Recent OTX pulses expose a convergence of credential theft campaigns leveraging current trends and supply chain vulnerabilities. Storm-3075 is actively abusing the global interest in Artificial Intelligence, impersonating brands like ChatGPT and DeepSeek via malvertising and SEO poisoning to distribute Vidar and Lumma Stealer. Simultaneously, the TroyDen group and unidentified supply chain actors are targeting developers through malicious GitHub repositories and typosquatted PyPI/npm packages (Hades, Miasma, Mini Shai-Hulud). A separate campaign distributes Argamal via adult-themed games, utilizing COM hijacking for persistence. The collective objective across these vectors is initial access leading to systematic credential harvesting, financial fraud, and system compromise.
Threat Actor / Malware Profile
- Storm-3075: Utilizes SEO poisoning and malvertising mimicking AI brands. Payloads are delivered via Hijack Loader. Malware families include Vidar (info stealer) and Lumma Stealer, often coupled with GhostSocks for proxying and C2 obfuscation.
- TroyDen: Operates a "Lure Factory" on GitHub. Uses LuaJIT-based payloads and AI-generated biological/medical lure names. Malware families: Redline, LummaStealer.
- Argamal / Termixia: Distributed via adult games. Uses delayed execution (days later) to evade detection. Persistence is achieved via COM hijacking targeting the Windows Color System Calibration Loader.
- Hades / Miasma / Mini Shai-Hulud: Sophisticated supply chain attack on Python/Node ecosystems. Uses executable
.pthstartup hooks and trojanized.abi3.sonative extensions to execute code at import time.
IOC Analysis
The provided indicators include high-risk domains such as brokeapt.com (Storm-3075 infrastructure) and asper1.freeddns.org (Argamal C2), alongside numerous SHA256 hashes for loaders and stealer binaries. SOC teams should immediately block these domains and file hashes at the perimeter and endpoint levels. The SHA256 hashes associated with the Python supply chain attack (e.g., 6506d31...) are critical for hunting within developer environments. Argamal indicators include specific SHA1 hashes and a reference to a suspicious hostname.
Detection Engineering
Sigma Rules
YAML
title: Potential Storm-3075 Malvertising Loader Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential loader activity associated with Storm-3075 AI-themed campaigns or generic suspicious child processes from common browsers/installers.
author: Security Arsenal
date: 2026/06/09
references:
- https://otx.alienvault.com/pulse/12345678
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\chrome.exe'
- '\msedge.exe'
- '\firefox.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\mshta.exe'
filter_legit:
CommandLine|contains: 'Microsoft'
condition: selection and not filter_legit
falsepositives:
- Legitimate software updates
level: high
tags:
- attack.initial_access
- attack.execution
- attack.t1059.001
---
title: Argamal Malware COM Hijacking Persistence
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
description: Detects registry modifications associated with Argamal malware persistence via Windows Color System Calibration Loader hijacking.
author: Security Arsenal
date: 2026/06/09
references:
- https://otx.alienvault.com/pulse/87654321
status: experimental
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\InprocServer32'
TargetObject|contains: 'Windows Color System'
Details|contains: '.dll'
condition: selection
falsepositives:
- Rare; legitimate calibration DLL changes
level: critical
tags:
- attack.persistence
- attack.t1112
---
title: Malicious PyPI Package Import (Hades/Miasma)
id: c3d4e5f6-7890-12ab-cdef-3456789012cd
description: Detects execution of Python scripts loading potentially malicious .abi3.so or .pth files associated with recent supply chain attacks.
author: Security Arsenal
date: 2026/06/09
references:
- https://otx.alienvault.com/pulse/11223344
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\python.exe'
CommandLine|contains:
- 'import'
selection_ext:
CommandLine|contains:
- '.abi3.so'
- '.pth'
condition: selection and selection_ext
falsepositives:
- Legitimate usage of native Python extensions by developers
level: high
tags:
- attack.initial_access
- attack.execution
- attack.t1059.006
**KQL (Microsoft Sentinel)**
kql
// Hunt for Storm-3075, Argamal, and Supply Chain Indicators
let IoC_Domains = dynamic(["brokeapt.com", "pan.rongtv.xyz", "asper1.freeddns.org", "www.whatsappcenter.com"]);
let IoC_Hashes = dynamic([
"0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
"25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
"5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
"56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
"6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
"6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9"
]);
// Network Connections to known C2 or delivery domains
DeviceNetworkEvents
| where RemoteUrl in (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| union (
DeviceProcessEvents
| where SHA256 in (IoC_Hashes) or SHA1 in ("02819d200d1424882af81cb504b3e8614b32397a", "1405a3c5e0aeb08012484134e16cdec4ab29b4a4") // Argamal samples
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, SHA256
)
**PowerShell Hunt Script**
powershell
# IOC Hunt for Argamal Persistence and Malicious Files
Write-Host "Checking for Argamal COM Hijacking Persistence..." -ForegroundColor Cyan
$Path = "Registry::HKCU\Software\Classes\CLSID"
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$SubPath = Join-Path -Path $_.PSPath -ChildPath "InprocServer32"
if (Test-Path $SubPath) {
$DefaultVal = (Get-ItemProperty -Path $SubPath -ErrorAction SilentlyContinue)."(default)"
if ($DefaultVal -like "*Color System*" -and $DefaultVal -match "\.dll$") {
Write-Host "Suspicious COM Hijack found: $($_.PSPath)" -ForegroundColor Red
Write-Host "Target: $DefaultVal" -ForegroundColor Red
}
}
}
}
Write-Host "Checking for Suspicious File Hashes (Argamal/Lumma) in user directories..." -ForegroundColor Cyan
$Targets = @(
"C:\Windows\Temp",
"$env:USERPROFILE\Downloads",
"$env:APPDATA"
)
$Hashes = @(
"02819d200d1424882af81cb504b3e8614b32397a", # Argamal SHA1
"1405a3c5e0aeb08012484134e16cdec4ab29b4a4",
"0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531" # Lumma SHA256
)
foreach ($Folder in $Targets) {
if (Test-Path $Folder) {
Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll, *.bin -ErrorAction SilentlyContinue | ForEach-Object {
$Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($Hashes -contains $Hash) {
Write-Host "Malicious file found: $($_.FullName)" -ForegroundColor Red
}
}
}
}
Response Priorities
- Immediate: Block all domains listed in the IOC section (
brokeapt.com,rongtv.xyz,freeddns.org) at the proxy and DNS layers. Quarantine endpoints matching provided SHA256 hashes for Lumma, Vidar, or Argamal. - 24h: Initiate credential resets and enforce multi-factor authentication (MFA) reviews for accounts accessed from endpoints flagged with Argamal or Lumma Stealer indicators.
- 1 week: Audit developer environments for unauthorized GitHub package usage and suspicious PyPI/npm imports. Restrict execution of unsigned scripts and binaries for non-developer staff to mitigate malvertising risks.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialslumma-stealervidarsupply-chain-attackargamalcredential-theft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.