
Lumma Stealer, Vidar, and SilabRAT Credential Harvesting Campaigns: OTX Pulse Analysis & Detection Engineering

Security Arsenal Team
June 10, 2026

Recent OTX pulses point to a coordinated surge in credential theft and infostealer activity that uses Artificial Intelligence (AI) and software-development themes as lures. The actors named are Storm-3075 and o1oo1, alongside unattributed groups, all running multi-stage attack chains to harvest sensitive data. The common objective is financial gain: stolen credentials, compromised cryptocurrency wallets, and the resale of initial access through Malware-as-a-Service (MaaS) offerings.

The attack chains are diverse:

  1. Social Engineering: Impersonating AI brands (ChatGPT, Claude) via SEO poisoning and malvertising to distribute Vidar, Lumma Stealer, and Hijack Loader.
  2. Supply Chain Compromise: Targeting developers and bioinformatics researchers via malicious PyPI and npm packages (Mini Shai-Hulud, Miasma) using typosquatting and trojanized native extensions.
  3. MaaS Distribution: The SilabRAT trojan and Needle crypto-stealer are actively marketed on dark web forums, offering hidden VNC (HVNC) and browser profile cloning capabilities to bypass security controls.

Two things stand out across these campaigns: high-volume, AI-assisted lure generation, and a reliance on loaders and crypters such as Hijack Loader and AsmCrypt to stage payloads and evade detection.

Threat Actor / Malware Profile

Storm-3075 (AI-Themed Lures)

  • Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster, GhostSocks.
  • Distribution: Malvertising, SEO poisoning, and social engineering impersonating AI platforms (ChatGPT, DeepSeek).
  • Payload Behavior: Vidar and Lumma focus on stealing browser data, cryptocurrency wallets, and system information. Hijack Loader acts as a shellcode loader to execute subsequent payloads.
  • C2 Communication: HTTP/HTTPS to hardcoded domains (e.g., brokeapt.com).
  • Persistence: Scheduled tasks or registry run keys established by the loader.

o1oo1 (SilabRAT MaaS)

  • Malware Family: SilabRAT (with HijackLoader and AsmCrypt).
  • Distribution: Sold on dark web forums as a $5,000/month subscription; delivery to victims is likely via phishing or cracked software.
  • Payload Behavior: Advanced Remote Access Trojan (RAT) featuring Hidden VNC (HVNC) for invisible remote control, browser profile cloning to bypass MFA/session protections, and cryptocurrency wallet theft.
  • C2 Communication: Encrypted HTTP to C2 infrastructure (IP: 91.199.163.124).
  • Persistence: Uses Hijack Loader for shellcode execution and establishes scheduled tasks for persistence.

Unknown Actor (Supply Chain)

  • Malware Families: Hades, Mini Shai-Hulud, Miasma, LuaJIT-based infostealers.
  • Distribution: Malicious packages on PyPI and npm repositories targeting developers (MCP, Bioinformatics). Uses typosquatting and trojanized .abi3.so or .pth files.
  • Payload Behavior: Steals credentials and SSH keys. Uses a split loader/payload design: the loader half (carried in the trojanized .pth or native extension) walks sys.path to locate and execute the payload half. Note that any line beginning with `import` in a .pth file under site-packages is executed automatically every time the interpreter starts, so the loader needs no explicit invocation.
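The start-up hook that this loader/payload split relies on is easy to audit for. What follows is an added Python example, not code from the pulses, from the malware described, or from the Security Arsenal team: it scans site-packages for .pth files whose `import` lines execute code and ranks them. The severity tiers, the high-risk token list, the module allowlist and the sample .pth files are this example's own assumptions. It covers the general case rather than this campaign alone: any executable .pth line is reported, whichever package dropped it.

```python
"""
Added example (not from the original post or any malware it describes):
audit a Python installation for .pth files that run code at start-up.

site.py reads every *.pth in each site-packages directory when the
interpreter starts.  Plain lines are appended to sys.path; a line that
begins with "import " is handed to exec() as Python, so a loader placed
on such a line runs on every python invocation and can walk sys.path for
its payload half.  Tiers, token lists, allowlist and samples are assumed.
"""
import glob
import os
import site
import tempfile
from dataclasses import dataclass

# Modules that legitimate tooling is known to import from .pth files (assumed allowlist).
KNOWN_PTH_MODULES = {"_distutils_hack", "_virtualenv", "_pytest", "os", "sys"}
# Primitives that have no business on a .pth line (assumed list).
HIGH_RISK_TOKENS = ("exec(", "eval(", "base64", "marshal", "zlib",
                    "compile(", "socket", "urllib", "subprocess")


@dataclass
class Finding:
    path: str
    line_no: int
    severity: str   # "high", "medium" or "low"
    reason: str
    line: str


def audit_pth_text(path, text):
    """Classify every executable line in the contents of one .pth file."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Only "import ..." lines are exec()'d; anything else merely extends sys.path.
        if not line.startswith(("import ", "import\t")):
            continue
        if any(tok in line for tok in HIGH_RISK_TOKENS):
            findings.append(Finding(path, line_no, "high",
                            "executable .pth line uses decode/exec/network primitives", raw))
            continue
        if ";" in line:
            findings.append(Finding(path, line_no, "medium",
                            "multi-statement executable .pth line", raw))
            continue
        modules = {m.strip().split(" as ")[0].split(".")[0]
                   for m in line[len("import"):].split(",")}
        unknown = sorted(modules - KNOWN_PTH_MODULES)
        if unknown:
            findings.append(Finding(path, line_no, "medium",
                            f"executable .pth line imports unrecognised module(s) {unknown}", raw))
        else:
            findings.append(Finding(path, line_no, "low",
                            "executable .pth line importing known tooling", raw))
    return findings


def audit_site_packages(dirs=None):
    """Audit *.pth in the given directories (default: this interpreter's site-packages)."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", lambda: [])()) + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        for pth in sorted(glob.glob(os.path.join(d, "*.pth"))):
            try:
                with open(pth, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_pth_text(pth, fh.read()))
            except OSError:
                continue
    return findings


# Constructed samples (not real package contents): a path-only file, the
# setuptools-style shim that legitimately runs code, a virtualenv hook, and
# a loader line of the shape a trojanised package could drop.
SAMPLES = {
    "easy-install.pth": "/opt/tools/lib\n./vendored-package\n",
    "distutils-precedence.pth": "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
                                "enabled = os.environ.get(var, 'local') == 'local'; "
                                "enabled and __import__('_distutils_hack').add_shim();\n",
    "_virtualenv.pth": "import _virtualenv\n",
    "zz-helper.pth": "import base64,sys;exec(base64.b64decode('cHJpbnQoJ2xvYWRlcicp'))\n",
}


def demo():
    """Write the samples into a temporary site-packages and return {file: severity}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = audit_site_packages([tmp])
    return {os.path.basename(f.path): f.severity for f in findings}


if __name__ == "__main__":
    for f in audit_site_packages():   # the interpreter you are running this with
        print(f"[{f.severity}] {f.path}:{f.line_no} {f.reason}: {f.line.strip()}")
    print(demo())   # {'_virtualenv.pth': 'low', 'distutils-precedence.pth': 'medium', 'zz-helper.pth': 'high'}
```

Run it against the interpreter images you ship to developer and research workstations and baseline the output: the setuptools shim is expected to appear at "medium" and is the reference for what a legitimate executable .pth line looks like, so anything new at "medium" or "high" after a `pip install` is worth opening.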

Needle Crypto-Stealer

  • Malware Families: ThreatNeedle, RustyStealer.
  • Distribution: Malicious browser extensions and cracked wallet software.
  • Payload Behavior: Impersonates legitimate wallet apps (Exodus, Trezor) and extensions (MetaMask, Phantom). Uses a "wallet-spoofer" module to swap transaction addresses.

IOC Analysis

The provided IOCs include:

  • Domains/Hostnames: brokeapt.com, pan.rongtv.xyz, pan.ssffaa19.xyz. These should be added to DNS sinkholes and blocked at the perimeter.
  • IPv4 Addresses: 91.199.163.124 (SilabRAT C2). Block inbound/outbound traffic to this IP.
  • File Hashes (SHA1/SHA256): Multiple hashes for Vidar, Lumma, SilabRAT, and supply chain worms.
    • SOC Operationalization: EDR solutions should be configured to alert on execution or file creation matching these hashes. SIEM correlations should look for these hashes in DeviceProcessEvents or DeviceFileEvents.
  • Tooling: A YARA rule keyed on these hashes (via the hash module) matches only byte-identical samples; string and behavioral rules require the samples themselves. C2 IP/domain reputation can be checked through AlienVault OTX or VirusTotal integrations within the SIEM.

Detection Engineering

yaml
title: Potential Lumma Stealer or Vidar Loader Activity
id: c4a5e1b0-88f5-4b4e-9d2f-1a2b3c4d5e6f
status: experimental
description: Detects mshta, regsvr32 or rundll32 launched from a PowerShell or cmd parent with a command line that references a URL or a user-writable drop path, the pattern seen in Lumma Stealer and Vidar delivery chains where a script stage downloads the next payload and proxies its execution through a signed binary.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-06-10
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1204
    - attack.t1218.005
    - attack.t1218.010
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
    selection_child:
        Image|endswith:
            - '\mshta.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
    selection_cmdline:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '\AppData\'
            - '\Temp\'
            - '\ProgramData\'
            - '\Users\Public\'
    condition: all of selection_*
falsepositives:
    - Administrative scripts that register DLLs or launch HTA files from user-writable locations
    - Installers that stage components under AppData or ProgramData
level: high
---
title: SilabRAT MaaS C2 Traffic Pattern
id: d5b6f2c1-99a6-5c5f-0e3a-2b3c4d5e6f7a
status: experimental
description: Detects outbound connections to the SilabRAT C2 address and to the Vidar/Lumma delivery domains reported in the OTX pulses. This is an indicator match only and does not model the protocol. No port constraint is applied so that C2 on a non-standard port is not missed.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-06-10
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_ioc_ip:
        DestinationIp: '91.199.163.124'
    selection_ioc_domain:
        DestinationHostname:
            - 'brokeapt.com'
            - 'pan.rongtv.xyz'
            - 'pan.ssffaa19.xyz'
    selection_ioc_subdomain:
        DestinationHostname|endswith:
            - '.brokeapt.com'
            - '.rongtv.xyz'
            - '.ssffaa19.xyz'
    selection_outbound:
        Initiated: 'true'
    condition: selection_outbound and 1 of selection_ioc_*
falsepositives:
    - Unlikely; confirm the address has not been re-assigned before acting on a single hit
level: critical
---
title: Suspicious Python Package Execution (Miasma/Mini Shai-Hulud)
id: e6c7a3d2-00b7-6d6a-1f4b-3c4d5e6f7a8b
status: experimental
description: Hunting rule for Python interpreters invoked with a command line that references site-packages, a .pth file or an abi3 native extension, the artefacts used by the malicious PyPI packages (Miasma, Hades) that split a .pth loader from a payload located via sys.path. A .pth loader runs implicitly at interpreter start-up, so this rule only catches explicit invocation; pair it with the file-hash hunts and a periodic audit of site-packages/*.pth. Scoped to Linux, where the .abi3.so extension and most bioinformatics workloads live.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026-06-10
tags:
    - attack.execution
    - attack.t1059.006
    - attack.t1195.002
logsource:
    category: process_creation
    product: linux
detection:
    selection_python:
        Image|re: '/python(3(\.[0-9]+)?)?$'
    selection_cli:
        CommandLine|contains:
            - 'site-packages'
            - '.pth'
            - '.abi3.so'
    condition: all of selection_*
falsepositives:
    - Legitimate developer builds or testing environments
    - Package managers and build tools that pass site-packages paths on the command line
level: medium
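The C2 rule is pure indicator matching, and the value of a rule like that depends entirely on how the selections are combined and how each field is compared. The following is an added Python harness, not part of the original post or of any Sigma tooling: it evaluates two ways of combining the SilabRAT rule's selections over constructed network_connection events, the permissive `1 of selection_*` form with a port-only selection OR'd in, and an IOC-gated form. The event records, the domain list and the "corrected" condition are this example's own assumptions; field names follow Sigma's network_connection category.

```python
"""
Added example (not part of the original post): a minimal evaluator for
the selections of the SilabRAT C2 rule, run over constructed
network_connection events.  It makes two rule-writing pitfalls concrete:
OR-ing a port-only selection into the condition (the rule then fires on
every outbound web session) and matching an IP with |contains (which
also hits addresses that merely embed the IOC).  Events, domain list and
the corrected condition are this example's own.
"""

C2_IPS = ["91.199.163.124"]
C2_DOMAINS = ["brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"]

# Constructed events: a true C2 hit, a benign HTTPS session, an IP that only
# contains the IOC as a substring, a subdomain of an IOC domain, and a
# look-alike domain that merely ends with the IOC string.
EVENTS = [
    {"DestinationIp": "91.199.163.124",  "DestinationHostname": "",                   "DestinationPort": 443,  "Initiated": "true"},
    {"DestinationIp": "142.250.72.14",   "DestinationHostname": "www.example.com",    "DestinationPort": 443,  "Initiated": "true"},
    {"DestinationIp": "191.199.163.124", "DestinationHostname": "",                   "DestinationPort": 8443, "Initiated": "true"},
    {"DestinationIp": "203.0.113.10",    "DestinationHostname": "cdn.pan.rongtv.xyz", "DestinationPort": 80,   "Initiated": "true"},
    {"DestinationIp": "198.51.100.7",    "DestinationHostname": "notrongtv.xyz",      "DestinationPort": 443,  "Initiated": "true"},
]


def _matches(value, needles, mode):
    """Sigma value modifiers: plain (exact), |contains, |endswith; case-insensitive like Sigma."""
    v = str(value).lower()
    for n in (str(n).lower() for n in needles):
        if (mode == "exact" and v == n) or (mode == "contains" and n in v) \
                or (mode == "endswith" and v.endswith(n)):
            return True
    return False


# --- selections in the permissive form -------------------------------------
def sel_ip_contains(ev):
    return _matches(ev["DestinationIp"], C2_IPS, "contains")

def sel_domain_contains(ev):
    return _matches(ev["DestinationHostname"], C2_DOMAINS, "contains")

def sel_behavior(ev):
    return ev["Initiated"] == "true" and ev["DestinationPort"] in (80, 443)

# --- tightened selections --------------------------------------------------
def sel_ip_exact(ev):
    return _matches(ev["DestinationIp"], C2_IPS, "exact")

def sel_domain_or_subdomain(ev):
    host = ev["DestinationHostname"]
    return (_matches(host, C2_DOMAINS, "exact")
            or _matches(host, ["." + d for d in C2_DOMAINS], "endswith"))

def sel_outbound(ev):
    # No port constraint: C2 on a non-standard port must still match.
    return ev["Initiated"] == "true"


def original_condition(ev):
    """'1 of selection_*': any single selection, including the port-only one, fires."""
    return sel_ip_contains(ev) or sel_domain_contains(ev) or sel_behavior(ev)

def corrected_condition(ev):
    """An IOC hit is required; the behaviour selection only narrows it."""
    return sel_outbound(ev) and (sel_ip_exact(ev) or sel_domain_or_subdomain(ev))

def evaluate(events, condition):
    """Indices of the events the condition fires on."""
    return [i for i, ev in enumerate(events) if condition(ev)]


if __name__ == "__main__":
    print("permissive:", evaluate(EVENTS, original_condition))   # [0, 1, 2, 3, 4]
    print("corrected :", evaluate(EVENTS, corrected_condition))  # [0, 3]
```

The permissive form fires on all five events, including the benign HTTPS session and the look-alikes; the gated form fires on the true C2 hit and the IOC subdomain only. The same harness is a cheap way to regression-test any IOC rule before it goes to a critical-severity alert queue.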


kql
// Hunt for SilabRAT and Vidar/Lumma IOCs in DeviceNetworkEvents
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz") 
   or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort

// Hunt for execution of known file hashes (SHA256). DeviceProcessEvents only carries the hash of the launched image;
// run the same list against DeviceFileEvents to catch payloads that were dropped but not yet executed.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2"
)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256


powershell
# PowerShell Script to Hunt for SilabRAT and Infostealer Artifacts
# Requires Administrative Privileges (for a complete view of scheduled tasks, other users' profiles and owning processes)

Write-Host "Starting Hunt for SilabRAT, Lumma, and Vidar Artifacts..." -ForegroundColor Cyan

# 1. Check for Suspicious Scheduled Tasks (Common Loader Persistence)
#    A task is flagged when its action is a script host or LOLBin AND its arguments reference a URL or a user-writable drop path.
#    Parentheses matter: PowerShell binds -and tighter than -or, so an unparenthesised chain would match every PowerShell task.
Write-Host "`n[+] Checking Scheduled Tasks for suspicious patterns..." -ForegroundColor Yellow
$suspiciousHosts = 'powershell|pwsh|rundll32|regsvr32|mshta'
$suspiciousArgs  = 'http|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\'
Get-ScheduledTask | Where-Object {
    ($_.Actions.Execute -match $suspiciousHosts) -and
    ($_.Actions.Arguments -match $suspiciousArgs)
} | Select-Object TaskName, TaskPath, State,
    @{ Name = 'Execute';   Expression = { $_.Actions.Execute   -join ' ; ' } },
    @{ Name = 'Arguments'; Expression = { $_.Actions.Arguments -join ' ; ' } }

# 2. Check for File Hashes in Common Drop Paths (AppData, Temp)
Write-Host "`n[+] Scanning common drop directories for known IOCs..." -ForegroundColor Yellow
$targetHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2"
)

# $env:TEMP normally lives under $env:LOCALAPPDATA\Temp; Select-Object -Unique stops it being hashed twice.
$paths = @("$env:APPDATA", "$env:LOCALAPPDATA\Temp", "$env:TEMP") | Select-Object -Unique

foreach ($path in $paths) {
    if (Test-Path $path) {
        # -File keeps directories out of Get-FileHash; -contains compares case-insensitively, so hash case does not matter.
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $targetHashes -contains $_.Hash } |
            Select-Object Path, Hash
    }
}

# 3. Check for Suspicious Network Connections (SilabRAT IP)
#    Only live TCP sessions are visible here; a beacon idle between check-ins will not show, so pair this with the SIEM hunt.
Write-Host "`n[+] Checking for active connections to C2 infrastructure..." -ForegroundColor Yellow
$maliciousIP = "91.199.163.124"
Get-NetTCPConnection -RemoteAddress $maliciousIP -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{ Name = 'ProcessName'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

Write-Host "`n[*] Hunt Complete." -ForegroundColor Green


Response Priorities

  • Immediate:
    • Block the identified domains (brokeapt.com, *.rongtv.xyz, *.ssffaa19.xyz) and IP (91.199.163.124) at the firewall, proxy and DNS resolver.
    • Isolate endpoints with matches on the provided file hashes (SilabRAT, Vidar, Lumma).

  • 24 Hours:
    • Reset credentials and revoke active sessions and tokens for accounts used from infected endpoints; because SilabRAT clones browser profiles, a password change alone does not evict a session lifted from the profile. Prioritize financial systems and cryptocurrency wallets.
    • Inventory browser extensions on affected endpoints for unauthorized crypto-wallet additions (Needle campaign).

  • 1 Week:
    • Route developer package installs (PyPI, npm) through an allow-listed internal proxy or mirror and pin dependencies to mitigate supply chain risk.
    • Conduct security awareness training focusing on AI-themed social engineering and malvertising.
    • Review EDR policies for coverage of loaders such as Hijack Loader and AsmCrypt-obfuscated payloads.
