Recent OTX pulses indicate a coordinated surge in credential theft activity across Windows and macOS platforms, coupled with aggressive exploitation of network edge infrastructure. The re-emergence of Vidar v1.5 rewritten in Go suggests a tactical shift to evade static detection, while Gremlin Stealer employs advanced instruction virtualization to hide in resource files. On the macOS front, SHub Reaper is utilizing applescript:// schemes to bypass terminal defenses. Simultaneously, threat actors UAT-8616 and The Gentlemen are actively exploiting vulnerabilities in Cisco SD-WAN and Fortinet appliances (CVE-2026-20182, CVE-2024-55591) to establish initial access for botnets and credential harvesting. The collective objective is clear: acquisition of browser credentials, cryptocurrency wallets, and session tokens via evasion and infrastructure abuse.
Threat Actor / Malware Profile
Vidar v1.5 (Go)
- Family: Infostealer (Arkei descendant)
- Language: Go 1.25.4
- Distribution: Malvertising, payload obfuscation
- Behavior: Steals browser data, crypto wallets, Steam sessions. Features a 12-category sandbox scoring system to avoid analysis.
- C2: Dead-drop resolver via Telegram and Steam user profile pages.
Gremlin Stealer
- Family: Infostealer (Agent Tesla/Lokibot loader)
- Distribution: Phishing attachments
- Behavior: Harvests payment details, browser data, Discord tokens. Uses instruction virtualization (custom VM) for packing.
- Evasion: Embeds payloads within legitimate-looking resource files to bypass heuristic scanning.
SHub Reaper (macOS)
- Family: SHub / Atomic Stealer variant
- Platform: macOS
- Distribution: Fake installers for WeChat and Miro
- Behavior: Extensive fingerprinting, cookie/password theft, keylogging. Spoofs Apple, Google, and Microsoft windows.
- Persistence: Abuses the applescript:// URL scheme to bypass Terminal-based security controls.
UAT-8616 & The Gentlemen
- Type: APT / RaaS Operators
- Vector: Exploitation of Edge Appliances (Cisco Catalyst SD-WAN, Fortinet)
- Tools: Sliver, XenShell, SystemBC, XMRig, Nimplant
- Objective: Initial access via NTLM relay or auth bypass to deploy webshells and credential harvesters.
IOC Analysis
The provided IOCs include:
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes for Go-based Vidar, Gremlin variants, and macOS payloads. These should be loaded into EDR blocklist configurations immediately.
- Network Indicators: Specific IPs (e.g., 194.87.92.109, 176.65.139.31) and domains (e.g., hebsbsbzjsjshduxbs.xyz) used for C2 and dead-drop resolvers.
- CVEs: CVE-2026-20182 (Cisco SD-WAN Auth Bypass) and CVE-2024-55591 (Fortinet) are critical for patch management prioritization.
SOC teams should operationalize these by blocking the listed domains and IPs at the perimeter. File hashes require hunting in SIEM logs: match the SHA256 field of ProcessCreate events against the hash list.
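The matching the paragraph above describes, as an added example that is not part of the brief: the indicator values are the ones quoted in the brief, the Sysmon-style events are constructed, and the field names (EventType, SHA256, Company, ParentImage, DestinationIp, DestinationHostname) are assumed rather than taken from any particular SIEM schema.

```python
# Added example (not from the brief): match the pulse's indicators against
# constructed Sysmon-style events, the way a SIEM correlation rule would.
HASHES = {
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105",  # Vidar (Go)
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",  # Gremlin
}
C2_IPS = {"194.87.92.109", "176.65.139.31", "149.154.167.99", "135.181.237.59"}
C2_DOMAINS = {"hebsbsbzjsjshduxbs.xyz", "mlroweb.com"}
LOLBIN_PARENTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}

def classify(event: dict) -> list:
    """Return the detections an event triggers (empty list if clean)."""
    hits = []
    if event.get("EventType") == "ProcessCreate":
        if event.get("SHA256", "").lower() in HASHES:  # hashes compare case-insensitively
            hits.append("known-stealer-hash")
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent in LOLBIN_PARENTS and not event.get("Company"):  # Vidar Sigma logic
            hits.append("no-company-metadata-from-lolbin-parent")
        if "applescript://" in event.get("CommandLine", "").lower():  # SHub Reaper
            hits.append("applescript-uri-scheme")
    elif event.get("EventType") == "NetworkConnect":
        if event.get("DestinationIp") in C2_IPS:
            hits.append("c2-ip")
        host = event.get("DestinationHostname", "").lower().rstrip(".")  # drop trailing dot
        if any(host == d or host.endswith("." + d) for d in C2_DOMAINS):  # incl. subdomains
            hits.append("c2-domain")
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Company": "",
     "SHA256": "2995FFB73342453B258926EC865C724E3567EEE1BB8EB35D61796EE0C4F25105"},
    {"EventType": "NetworkConnect", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
     "DestinationIp": "149.154.167.99", "DestinationHostname": "api.telegram.org"},
    {"EventType": "NetworkConnect", "Image": "/usr/bin/curl",
     "DestinationIp": "203.0.113.5", "DestinationHostname": "cdn.hebsbsbzjsjshduxbs.xyz"},
    {"EventType": "ProcessCreate", "Image": "/usr/bin/osascript", "SHA256": "ab" * 32,
     "ParentImage": "/Applications/Miro.app/Contents/MacOS/Miro",
     "CommandLine": "open applescript://example"},
    {"EventType": "ProcessCreate", "Image": "C:\\Program Files\\Git\\bin\\git.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Company": "Git Contributors",
     "SHA256": "cd" * 32},
]

def run_hunt(events=SAMPLE_EVENTS):
    """Map event index -> detections for every event that triggered a rule."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

The last sample event (git.exe launched from cmd.exe, with vendor metadata present) is the clean control: it shows why the Company check matters for the parent-process heuristic.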
Detection Engineering
```yaml
title: Potential Vidar Stealer Go Execution
id: 1f8a2b3c-4d5e-6f78-9a0b-1c2d3e4f5a6b
description: Detects potential execution of Vidar v1.5 written in Go based on suspicious process characteristics and C2 patterns.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66486a8f8a8b5f0d8b1c2d3e
tags:
    - attack.credential_access
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_go:
        Image|endswith: '.exe'
        # Go binaries often ship without version metadata. Sysmon records an empty
        # Company field as '-', so adjust this value to what your backend stores.
        Company|contains: 'None'
    selection_suspicious_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    # DestinationIp is a network_connection field and is not present on a plain
    # process_creation event, so this selection only matches on backends that join
    # process and network telemetry; otherwise use the KQL hunt in this section,
    # which performs that join explicitly.
    selection_network:
        DestinationIp|contains:
            - '149.154.167.' # Telegram IP range used for C2
            - '135.181.237.'
    condition: all of selection_*
falsepositives:
    - Legitimate Go applications communicating with Telegram APIs
level: high
---
title: macOS SHub Reaper Applescript Bypass
id: 2a9b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects the use of applescript:// URL scheme often used by SHub Reaper to bypass Terminal defenses.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66486a8f8a8b5f0d8b1c2d3e
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: process_creation
    product: macos
detection:
    selection_uri:
        CommandLine|contains: 'applescript://'
    selection_suspicious:
        Image|endswith:
            - '/osascript'
            - '/curl'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative automation scripts
level: critical
---
title: Gremlin Stealer Resource Access
id: 3b0c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
description: Detects processes accessing browser credential storage files characteristic of infostealers like Gremlin.
status: experimental
date: 2026/05/19
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66486a8f8a8b5f0d8b1c2d3e
tags:
    - attack.credential_access
logsource:
    category: file_access
    product: windows
detection:
    selection_browsers:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Login Data'
            - '\Mozilla\Firefox\Profiles\'
            - '\AppData\Local\BraveSoftware\'
    selection_process:
        Image|endswith: '.exe'
    # The browsers themselves legitimately open these files; Sigma expresses an
    # exclusion as a filter selection negated in the condition, not as 'NotImage'.
    filter_browsers:
        Image|contains:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: selection_browsers and selection_process and not filter_browsers
falsepositives:
    - Backup software accessing browser data
level: medium
```
```kql
// Hunt for Vidar Go network connections and process execution
let VidarIOCs = dynamic(["149.154.167.99", "135.181.237.59", "142.250.151.94", "hebsbsbzjsjshduxbs.xyz", "mlroweb.com"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (VidarIOCs) or RemoteUrl has_any (VidarIOCs)
// Tie each connection to the exact process instance that opened it (PID plus creation
// time, since PIDs are reused), and require that process to have been spawned by a
// shell or script host. Joining on DeviceId alone would cross-join every process on the host.
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "mshta.exe")
    | project DeviceId, ProcessId, ProcessCreationTime, FileName, FolderPath, SHA256,
              ParentFileName = InitiatingProcessFileName
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId,
     $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, RemoteIP, RemoteUrl, ParentFileName
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')
```
```powershell
# PowerShell Hunt Script for Vidar and Gremlin Stealer Indicators
# Checks for specific file hashes and suspicious process activity.
# Run elevated so that every process's executable path can be read and hashed.
$TargetHashes = @(
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105", # Vidar SHA256
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", # Gremlin SHA256
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"  # Cisco XenShell
)

Write-Host "[+] Scanning for processes matching known malicious hashes..."
$HashCache = @{}   # hash each executable path only once, even if it runs as several processes
Get-CimInstance Win32_Process | ForEach-Object {
    $Path = $_.ExecutablePath
    if ($Path -and (Test-Path $Path)) {
        if (-not $HashCache.ContainsKey($Path)) {
            $HashCache[$Path] = (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        }
        $Hash = $HashCache[$Path]
        # -in compares case-insensitively, so Get-FileHash's upper-case output matches the list
        if ($Hash -and ($Hash -in $TargetHashes)) {
            Write-Host "[!] MALICIOUS PROCESS DETECTED: $Path (PID $($_.ProcessId), Hash: $Hash)" -ForegroundColor Red
            Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
}

Write-Host "[+] Checking for Persistence via Scheduled Tasks..."
# -and binds tighter than -or, so the filter reads as "powershell" OR ("cmd" AND "applescript");
# the parentheses make that evaluation order explicit.
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*powershell*" -or
    ($_.Actions.Execute -like "*cmd*" -and $_.Actions.Arguments -like "*applescript*")
}
if ($SuspiciousTasks) {
    Write-Host "[!] Suspicious Scheduled Tasks found:" -ForegroundColor Yellow
    $SuspiciousTasks | Select-Object TaskName, TaskPath, Actions
}
```
Response Priorities
Immediate
- Block IOCs: Push all listed IPs, domains (hebsbsbzjsjshduxbs.xyz, mlroweb.com), and file hashes to EDR, Firewall, and Proxy blocklists.
- Hunt Artifacts: Execute the provided PowerShell script across endpoints to identify active Vidar or Gremlin processes.
24 Hours
- Credential Reset: If infection is confirmed, force a password reset for all browser-stored credentials and crypto wallets on affected machines.
- Edge Patching: Prioritize patching for CVE-2026-20182 (Cisco SD-WAN) and CVE-2024-55591 (Fortinet) on all edge devices.
1 Week
- Architecture Hardening: Review Network Access Control (NAC) policies to limit lateral movement from compromised edge devices. Implement strict AppLocker/Code Signing policies to prevent unsigned Go binaries or macOS packages from executing.
- Threat Hunting: Create a dedicated hunting dashboard for applescript:// usage and NTLM relay attempts on internal infrastructure.