Back to Intelligence

AI-Themed Infostealers & Supply Chain Attacks: Storm-3075, SilabRAT, and PyPI Worms — Detection Engineering

SA
Security Arsenal Team
June 10, 2026
5 min read

Threat Summary

Analysis of June 11 OTX Pulse data reveals a coordinated surge in credential theft operations leveraging "hype-driven" social engineering and developer supply chain compromises. Threat actors, specifically Storm-3075, are abusing the artificial intelligence boom to distribute Vidar and Lumma Stealer via malvertising campaigns impersonating ChatGPT and Copilot.

Simultaneously, the software supply chain is under fire from sophisticated campaigns targeting Python (PyPI) and Node.js (npm) repositories. Malware families including Hades, Mini Shai-Hulud, and Miasma are utilizing typosquatting and trojanized native extensions (.abi3.so) to compromise bioinformatics and MCP developers.

On the Dark Web, the SilabRAT MaaS (Malware-as-a-Service) is actively advertising advanced credential theft capabilities, including Hidden Virtual Network Computing (HVNC) and browser profile cloning to bypass 2FA protections. The collective objective of these campaigns is financial theft through credential harvesting and cryptocurrency wallet draining.

Threat Actor / Malware Profile

Storm-3075 (AI Brand Impersonation)

  • Malware: Vidar, Lumma Stealer, Hijack Loader, GhostSocks.
  • Distribution: SEO poisoning and malvertising for fake AI tools.
  • Behavior: Hijack Loader decrypts payloads; Lumma/Vidar exfiltrates browser data and system info.

SilabRAT (o1oo1)

  • Type: MaaS (Subscription: $5,000/mo).
  • Malware: SilabRAT, Hijackloader, AsmCrypt.
  • Behavior: Uses HVNC for invisible remote control; performs "browser profile cloning" to steal active session cookies/tokens, effectively bypassing MFA. Focuses on cryptocurrency wallets.

PyPI/NPM Worms (Hades, Mini Shai-Hulud, Miasma)

  • Distribution: Malicious packages on PyPI and npm (typosquatting).
  • Technique:
    • .pth startup hooks in Python site-packages.
    • Trojanized .abi3.so native extensions executing at import.
  • Objective: Cloning git credentials, targeting crypto users, and establishing persistence within dev environments.

Needle (ThreatNeedle)

  • Malware: RustyStealer, ThreatNeedle.
  • Behavior: Impersonates wallet apps (Exodus, Ledger); uses browser extension spoofers (MetaMask).

IOC Analysis

The provided IOCs span multiple vectors requiring distinct detection strategies:

  • File Hashes (SHA256/SHA1): Multiple payloads for Vidar, Lumma, SilabRAT, and Python worms (e.g., 0a26238f6c516de..., 6506d31707a399...). These must be loaded into EDR quarantine lists.
  • Network Infrastructure:
    • IPv4 91.199.163.124 (SilabRAT C2).
    • Domains brokeapt.com, pan.rongtv.xyz (Storm-3075 infrastructure).
  • Operationalization:
    • Firewall/Proxy: Block communication to 91.199.163.124 and the listed domains immediately.
    • EDR: Scan for the specific SHA256 hashes; focus on %APPDATA%, %TEMP%, and Python site-packages directories.

Detection Engineering

Sigma Rules

YAML
---
title: Potential PyPI Supply Chain Compromise via PTH Hooks
id: 8a4c2b1e-9f3a-4b1c-8d5e-1f2a3b4c5d6e
description: Detects creation of .pth files in Python site-packages directories, a technique used by Hades/Miasma worms to gain execution.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6666d8a43f56d8f8a4c2b1e
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: 
            - '\Lib\site-packages\'
            - '\lib\python3.\site-packages\'
        TargetFilename|endswith: '.pth'
    condition: selection
falsepositives:
    - Legitimate Python package installation
level: high
---
title: Infostealer Browser Data Access via Non-Browser Process
id: 9d5e3c2f-0a4b-5c2d-9e6f-2a3b4c5d6e7f
description: Detects non-browser processes accessing browser database files (Cookies, History), indicative of Vidar, Lumma, or SilabRAT activity.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6666d8a43f56d8f8a4c2b1e
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\Default\Cookies'
            - '\Microsoft\Edge\User Data\Default\Cookies'
            - '\Mozilla\Firefox\Profiles\'
    filter:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
    condition: selection and not filter
falsepositives:
    - Security software scanning
level: high
---
title: Suspicious PowerShell Command Line Obfuscation (Hijack Loader)
id: 0e1f2a3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects highly obfuscated PowerShell commands often used by Hijack Loader to decrypt and execute payloads like Vidar.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6666d8a43f56d8f8a4c2b1e
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_powershell:
        Image|endswith: '\powershell.exe'
    selection_obfuscation:
        CommandLine|contains:
            - 'FromBase64String'
            - 'IEX'
            - 'Invoke-Expression'
    selection_suspicious:
        CommandLine|contains:
            - 'http://'
            - 'brokeapt.com'
            - 'rongtv.xyz'
    condition: all of selection_*
falsepositives:
    - Admin scripts using base64
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for known malicious file hashes from OTX Pulses
DeviceFileEvents
| where Timestamp >= ago(7d)
| where SHA256 in (
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessAccountName
;
// Hunt for network connections to SilabRAT C2 and Storm-3075 Infrastructure
DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemoteIP == "91.199.163.124" or RemoteUrl in ("brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
# Hunt for Indicators of Compromise related to AI-themed Stealers and Python Worms

$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)

Write-Host "[+] Checking for malicious file hashes on system..." -ForegroundColor Cyan

# Check common temp and appdata directories
$Paths = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Hunt for suspicious .pth files in Python environments (Hades/Miasma)
Write-Host "[+] Scanning for suspicious Python .pth hooks..." -ForegroundColor Cyan
$PythonPaths = @("$env:LOCALAPPDATA\Programs\Python", "$env:APPDATA\Python")

foreach ($BasePath in $PythonPaths) {
    if (Test-Path $BasePath) {
        Get-ChildItem -Path $BasePath -Filter "*.pth" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Flag any .pth files found for manual review
            Write-Host "[?] Suspicious .pth file: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Hunt complete. Review findings." -ForegroundColor Green

Response Priorities

  • Immediate: Block network communication to 91.199.163.124 (SilabRAT) and brokeapt.com. Quarantine endpoints matching the provided SHA256 hashes.
  • 24h: Initiate credential reset and identity verification for developers and users in the targeted industries (Tech, Finance, Bioinformatics). Audit Python package repositories for malicious imports.
  • 1 Week: Implement strict allow-listing for Python pip and npm installations. Harden browser policies to prevent unauthorized extension installation (Needle threat vector). Deploy application control to block execution of unsigned binaries in temp directories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsvidar-stealersilabratsupply-chaincredential-theftinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action