Back to Intelligence

Kimsuky PebbleDash, Vidar Stealer & ASO RAT: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 14, 2026
6 min read

Recent OTX pulses indicate a surge in diverse threat campaigns ranging from state-sponsored espionage to financially motivated credential theft. Intelligence has identified the Kimsuky APT group deploying advanced toolsets based on the PebbleDash platform, utilizing Rust-based backdoors (HelloDoor) and abusing VSCode tunneling for C2 evasion. Simultaneously, a Vidar Stealer campaign is active, leveraging AutoIt loaders and masquerading hacktools to deliver payloads. Lastly, the ASO RAT surveillance campaign continues to target Android users in the Syrian conflict zone using DDNS infrastructure.

Collectively, these campaigns demonstrate adversaries' reliance on living-off-the-land (LotL) binaries (VSCode), file masquerading techniques, and obscured C2 channels (Cloudflare tunnels, DDNS) to bypass traditional defenses.

Threat Actor / Malware Profile

1. Kimsuky (APT43) - PebbleDash Campaign

  • Malware Families: HelloDoor (Rust), httpMalice, httpTroy, AppleSeed, HappyDoor.
  • Distribution: Spear-phishing links leading to malicious payloads.
  • Persistence: Abuse of legitimate tools, specifically VSCode Tunneling, to maintain persistent C2 channels that blend in with administrative traffic.
  • Behavior: Use of HTTP and Dropbox communications for data exfiltration; process discovery and defense evasion.

2. Vidar Stealer Loader

  • Malware Families: Vidar, Arkei.
  • Distribution: Initial execution via MicrosoftToolkit.exe (a commonly abused hack tool).
  • Technique: File Masquerading. The attack chain involves renaming a malicious .dot file to .bat to evade detection filters.
  • Behavior: Process discovery, termination of security-related processes, and subsequent credential theft.

3. ASO RAT

  • Target: Government, Media, NGO, Defense in Syria.
  • Platform: Android.
  • Behavior: comprehensive surveillance including SMS interception, camera access, GPS tracking, and DDoS functionality.
  • C2: Uses DDNS (aso.ddns.net) hosted on Frankfurt-based infrastructure.

IOC Analysis

The indicators provided span multiple vectors requiring a layered defense approach:

  • Network Infrastructure: Dominated by Dynamic DNS (DDNS) and Cloudflare Tunnels (e.g., aso.ddns.net, female-disorder-beta-metropolitan.trycloudflare.com). Adversaries use these to hide the true origin of C2 servers.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes associated with AutoIT scripts, Android APKs, and Rust binaries. These are critical for EDR correlation.
  • CVEs: ASO RAT indicators reference CVE-2023-44487 and CVE-2025-23419, suggesting potential exploitation of web servers or proxy services for initial access or C2 hosting.

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter. File hashes should be uploaded to EDR solutions for "Block and Alert" policies. Special attention should be paid to outbound connections to trycloudflare.com endpoints from non-developer workstations.

Detection Engineering

Sigma Rules

YAML
title: Potential Vidar Stealer AutoIt Loader Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects execution of AutoIT interpreter processes spawning from renamed .bat files or hacktools like MicrosoftToolkit.exe, associated with Vidar Stealer campaigns.
status: experimental
date: 2026/05/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6428a1b2c3d4
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith:
            - '\MicrosoftToolkit.exe'
            - '\AutoIt3.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\cscript.exe'
    selection_masquerade:
        CommandLine|contains:
            - '.bat'
            - '.dot'
    condition: selection_parent and (selection_child or selection_masquerade)
falsepositives:
    - Legitimate administration using AutoIT scripts
level: high
---
title: Kimsuky APT VSCode Tunneling Usage
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects the use of Visual Studio Code tunneling features, often abused by Kimsuky for persistent C2 communications using the PebbleDash framework.
status: experimental
date: 2026/05/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6428e5f6a7b8
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\code.exe'
    selection_cli:
        CommandLine|contains: 'tunnel'
    filter_legit:
        ParentImage|contains:
            - '\Program Files\'
            - '\Visual Studio\'
    condition: selection_img and selection_cli and not filter_legit
falsepositives:
    - Legitimate developer remote access
level: medium
---
title: ASO RAT C2 Domain Connection
id: c3d4e5f6-7890-12cd-ef34-567890123456
description: Detects network connections to known ASO RAT DDNS infrastructure used for Android device surveillance and DDoS commands.
status: experimental
date: 2026/05/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/642891011213
tags:
    - attack.command_and_control
    - attack.t1071.004
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'aso.ddns.net'
    condition: selection
falsepositives:
    - Unknown
level: critical

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Hunt for Vidar Stealer Loader and Kimsuky Network Indicators
// Union of process and network events
let IOCs = pack_array(
    "aso.ddns.net", 
    "gz.technicalprorj.xyz",
    "female-disorder-beta-metropolitan.trycloudflare.com",
    "attach.docucloud.o-r.kr",
    "load.auraria.org",
    "load.ssangyongcne.o-r.kr"
);
let MaliciousHashes = pack_array(
    "7ac9278876c83c9b597fae68acb6fbf9", // MD5 Vidar
    "5c373c2116ab4a615e622f577e22e9be", // MD5 Kimsuky
    "d1ec20144c83bba921243e72c517da5e"  // MD5 Kimsuky
);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName has_any ("MicrosoftToolkit.exe", "AutoIt3.exe") or SHA256 in (MaliciousHashes)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
| union (DeviceNetworkEvents
| where Timestamp >= ago(7d)
| where RemoteUrl has_any (IOCs) or RemoteDomain has_any (IOCs)
| project Timestamp, DeviceName, RemoteUrl, RemotePort, RemoteIP, InitiatingProcessFileName
)

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunt script for Vidar Stealer components and Kimsuky persistence mechanisms.
.DESCRIPTION
    Checks processes for VSCode tunneling and scans for specific file hashes on disk.
#>

$TargetHashes = @(
    "7ac9278876c83c9b597fae68acb6fbf9",
    "5c373c2116ab4a615e622f577e22e9be",
    "d1ec20144c83bba921243e72c517da5e",
    "58ac2f65e335922be3f60e57099dc8a3"
)

# 1. Check for VSCode Tunneling (Kimsuky C2 technique)
Write-Host "[+] Checking for VSCode Tunneling processes..."
$tunnelProcess = Get-Process | Where-Object { $_.ProcessName -eq "Code" -and $_.CommandLine -like "*tunnel*" }
if ($tunnelProcess) {
    Write-Host "[!] ALERT: VSCode Tunneling detected:" -ForegroundColor Red
    $tunnelProcess | Select-Object Id, ProcessName, Path, CommandLine | Format-List
} else {
    Write-Host "[-] No tunneling processes found."
}

# 2. File Hash Scan (Recursive scan of common user directories)
Write-Host "[+] Scanning for malicious file hashes..."
$paths = @("$env:USERPROFILE\Downloads", "$env:APPDATA", "$env:TEMP")

foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue | Where-Object { 
            $TargetHashes -contains $_.Hash.ToLower() 
        } | ForEach-Object {
            Write-Host "[!] ALERT: Malicious file found at $($_.Path)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Hunt Complete."


# Response Priorities

**Immediate (0-4h):**
*   Block all listed domains and IPs on firewalls and proxies.
*   Isolate any endpoints flagging on the provided MD5/SHA256 hashes.
*   Kill non-critical processes utilizing VSCode tunneling originating from non-dev assets.

**24 Hours:**
*   **Credential Audit:** In environments potentially hit by Vidar/Arkei, force reset of cached credentials and browser cookies.
*   **Mobile Threat Defense:** For organizations operating in Syria, scan Android devices for the ASO RAT hashes (MD5: `31514358bf684a1e466a9e8069c11031`).

**1 Week:**
*   **Application Control:** Implement policies blocking `MicrosoftToolkit.exe` and unauthorized AutoIt interpreters.
*   **Network Segmentation:** Restrict the ability of endpoints to initiate tunnels to Cloudflare or similar proxy services without explicit approval.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwarekimsuky-aptvidar-stealeraso-ratandroid-malwareinfo-stealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action