Recent OTX pulses indicate a highly active threat landscape spanning mobile surveillance, credential theft, and state-sponsored espionage. ASO RAT is actively targeting Syrian government and media entities using Android trojans disguised as PDF readers. Meanwhile, the Vidar Stealer campaign is employing sophisticated AutoIt loaders, masquerading as hacktools like MicrosoftToolkit.exe, to harvest credentials via multi-stage infection chains. Separately, the Kimsuky APT group has evolved their toolset with PebbleDash-based malware, introducing Rust-based backdoors (HelloDoor) and leveraging VSCode Tunneling for covert C2 communications. Collectively, these campaigns demonstrate adversaries' continued reliance on living-off-the-land binaries (LOLBins), masquerading, and encrypted tunnels to evade detection.
Threat Actor / Malware Profile
ASO RAT (Android Surveillance)
- Actor: Unknown (Targeting Syria)
- Distribution: Disguised as PDF readers and Syrian government applications.
- Capabilities: SMS interception, camera access, GPS tracking, call logging, file exfiltration, and DDoS functionality.
- C2 Infrastructure: Uses DDNS (aso.ddns.net) resolving to Frankfurt-based infrastructure.
Vidar Stealer (Info Stealer)
- Actor: Unknown
- Distribution: AutoIt-based loaders distributed via masqueraded executables (e.g.,
MicrosoftToolkit.exe). Uses file extension renaming (.dotto.bat) to evade detection. - Capabilities: Credential theft, information harvesting.
- Behavior: Multi-stage payload execution; attempts to terminate security-related processes during discovery.
Kimsuky APT (PebbleDash)
- Actor: Kimsuky (North Korea)
- Targets: Defense, Government, Healthcare, Energy, Manufacturing.
- Tooling Evolution: New Rust-based backdoor
HelloDoor,httpMalice(Dropbox comms), and updatedhttpTroy. - Persistence: Leverages legitimate tools like VSCode Tunneling (
trycloudflare.com) for C2 blending.
IOC Analysis
The provided IOCs span domains, hostnames, and file hashes associated with active C2 infrastructure and payload delivery.
- Domains/Hostnames:
aso.ddns.net(ASO RAT C2)gz.technicalprorj.xyz(Vidar Stealer C2)female-disorder-beta-metropolitan.trycloudflare.com(Kimsuky Tunneling)attach.docucloud.o-r.kr,load.auraria.org(Kimsuky Payloads)
- File Hashes:
- MD5/SHA256 signatures for AutoIt loaders, Vidar payloads, and Android APKs (e.g.,
31514358bf684a1e466a9e8069c11031,881619a47b62b52305d92640cc4d4845a279c23a).
- MD5/SHA256 signatures for AutoIt loaders, Vidar payloads, and Android APKs (e.g.,
Operational Guidance: SOC teams should immediately block the listed domains at the proxy/firewall level. File hashes should be uploaded to EDR solutions for isolation. The use of trycloudflare.com indicates an adversary abusing privacy tunnels; rules detecting outbound connections to generic Cloudflare tunnel endpoints are required if whitelisting is not feasible.
Detection Engineering
YAML
---
title: Potential AutoIt Loader Masquerading Activity
description: Detects AutoIt execution with suspicious file extensions or masqueraded hacktools often associated with Vidar Stealer loaders.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66545c8b31f7a2b36f0d7c58/logsdetection: selection:
Image|endswith:
- '\autoit3.exe'
- '\aut2exe.exe'
CommandLine|contains:
- '.bat'
- '.dot'
- 'MicrosoftToolkit.exe'
condition: selection
falsepositives:
- Legitimate AutoIt script administration
---
title: VSCode Tunneling Process Execution
description: Detects the execution of VSCode with tunneling arguments, utilized by Kimsuky APT for C2 communication.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66545c8b31f7a2b36f0d7c58/logsdetection: selection:
Image|endswith:
- '\code.exe'
- '\Code - Insiders.exe'
CommandLine|contains:
- 'tunnel'
- 'forward'
condition: selection
falsepositives:
- Legitimate developer use of VSCode port forwarding
---
title: Connection to ASO RAT DDNS Infrastructure
description: Detects network connections to known ASO RAT Dynamic DNS infrastructure.
status: experimental
date: 2026/05/14
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/66545c8b31f7a2b36f0d7c58/logsdetection: selection:
DestinationHostname|contains:
- 'aso.ddns.net'
condition: selection
falsepositives:
- Unknown
kql
// Hunt for Vidar Stealer Loader Process Activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("autoit3.exe", "MicrosoftToolkit.exe")
or ProcessCommandLine contains ".dot"
or ProcessCommandLine contains ".bat"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| top 100 by Timestamp desc
// Hunt for Kimsuky APT Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("aso.ddns.net", "technicalprorj.xyz", "trycloudflare.com", "o-r.kr", "auraria.org")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| top 100 by Timestamp desc
powershell
# IOC Hunt Script for ASO RAT and Vidar Stealer Hashes
# Requires administrative privileges to scan system drives
$TargetHashes = @(
"31514358bf684a1e466a9e8069c11031",
"b3e706ba673cfeb9d205fb97b0ac624c",
"c3315d582e71412e830e019d036d811d",
"7ac9278876c83c9b597fae68acb6fbf9",
"5c373c2116ab4a615e622f577e22e9be",
"d1ec20144c83bba921243e72c517da5e",
"58ac2f65e335922be3f60e57099dc8a3"
)
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
Write-Host "[+] Starting Hunt for ASO RAT and Vidar IOCs..."
foreach ($Path in $PathsToScan) {
if (Test-Path $Path) {
Write-Host "[Scanning] $Path"
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
$FilePath = $_.FullName
try {
$Hash = (Get-FileHash -Path $FilePath -Algorithm MD5 -ErrorAction Stop).Hash
if ($TargetHashes -contains $Hash) {
Write-Host "[ALERT] Malicious File Found: $FilePath (MD5: $Hash)" -ForegroundColor Red
}
} catch {
# Ignore access errors
}
}
}
}
# Check for active network connections to suspicious C2s
$SuspiciousHosts = @("aso.ddns.net", "gz.technicalprorj.xyz", "female-disorder-beta-metropolitan.trycloudflare.com")
$Connections = Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
foreach ($Conn in $Connections) {
$Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
if ($Process) {
try {
$RemoteHostName = [System.Net.Dns]::GetHostEntry($Conn.RemoteAddress).HostName
if ($SuspiciousHosts | Where-Object { $RemoteHostName -like "*$_*" }) {
Write-Host "[ALERT] Suspicious Network Connection Detected: $($Process.ProcessName) connected to $RemoteHostName" -ForegroundColor Red
}
} catch {
# DNS resolution failed
}
}
}
Write-Host "[+] Hunt Complete."
# Response Priorities
* **Immediate:**
* Block all listed IOCs (domains and file hashes) on perimeter firewalls, proxies, and EDR systems.
* Isolate any endpoints returning hits on the Vidar Stealer or Kimsuky file hashes.
* Block execution of `MicrosoftToolkit.exe` and unsigned AutoIt scripts if not business critical.
* **24 Hours:**
* Conduct credential reset for users on devices flagged with Vidar Stealer activity (credential theft objective).
* Investigate logs for outbound connections to `*.trycloudflare.com` originating from developer workstations.
* **1 Week:**
* Review and restrict the use of VSCode tunneling in the enterprise network to prevent Kimsuky C2 blending.
* Update mobile device management (MDM) policies to block sideloading of APKs and flag applications requesting excessive permissions (SMS/Camera/GPS) to mitigate ASO RAT risk.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-malwareaso-ratvidar-stealerkimsuky-aptandroid-surveillancerust-malware
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.