
AI-Themed Infostealers & 4BID ProxyShell Campaigns: Storm-3075, TroyDen, and 4BID OTX Analysis

Security Arsenal Team
June 9, 2026

Date: 2026-06-10
Source: AlienVault OTX Live Pulse Data
TLP: White

Threat Summary

Recent OTX pulses highlight a dual-front threat landscape. On one side, financially motivated actors Storm-3075 and TroyDen are aggressively exploiting the "AI hype cycle." These groups are distributing sophisticated infostealers (Lumma, Vidar, Redline) using malvertising and SEO poisoning that impersonates platforms like ChatGPT, Claude, and DeepSeek, specifically targeting developers and gamers.

Simultaneously, the hacktivist group 4BID (and affiliates) is broadening its geopolitical scope beyond Russia and Belarus. They are exploiting ProxyShell vulnerabilities in unpatched Microsoft Exchange servers to deploy webshells (fd.aspx) and post-exploitation frameworks like Sliver, Havoc, and Mythic Apollo. This expansion now targets critical infrastructure in the Middle East and North Africa (MENA), signaling an escalation in cross-border cyber-operations.

Threat Actor / Malware Profile

Storm-3075 & TroyDen (Infostealer Campaigns)

  • Objective: Credential harvesting, financial fraud, and session hijacking.
  • Distribution: Malvertising campaigns redirecting to typosquatted AI domains; GitHub repositories hosting malicious payloads disguised as AI tools using biological taxonomy naming conventions (e.g., obscure medical terms).
  • Payloads:
    • Lumma Stealer / Vidar: Info-stealers targeting browser cookies, wallets, and 2FA sessions.
    • Hijack Loader: A shellcode loader used to decrypt and execute the final payloads.
    • LuaJIT: Used in TroyDen campaigns for obfuscation and execution.
  • C2 & Persistence: C2 communications established via HTTP/HTTPS to domains generated by domain generation algorithms (DGA). Persistence achieved via scheduled tasks or registry run keys.

4BID (Hacktivist Operations)

  • Objective: Disruption, data exfiltration, and DDoS coordination.
  • Vector: Exploitation of ProxyShell (Microsoft Exchange vulnerabilities) to deploy fd.aspx webshells.
  • Tooling: Heavy reliance on "Bring Your Own Vulnerable Driver" (BYOVD) techniques to disable security tools, followed by the deployment of open-source C2 frameworks: Sliver, Havoc, Mythic Apollo, and AdaptixC2.
  • Targets: Government, Manufacturing, Healthcare, and Aerospace sectors in Belarus, Egypt, Kazakhstan, Russia, Syria, and UAE.

IOC Analysis

The provided OTX pulses include a mix of infrastructure and file-based indicators:

  • Network Infrastructure:
    • Domains (Storm-3075): brokeapt.com, rongtv.xyz. These are likely malvertising landing pages or C2 domains. SOC teams should block these at the DNS layer.
    • IPv4 (4BID): 185.221.153.121, 45.112.194.82. These are C2 nodes or proxy servers used by the hacktivists. Immediate firewall blocking is required.
  • File Hashes:
    • SHA256 hashes associated with Lumma Stealer and Hijack Loader samples. These should be added to Endpoint Detection and Response (EDR) blocklists.
    • MD5 hashes associated with 4BID tools (Sliver/Havoc implants).
  • CVE:
    • CVE-2023-44976 (Linked to 4BID operations in pulse data) and standard ProxyShell chains. Vulnerability scanning is critical.

Operationalization: Feed hashes into EDR telemetry (e.g., CrowdStrike, SentinelOne). Block IPs and Domains at the perimeter (Firewall/Palo Alto/Cisco ASA). Use SIEM correlations to alert on outbound connections to the listed infrastructure.
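Before feeding pulse indicators into EDR or SIEM blocklists, it pays to normalise them by type, because a SHA-1 value compared against SHA-256 telemetry never matches and a bare substring match on a domain produces noise. The following Python is an added example, not code from the page or from Security Arsenal: it classifies the indicators quoted above by shape (IPv4, domain, MD5/SHA-1/SHA-256 by hex length) and matches them against a few constructed telemetry rows. The event field names (`query`, `sha256`, `remote_ip`) and the host names are assumptions, not a real product schema; the SHA-1 value is the 40-character hash listed in the hunt script further down the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators quoted in this report; the last entry is the 40-character (SHA-1) value.
RAW_IOCS = [
    "brokeapt.com",
    "rongtv.xyz",
    "185.221.153.121",
    "45.112.194.82",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32",
]

HEX = re.compile(r"^[0-9a-f]+$")
IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify(ioc: str) -> str:
    """Return the indicator type derived purely from its shape."""
    v = ioc.strip().lower()
    if IPV4.match(v):
        return "ipv4"
    if HEX.match(v) and len(v) in HASH_TYPES:
        return HASH_TYPES[len(v)]
    if DOMAIN.match(v):
        return "domain"
    return "unknown"


def build_ioc_sets(iocs: List[str]) -> Dict[str, set]:
    """Group indicators into one lower-cased set per type."""
    sets: Dict[str, set] = {}
    for ioc in iocs:
        sets.setdefault(classify(ioc), set()).add(ioc.strip().lower())
    return sets


# Constructed telemetry rows standing in for SIEM events (assumed field names).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "DEV-01", "query": "cdn.brokeapt.com"},
    {"type": "dns", "host": "DEV-02", "query": "update.microsoft.com"},
    {"type": "process", "host": "DEV-03",
     "sha256": "0A26238F6C516DE5885457C93042531AA59BC206A9537CEBF5267CEDC6C68531",
     "sha1": "d41d8cd98f00b204e9800998ecf8427e80000000"},
    {"type": "process", "host": "DEV-04",
     "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
     "sha1": "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32"},
    {"type": "network", "host": "EXCH-01", "remote_ip": "45.112.194.82"},
    {"type": "network", "host": "EXCH-01", "remote_ip": "10.0.0.5"},
]


@dataclass(frozen=True)
class Match:
    host: str
    ioc: str
    ioc_type: str


def match_events(events, sets: Dict[str, set]) -> List[Match]:
    """Compare each event against the indicator set of the matching type only."""
    hits: List[Match] = []
    for ev in events:
        if ev["type"] == "dns":
            q = ev["query"].lower()
            # Match the domain itself or a subdomain, never an arbitrary substring.
            for d in sets.get("domain", ()):
                if q == d or q.endswith("." + d):
                    hits.append(Match(ev["host"], d, "domain"))
        elif ev["type"] == "process":
            # Hash telemetry is often upper-case; normalise before comparing.
            for algo in ("sha256", "sha1", "md5"):
                h = ev.get(algo, "").lower()
                if h in sets.get(algo, ()):
                    hits.append(Match(ev["host"], h, algo))
        elif ev["type"] == "network":
            ip = ev["remote_ip"]
            if ip in sets.get("ipv4", ()):
                hits.append(Match(ev["host"], ip, "ipv4"))
    return hits


if __name__ == "__main__":
    for m in match_events(SAMPLE_EVENTS, build_ioc_sets(RAW_IOCS)):
        print(f"{m.host}: {m.ioc_type} indicator {m.ioc}")
```

The point of the per-type sets is that the SHA-1 indicator is matched against the event's SHA-1 column rather than silently never matching; the same split should be applied before loading the hashes into an EDR watchlist.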

Detection Engineering

Below are detection mechanisms tailored to the specific TTPs observed in these pulses.

YAML
---
title: Potential ProxyShell Exploitation via Exchange Backend
id: 6998a13c-4310-4110-9906-48c77b3f83b1
status: experimental
description: Detects exploitation attempts against Microsoft Exchange Server indicative of ProxyShell activity, specifically looking for patterns associated with 4BID group TTPs including autodiscover abuse and fd.aspx webshell creation.
references:
    - https://www.microsoft.com/security/blog
author: Security Arsenal Research
date: 2026/06/10
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2021.34473
logsource:
    product: windows
    service: iis
detection:
    selection:
        cs-uri-stem|contains:
            - '/autodiscover/autodiscover.xml'
            - '/autodiscover/autodiscover.json'   # endpoint abused by the ProxyShell path-confusion step (CVE-2021-34473)
            - '/mapi/nspi/'
    filter_legit:
        cs-user-agent|contains: 'Microsoft'
    selection_webshell:
        cs-uri-stem|contains: 'fd.aspx'
    # Sigma evaluates 'not' before 'and' before 'or'; the parentheses make the
    # intended grouping explicit so the webshell match is never masked by the filter.
    condition: (selection and not filter_legit) or selection_webshell
falsepositives:
    - Legacy Exchange Client access
    - Third-party mail clients and mobile devices whose User-Agent does not contain 'Microsoft'
level: high
---
title: Suspicious Process Execution via Hijack Loader Patterns
id: e3b1c5d9-0a2f-4a5b-9e8c-1d2f3a4b5c6d
status: experimental
description: Detects execution patterns associated with Hijack Loader and AI-themed malware distribution (Storm-3075), specifically looking for control.exe or regsvr32 spawning from unusual parent processes or loading signed binaries with suspicious arguments.
references:
    - https://otx.alienvault.com
author: Security Arsenal Research
date: 2026/06/10
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\msedge.exe'
            - '\chrome.exe'
        Image|endswith:
            - '\control.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'dllregister'
            - 'open'
    selection_context:
        CommandLine|contains:
            - 'brokeapt' # Context from pulse domain
            - 'ai-tools'
    condition: selection_loader or selection_context
falsepositives:
    - Legitimate system administration
level: medium
---
title: Hacktivist C2 Framework Initialization (Sliver/Havoc)
id: f9a8e7d6-5c4b-3a2b-1c9d-0e8f7a6b5c4d
status: experimental
description: Detects process execution indicative of Sliver or Havoc C2 frameworks used by 4BID hacktivists. Focuses on the frameworks' default binary names and on the Sliver implant-generation command line.
references:
    - https://securelist.com
author: Security Arsenal Research
date: 2026/06/10
tags:
    - attack.command_and_control
    - attack.t1071
logsource:
    category: process_creation
    product: windows
detection:
    selection_sliver:
        Image|endswith:
            - '\sliver.exe'
            - '\sliver-client.exe'
    selection_havoc:
        Image|endswith:
            - '\Havoc.exe'
            - '\Demon.exe'
    selection_behavior:
        # Sliver's implant generation command with its transport flag. The bare
        # tokens 'generate' and '--http' on their own match far too many benign
        # command lines for a critical-level rule.
        CommandLine|contains:
            - 'generate --mtls'
            - 'generate --http'
            - 'generate --dns'
    condition: 1 of selection_*
falsepositives:
    - Security Researcher testing
level: critical
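To see how the first rule's condition behaves once operator precedence is applied, here is an added Python example that is not code from the page or from Security Arsenal: it parses a constructed IIS W3C log excerpt and evaluates the same three selections over each row. The log lines, host names and client IP addresses are made up for the example. The raw W3C header for the user agent is `cs(User-Agent)`; the Sigma `cs-user-agent` field in the rule maps to that column.

```python
from typing import Dict, Iterator, List, Tuple

# Constructed W3C extended log excerpt in the default IIS field order.
# These requests are illustrative; they were not captured from a real server.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2026-06-09 08:01:10 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.1.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0) - 200 0 0 31
2026-06-09 08:02:44 10.0.0.5 GET /autodiscover/autodiscover.json - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 120
2026-06-09 08:03:02 10.0.0.5 GET /aspnet_client/fd.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 8
2026-06-09 08:04:19 10.0.0.5 GET /owa/ - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 12
"""

# The same values the Sigma rule carries in its three selections.
PROXYSHELL_STEMS = ("/autodiscover/autodiscover.xml",
                    "/autodiscover/autodiscover.json",
                    "/mapi/nspi/")
LEGIT_UA_TOKEN = "microsoft"
WEBSHELL_NAME = "fd.aspx"


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed rows instead of misaligning columns
        yield dict(zip(fields, values))


def evaluate(row: Dict[str, str]) -> bool:
    """Apply the rule's condition: (selection and not filter_legit) or selection_webshell."""
    stem = row.get("cs-uri-stem", "").lower()
    ua = row.get("cs(User-Agent)", "").lower()
    selection = any(s in stem for s in PROXYSHELL_STEMS)
    filter_legit = LEGIT_UA_TOKEN in ua
    selection_webshell = WEBSHELL_NAME in stem
    # Sigma precedence: 'not' binds tightest, then 'and', then 'or'.
    return (selection and not filter_legit) or selection_webshell


def hunt(text: str) -> List[Tuple[str, str]]:
    """Return (client IP, URI stem) for every row that satisfies the rule."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in parse_w3c(text) if evaluate(r)]


if __name__ == "__main__":
    for client, stem in hunt(SAMPLE_IIS_LOG):
        print(f"ALERT {client} -> {stem}")
```

The Outlook request to autodiscover.xml is suppressed by the user-agent filter, while the scripted request to the JSON endpoint and the webshell request both alert; the same grouping is what the parenthesised condition in the rule expresses.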

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Query 1: 4BID infrastructure and webshell activity.
// Run the two queries separately: Kusto accepts only one tabular expression
// statement per query, so they cannot be chained with ';'.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "fd.aspx"
    or RemoteIP in ("185.221.153.121", "45.112.194.82", "138.226.236.52")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, ActionType
| extend IOCMatch = "4BID_Pulse_2026-06-10"

// Query 2: Storm-3075 file hashes. The SHA-256 list is joined by the single
// 40-character (SHA-1) indicator from the same pulse set, matched on its own column.
DeviceProcessEvents
| where Timestamp > ago(30d)
| where SHA256 in (
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23"
)
    or SHA1 == "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32"
| project Timestamp, DeviceName, FolderPath, SHA256, SHA1, InitiatingProcessFileName
| extend IOCMatch = "Storm-3075_Pulse_2026-06-09"

PowerShell IOC Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for indicators related to the Storm-3075 and 4BID pulses.
.DESCRIPTION
    Hashes every file on the local drives against the known SHA-256 and SHA-1 indicators,
    checks the DNS client cache for the pulse domains, and looks for the fd.aspx webshell
    in common IIS and Exchange web roots. Run from an elevated PowerShell session.
#>

# SHA-256 indicators (64 hex characters).
$TargetSha256 = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23"
)
# This indicator is 40 hex characters, i.e. SHA-1. Comparing it against SHA-256 output
# can never match, so it is checked with its own algorithm.
$TargetSha1 = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32"
)

$MaliciousDomains = @("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")

Write-Host "[+] Scanning for known file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    # -File skips directories (which Get-FileHash cannot hash); -Force includes hidden files.
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -and $TargetSha256 -contains $Sha256) {
            Write-Host "[!] MALWARE DETECTED: $($_.FullName) | SHA256: $Sha256" -ForegroundColor Red
        }
        # Second pass for the SHA-1 indicator; this doubles the read cost per file.
        $Sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($Sha1 -and $TargetSha1 -contains $Sha1) {
            Write-Host "[!] MALWARE DETECTED: $($_.FullName) | SHA1: $Sha1" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking DNS cache for pulse domains..." -ForegroundColor Cyan
# The cache only holds names resolved since the last flush; absence is not proof of no contact.
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    # Match the domain itself and its subdomains rather than any substring.
    $Hits = $DnsCache | Where-Object { $_.Entry -eq $Domain -or $_.Entry -like "*.$Domain" }
    foreach ($Hit in $Hits) {
        Write-Host "[!] Suspicious DNS entry: $($Hit.Entry) -> $($Hit.Data)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking for 4BID webshell artifacts (fd.aspx)..." -ForegroundColor Cyan
$WebPaths = @(
    "C:\inetpub\wwwroot",
    "C:\inetpub\wwwroot\wss",
    "C:\inetpub\wwwroot\aspnet_client",
    # Exchange front-end virtual directories are a common ProxyShell webshell drop location.
    "$env:ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
)
foreach ($Path in $WebPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter "fd.aspx" -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "[!] WEBSHELL DETECTED: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate (0-4h):
    • Block all identified IP addresses (185.221.153.121, etc.) and domains (brokeapt.com) at the perimeter.
    • Isolate endpoints matching the Lumma/Vidar file hashes.
    • Scan Microsoft Exchange servers for the fd.aspx webshell and signs of ProxyShell exploitation.
  • 24h:
    • Conduct credential reset for accounts logged into devices infected with infostealers (Lumma/Vidar/Redline).
    • Hunt for Sliver/Havoc processes in memory on servers within the targeted sectors (Healthcare/Gov).
  • 1 Week:
    • Apply Exchange security updates to mitigate ProxyShell.
    • Implement strict allow-listing for GitHub repositories used by developers to counter TroyDen supply chain attacks.
    • Review web proxy logs for traffic to AI-themed typosquatting domains.
