
Multi-Vector Credential Theft Campaigns: Lumma, Vidar, and Supply Chain Attacks — Enterprise Detection Pack

Security Arsenal Team
June 9, 2026

The OTX pulse data reveals a coordinated surge in credential theft campaigns across multiple vectors, with threat actors leveraging emerging trends like AI technology to create sophisticated lures. These campaigns span from AI-themed social engineering (Storm-3075) to supply chain attacks targeting developers (TroyDen, unknown actor) and specialized attacks on gamers and enterprise sectors.

The common thread across these diverse campaigns is the relentless focus on credential theft, with various techniques including infostealers, backdoors, and remote access trojans. Threat actors are adapting their tactics to current trends, using AI platforms as bait, exploiting the popularity of gaming communities, and compromising software supply chains to maximize their reach and impact.

These campaigns demonstrate a high level of sophistication in both social engineering and technical execution, with malware employing multiple persistence mechanisms, anti-analysis techniques, and evasion strategies to avoid detection. The targeting of critical sectors like telecommunications, healthcare, defense, and government suggests a focus on high-value credentials and potential espionage or financial gain motives.

Threat Actor / Malware Profile

Storm-3075 (AI Brand Impersonation Campaign)

  • Distribution: Social engineering campaigns impersonating AI platforms (ChatGPT, Copilot, DeepSeek, Claude)
  • Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster, GhostSocks
  • Payload Behavior: Credential theft, financial fraud, malware installation
  • Persistence: Unknown
  • C2 Communication: Unknown
  • Anti-Analysis: Unknown
  • Targeted Industries: Education, Finance, Technology, Retail

TroyDen (Lure Factory)

  • Distribution: GitHub-hosted packages with AI-generated lure names using biological taxonomy
  • Malware Families: LuaJIT, Redline, LummaStealer
  • Payload Behavior: Information stealing, credential theft
  • Persistence: Unknown
  • C2 Communication: Unknown
  • Anti-Analysis: Prometheus obfuscator
  • Targeted Industries: Technology (specifically developers, gamers, Roblox players, crypto users)

Unknown Actor (Supply Chain Attack)

  • Distribution: Malicious PyPI and npm packages targeting bioinformatics and MCP developers
  • Malware Families: Hades, Mini Shai-Hulud, Miasma
  • Payload Behavior: Information stealing, credential theft
  • Persistence: Executable .pth startup hooks, trojanized native .abi3.so extensions
  • C2 Communication: Unknown
  • Anti-Analysis: Split loader-payload architecture
  • Targeted Industries: Technology (specifically bioinformatics and MCP developers)
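The executable .pth startup hooks listed under Persistence work because site.py runs any .pth line beginning with "import " at every interpreter start. The scanner below is an added example, not code from the OTX pulses or the referenced Socket report; the suspicious-token list and the two sample .pth contents are constructed assumptions.

```python
"""Hunt for executable .pth startup hooks in Python site-packages (added example)."""
import re
import sysconfig
from pathlib import Path

# site.py executes any .pth line that starts with "import " or "import\t" at
# every interpreter start-up; all other non-comment lines are treated as
# directories to append to sys.path. That is the persistence hook abused here.
_IMPORT_LINE = re.compile(r"^import[ \t]")
# Tokens that have no place in a legitimate one-line path hook (assumed list).
_SUSPICIOUS = ("exec(", "eval(", "base64", "subprocess", "os.system",
               "urllib", "socket", "compile(", "__import__")

# Constructed sample contents, not real artefacts from the campaign.
SAMPLE_BENIGN = "# editable install\n/opt/project/src\nimport _virtualenv\n"
SAMPLE_HOSTILE = "import base64; exec(base64.b64decode('<placeholder>'))\n"


def scan_pth_text(name, text):
    """Return (file, line_no, severity, line) for every line site.py would execute."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are never run
        if _IMPORT_LINE.match(line):
            hits = [tok for tok in _SUSPICIOUS if tok in line]
            # Plain "import pkg" hooks are used by setuptools and virtualenv, so
            # they only get "review"; payload-style tokens escalate to "high".
            findings.append((name, no, "high" if hits else "review", line))
    return findings


def scan_site_packages(dirs=None):
    """Scan every *.pth directly inside the given (or the interpreter's) site dirs."""
    if dirs is None:
        paths = sysconfig.get_paths()
        dirs = {paths.get("purelib"), paths.get("platlib")} - {None}
    findings = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):    # site.py does not recurse
            try:
                findings.extend(scan_pth_text(str(pth), pth.read_text(errors="replace")))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for file, no, sev, line in scan_site_packages():
        print(f"[{sev}] {file}:{no}: {line}")
```

Run it under every interpreter that developers use (virtualenvs included), since each one has its own site-packages and therefore its own set of start-up hooks.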

Unknown Actor (Argamal)

  • Distribution: Adult-themed games
  • Malware Families: Argamal, Termixia
  • Payload Behavior: Remote access trojan (RAT), full system compromise
  • Persistence: COM hijacking via InprocServer32 entry for Windows Color System Calibration Loader DLL
  • C2 Communication: Unknown
  • Anti-Analysis: Delayed execution (after several days)
  • Targeted Countries: Russian Federation, Brazil, Germany
  • Targeted Industry: Gaming

Unknown Actor (Operation GriefLure)

  • Distribution: Spear phishing with authentic legal documents and fabricated whistleblower complaints
  • Malware Families: sfsvc.exe, 360.dll
  • Payload Behavior: Living-off-the-land techniques
  • Persistence: Unknown
  • C2 Communication: Unknown
  • Anti-Analysis: Unknown
  • Targeted Industries: Telecommunications, Healthcare, Defense, Government
  • Targeted Countries: Philippines, Vietnam

IOC Analysis

The OTX pulses contain various indicator types that SOC teams should operationalize:

  1. Domain Names: Used for C2 infrastructure and phishing sites
     • Tooling: DNS monitoring solutions, SIEM correlation, threat intelligence platforms
     • Action: Block on DNS resolvers and web proxies, monitor for attempts to resolve
  2. Hostnames: Specific systems within compromised networks or C2 infrastructure
     • Tooling: Network traffic analysis, IDS/IPS rules, host-based monitoring
     • Action: Investigate internal systems matching these patterns, monitor for connections
  3. File Hashes (SHA1, SHA256, MD5): Malicious executables, scripts, or documents
     • Tooling: EDR solutions, AV systems, hash-based detection tools, SIEM
     • Action: Add to blocklists, scan for files matching these hashes across endpoints
  4. CVE References: Known vulnerabilities exploited by the campaigns
     • Tooling: Vulnerability scanners, patch management systems
     • Action: Prioritize patching of these specific vulnerabilities

For operationalizing these indicators, SOC teams should:

  • Import into threat intelligence platforms (TIPs) for automated correlation
  • Create SIEM rules to alert on matches
  • Feed into EDR solutions for real-time detection and blocking
  • Develop firewall and proxy rules to block network-level indicators
  • Regularly refresh detection mechanisms as new indicators are discovered

Detection Engineering

Sigma Rules

```yaml
---
title: Suspicious AI Platform Impersonation Process
id: f5a1b3c2-d4e5-f6a7-b8c9-d0e1f2a3b4c5
description: Detects browser processes launched with AI platform keywords on the command line, a pattern observed in the Storm-3075 campaign
author: Security Arsenal
date: 2026-06-09
modified: 2026-06-09
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
tags:
    - attack.credential_access
    - attack.initial_access
    - storm-3075
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\iexplore.exe'
        CommandLine|contains:
            - 'chatgpt'
            - 'copilot'
            - 'deepseek'
            - 'claude'
            - 'openai'
    filter:
        ParentImage|endswith:
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate access to AI platforms
level: high
---
title: PyPI Package Supply Chain Attack
id: a1b2c3d4-e5f6-a7b8-c9d0-e1f2a3b4c5d6
description: Detects pip/python install or download commands that reference the .pth startup hooks and native .abi3.so extensions used in the bioinformatics/MCP supply chain attacks
author: Security Arsenal
date: 2026-06-09
modified: 2026-06-09
references:
    - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows   # .abi3.so artefacts are Linux-side; pair this with a linux variant of the same rule
detection:
    selection:
        Image|endswith:
            - '\python.exe'
            - '\pip.exe'
        CommandLine|contains:
            - 'install'
            - 'download'
    selection_artifacts:
        CommandLine|contains:
            - '.pth'
            - '.abi3.so'
            - 'native extensions'
            - 'sys.path'
    # both selections must match: the artefact tokens narrow the otherwise routine install commands
    condition: selection and selection_artifacts
falsepositives:
    - Legitimate Python package installation
level: high
---
title: COM Hijacking Persistence
id: b2c3d4e5-f6a7-b8c9-d0e1-f2a3b4c5d6e7
description: Detects potential COM hijacking for persistence via an InprocServer32 override, as observed in the Argamal campaign
author: Security Arsenal
date: 2026-06-09
modified: 2026-06-09
references:
    - https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # Both tokens must appear in the key path, otherwise every InprocServer32 write fires.
        # CLSID keys are named by GUID, so substitute the Calibration Loader's CLSID GUID
        # for the friendly name when deploying.
        TargetObject|contains|all:
            - '\InprocServer32'
            - '\Windows Color System Calibration Loader'
    filter:
        Image|endswith:
            - '\svchost.exe'
            - '\rundll32.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate system changes
level: high
```


**KQL (Microsoft Sentinel)**

```kql
// Hunt for AI platform impersonation and potential credential theft:
// browser connections to AI-branded URLs on TLDs favoured by lure sites
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("chatgpt", "copilot", "deepseek", "claude", "openai")
// in~ is case-insensitive; plain in would miss e.g. "Chrome.exe"
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
| extend SuspiciousScore = iff(
    RemoteUrl contains ".xyz" or
    RemoteUrl contains ".top" or
    RemoteUrl contains ".tk",
    3, 1)
| where SuspiciousScore >= 2
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, SuspiciousScore
```


**PowerShell Hunt Script**

```powershell
# Credential Theft Malware Hunter
# Based on IOCs from OTX pulses
param(
    [switch]$Verbose
)

# Malicious file hashes from OTX pulses (mixed SHA1 / SHA256 / MD5)
$maliciousHashes = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32", # SHA1
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", # SHA256
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a", # SHA256
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80", # SHA256
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23", # SHA256
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2", # SHA256
    "6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9", # SHA256
    "02819d200d1424882af81cb504b3e8614b32397a", # SHA1
    "1405a3c5e0aeb08012484134e16cdec4ab29b4a4", # SHA1
    "17f8f8f34dfa737f36182fed7ff9e9814a114058", # SHA1
    "2423a5bf0fa7cb9ec09211630a5488629499691b", # SHA1
    "29f1d346a6e71774c7dad25b90f446b2974393df", # SHA1
    "42add9475e67a1ccc6a6af94b5475d3defc01b85", # SHA1
    "6c6cbed6aad96564ed87094785be07a1", # MD5
    "55d6238b01a177e25eb7d53c943f3abea64ec073", # SHA1
    "197f11a7b0003aa7da58a3302cfa2a96a670de91d39ddebc7a51ac1d9404a7e6", # SHA256
    "35af2cf5494181920b8624c7b719d39590e2a5ff5eaa1a2fa1ba86b2b5aa9b43", # SHA256
    "61e9d76f07334843df561fe4bac449fb6fdaed5e5eb91480bded225f3d265c5f", # SHA256
    "7f80add94ee8107a79c87a9b4ccbd33e39eccd1596748a5b88629dd6ac11b86d", # SHA256
    "91a15554ec9e49c00c5ca301f276bd79d346968651d54204743a08a3ca8a5067"  # SHA256
)

# Suspicious domains from OTX pulses
$suspiciousDomains = @(
    "brokeapt.com",
    "rongtv.xyz",
    "ssffaa19.xyz",
    "asper1.freeddns.org",
    "whatsappcenter.com"
)

# Group the IOCs by digest length so each file is checked with every algorithm
# that actually has indicators (32 hex chars = MD5, 40 = SHA1, 64 = SHA256).
# Hashing only with SHA256 would silently skip the SHA1 and MD5 entries.
# Get-FileHash returns uppercase hex, so the IOCs are upper-cased once here.
$hashSets = @{}
foreach ($h in $maliciousHashes) {
    $algo = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if (-not $algo) { continue }
    if (-not $hashSets.ContainsKey($algo)) {
        $hashSets[$algo] = [System.Collections.Generic.HashSet[string]]::new()
    }
    [void]$hashSets[$algo].Add($h.ToUpperInvariant())
}

# Check for malicious files
Write-Host "Checking for malicious files..." -ForegroundColor Cyan
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
$foundFiles = @()

foreach ($drive in $drives) {
    try {
        $files = Get-ChildItem -Path $drive -Recurse -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.Length -gt 0 -and $_.Length -lt 500MB }

        foreach ($file in $files) {
            foreach ($algo in $hashSets.Keys) {
                $hash = Get-FileHash -Path $file.FullName -Algorithm $algo -ErrorAction SilentlyContinue
                if ($hash -and $hashSets[$algo].Contains($hash.Hash)) {
                    $foundFiles += $file.FullName
                    if ($Verbose) {
                        Write-Host "Found malicious file ($algo match): $($file.FullName)" -ForegroundColor Red
                    }
                    break
                }
            }
        }
    } catch {
        if ($Verbose) {
            Write-Host "Error scanning $drive`: $_" -ForegroundColor Yellow
        }
    }
}

if ($foundFiles.Count -gt 0) {
    Write-Host "Found $($foundFiles.Count) malicious files:" -ForegroundColor Red
    $foundFiles | ForEach-Object { Write-Host $_ -ForegroundColor Red }
} else {
    Write-Host "No malicious files found." -ForegroundColor Green
}

# Check for suspicious DNS entries
Write-Host "`nChecking for suspicious DNS entries..." -ForegroundColor Cyan
# Match the cached name exactly or as a subdomain of an IOC domain. The cache
# entry is copied into its own variable so the inner pipeline's $_ does not
# shadow it.
$dnsEntries = @(Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    @($suspiciousDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }).Count -gt 0
})

if ($dnsEntries.Count -gt 0) {
    Write-Host "Found $($dnsEntries.Count) suspicious DNS entries:" -ForegroundColor Red
    $dnsEntries | Format-Table Entry, Data -AutoSize
} else {
    Write-Host "No suspicious DNS entries found." -ForegroundColor Green
}

# Check for COM hijacking persistence (InprocServer32 overrides, as used by Argamal)
Write-Host "`nChecking for suspicious COM InprocServer32 entries..." -ForegroundColor Cyan
# A per-user CLSID\*\InprocServer32 key shadows the machine-wide COM object for
# that user and is rare on clean hosts, so every HKCU entry is reported.
# HKLM entries are reported only when the DLL has an absolute path outside
# the Windows and Program Files directories.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$foundRegKeys = @()
foreach ($hive in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
    foreach ($clsid in (Get-ChildItem -Path $hive -ErrorAction SilentlyContinue)) {
        $inproc = Join-Path $clsid.PSPath 'InprocServer32'
        if (-not (Test-Path -Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll).Trim('"')
        $trusted = @($trustedRoots | Where-Object { $dll -like "$_\*" }).Count -gt 0
        $rooted = [System.IO.Path]::IsPathRooted($dll)
        if ($hive -like 'HKCU:*' -or ($rooted -and -not $trusted)) {
            $foundRegKeys += "$inproc -> $dll"
            if ($Verbose) {
                Write-Host "Suspicious InprocServer32: $inproc -> $dll" -ForegroundColor Yellow
            }
        }
    }
}

if ($foundRegKeys.Count -gt 0) {
    Write-Host "Found $($foundRegKeys.Count) suspicious registry keys:" -ForegroundColor Yellow
    $foundRegKeys | ForEach-Object { Write-Host $_ -ForegroundColor Yellow }
} else {
    Write-Host "No suspicious registry keys found." -ForegroundColor Green
}

# Check for suspicious network connections
Write-Host "`nChecking for suspicious network connections..." -ForegroundColor Cyan
# Get-NetTCPConnection only exposes IP addresses, so compare against the
# addresses the DNS cache already holds for the IOC domains rather than
# against the names. Resolving the domains live from the host would send new
# lookups to the actor's infrastructure and pollute the evidence.
$suspiciousIPs = @($dnsEntries | Where-Object { $_.Data } | Select-Object -ExpandProperty Data)
$connections = @()
if ($suspiciousIPs.Count -gt 0) {
    $connections = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -in $suspiciousIPs })
}

if ($connections.Count -gt 0) {
    Write-Host "Found $($connections.Count) suspicious network connections:" -ForegroundColor Red
    $connections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State -AutoSize
} else {
    Write-Host "No suspicious network connections found." -ForegroundColor Green
}

Write-Host "`nScan complete." -ForegroundColor Cyan
```

Response Priorities

Immediate (0-24 hours):

  • Block all IOCs (domains, IPs, file hashes) at network perimeter (firewalls, proxies, DNS resolvers)
  • Scan all endpoints for malicious file hashes
  • Isolate systems with confirmed infections
  • Review recent logs for connections to suspicious domains
  • Initiate credential rotation for accounts with potential exposure

24 hours:

  • Conduct full forensic analysis on compromised systems
  • Verify all user identities if credential-stealing malware is detected
  • Implement additional monitoring for suspicious activity
  • Review and enhance phishing awareness training, especially for AI-themed lures
  • Analyze any detected malicious emails or files for patterns and indicators

1 week:

  • Conduct a comprehensive security review of software supply chain practices
  • Implement stricter code review processes for third-party packages
  • Enhance application whitelisting policies
  • Review and update incident response procedures based on findings
  • Implement behavior-based detection for unusual credential access patterns
  • Consider deploying additional deception technologies to detect credential theft attempts
  • Review and harden authentication mechanisms, including MFA implementation
