Back to Intelligence

AI-Themed Phishing, MaaS Crypto-Stealers, and PyPI Worms: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 12, 2026
6 min read

OTX Pulse data indicates a coordinated surge in credential theft and financial fraud campaigns utilizing diverse delivery vectors. Adversaries, primarily financially motivated groups like Storm-3075 and the developer of SilabRAT (o1oo1), are exploiting current trends in AI (ChatGPT, Copilot) and software supply chains (PyPI, npm) to distribute payloads such as Vidar, Lumma Stealer, and SilabRAT.

The attack chains converge on credential harvesting, cryptocurrency wallet theft, and session hijacking. Techniques range from sophisticated malvertising and SEO poisoning to social engineering via TikTok tutorials and trojanized developer packages. The emergence of MaaS (Malware-as-a-Service) platforms like SilabRAT and "Needle" lowers the barrier to entry for attackers seeking browser profile cloning and HVNC capabilities.

Threat Actor / Malware Profile

Storm-3075 & AI-Themed Campaigns

  • Malware: Vidar, Lumma Stealer, Oyster, GhostSocks.
  • Distribution: Malvertising, SEO poisoning, fake AI platform landing pages (ChatGPT, DeepSeek).
  • Behavior: Initial access via social engineering leads to payload execution. Vidar and Lumma focus on exfiltrating browser data, crypto wallets, and 2FA sessions.

SilabRAT (o1oo1)

  • Type: MaaS ($5,000/month).
  • Capabilities: Hidden VNC (HVNC) for invisible remote control, browser profile cloning to bypass MFA, cryptocurrency wallet theft.
  • Loader: Utilizes HijackLoader and AsmCrypt for obfuscation and defense evasion.

Supply Chain Worms (Hades, Miasma, Mini Shai-Hulud)

  • Target: Bioinformatics and MCP developers.
  • Method: Typosquatting and malicious PyPI wheels/executable .pth hooks.
  • Behavior: Executes upon import (Python sys.path manipulation), delivering worms that steal credentials and propagate.

Needle (ThreatNeedle / RustyStealer)

  • Vector: Browser extension spoofing (MetaMask, Phantom) and fake desktop applications (Exodus, Ledger).
  • Mechanism: Modular C2 infrastructure; Rust-based agent for persistence and wallet spoofer integration.

IOC Analysis

The provided dataset includes:

  • Domains (C2/Phishing): brokeapt.com, msget.run, d4ug.site. These should be blocked at DNS and Proxy levels.
  • IPv4: 91.199.163.124 (SilabRAT C2). Immediate firewall block recommended.
  • File Hashes (SHA1/SHA256): Multiple hashes associated with loaders, droppers, and final payloads (e.g., Vidar, SilabRAT).
  • Operationalization: Load hashes into EDR telemetry for immediate scanning. Domains and IPs should be ingested into SIEM correlation rules to flag any outbound connection attempts.

Detection Engineering

YAML
---
title: Potential Vidar Stealer Distribution via PowerShell
date: 2026/06/12
description: Detects PowerShell commands often used in fake software tutorials to download stealers like Vidar, as observed in TikTok campaigns.
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'iwr'
      - 'curl'
      - 'DownloadString'
  condition: selection
falsepositives:
  - Legitimate software installation scripts
level: high
---
title: Suspicious Python Package Import (Supply Chain)
date: 2026/06/12
description: Detects execution of Python processes loading suspicious .pth files or native extensions associated with Miasma/Hades worms.
status: experimental
tags:
  - attack.execution
  - attack.initial_access
logsource:
  product: windows
  category: process_creation
detection:
  selection_python:
    Image|endswith: '\python.exe'
  selection_suspicious:
    CommandLine|contains:
      - '.pth'
      - '.abi3.so'
      - 'site-packages'
  condition: all of selection_*
falsepositives:
  - Legitimate developer environment setups
level: medium
---
title: SilabRAT C2 Network Activity
date: 2026/06/12
description: Detects network connections to known SilabRAT infrastructure or anomalous ports associated with HVNC operations.
status: experimental
tags:
  - attack.c2
  - attack.command_and_control
logsource:
  product: zeek
  service: conn
detection:
  selection_ip:
    id.orig_h:
      - '91.199.163.124'
  selection_port:
    destination_port:
      - 443
      - 80
      - 8443
  condition: 1 of selection*
falsepositives:
  - None
level: critical


kql
// Hunt for PowerShell processes involved in suspicious downloads
DeviceProcessEvents  
| where Timestamp > ago(7d)  
| where FileName in (~"powershell.exe", "pwsh.exe")  
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadFile", "msget.run", "d4ug.site")  
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName  
| order by Timestamp desc  
;
// Hunt for file creations matching known Malware SHA256 hashes
DeviceFileEvents  
| where Timestamp > ago(7d)  
| where SHA256 in ("0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a", "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b", "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2")  
| project Timestamp, DeviceName, FolderPath, SHA256, InitiatingProcessAccountName  
| order by Timestamp desc


powershell
# IOC Hunt Script for SilabRAT, Vidar, and Supply Chain Malware
# Requires Administrative Privileges

$LogPath = "C:\Windows\Temp\IOC_Hunt_$(Get-Date -Format 'yyyyMMdd').log"

Function Write-Log {
    Param ([string]$Message)
    Add-Content -Path $LogPath -Value "[$(Get-Date -Format 'HH:mm:ss')] $Message"
    Write-Host $Message
}

Write-Log "Starting IOC Hunt..."

# 1. Check for Network Connections to C2 IPs (SilabRAT)
$C2_IPs = @("91.199.163.124")
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | Where-Object { $C2_IPs -contains $_.RemoteAddress }
if ($Connections) {
    Write-Log "[ALERT] Found active connection to known C2 IP: $($Connections.RemoteAddress)"
} else {
    Write-Log "No connections to known C2 IPs detected."
}

# 2. Scan specific directories for File Hashes (Simplified scan of Downloads/AppData)
$TargetHashes = @( 
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", 
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2"
)

$SearchPaths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:LOCALAPPDATA")

Write-Log "Scanning common directories for malicious files..."
foreach ($Path in $SearchPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $FileHash) {
                Write-Log "[CRITICAL] Malicious file found: $($_.FullName)"
            }
        }
    }
}

# 3. Check for Suspicious Scheduled Tasks (Common Persistence)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -match "powershell" -and 
    $_.Actions.Arguments -match "(download|invoke-expression|hidden)" 
}
if ($SuspiciousTasks) {
    Write-Log "[WARN] Suspicious scheduled tasks detected. Please review: $($SuspiciousTasks.TaskName)"
}

Write-Log "Hunt complete. Log saved to $LogPath"


# Response Priorities

*   **Immediate**:
    *   Block all domains and IPs listed in the IOC section at perimeter firewalls and DNS resolvers.
    *   Initiate a hunt for file hashes across endpoints using EDR capabilities.
    *   Isolate any devices showing signs of connection to `91.199.163.124` or executing PowerShell scripts from `msget.run`.

*   **24 Hours**:
    *   Conduct identity verification for users in sectors identified as targeted (Finance, Tech, Education) if credential theft is suspected.
    *   Revoke and reset session tokens for browser profiles if browser cloning (SilabRAT) is detected.
    *   Review Python package repositories used by development teams for the presence of typosquatted packages mentioned in the "Hades/Miasma" pulse.

*   **1 Week**:
    *   **Architecture Hardening**: Implement strict application allowlisting for PowerShell and restrict its usage to signed scripts.
    *   **Supply Chain Security**: Enforce requirements for dependency verification (SBOM) and restrict internet access on build servers.
    *   **Awareness Training**: Update security awareness training to include AI-themed social engineering and "too good to be true" software tutorials on social media platforms.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealervidar-stealersilabratsupply-chain-attackcryptocurrency-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action