
Gremlin, SilabRAT & AI-Themed Stealers: OTX Pulse Analysis — Credential Theft & Supply Chain Threat Pack

Security Arsenal Team
June 14, 2026

Recent OTX pulse data reveals a coordinated surge in credential theft operations leveraging diverse attack vectors. The intelligence highlights three distinct but overlapping campaigns:

  1. Stealer-as-a-Service Evolution: The emergence of SilabRAT by actor o1oo1 and the evolution of Gremlin Stealer demonstrate a shift toward commercial-grade obfuscation (instruction virtualization) and "Malware-as-a-Service" (MaaS) models. These tools specifically target session cookies and cryptocurrency wallets, utilizing HVNC (Hidden Virtual Network Computing) to evade detection.

  2. AI-Themed Social Engineering: Actor Storm-3075 is capitalizing on AI hype, impersonating brands like ChatGPT and DeepSeek to distribute Vidar and Lumma Stealers via malvertising and SEO poisoning.

  3. Supply Chain & Infrastructure Compromise: A sophisticated campaign targeting Bioinformatics and MCP Developers utilizes malicious PyPI wheels (Hades, Mini Shai-Hulud) to compromise development environments. Simultaneously, the exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128) by actor UAT-8616 facilitates initial access for webshell deployment (Godzilla, Sliver) and cryptocurrency mining.

Collective Objective: Financial gain through the mass exfiltration of credentials, browser sessions, and cryptocurrency assets, supported by robust infrastructure allowing for persistent access and evasion.

Threat Actor / Malware Profile

| Threat Actor / Family | Distribution Method | Payload Behavior | C2 Communication | Persistence Mechanism | Anti-Analysis Techniques |
|---|---|---|---|---|---|
| Gremlin Stealer | Phishing attachments, embedded resource files | Steals payment cards, browser data, Discord tokens | Telegram exfiltration, HTTP/HTTPS | Registry Run keys, Scheduled Tasks | Commercial packers, Instruction Virtualization (VM-based code execution) |
| SilabRAT (o1oo1) | Darkweb sales, initial access brokers | Credential theft, browser profile cloning, Crypto wallet theft | Custom C2 protocols | Scheduled Tasks, Service Creation | |
| Storm-3075 | Malvertising, SEO Poisoning, Fake AI sites | Drops Vidar/Lumma Stealers, GhostSocks proxy | HTTP/HTTPS | Scheduled Tasks, Startup Folders | Adversary-in-the-Middle (AiTM), Obfuscated PowerShell |
| PyPI Worms (Hades/Miasma) | Typosquatting, malicious npm/PyPI packages | Executes via .pth hooks or .abi3.so extensions, system info theft | HTTP/HTTPS | Python site-packages persistence | Trojanized native extensions, split-loader architecture |
| UAT-8616 | Exploitation of Cisco SD-WAN (CVE-2026-20128) | Webshell deployment (Godzilla/Behinder), XMRig mining | Webshell channels | System services, Webshell files | Vulnerability exploitation, Living-off-the-Land (LoL) binaries |

IOC Analysis

The provided intelligence consists primarily of file hashes (SHA256, SHA1, MD5), network infrastructure (IPv4, Domains), and CVE identifiers.

  • File Hashes: A high volume of SHA256 hashes is associated with the payload binaries (Gremlin, SilabRAT, PyPI wheels). SOC teams should operationalize these by blocking execution on endpoints via EDR policies and scanning historical execution logs for matches.
  • Network Indicators: The SilabRAT C2 IP (91.199.163.124) and malvertising domains (brokeapt.com, rongtv.xyz) are critical for perimeter blocking. These should be added to firewall blocklists and DNS sinkhole services immediately.
  • CVEs: The Cisco SD-WAN CVEs (CVE-2026-20128, CVE-2026-20133) require immediate patching or configuration hardening to prevent initial access by UAT-8616.

Tooling for Decoding:

  • VirusTotal / Hybrid Analysis: For deep analysis of the file hashes.
  • Cortex / TheHive: For IOC triage and case management.
  • UnpacMe: To analyze the commercial packing and instruction virtualization used by Gremlin Stealer.

Detection Engineering

**Sigma Rules (YAML)**

```yaml
title: Potential Gremlin Stealer or SilabRAT Browser Credential Theft
id: 4e8f9a2b-1c3d-4f5e-9a6b-7c8d9e0f1a2b
description: Detects processes accessing browser credential databases (Login Data or Cookies) common to Gremlin, SilabRAT, Vidar, and Lumma stealers.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66a4b2d6e8b4a032a1b2c3d4
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
            - '\AppData\Local\Microsoft\Edge\User Data\Default\Login Data'
            - '\AppData\Roaming\Mozilla\Firefox\Profiles\'
            - '\logins.'
            - 'key4.db'
    filter_legit:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\browser.exe'
            - '\opera.exe'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate password managers accessing browser stores
level: high
---
title: Malicious PyPI Package Execution via PTH Hooks
id: 5b9f0a3c-2d4e-5g6f-0b7c-8d9e1f2a3b4c
description: Detects the execution of Python processes utilizing suspicious .pth files or native extensions, indicative of the Hades/Miasma supply chain attack.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66a4b2d6e8b4a032a1b2c3d6
tags:
    - attack.initial_access
    - attack.t1195
logsource:
    category: process_creation
    product: windows
detection:
    selection_python:
        Image|endswith: '\python.exe'
    selection_suspicious:
        CommandLine|contains:
            - 'import site'
            - '.pth'
            - '.abi3.so'
            - 'sitecustomize'
    condition: selection_python and selection_suspicious
falsepositives:
    - Legitimate developer environment setup
level: medium
---
title: Suspicious Cisco SD-WAN Exploitation Activity
id: 6c0g1b4d-3e5f-6h7g-1c8d-9e0f2a3b4c5d
description: Detects potential webshell activity or exploitation attempts related to CVE-2026-20128 on Cisco Catalyst SD-WAN devices.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66a4b2d6e8b4a032a1b2c3d5
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: web
    product: apache
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/vpnssl/'
            - 'api/'
            - 'dataservice/'
    selection_suspicious_patterns:
        cs-uri-query|contains:
            - 'exec('
            - 'eval('
            - 'base64'
            - 'gnirtS' # String reversed obfuscation common in webshells
    condition: selection_uri and selection_suspicious_patterns
falsepositives:
    - Administrative management traffic
level: critical
```

**KQL (Microsoft Sentinel)**

```kql
// Hunt for known Malicious File Hashes (Gremlin, SilabRAT, PyPI Worms)
// Note: Kusto accepts one tabular expression per query; run each block below on its own.
let MaliciousHashes = pack_array(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
    "6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9"
);
DeviceProcessEvents
| where SHA256 in (MaliciousHashes)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, SHA256, FolderPath

// Hunt for SilabRAT C2 Communication
DeviceNetworkEvents
| where RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
```


**PowerShell Hunt Script**

```powershell
# IOC Hunt for Gremlin, SilabRAT, and AI-Themed Stealers
# Requires Admin Privileges

$MaliciousHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)

Write-Host "Checking for active network connections to SilabRAT C2..."
$C2IP = "91.199.163.124"
Get-NetTCPConnection -RemoteAddress $C2IP -ErrorAction SilentlyContinue | Select-Object LocalAddress, LocalPort, OwningProcess, State

Write-Host "Scanning common download directories for known malicious samples..."
$Paths = @("$env:USERPROFILE\Downloads", "$env:TEMP", "$env:APPDATA")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "Checking for suspicious Python packages..."
$PythonPaths = @("$env:LOCALAPPDATA\Programs\Python", "$env:APPDATA\Python")
# Basic heuristic for .pth files in site-packages (Supply Chain Hunt).
# Note: legitimate editable installs also ship .pth files, so every hit needs manual review.
foreach ($PPath in $PythonPaths) {
    if (Test-Path $PPath) {
        Get-ChildItem -Path $PPath -Filter "*.pth" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[?] Suspicious .pth file found: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}
```
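The hunt script above reports every .pth file, which is noisy because setuptools editable installs and virtualenv legitimately ship them. The following added example (not from the OTX pulse or the Security Arsenal script) instead applies CPython's own rule for which .pth lines are executed at interpreter start-up, which is the hook the PyPI worms in the table abuse, and flags only those lines; the SUSPICIOUS token list is an assumed heuristic and should be tuned locally.

```python
"""Audit .pth files for code-executing hook lines (read-only, never exec()s).

CPython's site module exec()s any .pth line that begins with "import"
followed by a space or tab; every other non-comment line is just appended
to sys.path. The .pth supply chain hooks abuse the first form.
"""
import os
import re
import site

# Tokens rarely seen in a benign editable-install hook but typical of an
# obfuscated loader (assumed heuristic; tune for your environment).
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|__import__|base64|marshal|zlib|subprocess|"
    r"urllib|socket|os\.system|\\x[0-9a-f]{2}", re.IGNORECASE)

def pth_exec_lines(text: str) -> list[str]:
    """Return the lines CPython would exec() from a .pth file body."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.startswith("import ") or ln.startswith("import\t")]

def classify_pth(text: str) -> dict:
    """Return {'exec_lines': [...], 'suspicious': bool} for one .pth body."""
    lines = pth_exec_lines(text)
    flagged = any(SUSPICIOUS.search(ln) or len(ln) > 300 for ln in lines)
    return {"exec_lines": lines, "suspicious": flagged}

def audit_dirs(dirs: list[str]) -> list[tuple[str, dict]]:
    """Scan *.pth directly under each dir; return files with exec hooks."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                verdict = classify_pth(fh.read())
            if verdict["exec_lines"]:
                findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, v in audit_dirs(dirs):
        tag = "[!] SUSPICIOUS" if v["suspicious"] else "[?] exec hook"
        print(tag, path, *v["exec_lines"], sep="\n    ")
```

Run it with the interpreter whose site-packages you want to audit; a "[?] exec hook" hit is normal for editable installs, while "[!] SUSPICIOUS" hits warrant pulling the file for review.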

Response Priorities

  • Immediate (0-24h):
    • Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoint.
    • Isolate endpoints with confirmed hits for SilabRAT or Gremlin Stealer hashes.
    • Hunt for the SilabRAT C2 IP (91.199.163.124) in firewall and proxy logs.
  • 24-48h:
    • Force password resets and session invalidation for users potentially impacted by credential theft (especially those in Engineering/Finance, targeted by AI-themed phishing).
    • Review network logs for signs of CVE-2026-20128 exploitation attempts targeting Cisco SD-WAN infrastructure.
    • Audit developer workstations for the presence of the malicious PyPI packages identified.
  • 1 Week:
    • Patch Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133).
    • Implement strict PyPI/npm package verification policies for R&D teams.
    • Enhance email/web filtering to block AI-themed malvertising domains associated with Storm-3075.
