
Gremlin Stealer, SilabRAT, and PyPI Supply Chain Attacks: OTX Pulse Analysis

Security Arsenal Team
June 14, 2026

Current OTX Pulse data indicates a surge in sophisticated credential theft campaigns targeting enterprise environments through diverse vectors. Threat actors are leveraging "AI hype" for social engineering (Storm-3075), deploying advanced obfuscation techniques in info-stealers (Gremlin Stealer), and utilizing Malware-as-a-Service (SilabRAT) with Hidden Virtual Network Computing (HVNC) capabilities. Additionally, a significant supply chain attack targets developers via malicious PyPI packages (Miasma/Hades).

The collective objective of these campaigns is financial theft, session hijacking, and the exfiltration of sensitive credentials and cryptocurrency wallet keys. The convergence of these disparate techniques suggests a commoditization of high-end theft tools available to lower-tier actors.

Threat Actor / Malware Profile

Gremlin Stealer (Updated Variant)

  • Distribution: Malicious spam, bundled downloads.
  • Behavior: Hides payloads in embedded resources using commercial packing utilities with instruction virtualization. Transforms code into custom bytecode executed by a private VM.
  • Objectives: Steals payment card details, browser data, and session tokens (Discord/Telegram).

Storm-3075 (AI Brand Impersonation)

  • Distribution: SEO poisoning, malvertising, phishing pages impersonating ChatGPT, DeepSeek, Claude.
  • Payloads: Vidar Stealer, Lumma Stealer, Hijack Loader.
  • Objectives: Credential harvesting, initial access for ransomware or fraud.

SilabRAT (Threat Actor: o1oo1)

  • Model: Malware-as-a-Service ($5,000/month).
  • Capabilities: HVNC (Hidden Virtual Network Computing), a remote desktop session that is invisible to the logged-in user; browser profile cloning, which reuses the victim's already-authenticated session cookies so that MFA and device checks are not re-prompted; AsmCrypt obfuscation.
  • Persistence: Uses HijackLoader for stealthy execution.

Miasma / Hades (Supply Chain)

  • Target: Bioinformatics and MCP developers.
  • Method: Typosquatting on PyPI/npm; malicious .pth startup hooks and trojanized .abi3.so extensions.
  • Execution: A .pth file dropped into site-packages is processed by site.py at every interpreter start, so any executable line in it runs before user code, and before any import of the package itself; the trojanized extension runs when its module is imported.
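The hook mechanism above is easy to audit once you know the rule site.py applies. The scanner below is an added example for this write-up (not code from the pulse or from any package it names): it walks the site-packages directories the running interpreter honours, reproduces site.py's line handling for .pth files, and flags every line that would be exec()'d, scoring it against a keyword list. The keyword list, the benign shim, and the hypothetical "zzz-hades.pth" hook (its payload only prints a string) are constructed for the example; nothing in it is an IOC from the pulse.

```python
"""Scanner for executable .pth start-up hooks in site-packages.

How site.py treats a .pth file: blank lines and lines starting with '#' are
ignored, a line that starts with 'import ' or 'import<TAB>' is passed to
exec() at every interpreter start-up, and any other line is appended to
sys.path as a directory. The exec()'d lines are the hook.
"""
import os
import re
import site
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Tokens that are rare in the one-line shims legitimate packages ship
# (setuptools' distutils-precedence.pth, editable-install finders) and common
# in loader stubs. Assumption of this example, not a signature from the pulse.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|base64|b64decode|zlib|marshal|socket|urllib|"
    r"requests|subprocess|ctypes|os\.system|os\.popen)\b"
)


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    suspicious: bool


def executable_pth_lines(path: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, line) for the lines site.py would exec() from a .pth file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip() or line.startswith("#"):
                continue
            if line.startswith(("import ", "import\t")):
                yield lineno, line


def scan_dir(directory: str) -> List[Finding]:
    """Scan one directory for .pth files and classify every executable line."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        for lineno, line in executable_pth_lines(path):
            findings.append(Finding(path, lineno, line, bool(SUSPICIOUS.search(line))))
    return findings


def scan_site_packages() -> List[Finding]:
    """Scan every site-packages directory the running interpreter honours."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        if os.path.isdir(d):
            findings.extend(scan_dir(d))
    return findings


def demo() -> List[Finding]:
    """Run the scanner over a constructed site-packages directory (sample data)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed benign shim, modelled on setuptools' distutils-precedence.pth.
        with open(os.path.join(d, "distutils-precedence.pth"), "w") as fh:
            fh.write("import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
                     "enabled = os.environ.get(var, 'local') == 'local'; "
                     "enabled and __import__('_distutils_hack').add_shim(); \n")
        # Constructed hypothetical hook: a comment and a path line to look
        # ordinary, then a base64-wrapped exec(). The payload is print('hook').
        with open(os.path.join(d, "zzz-hades.pth"), "w") as fh:
            fh.write("# build helper\n"
                     "/opt/bio/lib\n"
                     "import base64,sys;exec(base64.b64decode('cHJpbnQoJ2hvb2snKQ=='))\n")
        return scan_dir(d)


if __name__ == "__main__":
    for label, findings in (("sample", demo()), ("this interpreter", scan_site_packages())):
        print(f"== {label} ==")
        for f in findings:
            flag = "SUSPICIOUS" if f.suspicious else "ok"
            print(f"[{flag}] {f.path}:{f.lineno}: {f.line[:80]}")
```

Run it with the interpreter that developers actually use (inside their virtualenvs, not the system Python), because each interpreter has its own site-packages set; a legitimate environment normally shows only the setuptools shim and editable-install finders as executable lines.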

IOC Analysis

Indicator Types:

  • FileHash-SHA256: High-fidelity indicators for the Gremlin, SilabRAT, and PyPI malware payloads.
  • Domains/Hostnames: C2 infrastructure and malvertising landing pages (e.g., brokeapt.com, pan.rongtv.xyz).
  • CVEs: Specific vulnerabilities in Cisco Catalyst SD-WAN (CVE-2026-20128, CVE-2026-20133) exploited by UAT-8616 for initial access/webshell deployment.

Operational Guidance: SOC teams should block the listed domains and IP at the DNS and proxy layers, and load the SHA256 hashes into the EDR's custom-indicator list with a block-and-quarantine action. Network telemetry should be searched for any connection to the listed hostnames and IP, not just on 80/443: RAT command and control frequently uses non-standard ports, so filter on destination, not on port.

Detection Engineering

YAML
title: Potential Gremlin Stealer or Infostealer Activity - Browser Credential Access
id: 4c31d9e8-5f2b-4b9a-9a1a-1c2d3e4f5a6b
description: Detects non-browser processes opening browser credential stores, cookie databases or autofill payment data, a common behaviour of Gremlin, Vidar, and Lumma stealers. Chromium paths are matched by file name under the profile root so that non-default profiles and the current Chrome layout (Network\Cookies) are both covered.
status: experimental
date: 2026/06/14
author: Security Arsenal
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1539
logsource:
  category: file_access
  product: windows
detection:
  selection_chromium:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\'
      - '\Opera Software\Opera Stable\'
    TargetFilename|endswith:
      - '\Cookies'
      - '\Login Data'
      - '\Web Data'
  selection_firefox:
    TargetFilename|contains: '\Mozilla\Firefox\Profiles\'
    TargetFilename|endswith:
      - '\logins.json'
      - '\key4.db'
      - '\cookies.sqlite'
  filter_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\opera.exe'
  condition: 1 of selection_* and not filter_browsers
falsepositives:
  - Legitimate backup software accessing browser data
level: high
---
title: Suspicious Python Native Extension Loading - Miasma/Hades Supply Chain
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects a Python interpreter started with an explicit reference to a .pth startup hook, a compiled extension (.pyd on Windows, .abi3.so in the pulse's Linux samples) or a site-packages path on its command line. A .pth hook planted by a malicious package runs implicitly at every interpreter start and leaves nothing on the command line, so this rule only catches direct invocation; pair it with file-creation monitoring of *.pth under site-packages.
status: experimental
date: 2026/06/14
author: Security Arsenal
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\pythonw.exe'
  selection_suspicious_module:
    CommandLine|contains:
      - '.pth'
      - '.abi3.so'
      - '.pyd'
      - '\site-packages\'
  condition: all of selection_*
falsepositives:
  - Developer tooling (pip, setuptools, IDE debuggers) that passes site-packages paths on the command line
level: medium
---
title: SilabRAT HijackLoader Process Injection
id: b2c3d4e5-f6a7-8901-bcde-f12345678901
description: Detects PowerShell command lines that name the Win32 memory and thread APIs used for process hollowing and remote-thread injection, a technique HijackLoader uses to stage SilabRAT or Agent Tesla in memory. rundll32 and regsvr32 perform these calls from inside a loaded DLL, so their command lines rarely carry the API names and they are not useful image filters here. An -EncodedCommand invocation also hides the strings from process-creation logs; PowerShell script block logging (Event ID 4104) sees the decoded text.
status: experimental
date: 2026/06/14
author: Security Arsenal
tags:
  - attack.defense_evasion
  - attack.t1055.012
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_host:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_api:
    CommandLine|contains:
      - 'VirtualAlloc'
      - 'WriteProcessMemory'
      - 'CreateRemoteThread'
      - 'NtUnmapViewOfSection'
  condition: all of selection_*
falsepositives:
  - Rare legitimate system administration scripts
  - Red-team and memory-forensics tooling launched from PowerShell
level: critical

KQL (Microsoft Sentinel)

KQL
// Hunt for the SHA256 and network indicators from the OTX pulses.
// Process and file tables are both checked: DeviceProcessEvents only sees the
// hash of an image that actually executed, while DeviceFileEvents also catches
// a dropped or downloaded payload that has not run yet.
let lookback = 30d;
let IOCHashes = dynamic([
  "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
  "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
  "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
  "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
  "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
]);
// Parent domains so that pan.rongtv.xyz / pan.ssffaa19.xyz and any sibling hosts match.
let IOCDomains = dynamic(["brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"]);
let IOCIPs = dynamic(["91.199.163.124"]);
union
  (DeviceProcessEvents
   | where Timestamp > ago(lookback) and SHA256 in (IOCHashes)
   | project Timestamp, DeviceName, Source="process", FileName, SHA256, FolderPath,
             Detail=ProcessCommandLine),
  (DeviceFileEvents
   | where Timestamp > ago(lookback) and SHA256 in (IOCHashes)
   | project Timestamp, DeviceName, Source="file", FileName, SHA256, FolderPath,
             Detail=InitiatingProcessCommandLine),
  (DeviceNetworkEvents
   | where Timestamp > ago(lookback)
   | where RemoteIP in (IOCIPs) or RemoteUrl has_any (IOCDomains)
   | project Timestamp, DeviceName, Source="network", FileName=InitiatingProcessFileName,
             Detail=strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort))
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
  IOC Hunt Script for Gremlin, SilabRAT, and PyPI Supply Chain Indicators
.DESCRIPTION
  Hashes PE files and Python native extensions under the system drive, compares
  them with the pulse SHA256 list, then checks the DNS client cache and live TCP
  connections for the C2 domains and IP. Run elevated so that every user profile
  (and every per-user Python site-packages directory) is readable.
#>

$IOC_Hashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)

# Domains are matched exactly and as parent domains (*.rongtv.xyz, *.ssffaa19.xyz).
$IOC_Domains = @("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")
$IOC_IPs     = @("91.199.163.124")

Write-Host "[+] Starting IOC Hunt..." -ForegroundColor Cyan

# Case-insensitive set: Get-FileHash returns upper-case hex, the pulse lists lower-case.
$hashSet = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($h in $IOC_Hashes) { [void]$hashSet.Add($h) }

# File types covered by the pulses: PE payloads plus Python native extensions.
$patterns = @('*.exe', '*.dll', '*.so', '*.pyd')
$fileHits = [System.Collections.Generic.List[string]]::new()

Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        try {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($hashSet.Contains($hash)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $($hash.ToLower())" -ForegroundColor Red
                $fileHits.Add($_.FullName)
            }
        } catch {
            # Locked or inaccessible file; skipped deliberately.
        }
    }

# DNS cache: match the hostname (exact or subdomain) or the resolved address.
Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Yellow
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_.Entry
    $domainHit = $IOC_Domains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }
    if ($domainHit -or ($IOC_IPs -contains $_.Data)) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $entry -> $($_.Data)" -ForegroundColor Red
    }
}

# Live sessions: any port counts, since RAT C2 rarely sits on 80/443 alone.
Write-Host "[+] Checking established TCP connections to the C2 address..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $IOC_IPs -contains $_.RemoteAddress } | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] ACTIVE C2 CONNECTION: $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))" -ForegroundColor Red
    }

Write-Host "[+] Hunt Complete. Hash hits: $($fileHits.Count)" -ForegroundColor Green

Response Priorities

Immediate

  1. Block IOCs: Block all listed SHA256 hashes, domains (brokeapt.com, *.rongtv.xyz, *.ssffaa19.xyz), and IP 91.199.163.124 at the perimeter and endpoints.
  2. Patch: Apply patches for CVE-2026-20128 and CVE-2026-20133 to all Cisco Catalyst SD-WAN controllers immediately.

24 Hours

  1. Credential Audit: Initiate forced password resets and MFA re-enrollment for accounts suspected of interacting with the malvertising (AI-themed links) or infected with SilabRAT/Gremlin.
  2. Developer Scan: Scan developer workstations for the presence of the malicious PyPI/npm packages listed in the Hades/Miasma pulse.

1 Week

  1. Supply Chain Hardening: Implement software composition analysis (SCA) and package verification for all Python and npm dependencies.
  2. Architecture Review: Review SD-WAN segmentation to ensure management interfaces are not exposed to the internet.
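The Supply Chain Hardening item above has a concrete, scriptable form for Python: refuse to install from a requirements file unless every entry is pinned and hash-locked (the rule pip enforces with --require-hashes), and refuse names that are one or two edits away from a package the team actually uses, which is exactly the gap typosquats such as the Miasma/Hades packages exploit. The gate below is an added example for this write-up, not code from the pulse or from pip; the team allowlist, the sample requirements file and its placeholder digests are constructed for the example.

```python
"""Pre-install gate for a Python requirements file.

Two checks per requirement: (1) pinned with == and carrying at least one
--hash=sha256 option, mirroring pip's --require-hashes mode; (2) the name is
on the team's allowlist, with the nearest allowlisted name reported when a
non-allowlisted name looks like a typosquat.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*[^\s;]+)?")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})\b")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of . _ - collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    name: str
    pinned: bool                 # has an == version specifier
    hashes: int                  # number of --hash=sha256 options on the line
    known: bool                  # name is on the team allowlist
    lookalike_of: Optional[str]  # nearest allowlisted name when not known and within reach

    def ok(self) -> bool:
        return self.pinned and self.hashes > 0 and self.known


def check_requirements(text: str, allowlist: List[str], max_distance: int = 2) -> List[Verdict]:
    """Join backslash continuations, then judge each requirement line."""
    known = sorted(normalize(n) for n in allowlist)
    verdicts = []
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.split("#", 1)[0].strip()
        if not logical or logical.startswith("-"):  # blank, comment, or pip option line
            continue
        m = REQ_LINE.match(logical)
        if not m:
            continue
        name = normalize(m.group(1))
        is_known = name in known
        lookalike = None
        if not is_known and known:
            dist, near = min((edit_distance(name, k), k) for k in known)
            lookalike = near if dist <= max_distance else None
        verdicts.append(Verdict(name, m.group(2) is not None,
                                len(HASH_OPT.findall(logical)), is_known, lookalike))
    return verdicts


# Constructed sample; the digests are placeholders, not real wheel hashes.
SAMPLE_REQUIREMENTS = (
    "# constructed sample requirements file\n"
    "numpy==1.26.4 \\\n"
    "    --hash=sha256:" + "0" * 64 + "\n"
    "biopython>=1.80\n"
    "bipython==1.0.0 --hash=sha256:" + "1" * 64 + "\n"
)
TEAM_ALLOWLIST = ["numpy", "biopython", "pandas"]  # constructed for the example

if __name__ == "__main__":
    for v in check_requirements(SAMPLE_REQUIREMENTS, TEAM_ALLOWLIST):
        status = "OK " if v.ok() else "FAIL"
        why = [] if v.pinned else ["not pinned"]
        why += [] if v.hashes else ["no hash"]
        if not v.known:
            why.append(f"not allowlisted, resembles {v.lookalike_of}" if v.lookalike_of else "not allowlisted")
        print(f"[{status}] {v.name}: {', '.join(why) or 'pinned and hash-locked'}")
```

Wire it into CI before the install step and run pip itself with --require-hashes so the second line of defence is pip's own verification; an allowlist miss that is not a lookalike is still a failure, because a brand-new dependency should be reviewed by a person before it reaches a developer workstation.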
