Back to Intelligence

Vidar v1.5, SHub Reaper, and UAT-8616: Multi-Vector Credential Harvesting and Edge Exploitation

SA
Security Arsenal Team
May 18, 2026
6 min read

As of May 18, 2026, AlienVault OTX indicates a surge in sophisticated credential theft activity spanning Windows, macOS, and network infrastructure. A significant evolution has been observed in the Vidar infostealer, now rewritten in Go (v1.5) with heavy sandbox evasion and leveraging dead-drop C2 via Steam and Telegram profiles. Concurrently, the SHub Reaper variant targets macOS users through social engineering, utilizing the applescript:// scheme to bypass defenses while spoofing Apple and Google services.

In the infrastructure realm, threat actor UAT-8616 and the The Gentlemen RaaS operation are actively exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2024-55591) to gain initial access. These actors are deploying webshells (XenShell, Godzilla) and cryptocurrency miners (XMRig), leveraging compromised edge appliances to harvest credentials via NTLM relay attacks. The collective objective of these campaigns is the mass exfiltration of browser credentials, cryptocurrency wallets, and session tokens for financial gain.

Threat Actor / Malware Profile

Vidar v1.5 (Go)

  • Type: Infostealer
  • Distribution: Malicious spam, fake installers.
  • Behavior: Re-architected in Go 1.25.4 native PE. Implements a 12-category sandbox scoring system to detect analysis environments. Steals browser data, Steam sessions, and crypto wallets.
  • C2: Uses "dead-drop" URLs hosted on Steam profile pages and Telegram channels to receive tasking.
  • Anti-Analysis: Heavy sandbox checks, Go binary packing.

Gremlin Stealer

  • Type: Infostealer
  • Distribution: Malspam, obfuscated attachments.
  • Behavior: Utilizes commercial packing utilities with instruction virtualization (custom bytecode VM). Hides payloads inside embedded resource files. Targets payment cards and browser credentials.
  • C2: Telegram exfiltration, standard HTTP/HTTPS C2.

SHub Reaper (macOS)

  • Type: Infostealer / Backdoor
  • Distribution: Fake WeChat and Miro installers.
  • Behavior: Multi-stage attack chain spoofing Apple, Google, and Microsoft. Uses applescript:// URL scheme to bypass Terminal-based defenses. Harvests browser data, Keychain entries, and cryptocurrency files.
  • Persistence: LaunchAgents, persistence mechanisms via AppleScript.

UAT-8616 / The Gentlemen

  • Type: State-aligned / RaaS Actor
  • Targeting: Cisco/Fortinet edge appliances, Technology sector.
  • Behavior: Exploits CVE-2026-20128 (Auth Bypass) and CVE-2024-55591. Deploys webshells (Godzilla, Behinder, Sliver) and XMRig. Uses NTLM relay for credential theft.
  • C2: AdaptixC2, gsocket.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a multi-faceted infrastructure:

  • File Hashes: Multiple SHA256 and MD5 hashes provided for the Vidar Go binary, Gremlin variants, and macOS SHub samples. These are critical for EDR detection and retro-hunting.
  • Network Infrastructure: C2 IPs include 149.154.167.99 (Telegram related), 135.181.237.59, 194.87.92.109, and 176.65.139.31. Domains such as hebsbsbzjsjshduxbs.xyz are associated with SHub Reaper C2.
  • Vulnerabilities: CVEs (CVE-2026-20128, CVE-2026-20133, CVE-2024-55591) are prioritized for patch management to prevent initial access.

Operational Guidance: SOC teams should immediately block the listed IPs and domains at the perimeter. EDR solutions should be tuned to detect Go binaries with network activity and the usage of applescript:// on macOS endpoints. Vulnerability scanners must be updated to check for the specific Cisco SD-WAN CVEs.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Vidar Stealer v1.5 Execution
id: 9e8b7f1a-2c3d-4f5e-8g9h-0i1j2k3l4m5n
description: Detects potential execution of Vidar Stealer v1.5 based on Go binary characteristics and network activity to non-standard ports associated with C2.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66467a8e8e16e64d1a6e5e71
tags:
    - attack.credential_access
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '.exe'
        Company|contains: 'None' # Go binaries often lack metadata
        CommandLine|contains: 'go-build'
    condition: selection
falsepositives:
    - Legitimate Go applications
level: high
---
title: macOS SHub Reaper Applescript Scheme Usage
id: a1b2c3d4-e5f6-7890-g1h2-i3j4k5l6m7n8
description: Detects the use of applescript:// URL scheme which is utilized by SHub Reaper to bypass terminal defenses.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66467a8e8e16e64d1a6e5e73
tags:
    - attack.execution
    - attack.initial_access
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        CommandLine|contains: 'applescript://'
    condition: selection
falsepositives:
    - Legitimate administrative automation
level: critical
---
title: Suspicious Webshell Process Creation (Cisco Exploitation)
id: b2c3d4e5-f6g7-8901-h2i3-j4k5l6m7n8o9
description: Detects execution of webshells or mining tools associated with UAT-8616 exploitation of Cisco SD-WAN.
status: experimental
date: 2026/05/18
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66467a8e8e16e64d1a6e5e72
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_webshell:
        Image|endswith:
            - 'cmd.exe'
            - 'powershell.exe'
        ParentImage|contains:
            - 'java.exe'
            - 'tomcat'
    selection_mining:
        Image|contains: 'xmrig'
    condition: 1 of selection*
falsepositives:
    - Authorized administrative tools
level: high

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Vidar and Gremlin Stealer Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("149.154.167.99", "135.181.237.59", "194.87.92.109", "176.65.139.31") 
   or RemoteUrl has "hebsbsbzjsjshduxbs.xyz" 
   or RemoteUrl has "qq-0732gwh22.com"
| extend FullUrl = strcat(RemoteUrl, RemotePort)
| summarize Count = count() by DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl
| order by Count desc


kql
// Hunt for Known Malicious File Hashes
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "2995ffb73342453b258926ec865c724e3567eee1bb8eb35d61796ee0c4f25105", 
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "3ab9575225e00a83a4ac2b534da5a710bdcf6eb72884944c437b5fbe5c5c9235",
    "51b9f246d6da85631131fcd1fabf0a67937d4bdde33625a44f7ee6a3a7baebd2",
    "c917fcf8314228862571f80c9e4a871e"
)
| project Timestamp, DeviceName, AccountName, FileName, SHA256, ProcessCommandLine

PowerShell Hunt Script

PowerShell
# Hunt for SHub Reaper and Stealer Persistence in Registry
$MaliciousPaths = @(
    "*Steam*", 
    "*Telegram*", 
    "*WeChat*"
)

$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue | 
        Get-Member -MemberType NoteProperty | 
        Where-Object { $_.Name -notlike "*PS*" } | 
        ForEach-Object {
            $Value = (Get-ItemProperty -Path $Key).$($_.Name)
            if ($Value -match "http" -or $Value -match ".exe") {
                Write-Host "Suspicious Entry Found in $Key :" $_.Name "->" $Value
            }
        }
    }
}

Response Priorities

Immediate (0-4 hours):

  • Block all listed IP addresses and domains (hebsbsbzjsjshduxbs.xyz, 149.154.167.99, etc.) at the firewall and proxy.
  • Isolate endpoints identified as communicating with these C2 servers.
  • hunt for the specific file hashes provided in the IOC list.

24 Hours:

  • Verify identity and session integrity for users with potential infostealer infections (Vidar/Gremlin) due to credential harvesting risk.
  • Audit Cisco Catalyst SD-WAN controllers for signs of compromise related to CVE-2026-20128 (unauthorized admin access, webshells).

1 Week:

  • Patch Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133) and Fortinet CVE-2024-55591.
  • Implement application control to block unsigned Go binaries and macOS applications utilizing the applescript:// scheme.
  • Review and restrict access to Steam and Telegram profile pages from corporate networks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsvidar-stealershub-reaperuat-8616gremlin-stealercisco-sdwan

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action