Recent OTX pulses indicate a convergence of high-risk credential theft operations. Storm-3075 is aggressively exploiting the AI hype cycle, impersonating brands like ChatGPT and DeepSeek to distribute Vidar and Lumma Stealers via malvertising and SEO poisoning. Parallel to this, a sophisticated supply chain campaign is targeting Bioinformatics and MCP developers, deploying Hades, Mini Shai-Hulud, and Miasma worms through typosquatted packages on PyPI and npm that utilize malicious .pth hooks and native extensions. Meanwhile, the Argamal RAT campaign is targeting gamers through trojanized adult games, utilizing COM hijacking for persistence. The collective objective across these disparate vectors is the theft of sensitive credentials, financial data, and system access to facilitate secondary fraud or ransomware deployment.
Threat Actor / Malware Profile
Storm-3075
- Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster, GhostSocks.
- Distribution: Social engineering, malvertising, and SEO poisoning mimicking AI platforms (ChatGPT, Copilot).
- Behavior: Initial access often leads to Hijack Loader, which decrypts and injects the final payload (Vidar/Lumma). These stealers target browser data, cryptocurrency wallets, and 2FA sessions.
TroyDen / Unknown Supply Chain Actors
- Malware Families: LuaJIT, Redline, Lumma Stealer, Hades, Mini Shai-Hulud, Miasma.
- Distribution: Malicious Python (PyPI) and JavaScript (npm) packages. The Hades/Miasma campaign specifically uses trojanized native
.abi3.soextensions and executable.pthstartup hooks. - Behavior: The malicious packages execute code immediately upon import (
import time), searchingsys.pathfor the next stage or establishing C2. The TroyDen campaign uses AI-generated lure names with biological taxonomy terms.
Argamal (Termixia)
- Malware Families: Argamal, Termixia.
- Distribution: Bundled with adult-themed games (hentai).
- Persistence: COM Hijacking. Replaces the
InprocServer32entry for the Windows Color System Calibration Loader DLL. - Behavior: Dwells on the system for days before downloading a RAT payload, achieving full system compromise.
IOC Analysis
The provided pulses contain a mix of network and file-based indicators:
- Domains/Hostnames: Includes C2 infrastructure such as
brokeapt.com,pan.rongtv.xyz, andasper1.freeddns.org. These should be blocked at the perimeter and DNS layers. - File Hashes: Multiple SHA1, SHA256, and MD5 hashes associated with loaders, payloads, and game installers. These are critical for EDR correlation and retrospective hunting.
- CVE: Mention of
CVE-2026-3102related to Argamal distribution.
Operational Guidance: SOC teams should immediately upload the SHA256 hashes to their EDR (e.g., CrowdStrike, SentinelOne) to trigger alerts on execution. Domains should be added to blocklists (Palo Alto, Cisco Umbrella). Given the prevalence of PowerShell in these attack chains, script block logging must be enabled.
Detection Engineering
Sigma Rules
---
title: Potential Vidar/Lumma Stealer Execution via PowerShell
description: Detects execution patterns often associated with Vidar and Lumma stealers using PowerShell download cradles or rundll32, as seen in Storm-3075 campaigns.
references:
- https://otx.alienvault.com/pulse/666...
author: Security Arsenal
date: 2026/06/10
tags:
- attack.defense_evasion
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\rundll32.exe'
CommandLine|contains:
- 'DownloadString'
- 'http://'
- 'https://'
condition: selection
falsepositives:
- Legitimate software updates
level: high
---
title: Suspicious Python Package Installation (Supply Chain)
description: Detects the installation of Python packages potentially involved in supply chain attacks (Hades/Miasma) executing code via .pth hooks or .so files in site-packages.
references:
- https://otx.alienvault.com/pulse/666...
author: Security Arsenal
date: 2026/06/10
tags:
- attack.initial_access
- attack.supply_chain
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\python.exe'
CommandLine|contains: 'pip install'
filter_main_pypi:
CommandLine|contains: 'pypi.org'
condition: selection and not filter_main_pypi
falsepositives:
- Installing from internal/private indexes
level: medium
---
title: Registry Modification for Windows Color System Calibration (Argamal)
description: Detects registry modifications associated with Argamal malware which hijacks the Windows Color System Calibration Loader via InprocServer32.
references:
- https://otx.alienvault.com/pulse/666...
author: Security Arsenal
date: 2026/06/10
tags:
- attack.persistence
- attack.t1546.015
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\CLSID\'
TargetObject|contains: 'InprocServer32'
Details|contains: '.dll'
filter_legit:
Details|contains:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter_legit
falsepositives:
- Rare; legitimate software should use system paths
level: critical
KQL (Microsoft Sentinel)
// Hunt for known malicious file hashes from OTX Pulses (Storm-3075, Hades, Argamal, GriefLure)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
"6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
"6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9", // Hades/Miasma
"0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
"25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
"5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
"56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23", // Storm-3075
"197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6",
"35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43",
"61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f",
"7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d",
"91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067" // GriefLure
)
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, SHA256, InitiatingProcessFileName
PowerShell Hunt Script
# Hunt for Argamal COM Hijacking Persistence and suspicious Python paths
Write-Host "Checking for Argamal COM Hijacking (InprocServer32 modifications)..." -ForegroundColor Cyan
# Define CLSID for Windows Color System Calibration Loader (Common Target)
$ColorSystemCLSID = "1A051536-9BA4-4B48-A864-CB41A6D5F88E"
$PathsToCheck = @(
"Registry::HKCU\Software\Classes\CLSID\{$ColorSystemCLSID}\InprocServer32",
"Registry::HKLM\Software\Classes\CLSID\{$ColorSystemCLSID}\InprocServer32"
)
foreach ($Path in $PathsToCheck) {
if (Test-Path $Path) {
$Item = Get-ItemProperty -Path $Path
$DllPath = $Item."(default)"
# Filter for system DLLs (mscms.dll is the legitimate one)
if ($DllPath -and -not ($DllPath -like "*mscms.dll" -or $DllPath -like "*C:\Windows*")) {
Write-Host "[ALERT] Suspicious DLL found in InprocServer32: $DllPath" -ForegroundColor Red
if (Test-Path $DllPath) {
Write-Host "File exists on disk." -ForegroundColor Red
Get-FileHash -Path $DllPath -Algorithm SHA256 | Format-List
}
}
}
}
Write-Host "Checking for suspicious Python site-packages modifications (Hades/Miasma)..." -ForegroundColor Cyan
# Look for recent .pth or .so files in common site-packages locations (Basic Scan)
$PythonPaths = @(
"$env:LOCALAPPDATA\Programs\Python",
"$env:APPDATA\Python",
"C:\Python*"
)
$SuspiciousFiles = Get-ChildItem -Path $PythonPaths -Recurse -Include *.pth, *.so -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) }
if ($SuspiciousFiles) {
Write-Host "[WARNING] Found recently modified Python extension files:" -ForegroundColor Yellow
$SuspiciousFiles | Select-Object FullName, LastWriteTime | Format-Table
}
# Response Priorities
* **Immediate:** Block identified domains (`brokeapt.com`, `asper1.freeddns.org`) and sinkhole associated IPs. Initiate a hunt for the SHA256 file hashes provided in the IOC analysis across all endpoints.
* **24h:** If evidence of infostealer infection (Lumma, Vidar, Redline) is found, force a password reset for all user credentials stored in browsers and revoke active session tokens for critical applications.
* **1 Week:** Implement application control policies to block unsigned Python packages and restrict execution of PowerShell in non-interactive modes. Conduct a review of software supply chain sources for developer environments.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.