OTX Pulse data indicates a surge in credential theft operations leveraging both new malware technologies and software supply chains. Key developments include a Go-language rewrite of Vidar (v1.5) featuring aggressive sandbox evasion and Steam/Telegram C2, the evolution of Gremlin Stealer using instruction virtualization, and the resurgence of the Shai-Hulud worm via npm packages targeting developers. Concurrently, threat actors UAT-8616 and "The Gentlemen" are exploiting edge device vulnerabilities (Cisco SD-WAN, Fortinet) to deploy webshells (Godzilla, Behinder) and credential harvesters (SystemBC).
Threat Actor / Malware Profile
Vidar v1.5 (Go Variant)
- Distribution: Likely distributed via phishing attachments or SEO poisoning.
- Payload Behavior: Native Go binary (built with Go 1.25.4) acting as an infostealer. Targets browser credentials, crypto wallets, and Steam session data.
- C2 Communication: Uses "dead-drop" resolvers. Instead of hard-coded C2 IPs, it fetches commands from public profiles on Telegram and Steam to bypass network detection.
- Persistence/Defense: Heavy sandbox evasion using a 12-category scoring system to detect analysis environments. Includes AV killing capabilities.
Gremlin Stealer
- Distribution: Malicious spam campaigns.
- Payload Behavior: Highly obfuscated infostealer. It hides its malicious payload inside embedded resource files.
- Anti-Analysis: Protected by a commercial packer utilizing instruction virtualization, converting code into custom bytecode executed by a private VM, making static analysis difficult.
Shai-Hulud (NPM Supply Chain)
- Distribution: Typosquatting and copycat attacks on the Node Package Manager (npm) registry.
- Payload Behavior: Worm that spreads by publishing malicious packages such as chalk-tempalte and axois-utils. Includes infostealer modules and DDoS botnet capabilities.
- Target: Developers and build environments.
The Gentlemen / UAT-8616
- Distribution: Exploitation of vulnerabilities in edge appliances (Fortinet CVE-2024-55591, Cisco CVE-2026-20182).
- Payload Behavior: Initial access brokers deploying webshells (Godzilla, Behinder) and establishing persistence with SystemBC (a proxy tool) for lateral movement and data exfiltration.
IOC Analysis
The provided pulses offer a mix of high-fidelity and behavioral indicators:
- File Hashes: Multiple MD5 and SHA256 hashes are provided for the Go-based Vidar sample, packed Gremlin Stealer variants, and webshells. These should be blocked in EDR and antivirus solutions.
- Network Indicators: IPs associated with C2 infrastructure (e.g., 194.87.92.109) and Telegram/Steam endpoints are critical for perimeter blocking.
- Software Packages: Specific npm package names (chalk-tempalte, @deadcode09284814/axios-util) are provided for supply chain validation.
- CVEs: CVE-2026-20182 (Cisco SD-WAN) and CVE-2024-55591 (Fortinet) are critical for patch management prioritization.
Operationalization: SOC teams should import the hashes into SIEM correlation engines for host telemetry hunting. Network IOCs should be added to firewall blocklists. DevOps teams must scan package-lock.json files for the listed malicious packages.
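As an added example (not from the pulses or from Security Arsenal), the following Python script scans a package-lock.json for the malicious package names listed above. It goes one step beyond the exact blocklist: it also flags any package whose name is within a small edit distance of a name on a legitimate-package allow-list, which is how typosquats such as chalk-tempalte and axois-utils are caught before the next wave of copycat names is published. LEGIT_PACKAGES and the embedded SAMPLE_LOCK are constructed for illustration; in practice the allow-list would come from your own dependency inventory.

```python
"""Scan an npm package-lock.json for the malicious package names listed in the pulses."""
import json
import sys

# Package names reported in the pulses above (exact-match blocklist).
MALICIOUS_PACKAGES = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
}

# Constructed allow-list of legitimate packages used for the typosquat check; replace with
# your organisation's own curated list in practice.
LEGIT_PACKAGES = {"chalk", "chalk-template", "axios", "axios-utils", "lodash"}


def lockfile_packages(lock):
    """Return every package name in a package-lock.json (lockfileVersion 1, 2 and 3)."""
    names = set()
    # v2/v3 store a flat "packages" map keyed by install path, e.g. "node_modules/@scope/name".
    for path in lock.get("packages", {}):
        if path:  # "" is the root project itself, not a dependency
            names.add(path.rsplit("node_modules/", 1)[-1])

    # v1 (kept in v2 for compatibility) stores a nested "dependencies" tree keyed by name.
    def walk(deps):
        for name, meta in deps.items():
            names.add(name)
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return names


def edit_distance(a, b):
    """Levenshtein distance; typosquats such as chalk-tempalte sit within 2 of the real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_lockfile(lock, malicious=MALICIOUS_PACKAGES, legit=LEGIT_PACKAGES, max_dist=2):
    """Return (known_bad, suspicious): exact blocklist hits and near-misses of legit names."""
    names = lockfile_packages(lock)
    known_bad = names & set(malicious)
    suspicious = set()
    for name in names - set(legit) - known_bad:
        bare = name.split("/")[-1]  # compare the unscoped part of @scope/name too
        if any(0 < edit_distance(bare, good) <= max_dist for good in legit):
            suspicious.add(name)
    return known_bad, suspicious


# Constructed lockfile (v3 layout) containing one clean, two listed and one typosquatted package.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.2"},
        "node_modules/@deadcode09284814/axios-util": {"version": "0.1.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/lodash/node_modules/lodahs": {"version": "0.0.1"},
    },
}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    known_bad, suspicious = scan_lockfile(lock)
    for name in sorted(known_bad):
        print(f"[BLOCKLISTED] {name}")
    for name in sorted(suspicious):
        print(f"[POSSIBLE TYPOSQUAT] {name}")
    sys.exit(1 if known_bad or suspicious else 0)
```

Run it as `python scan_lock.py path/to/package-lock.json` in CI; the non-zero exit code fails the build on any hit. Keep max_dist small (2 is enough for the transpositions seen here) or short legitimate names will start colliding with each other.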
Detection Engineering
Sigma Rules
---
title: Potential Vidar Stealer v1.5 Activity
id: 8a4b2c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects potential activity of Vidar Stealer v1.5 written in Go, characterized by accessing Steam or Telegram configuration directories for credential theft.
status: experimental
author: Security Arsenal
date: 2026/05/20
references:
  - https://www.derp.ca/research/vidar-go-sandbox-dead-drop/
tags:
  - attack.credential_access
  - attack.collection
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Steam\config\'
      - '\Telegram Desktop\tdata\'
  filter_legit:
    Image|endswith:
      - '\steam.exe'
      - '\Telegram.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate backup tools accessing these directories
level: high
---
title: Malicious NPM Package Installation (Shai-Hulud Copycat)
id: b5c3d2e1-6f7a-4b8c-9d0e-1f2a3b4c5d6e
description: Detects the installation of known malicious npm packages associated with the Shai-Hulud copycat worm that steals credentials and crypto.
status: experimental
author: Security Arsenal
date: 2026/05/20
references:
  - https://www.theregister.com/cyber-crime/2026/05/18/shai-hulud-copycat-hits-another-npm-package/
tags:
  - attack.initial_access
  - attack.software_supply_chain
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\npm.cmd'
    - Image|endswith: '\node.exe'
  selection_cli:
    CommandLine|contains:
      - 'chalk-tempalte'
      - '@deadcode09284814/axios-util'
      - 'axois-utils'
      - 'color-style-utils'
  condition: all of selection_*
falsepositives:
  - None (Specific malicious package names)
level: critical
---
title: Suspicious Webshell Creation via Web Server Process
id: c6d4e3f2-7a8b-5c9d-0e1f-2a3b4c5d6e7f
description: Detects potential webshell creation (Godzilla, Behinder) initiated by web server processes often exploited by UAT-8616 or The Gentlemen actors.
status: experimental
author: Security Arsenal
date: 2026/05/20
references:
  - https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\w3wp.exe'
      - '\httpd.exe'
      - '\java.exe'
    TargetFilename|endswith:
      - '.aspx'
      - '.jsp'
      - '.php'
  filter:
    TargetFilename|contains:
      - '\inetpub\wwwroot\'
      - '\htdocs\'
  condition: selection and filter
falsepositives:
  - Legitimate web application updates
level: high
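Before shipping the three rules above it is worth replaying them against a handful of hand-built events to confirm the selection and filter logic does what the descriptions say, in particular that the filter_legit exclusion keeps the real Steam and Telegram clients from alerting and that the webshell rule only fires on script files under a web root. The following Python harness is an added example (not part of the original page and not a Sigma tool); it transcribes only the detection sections of the rules, implements the contains and endswith modifiers with Windows-style case-insensitive matching, and runs them over constructed Sysmon-style events. The rule keys in RULES and every sample event are invented for this illustration.

```python
"""Replay the three Sigma rules above against constructed Windows telemetry events."""

# Detection sections transcribed from the Sigma rules; each condition is a function of the
# per-selection match results. Constructed for this example, not generated by a Sigma tool.
RULES = {
    "vidar_v15_steam_telegram_access": {
        "logsource": "file_access",
        "selection": {"TargetFilename|contains": ["\\Steam\\config\\", "\\Telegram Desktop\\tdata\\"]},
        "filter_legit": {"Image|endswith": ["\\steam.exe", "\\Telegram.exe"]},
        "condition": lambda m: m["selection"] and not m["filter_legit"],
    },
    "shai_hulud_npm_install": {
        "logsource": "process_creation",
        "selection_img": [{"Image|endswith": "\\npm.cmd"}, {"Image|endswith": "\\node.exe"}],
        "selection_cli": {"CommandLine|contains": [
            "chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils"]},
        "condition": lambda m: m["selection_img"] and m["selection_cli"],  # all of selection_*
    },
    "webshell_creation_by_web_server": {
        "logsource": "file_creation",
        "selection": {"Image|endswith": ["\\w3wp.exe", "\\httpd.exe", "\\java.exe"],
                      "TargetFilename|endswith": [".aspx", ".jsp", ".php"]},
        "filter": {"TargetFilename|contains": ["\\inetpub\\wwwroot\\", "\\htdocs\\"]},
        "condition": lambda m: m["selection"] and m["filter"],
    },
}


def match_field(event, spec, expected):
    """Apply one 'Field|modifier' test; a list of expected values is OR-ed, as in Sigma."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()  # Windows paths: compare case-insensitively
    for exp in (expected if isinstance(expected, list) else [expected]):
        exp = str(exp).lower()
        if modifier == "contains" and exp in value:
            return True
        if modifier == "endswith" and value.endswith(exp):
            return True
        if modifier == "" and value == exp:
            return True
    return False


def match_selection(event, selection):
    """A map is AND of its fields; a list of maps is OR of those maps (Sigma semantics)."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_field(event, spec, exp) for spec, exp in selection.items())


def evaluate(event):
    """Return the names of rules whose condition holds for this event."""
    hits = []
    for name, rule in RULES.items():
        if event.get("category") != rule["logsource"]:
            continue
        results = {key: match_selection(event, sel) for key, sel in rule.items()
                   if key not in ("logsource", "condition")}
        if rule["condition"](results):
            hits.append(name)
    return hits


# Constructed sample events using the Sysmon-style field names the rules reference.
SAMPLE_EVENTS = [
    {"category": "file_access", "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Program Files (x86)\\Steam\\config\\loginusers.vdf"},
    {"category": "file_access", "Image": "C:\\Program Files (x86)\\Steam\\steam.exe",
     "TargetFilename": "C:\\Program Files (x86)\\Steam\\config\\loginusers.vdf"},
    {"category": "process_creation", "Image": "C:\\Program Files\\nodejs\\npm.cmd",
     "CommandLine": "npm install chalk-tempalte --save"},
    {"category": "file_creation", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\uploads\\upload.aspx"},
    {"category": "file_creation", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\app\\web.config"},
]


def run_samples(events=SAMPLE_EVENTS):
    """Evaluate every sample event; returns one list of rule hits per event."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(event["category"], "->", hits or "no match")
```

The second and fifth events are the important ones: the Steam client touching its own config directory and IIS writing a web.config both stay silent, which is the behaviour the falsepositives sections promise. Adding your own known-benign events to SAMPLE_EVENTS is a cheap regression test when the rules are later tuned.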
Microsoft Sentinel (KQL)
// Hunt for network connections to known C2 infrastructure from pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("194.87.92.109", "176.65.139.31", "80.200.28.28", "149.154.167.99", "135.181.237.59")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort
| order by Timestamp desc
PowerShell Hunt Script
# Hunt for Vidar Stealer, Gremlin Stealer and webshell file hashes from the pulses
$targetHashes = @(
    "702ef1b4007f07887e9faaee0667b50b", # Vidar MD5
    "87332fcdf79e1c0bfb7713e9a52c0313", # Vidar MD5
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5", # Gremlin SHA256
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"  # XenShell SHA256
)
# The list mixes MD5 (32 hex chars) and SHA256 (64 hex chars) values; hashing with MD5 alone
# would never match the SHA256 entries, so split the list and compute both digests per file.
$md5Targets    = @($targetHashes | Where-Object { $_.Length -eq 32 })
$sha256Targets = @($targetHashes | Where-Object { $_.Length -eq 64 })
$drivesToScan = @("C:\", "D:\")
Write-Host "Scanning for malicious file hashes..."
foreach ($drive in $drivesToScan) {
    if (Test-Path $drive) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $drive -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            try {
                $md5    = (Get-FileHash -Path $file.FullName -Algorithm MD5 -ErrorAction Stop).Hash.ToLower()
                $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
                if (($md5Targets -contains $md5) -or ($sha256Targets -contains $sha256)) {
                    Write-Host "[ALERT] Suspicious file found: $($file.FullName) | MD5: $md5 | SHA256: $sha256" -ForegroundColor Red
                }
            } catch {
                # Ignore errors for locked files or permission issues
            }
        }
    }
}
Response Priorities
Immediate
- Block all listed IP addresses and domains at the firewall and proxy level.
- Quarantine hosts matching the provided file hashes.
- Hunt for the execution of npm install with the listed malicious package arguments.
24h
- Conduct identity verification for users with potential credential exposure (Steam, Telegram, Browser saved passwords).
- Review edge device logs (Cisco SD-WAN, Fortinet) for exploitation indicators of CVE-2026-20182 and CVE-2024-55591.
1 Week
- Patch Cisco Catalyst SD-WAN Manager and Fortinet appliances against the identified CVEs.
- Enforce strict signing policies for internal npm packages and implement Software Composition Analysis (SCA) in CI/CD pipelines.
- Review and restrict lateral movement pathways related to NTLM relay attacks.