Threat Summary
Recent OTX pulses indicate a coordinated surge in threat activity leveraging the "AI hype cycle" as a primary social engineering vector. Three distinct clusters—Storm-3075, TroyDen, and the SilabRAT MaaS operation—are actively distributing information stealers (Lumma, Vidar, Redline) and remote access trojans. The attack chains consistently utilize malvertising, SEO poisoning, and fraudulent GitHub repositories to deliver payloads via HijackLoader and LuaJIT. The primary objective across all campaigns is financial theft via credential harvesting and cryptocurrency wallet compromise.
Threat Actor / Malware Profile
Storm-3075 (AI Brands as Bait)
- Distribution: Malvertising campaigns impersonating ChatGPT, Copilot, and Claude.
- Payloads: Vidar, Lumma Stealer, GhostSocks.
- Loader: HijackLoader (shellcode loader used to decrypt and execute payloads).
- Techniques: Adversary-in-the-Middle (AiTM) attacks, SEO manipulation to push malicious domains (e.g., brokeapt.com).
TroyDen (Lure Factory)
- Distribution: GitHub repositories hosting over 300 delivery packages.
- Payloads: LuaJIT-based infostealers, Redline, Lumma Stealer.
- Lures: AI-generated file names using obscure biological/medical taxonomy to evade filters and entice developers/gamers.
- Techniques: Two-component payload design, utilizing Prometheus obfuscator.
o1oo1 (SilabRAT)
- Distribution: Darkweb forums (Malware-as-a-Service, $5,000/month).
- Payloads: SilabRAT, HijackLoader, AsmCrypt.
- Capabilities: Hidden VNC (HVNC) for invisible remote control, browser profile cloning (session hijacking), cryptocurrency wallet theft.
- Persistence: Utilizes AsmCrypt for obfuscation and standard startup mechanisms.
IOC Analysis
The provided indicators of compromise (IOCs) include:
- Network Infrastructure: IPv4 91.199.163.124 (SilabRAT C2) and domains brokeapt.com, rongtv.xyz, ssffaa19.xyz (Storm-3075).
- File Hashes: Multiple SHA256 hashes associated with Lumma Stealer, Vidar, and SilabRAT loaders.
Operational Guidance: SOC teams should immediately block the listed domains and IP addresses at the perimeter. File hashes should be uploaded to EDR solutions for retrospective hunting. The presence of HijackLoader or LuaJIT processes on non-developer workstations should trigger immediate isolation.
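For the retrospective hunt described above, the following is an added example (not part of the original report) that runs the listed network and hash indicators over constructed proxy and EDR file-inventory log lines. The two log formats and the sample lines are assumptions; the subdomain matching mirrors the pan.* hosts used in the KQL query in the Detection Engineering section.

```python
import re
from urllib.parse import urlsplit

# Indicators from the report; the hashes are two of the listed SHA256 values.
IOC_DOMAINS = {"brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"}
IOC_IPS = {"91.199.163.124"}
IOC_SHA256 = {
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
}

# Assumed (constructed) log formats: proxy "<ts> <src_ip> <dst_ip> <url>",
# EDR file inventory "<ts> <hostname> <path> sha256=<hex>".
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst_ip>\S+) (?P<url>https?://\S+)$")
FILE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<path>\S+) sha256=(?P<sha>[0-9a-fA-F]{64})$")

def domain_matches(host):
    """Return the IOC domain if host equals it or is a subdomain (pan.rongtv.xyz -> rongtv.xyz)."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def hunt(lines):
    """Return one hit per matching indicator, in log order, for triage."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            dom = domain_matches(urlsplit(m["url"]).hostname or "")
            if dom:
                hits.append({"type": "domain", "indicator": dom, "line": line})
            if m["dst_ip"] in IOC_IPS:
                hits.append({"type": "ip", "indicator": m["dst_ip"], "line": line})
            continue
        m = FILE_RE.match(line)
        if m and m["sha"].lower() in IOC_SHA256:
            hits.append({"type": "sha256", "indicator": m["sha"].lower(), "line": line})
    return hits

# Constructed sample lines: a benign request, a lure subdomain, the C2 IP, a hash match.
SAMPLE_LOGS = [
    "2026-06-10T09:12:01Z 10.0.0.15 192.0.2.10 https://www.example.org/index.html",
    "2026-06-10T09:13:44Z 10.0.0.15 203.0.113.9 https://pan.rongtv.xyz/installer.zip",
    "2026-06-10T09:14:02Z 10.0.0.22 91.199.163.124 http://91.199.163.124/",
    "2026-06-10T09:15:30Z WS-0042 C:\\Users\\u\\Downloads\\setup.exe "
    "sha256=0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
]
```

Each hit keeps the raw line so an analyst can pivot to the source host and timestamp; extend the two regexes to your own proxy and EDR export formats.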
Detection Engineering
Sigma Rules
---
title: Potential Infostealer Process Accessing Browser Data
id: 8f3a1c92-b742-4c5e-8e1a-2f9b8e1d3c5a
description: Detects non-browser processes opening browser cookie or history files, common in Lumma, Vidar, and SilabRAT campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/10
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    # file_access, not process_access: the targets are files on disk, so the
    # process_access fields TargetImage and GrantedAccess do not apply here.
    category: file_access
    product: windows
detection:
    selection:
        FileName|contains:
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Google\Chrome\User Data\Default\History'
            - '\Mozilla\Firefox\Profiles\'
            - '\Microsoft\Edge\User Data\Default\Cookies'
    filter_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    condition: selection and not filter_browsers
falsepositives:
    - Legitimate backup software
    - Browser extensions
level: high
---
title: Suspicious PowerShell Execution from GitHub (TroyDen Lures)
id: 9b4d2e03-a8b1-4f7d-9c2e-3e0f9a2e4d6c
description: Detects PowerShell downloading or executing content from GitHub, a tactic used in TroyDen's AI-assisted lure factory.
status: experimental
author: Security Arsenal
date: 2026/06/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_image:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    # Two separate selections: a repeated CommandLine|contains key in one
    # mapping is invalid YAML and would drop the github.com requirement.
    selection_github:
        CommandLine|contains: 'github.com'
    selection_download:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'Invoke-RestMethod'
            - 'DownloadString'
            - 'IEX'
    condition: all of selection_*
falsepositives:
    - Legitimate developer automation scripts
level: medium
---
title: HijackLoader and Shellcode Execution Indicators
id: 1c5e3f92-c9a1-4d5e-8f2b-4e0g9h3i5j7k
description: Detects behaviors associated with HijackLoader and shellcode injection seen in Storm-3075 and SilabRAT campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/10
tags:
    - attack.defense_evasion
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_suspicious_parent:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\winword.exe'
            - '\excel.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\control.exe'
    selection_shellcode:
        CommandLine|contains:
            - ',#1'
            - 'DllRegisterServer'
            - 'control.exe'
    filter_legit:
        CommandLine|contains:
            - 'shell32.dll'
            - 'UserAccountControlSettings'
    condition: all of selection_* and not filter_legit
falsepositives:
    - System configuration changes
level: high
KQL (Microsoft Sentinel)
// RemoteUrl uses exact matching; use has_any on the bare domains to catch other subdomains.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz") or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where SHA256 in ("0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a", "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80", "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23", "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b", "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5", "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623", "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023")
    | project Timestamp, DeviceName, FileName, SHA256, FolderPath
)
PowerShell Hunt Script
# IOC Hunt Script for Storm-3075, TroyDen, and SilabRAT Campaigns
# Checks for known file hashes and suspicious network connections
$KnownHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..."
    # -File skips directories; -Force includes hidden and system files where droppers often land
    Get-ChildItem -Path $Drive -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($FileHash -and $KnownHashes -contains $FileHash) {
            Write-Host "MATCH FOUND: $($_.FullName) with hash $FileHash" -ForegroundColor Red
        }
    }
}
Write-Host "Checking network connections to C2 infrastructure..." -ForegroundColor Yellow
$TargetIP = "91.199.163.124"
# Only live TCP sessions are visible here; use proxy or DNS logs for historical contact
$Connections = Get-NetTCPConnection -RemoteAddress $TargetIP -ErrorAction SilentlyContinue
if ($Connections) {
    Write-Host "Active connection detected to C2 IP: $TargetIP" -ForegroundColor Red
    $Connections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
} else {
    Write-Host "No active connections to $TargetIP found."
}
Response Priorities
- Immediate: Block identified domains (brokeapt.com, rongtv.xyz) and IP (91.199.163.124) on firewalls and proxies. Initiate endpoint scans for the listed SHA256 hashes.
- 24h: If infections are detected, prioritize credential resets for users with access to financial systems or crypto wallets. Review browser session cookies for anomalies.
- 1 Week: Harden software development policies regarding the usage of unverified GitHub packages. Implement strict allow-listing for AI-related software downloads to prevent malvertising impacts.