Recent OTX pulses indicate a surge in sophisticated credential theft activity utilizing updated infostealers and supply chain compromises. The landscape is dominated by the re-emergence of Vidar v1.5, rewritten in Go to evade traditional detection, and the evolution of Gremlin Stealer, which now employs advanced resource-based obfuscation. Concurrently, threat actors are exploiting the software supply chain via malicious NPM packages (Shai-Hulud variants) and leveraging edge-device vulnerabilities (Cisco SD-WAN) to establish persistence for webshells and cryptocurrency miners. The collective objective across these campaigns is the exfiltration of browser credentials, cryptocurrency wallets, and session tokens, facilitated by diverse C2 infrastructures including Telegram and Steam profiles.
Threat Actor / Malware Profile
Vidar v1.5 (Go Variant)
- Distribution: Typically distributed via SEO poisoning or malvertising. This sample is a 7 MB Go 1.25.4 native PE.
- Payload Behavior: Infostealer targeting browser data, crypto wallets, and Steam sessions.
- C2 Communication: Uses "dead-drop" resolvers via Telegram and Steam profile pages to fetch the actual C2 IP, making takedowns difficult.
- Anti-Analysis: Implements a twelve-category sandbox scoring system to detect analysis environments.
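The dead-drop pattern described above can be hunted for in web proxy logs: the following is an added example (not code from the report or from any vendor tool) that flags profile or channel pages on the two platforms fetched by non-browser clients and correlates repeat offenders. The log line layout, the dead-drop URL shapes and the client addresses are constructed assumptions; the pulses only name the platforms.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed proxy log lines (not from the OTX pulses):
#   <timestamp> <client_ip> <method> <url> <status> "<user_agent>"
SAMPLE_PROXY_LOG = """\
2026-05-20T10:01:02Z 10.0.0.15 GET https://steamcommunity.com/profiles/76561199000000001 200 "Go-http-client/1.1"
2026-05-20T10:01:05Z 10.0.0.15 GET https://t.me/exampledeaddrop 200 "Go-http-client/1.1"
2026-05-20T10:02:11Z 10.0.0.22 GET https://steamcommunity.com/profiles/76561199000000002 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2026-05-20T10:03:40Z 10.0.0.31 GET https://www.example.com/index.html 200 "Go-http-client/1.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Public profile/channel pages a dead-drop resolver reads to obtain the real C2
# address (URL shapes are assumptions; the report names only the platforms).
DEAD_DROP_PATHS = {
    "steamcommunity.com": re.compile(r"^/(profiles|id)/[^/]+/?$"),
    "t.me": re.compile(r"^/[A-Za-z0-9_]+/?$"),
}
# Interactive browsers: users visiting Steam or Telegram are not the signal.
BROWSER_UA_RE = re.compile(r"Mozilla/|Chrome/|Firefox/|Safari/|Edg/")

@dataclass
class Finding:
    client_ip: str
    url: str
    user_agent: str

def find_dead_drop_fetches(log_text):
    """One Finding per non-browser fetch of a dead-drop style page."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, client_ip, _method, url, _status, ua = m.groups()
        parsed = urlparse(url)
        host = (parsed.hostname or "").removeprefix("www.")
        path_re = DEAD_DROP_PATHS.get(host)
        if path_re is None or not path_re.match(parsed.path):
            continue
        if BROWSER_UA_RE.search(ua):
            continue
        findings.append(Finding(client_ip, url, ua))
    return findings

def suspicious_clients(log_text):
    """Client IPs with more than one non-browser dead-drop fetch, sorted."""
    counts = {}
    for f in find_dead_drop_fetches(log_text):
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)
```

Telegram and Steam are legitimate platforms, so blocking them outright is rarely acceptable; filtering on the client (Go's default HTTP client identifies itself as Go-http-client, for instance) is the practical control.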
Gremlin Stealer
- Distribution: Phishing campaigns containing malicious attachments.
- Payload Behavior: Siphons payment card details, browser data, and Discord tokens. Often bundled with other loaders like Agent Tesla or GuLoader.
- Obfuscation: Uses commercial packing utilities with instruction virtualization (custom VM) to hide payloads inside embedded resource files.
Shai-Hulud (NPM Worm)
- Distribution: Supply chain attack targeting NPM registry (typosquatting and copycatting).
- Affected Packages: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils.
- Payload Behavior: Acts as a worm and infostealer, capable of DDoS and cryptocurrency theft.
UAT-8616 (Cisco Exploitation)
- Tools: XenShell, Godzilla, Behinder, Sliver.
- Objective: Initial access via CVE-2026-20182 (Auth Bypass) to deploy webshells and XMRig miners.
IOC Analysis
The provided pulses reveal a mix of infrastructure and file-based indicators:
- IP Addresses & URLs: Specific C2 IPs (e.g., 149.154.167.99, 194.87.92.109) and domains used by Shai-Hulud (*.lhr.life). These should be blocked immediately at the perimeter.
- File Hashes: Numerous MD5, SHA1, and SHA256 hashes for the Go-based Vidar binary, Gremlin variants, and webshells. These are critical for EDR correlation and scanning.
- CVE Identifiers: CVE-2026-20182, CVE-2026-20133. Use these to prioritize patching for Cisco Catalyst SD-WAN infrastructure.
- Operationalization: SOC teams should ingest these IOCs into SIEM solutions (e.g., Microsoft Sentinel) to trigger alerts on outbound connections to known C2s or file execution events matching the provided hashes.
Detection Engineering
Sigma Rules
title: Potential Vidar Stealer v1.5 Go Process Activity
id: 89e83e12-6b7c-4b3e-9f1a-1c2d3e4f5a6b
description: Detects suspicious process execution patterns associated with Vidar v1.5 written in Go, including potential sandbox checks and large binary sizes.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6283a1f8c2d0e41234567890
tags:
  - attack.credential_access
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\vidar.exe'
      - '\loader.exe'
  selection_go:
    # Exact match on an empty or absent Company field: 'contains' with an empty
    # string would match every event. Sysmon records a missing version resource as '-'.
    Company:
      - ''
      - '-'
    OriginalFileName|contains: 'go-build'
  selection_sandbox:
    CommandLine|contains:
      - 'sandbox'
      - 'vmcheck'
      - 'debugger'
  condition: 1 of selection*
falsepositives:
  - Legitimate Go applications
level: high
---
title: Malicious NPM Package Installation (Shai-Hulud)
id: 77d72e11-5a6b-3a2d-8e0a-0b1c2d3e4f5a
description: Detects the installation of known malicious NPM packages associated with the Shai-Hulud worm campaign.
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6283a1f8c2d0e41234567892
tags:
  - attack.initial_access
  - attack.t1195
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # npm.cmd is a batch wrapper, so the recorded Image is usually cmd.exe or the node.exe it spawns
    Image|endswith:
      - '\npm.cmd'
      - '\cmd.exe'
      - '\node.exe'
    CommandLine|contains: 'install'
  malicious_packages:
    CommandLine|contains:
      - 'chalk-tempalte'
      - 'axios-util'
      - 'axois-utils'
      - 'color-style-utils'
  condition: selection and malicious_packages
falsepositives:
  - Legitimate developer installing similarly named packages (unlikely given typosquatting)
level: critical
---
title: Suspicious Cisco SD-WAN Vulnerability Exploitation Attempt
id: 66c61d00-4a5a-2a1c-7d09-9a0b1c2d3e4f
description: Detects potential webshell upload or exploitation activity targeting Cisco SD-WAN vulnerabilities (CVE-2026-20182).
status: experimental
date: 2026/05/20
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6283a1f8c2d0e41234567894
tags:
  - attack.initial_access
  - attack.persistence
  - attack.t1505.003
logsource:
  category: webserver
detection:
  selection_uri:
    # request path (stem), not the query string
    cs-uri-stem|contains:
      - '/vpn'
      - '/api'
      - '.jsp'
  selection_exploit:
    cs-uri-query|contains:
      - 'CVE-2026-20182'
      - 'teamviewersetup.exe'
      - 'godzilla'
  # Both must hold: '/api' or '.jsp' alone would match ordinary management traffic
  condition: selection_uri and selection_exploit
falsepositives:
  - Administrative management traffic
level: medium
KQL (Microsoft Sentinel)
// Hunt for Vidar/Gremlin Network Connections
// Telegram and Steam are legitimate destinations; exclude interactive browsers and the official clients to cut noise
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("telegram.org", "steamcommunity.com") or RemoteIP in ("149.154.167.99", "135.181.237.59", "194.87.92.109", "80.200.28.28")
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "steam.exe", "telegram.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| extend timestamp = Timestamp
// Hunt for Shai-Hulud File Creation
// Package names appear as directories under node_modules, so match on FolderPath rather than FileName
// Note: "axios-util" is also a substring of the legitimate "axios-utils"; review hits for that term
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains "node_modules"
| where FolderPath contains "chalk-tempalte" or FolderPath contains "axios-util" or FolderPath contains "axois-utils" or FolderPath contains "color-style-utils"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, SHA256
PowerShell Hunt Script
# IOC Hunt for Shai-Hulud NPM Packages and Suspicious Connections
Write-Host "[+] Checking for malicious NPM packages..."
$maliciousPackages = @("chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils")

# Check common global npm paths
$npmPaths = @("$env:APPDATA\npm\node_modules", "$env:USERPROFILE\node_modules")
foreach ($path in $npmPaths) {
    if (Test-Path $path) {
        # Depth 1 so scoped packages (@scope\name) are seen as well as top-level ones
        Get-ChildItem -Path $path -Directory -Recurse -Depth 1 | ForEach-Object {
            # Rebuild the npm package name from the path relative to node_modules
            $name = $_.FullName.Substring($path.Length).TrimStart('\') -replace '\\', '/'
            if ($name -in $maliciousPackages) {
                Write-Host "[!] FOUND MALICIOUS PACKAGE: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check running processes for suspicious C2 connections (Vidar/Gremlin IOCs)
Write-Host "[+] Checking active network connections for known C2 IPs..."
$targetIPs = @("149.154.167.99", "135.181.237.59", "194.87.92.109", "80.200.28.28")
$activeConnections = Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
foreach ($ip in $targetIPs) {
    # $matches is a PowerShell automatic variable (set by -match), so use a different name
    $hits = $activeConnections | Where-Object { $_.RemoteAddress -eq $ip }
    foreach ($hit in $hits) {
        $process = Get-Process -Id $hit.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] SUSPICIOUS CONNECTION TO $ip detected by PID: $($hit.OwningProcess) - Process: $($process.ProcessName)" -ForegroundColor Red
    }
}
Write-Host "[+] Hunt complete."
Response Priorities
- Immediate:
  - Block all identified IOCs (IPs, Domains, URLs) at the firewall and proxy level.
  - Scan endpoints for the file hashes provided in the Vidar and Gremlin pulses.
  - Quarantine any systems found with the malicious NPM packages installed.
- 24h:
  - Initiate credential rotation for accounts accessed from infected endpoints.
  - Audit developer workstations for signs of compromise via the Shai-Hulud supply chain attack.
  - Review VPN and edge logs for indicators of NTLM relay attacks associated with "The Gentlemen" actor.
- 1 Week:
  - Patch Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133) immediately.
  - Implement strict package allow-listing for npm/PyPI registries to prevent supply chain ingestion.
  - Enhance EDR policies to detect Go-based binaries with suspicious characteristics (e.g., packed code, missing metadata).
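The typosquatted Shai-Hulud names profiled earlier and the package allow-listing recommended above come together in a lockfile audit: the following is an added example (not code from the report or from npm) that reads the packages map of a package-lock.json, rejects names from the report's blocklist, and flags anything off the allow-list that sits within a small edit distance of a vetted name. The allow-list and the lockfile contents are constructed; only the blocklist names come from the report.

```python
import json

# Known-malicious names from the Shai-Hulud pulse summarised in this report.
BLOCKLIST = {"chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils"}

# Constructed allow-list of vetted packages (an organisation would maintain its own).
ALLOWLIST = {"chalk", "chalk-template", "axios", "axios-utils", "lodash", "express"}

# Constructed package-lock.json (lockfileVersion 2/3 layout), not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.2"},
        "node_modules/axois-utils": {"version": "0.1.0"},
        "node_modules/@deadcode09284814/axios-util": {"version": "2.0.0"},
        "node_modules/express/node_modules/lodash": {"version": "4.17.21"},
        "node_modules/lodahs": {"version": "0.0.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

def package_names(lock_text):
    """Package names from the 'packages' map; handles nested node_modules and @scope/name."""
    lock = json.loads(lock_text)
    for path in lock.get("packages", {}):
        if path:  # "" is the root project entry, not a dependency
            yield path.rsplit("node_modules/", 1)[1]

def levenshtein(a, b):
    """Edit distance; a transposition such as tempalte/template costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_lockfile(lock_text, max_distance=2):
    """Verdict for every package that is not on the allow-list."""
    verdicts = {}
    for name in package_names(lock_text):
        if name in ALLOWLIST:
            continue
        if name in BLOCKLIST:
            verdicts[name] = "BLOCKLISTED"
            continue
        near = sorted(a for a in ALLOWLIST if levenshtein(name, a) <= max_distance)
        verdicts[name] = f"TYPOSQUAT? resembles {near}" if near else "NOT ALLOW-LISTED"
    return verdicts
```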