Vidar.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6648b2d3e3b8b
tags:
- attack.credential_access
logsource:
category: file_access
product: windows
detection:
selection_target:
TargetFilename|contains:
- '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
- '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
- '\AppData\Roaming\Mozilla\Firefox\Profiles\'
selection_img:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
filter:
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
condition: selection_target and not filter
level: high
kql
// Hunt for SHub and Vidar Network IOCs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("hebsbsbzjsjshduxbs.xyz", "mlroweb.com", "qq-0732gwh22.com")
or RemoteIP in ("149.154.167.99", "135.181.237.59", "194.87.92.109")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
powershell
# IOC Hunt Script for Vidar/Gremlin File Hashes
# Requires Get-FileHash (PowerShell 4.0+)
$TargetHashes = @(
"702ef1b4007f07887e9faaee0667b50b",
"87332fcdf79e1c0bfb7713e9a52c0313",
"1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
"c917fcf8314228862571f80c9e4a871e"
)
$SearchPaths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
Write-Host "[+] Scanning for Malicious File Hashes..." -ForegroundColor Cyan
foreach ($path in $SearchPaths) {
if (Test-Path $path) {
Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash
if ($TargetHashes -contains $hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
Write-Host " - MD5: $hash" -ForegroundColor Red
}
} catch {
# Ignore locked files or access errors
}
}
}
}
# Check Network Connections for Bad IPs (Requires Admin)
Write-Host "[+] Checking Active Network Connections for C2 IPs..." -ForegroundColor Cyan
$BadIPs = @("149.154.167.99", "135.181.237.59", "194.87.92.109")
$connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($ip in $BadIPs) {
$hit = $connections | Where-Object { $_.RemoteAddress -eq $ip }
if ($hit) {
$process = Get-Process -Id $hit.OwningProcess -ErrorAction SilentlyContinue
Write-Host "[!] C2 CONNECTION DETECTED: $ip" -ForegroundColor Red
Write-Host " - Local Address: $($hit.LocalAddress):$($hit.LocalPort)" -ForegroundColor Red
Write-Host " - Process: $($process.ProcessName) (PID: $($hit.OwningProcess))" -ForegroundColor Red
}
}
# Response Priorities
* **Immediate:** Block all listed IOCs (IPs, Domains) at the perimeter and firewalls. Scan endpoints for the specific MD5/SHA256 hashes provided (Vidar, Gremlin, SHub).
* **24h:** Conduct credential audits for users with potential infections (Vidar/Gremlin targets). Force reset of passwords for browser-saved credentials on affected segments.
* **1 week:** Patch Cisco SD-WAN vulnerabilities (CVE-2026-20128) immediately. Restrict the use of `applescript://` schemes on macOS endpoints if possible via configuration profiles.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsvidar-stealergremlin-stealershub-reapercredential-theftmac-malware
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.