Back to Intelligence

Jalisco PhaaS & LabubaRAT: AI-Powered Threat Landscape Analysis

SA
Security Arsenal Team
July 15, 2026
6 min read

Recent OTX pulses indicate a concerning surge in AI-assisted threat operations converging on credential theft and remote access. The intelligence highlights three distinct but operationally relevant active threats:

  1. AI-Enhanced Phishing-as-a-Service (PaaS): The "Jalisco" toolkit and "OmegaLord" harvester are being utilized to bypass MFA through real-time OAuth device code phishing, specifically targeting Microsoft 365 environments.
  2. Advanced RAT Infrastructure: A new Rust-based Remote Access Trojan, LabubaRAT, is actively distributing under the guise of NVIDIA software. It employs DNS tunneling and SOCKS5 proxying for evasion and data exfiltration.
  3. AI-Accelerated C2 Operations: The threat actor "bandcampro" is leveraging generative AI (Google Gemini CLI) to build and deploy botnets in minutes, specifically targeting healthcare infrastructure (dental clinics).

Collectively, these pulses demonstrate a shift toward "low-code" malware development and AI-enhanced social engineering, significantly reducing the time-to-compromise for adversaries.

Threat Actor / Malware Profile

1. Jalisco Toolkit & OmegaLord

  • Type: Phishing-as-a-Service (PaaS) / Credential Harvester
  • Distribution: Spear-phishing links leading to credential capture pages.
  • Behavior:
    • Jalisco: Automates the OAuth "device code" flow attack. It provisions fresh device codes in real-time to bypass time-based MFA checks and hijack user sessions.
    • OmegaLord: Serves as a secondary credential harvester, capturing traditional username/password combinations before passing users to the legitimate site.
  • Objective: Long-term access to Microsoft 365 ecosystems via OAuth token theft.

2. LabubaRAT

  • Type: Remote Access Trojan (RAT)
  • Language: Rust
  • Distribution: Masquerading as legitimate NVIDIA software installers (fake metadata/runtime artifacts).
  • Behavior: Establishes persistent footholds via registry run keys or scheduled tasks. Capabilities include host profiling, security tool identification, command execution, file transfer, and screenshot capture.
  • C2 & Evasion: Uses DNS Tunneling and SOCKS5 proxying to blend traffic with legitimate web browsing and bypass network inspection.

3. Patriot Bait (bandcampro)

  • Actor: bandcampro
  • Type: AI-Assisted Botnet Operator
  • Target: Healthcare (specifically OpenDental systems in North America).
  • Behavior: Uses Google Gemini CLI to write code, debug architecture, and deploy C2 infrastructure. Analysis shows the actor compromised a WordPress site to host the C2 panel and controlled endpoints within six minutes of AI interaction.

IOC Analysis

The provided IOCs cover the infrastructure supporting these campaigns.

  • Domains: Multiple phishing domains (e.g., authplanned.online, sessionopen0.site) associated with Jalisco/OmegaLord and C2 domains (pipicka.xyz, tralalarkefe.com) for RAT/Botnet operations.
  • File Hashes:
    • 9f8a2983fbf5479e8d8c267e0df4e73d (MD5) - Associated with Jalisco components.
    • 8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d (SHA256) - LabubaRAT payload.
  • Network IPs: C2 IP addresses including 168.222.254.204, 191.44.109.130 (LabubaRAT), and 213.165.51.115 (Patriot Bait).

Operational Guidance: SOC teams should immediately load these indicators into EDR (for hash scanning), Firewall/SWG (for domain/IP blocking), and SIEM (for correlation).

Detection Engineering

YAML
---
title: Jalisco Toolkit Phishing Domain Access
id: 9b2c3d4e-5f6a-4b8c-9d1e-2f3a4b5c6d7e
status: experimental
description: Detects network connections to known domains associated with the Jalisco Phishing-as-a-Service toolkit and OmegaLord harvester.
references:
    - https://otx.alienvault.com/pulse/66955a1f8d9c8f4a1c2b3c4d
author: Security Arsenal Research
date: 2026/07/15
tags:
    - attack.credential_access
    - attack.initial_access
logsource:
    category: proxy
    product: zeek
detection:
    selection:
        hostname|contains:
            - 'authplanned.online'
            - 'levaquin2us.top'
            - 'sessionopen0.site'
            - 'grantfundingapplications.com'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: LabubaRAT Execution via Suspicious Hash
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects execution of LabubaRAT binaries based on known SHA256 hashes identified in OTX pulses.
references:
    - https://otx.alienvault.com/pulse/66955a1f8d9c8f4a1c2b3c4e
author: Security Arsenal Research
date: 2026/07/15
tags:
    - attack.execution
    - attack.persistence
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'SHA256=8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d'
            - 'SHA256=b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328'
    condition: selection
falsepositives:
    - Legitimate NVIDIA software (false positive if hash matches legitimate software, unlikely for these specific hashes)
level: high
---
title: Patriot Bait C2 Infrastructure Connection
id: f1e2d3c4-b5a6-4f7e-9d0c-1a2b3c4d5e6f
status: experimental
description: Detects outbound connections to IP addresses and domains associated with the 'bandcampro' Patriot Bait botnet campaign.
references:
    - https://otx.alienvault.com/pulse/66955a1f8d9c8f4a1c2b3c4f
author: Security Arsenal Research
date: 2026/07/15
tags:
    - attack.command_and_control
    - attack.botnet
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp|startswith:
            - '213.165.51.115'
    selection_domain:
        DestinationHostname|contains:
            - 'tralalarkefe.com'
    condition: 1 of selection*
falsepositives:
    - Rare
level: high


kql
// Hunt for Jalisco/OmegaLord Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("authplanned.online", "levaquin2us.top", "sessionopen0.site", "grantfundingapplications.com", "pipicka.xyz", "tralalarkefe.com")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend FullURL = strcat("https://", RemoteUrl)
| sort by Timestamp desc

// Hunt for LabubaRAT File Presence
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in ("8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d", "b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName

// Hunt for Patriot Bait / Bandcampro C2 IP
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "213.165.51.115" or RemoteIP == "168.222.254.204" or RemoteIP == "191.44.109.130"
| summarize count() by DeviceName, RemoteIP, RemotePort


powershell
# PowerShell IOC Hunt Script for LabubaRAT & Jalisco Artifacts
# Requires Administrator privileges

Write-Host "Starting IOC Hunt for LabubaRAT and Jalisco Toolkits..." -ForegroundColor Cyan

# Define Malicious Hashes from Pulse Data
$MaliciousHashes = @( 
    "8c4e4804f21649e5ddc6a5670f3b3828a43bff304f02f184f9842c2569570f3d", 
    "b7443b0ab48d2f5786d1b6f3a580f02621e9ae5a3877ee3a44e01df13d984328",
    "9f8a2983fbf5479e8d8c267e0df4e73d"
)

# Scan common download directories and temp folders
$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp\")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check for DNS cache entries related to C2 domains
$C2Domains = @("pipicka.xyz", "tralalarkefe.com")
Write-Host "Checking DNS Cache for C2 Domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $C2Domains -contains $_.Entry } | ForEach-Object {
    Write-Host "[!] SUSPICIOUS DNS ENTRY: $($_.Entry) - $($_.Data)" -ForegroundColor Red
}

Write-Host "Hunt Complete." -ForegroundColor Green


# Response Priorities

*   **Immediate:** Block all listed domains and IPs on perimeter firewalls and secure web gateways. Quarantine endpoints matching the LabubaRAT file hashes.
*   **24 Hours:** Audit Azure AD/Microsoft 365 sign-in logs for "Device Code" flow authentication events, specifically looking for anomalous geographic locations or device usage. Force password resets and revoke OAuth tokens for users potentially impacted by the Jalisco phishing campaign.
*   **1 Week:** Implement strict policies blocking the execution of unauthorized installers masquerading as NVIDIA software. Review and restrict the use of generative AI CLI tools (e.g., Google Gemini CLI) within the development environment to prevent "Patriot Bait" style insider-assisted attacks.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptjalisco-toolkitlabubaratpatriot-baitai-phishingoauth-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.