Recent OTX pulses indicate a convergence of opportunistic financial malware and sophisticated infrastructure exploitation targeting enterprises. Threat actor Storm-3075 is aggressively leveraging the "AI hype," impersonating brands like ChatGPT and Claude to distribute Vidar and Lumma Stealer via malvertising and SEO poisoning. Simultaneously, UAT-8616 is actively exploiting critical vulnerabilities in Cisco Catalyst SD-WAN infrastructure (CVE-2026-20128, CVE-2026-20133) to deploy webshells (Godzilla, Behinder) and cryptocurrency miners. On the dark web, the actor o1oo1 is marketing SilabRAT, a new Malware-as-a-Service (MaaS) platform featuring HVNC and browser profile cloning, specifically targeting cryptocurrency wallets.
Collectively, these campaigns demonstrate a shift toward multi-vector attacks: social engineering for initial access on endpoints, and vulnerability exploitation for perimeter persistence. The primary objectives are credential theft, financial fraud, and resource hijacking.
Threat Actor / Malware Profile
Storm-3075 (AI Impersonation Campaign)
- Distribution: Malvertising, SEO poisoning, and fake AI software landing pages.
- Payloads: Vidar (information stealer), Lumma Stealer, Hijack Loader.
- Behavior: Steals browser cookies, passwords, and cryptocurrency wallet data. Often uses "adversary-in-the-middle" techniques to intercept 2FA tokens.
- C2: Communicates with command-and-control servers via HTTP/HTTPS using specific domains (e.g., brokeapt.com).
UAT-8616 (Infrastructure Exploitation)
- Target: Cisco Catalyst SD-WAN Manager/Controller.
- Vulnerabilities: Exploits CVE-2026-20128 (Auth Bypass) and CVE-2026-20133.
- Payloads: XenShell, Godzilla, Behinder, Sliver, XMRig.
- Behavior: Establishes persistent webshell access for lateral movement and deploys XMRig for unauthorized cryptocurrency mining.
o1oo1 (SilabRAT MaaS)
- Service Model: Sold on dark web forums for $5,000/month.
- Capabilities: Hidden VNC (HVNC) for invisible remote control, browser profile cloning to bypass session security, and direct cryptocurrency wallet theft.
- Persistence: Uses scheduled tasks and registry modification (via HijackLoader).
IOC Analysis
The provided IOCs offer immediate defensive value:
- File Hashes (SHA256/MD5): Represent droppers and payloads for Vidar, Lumma, and SilabRAT. SOC teams should hunt for these on endpoints using EDR hash queries or YARA rules.
- Domains & Hostnames: brokeapt.com, pan.rongtv.xyz, and pan.ssffaa19.xyz are likely C2 or payload delivery hosts. Block them at the DNS layer and on the firewall or web proxy, and match subdomains of each name as well as the exact hostnames.
- IP Addresses: 91.199.163.124 is associated with SilabRAT infrastructure.
- CVEs: CVE-2026-20128 and CVE-2026-20133 should be cross-referenced with vulnerability scanner results to identify unpatched SD-WAN appliances.
Detection Engineering
Sigma Rules
```yaml
title: Potential Vidar or Lumma Stealer Activity
id: 4a88f1e8-2026-48b3-ae3f-1c8a2e9d7f1e
date: 2026/06/14
status: experimental
description: Detects rundll32.exe or regsvr32.exe spawned by explorer.exe or cmd.exe with a DLL path or an http:// URL on the command line, a staging pattern seen when Hijack Loader delivers Vidar and Lumma.
references:
    - https://otx.alienvault.com/pulse/6428c7d18a65f1c6b11c4a5b/
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\\explorer.exe'
            - '\\cmd.exe'
        Image|endswith:
            - '\\rundll32.exe'
            - '\\regsvr32.exe'
        CommandLine|contains:
            - '.dll'
            - 'http://'
    condition: selection
falsepositives:
    - Legitimate software installers
    - Control Panel applets and other signed DLLs launched through rundll32.exe from explorer.exe (the '.dll' pattern on its own is broad; baseline before alerting)
level: high
tags:
    - attack.defense_evasion
    - attack.t1218.011
    - attack.t1218.010
```

```yaml
title: Cisco SD-WAN Webshell Activity Detection
id: 7b99c2d9-3146-4a7e-9f1e-4d5e6f7a8b9c
date: 2026/06/14
status: experimental
description: Detects potential webshell execution patterns (Godzilla/Behinder) on network devices or related management servers.
references:
    - https://otx.alienvault.com/pulse/6428c7d18a65f1c6b11c4a5c/
author: Security Arsenal
logsource:
    category: web
    product: apache
    # Can also apply to nginx or IIS depending on deployment.
    # Godzilla and Behinder encrypt their request bodies and usually POST, so the query-string
    # and User-Agent checks below catch unmodified clients and clear-text shells, not tuned ones.
detection:
    selection_uri:
        cs-uri-query|contains:
            - 'eval'
            - 'base64_decode'
            - 'assert'
    selection_header:
        cs-user-agent|contains:
            - 'antSword'
            - 'Godzilla'
    condition: 1 of selection*
falsepositives:
    - Legitimate developer debugging tools
level: critical
tags:
    - attack.persistence
    - attack.t1505.003
```

```yaml
title: SilabRAT MaaS Persistence Mechanism
id: 1c2d3e4f-5678-90ab-cdef-1234567890ab
date: 2026/06/14
status: experimental
description: Detects Run/RunOnce registry values that launch PowerShell or cmd.exe, as used for SilabRAT and HijackLoader persistence; values written by binaries under Program Files are excluded.
references:
    - https://otx.alienvault.com/pulse/6428c7d18a65f1c6b11c4a5d/
author: Security Arsenal
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'
            - '\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce'
        Details|contains:
            - 'powershell'
            - 'cmd.exe'
    filter:
        Image|contains:
            - '\\Program Files\\'
            - '\\Program Files (x86)\\'
    condition: selection and not filter
falsepositives:
    - Legitimate software auto-start entries
    - The Program Files filter is a convenience, not a trust boundary; malware that writes the key from a process under Program Files is not caught
level: high
tags:
    - attack.persistence
    - attack.t1547.001
```
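To check that the three rules above fire on the events they describe, and to see where the first one over-fires, here is an added example (not tooling from the page or from Security Arsenal) that implements just the Sigma features those rules use and runs them over constructed events. The events, paths, hostnames and the hive SID are placeholders constructed for the demo, not telemetry from the pulses.

```python
"""Run the three Sigma rules above against constructed sample events.

Added example, not tooling from the page or from Security Arsenal. It implements only
the Sigma features those rules use: the 'endswith' and 'contains' modifiers, OR across a
value list, AND across a selection's keys, and the conditions 'selection',
'1 of selection*' and 'selection and not filter'. All events are constructed for the demo.
"""
from __future__ import annotations


def _field_matches(value: str | None, modifier: str, patterns: list[str]) -> bool:
    """One field against a value list (OR). Sigma string matching is case-insensitive."""
    if modifier not in ("endswith", "contains"):
        raise ValueError(f"modifier not implemented: {modifier}")
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(p.lower()) if modifier == "endswith" else p.lower() in v
               for p in patterns)


def selection_matches(event: dict[str, str], selection: dict[str, list[str]]) -> bool:
    """Every 'Field|modifier' key of a selection map must match (AND)."""
    return all(_field_matches(event.get(key.partition("|")[0]), key.partition("|")[2], pats)
               for key, pats in selection.items())


def rule_matches(event: dict[str, str], rule: dict) -> bool:
    """Apply the rule's condition string to its named selections."""
    cond = rule["condition"]
    named = {k: v for k, v in rule.items() if k != "condition"}
    if cond == "selection":
        return selection_matches(event, named["selection"])
    if cond == "1 of selection*":
        return any(selection_matches(event, s) for n, s in named.items() if n.startswith("selection"))
    if cond == "selection and not filter":
        return selection_matches(event, named["selection"]) and not selection_matches(event, named["filter"])
    raise ValueError(f"condition not implemented: {cond}")


# Detection sections of the three rules above, transcribed as dicts (Sigma '\\' is one backslash).
STEALER_LOADER = {
    "selection": {"ParentImage|endswith": ["\\explorer.exe", "\\cmd.exe"],
                  "Image|endswith": ["\\rundll32.exe", "\\regsvr32.exe"],
                  "CommandLine|contains": [".dll", "http://"]},
    "condition": "selection"}
WEBSHELL = {
    "selection_uri": {"cs-uri-query|contains": ["eval", "base64_decode", "assert"]},
    "selection_header": {"cs-user-agent|contains": ["antSword", "Godzilla"]},
    "condition": "1 of selection*"}
RUN_KEY = {
    "selection": {"TargetObject|contains": ["\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                                            "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"],
                  "Details|contains": ["powershell", "cmd.exe"]},
    "filter": {"Image|contains": ["\\Program Files\\", "\\Program Files (x86)\\"]},
    "condition": "selection and not filter"}

# Constructed events keyed by scenario; paths, hosts and the hive SID are placeholders.
EXPLORER, RUNDLL32 = "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe"
RUN_PATH = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_EVENTS = {
    "rundll32_from_explorer_with_url": (STEALER_LOADER, {"ParentImage": EXPLORER, "Image": RUNDLL32,
        "CommandLine": "rundll32.exe C:\\Users\\Public\\upd.dll,Start http://203.0.113.5/p"}),
    # Benign Control Panel applet: still fires, because '.dll' alone is too broad a pattern.
    "rundll32_control_panel_benign": (STEALER_LOADER, {"ParentImage": EXPLORER, "Image": RUNDLL32,
        "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"}),
    "webshell_eval_in_query": (WEBSHELL, {"cs-uri-query": "pass=eval(base64_decode($_POST[x]))",
        "cs-user-agent": "Mozilla/5.0"}),
    "antsword_user_agent": (WEBSHELL, {"cs-uri-query": "id=42", "cs-user-agent": "antSword/v2.1"}),
    "ordinary_web_request": (WEBSHELL, {"cs-uri-query": "page=report", "cs-user-agent": "Mozilla/5.0"}),
    "run_key_from_appdata": (RUN_KEY, {"TargetObject": "HKU\\S-1-5-21-1-2-3-1001" + RUN_PATH + "Updater",
        "Details": "powershell -w hidden -enc SQBFAFgA",
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}),
    # Same kind of value written by an installer under Program Files: removed by the filter.
    "run_key_from_program_files": (RUN_KEY, {"TargetObject": "HKLM" + RUN_PATH + "Vendor",
        "Details": "cmd.exe /c \"C:\\Program Files\\Vendor\\agent.exe\"",
        "Image": "C:\\Program Files\\Vendor\\installer.exe"}),
}


def run_samples() -> dict[str, bool]:
    """Verdict per scenario: True means the rule would alert on that event."""
    return {name: rule_matches(event, rule) for name, (rule, event) in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{'ALERT' if hit else 'ok   '} {name}")
```

The second scenario is the one to watch: a user opening Internet Options from explorer.exe produces exactly the parent/image/`.dll` combination the first rule keys on, so that rule needs a baseline of expected rundll32 command lines before it is promoted from experimental.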
KQL (Microsoft Sentinel / Defender XDR Advanced Hunting)
```kql
// Hunt for connections to the domains and IP listed in the IOC section.
// endswith is case-insensitive and also catches sibling subdomains of the pan.* hosts;
// an exact in~ match on the bare apex name (e.g. "rongtv.xyz") would miss pan.rongtv.xyz.
// It will also match lookalikes such as notrongtv.xyz, so review hits before blocking on them.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl endswith "brokeapt.com"
    or RemoteUrl endswith "rongtv.xyz"
    or RemoteUrl endswith "ssffaa19.xyz"
    or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend IOCScore = "Critical"
```

```kql
// Hunt for the Vidar/Lumma/SilabRAT file hashes (the same six used in the PowerShell hunt script).
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
| extend IOCScore = "High"
```
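The IOC Analysis section and the network hunt above both depend on one detail that is easy to get wrong: how a listed domain is compared against an observed hostname. An exact match misses subdomains, and a plain suffix match accepts lookalikes. The following added example (not part of the page or of Security Arsenal's tooling) shows the matching rule a blocklist or hunt query should use, applied to constructed proxy log lines. Only the three domains and the IP come from the page; the log format, timestamps, source addresses and paths are constructed for the demo.

```python
"""Match the IOC section's domains and IP against constructed proxy log lines.

Added example, not part of the page or of Security Arsenal's tooling. A listed domain
matches itself and any subdomain (cdn.pan.rongtv.xyz for pan.rongtv.xyz) but not a
lookalike that merely shares a suffix (notbrokeapt.com); IPs compare as addresses, not
as string prefixes. Only the IOC values come from the page; the log lines are constructed.
"""
from __future__ import annotations

import ipaddress

IOC_DOMAINS = ("brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz")
IOC_IPS = frozenset(ipaddress.ip_address(a) for a in ("91.199.163.124",))


def domain_matches(hostname: str, ioc: str) -> bool:
    """True if hostname is ioc or a subdomain of ioc; the comparison respects label boundaries."""
    h = hostname.lower().rstrip(".")   # a trailing dot names the same FQDN
    i = ioc.lower().rstrip(".")
    return h == i or h.endswith("." + i)


def ip_matches(address: str) -> bool:
    """Exact address comparison; 91.199.163.12 must not match the listed 91.199.163.124."""
    try:
        return ipaddress.ip_address(address) in IOC_IPS
    except ValueError:          # '-' or a hostname where an IP was expected
        return False


def find_ioc(hostname: str, dst_ip: str) -> str | None:
    """Return the IOC that matched this connection, or None."""
    for ioc in IOC_DOMAINS:
        if domain_matches(hostname, ioc):
            return ioc
    if ip_matches(dst_ip):
        return dst_ip
    return None


# Constructed proxy log: timestamp source host destination method path.
SAMPLE_LOG = """\
2026-06-14T09:12:03Z 10.10.4.21 pan.rongtv.xyz 203.0.113.9 GET /dl/setup.bin
2026-06-14T09:12:07Z 10.10.4.21 cdn.pan.rongtv.xyz 203.0.113.9 GET /x.dll
2026-06-14T09:13:10Z 10.10.5.8 notbrokeapt.com 198.51.100.4 GET /
2026-06-14T09:14:55Z 10.10.5.8 brokeapt.com. 198.51.100.5 POST /gate
2026-06-14T09:15:02Z 10.10.7.3 rongtv.xyz 203.0.113.9 GET /
2026-06-14T09:16:40Z 10.10.7.3 - 91.199.163.124 POST /c
2026-06-14T09:17:01Z 10.10.7.3 - 91.199.163.12 GET /
"""


def scan_log(text: str) -> list[dict[str, str | int]]:
    """One hit per log line whose host or destination IP is a listed IOC."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 6:
            continue                      # malformed line: skip rather than crash the hunt
        ts, src, host, dst, _method, path = fields[:6]
        ioc = find_ioc(host, dst)
        if ioc:
            hits.append({"line": line_no, "ts": ts, "src": src, "ioc": ioc, "path": path})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['src']} -> {hit['ioc']} {hit['path']}")
```

Line 5 (the bare apex rongtv.xyz) deliberately does not hit: the page lists pan.rongtv.xyz, and widening the block to the whole apex is an analyst decision, not something the matcher should do silently. Lines 3 and 7 are the two lookalike traps that a naive `endswith` or string-prefix check would report.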
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
    Hunt script for SilabRAT, Vidar, and HijackLoader artifacts.
.DESCRIPTION
    Hashes files under common drop directories against the known-bad SHA256 list and
    inspects the HKLM/HKCU Run and RunOnce keys for suspicious auto-start values.
    Run from an elevated prompt so HKLM and other users' profiles are readable;
    HKCU only covers the user running the script.
#>
$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa"
)

# Quick scan of the user-writable directories stealers and loaders are usually dropped into.
Write-Host "[+] Scanning for malicious file hashes..."
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden files.
        Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -in is case-insensitive, so the upper-case hash Get-FileHash returns matches the list above.
            if ($Hash -and $Hash -in $MaliciousHashes) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
            }
        }
    }
}

# Check Run/RunOnce keys for encoded PowerShell, download-and-run URLs, or executables under AppData.
Write-Host "[+] Checking Registry Run Keys for suspicious persistence..."
$RunKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Single-quoted so the regex backslashes reach -match unchanged; -e, -ec, -enc and -encodedcommand all run encoded script.
$SuspiciousPatterns = @(
    'powershell.*\s-e(c|nc|ncodedcommand)?\b',
    'https?://.*\.exe',
    '\\AppData\\.*\.exe'
)
# Get-ItemProperty adds these provider properties; they are not registry values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Name -notin $ProviderProps } |
        ForEach-Object {
            $Value = [string]$_.Value
            foreach ($Pattern in $SuspiciousPatterns) {
                if ($Value -match $Pattern) {
                    Write-Host "[!] SUSPICIOUS REGISTRY VALUE: $Key | Name: $($_.Name) | Value: $Value" -ForegroundColor Yellow
                    break
                }
            }
        }
    }
}
Write-Host "[+] Scan complete."
```
Response Priorities
- Immediate:
  - Block all listed IOCs (domains `brokeapt.com`, `pan.rongtv.xyz`, `pan.ssffaa19.xyz`; IP `91.199.163.124`) on firewalls, secure web gateways, and endpoint DNS.
  - Initiate a hunt for the specific SHA256 hashes across all endpoints using EDR.
  - Patch Cisco Catalyst SD-WAN vulnerabilities CVE-2026-20128 and CVE-2026-20133 immediately.
- 24 Hours:
  - Reset credentials and revoke active sessions for accounts used on devices with detected malware (Vidar/Lumma); these stealers take session cookies as well as passwords, so a password change alone does not close the account.
  - Review proxy logs for connections to the identified hostnames and C2 infrastructure.
  - Isolate hosts showing signs of XMRig or webshell activity.
- 1 Week:
  - Update user awareness training to specifically cover "AI-themed" social engineering and malvertising.
  - Review network segmentation to ensure SD-WAN management interfaces are not exposed to the public internet.
  - Implement application control to block the execution of unauthorized scripts (PowerShell) from user directories.