Operation AI Bait & Crypto MaaS: Vidar, SilabRAT, and Needle Campaign Analysis — OTX Pulse Intelligence | Security Arsenal

Excerpt: Active infostealer campaigns leveraging AI hype, TikTok, and PyPI to distribute Vidar, SilabRAT, and Needle. High urgency for credential defense.

Threat Summary

Recent OTX pulses indicate a surge in multifaceted credential theft operations targeting both enterprise and consumer sectors. The activity is segmented into distinct but overlapping campaigns:

AI-Themed Social Engineering (Storm-3075): Threat actors are hijacking the AI hype, impersonating brands like ChatGPT and Copilot via SEO poisoning and malvertising to distribute Vidar and Lumma Stealer.
MaaS Proliferation (o1oo1): The SilabRAT toolkit is actively being sold on dark web forums, featuring Hidden VNC (HVNC) and browser profile cloning to bypass session protections.
Supply Chain Compromise: A sophisticated campaign targeting Bioinformatics and MCP developers utilizes typosquatted PyPI packages (Hades, Miasma, Mini Shai-Hulud) to deliver malware via malicious Python wheels.
Social Media Vector: Vidar Stealer is being distributed via fake software tutorials on TikTok and Instagram, tricking users into executing malicious PowerShell commands.
Crypto-Focused Campaigns: The Needle platform is actively targeting cryptocurrency wallets using browser extension spoofers and trojanized desktop applications.

The collective objective is financial theft through credential harvesting, session hijacking, and direct cryptocurrency wallet compromise.

Threat Actor / Malware Profile

Storm-3075 & AI Impersonation

Malware: Vidar, Lumma Stealer, Hijack Loader, GhostSocks.
Distribution: Malvertising, SEO manipulation, phishing pages mimicking AI services.
Targets: Education, Finance, Technology, Retail.
Behavior: Vidar acts as an infostealer and loader, downloading subsequent payloads. Hijack Loader is used to bypass security controls.

SilabRAT (by o1oo1)

Type: Malware-as-a-Service (MaaS).
Cost: $5,000/month.
Capabilities: Hidden VNC (invisible remote control), browser profile cloning (to bypass MFA), session hijacking, and cryptocurrency wallet theft.
Persistence: Uses AsmCrypt and likely registry run keys or scheduled tasks.

PyPI Supply Chain (Hades, Miasma, Mini Shai-Hulud)

Vector: Typosquatting on PyPI and npm.
Mechanism: Malicious .pth startup hooks and trojanized native .abi3.so extensions that execute upon import.
Target: Developers utilizing Python environments for bioinformatics or Model Context Protocol (MCP) work.

Needle / ThreatNeedle

Type: Modular Crypto-Stealing C2.
Components: RustyStealer (desktop agent), Browser Extension Spoofer (MetaMask, Phantom, Trust Wallet).
Behavior: Impersonates legitimate wallet interfaces (Exodus, Ledger) to harvest seed phrases and private keys.

IOC Analysis

The provided indicators of compromise (IOCs) span multiple infrastructure types:

Domains & Hostnames: brokeapt.com, msget.run, d4ug.site, pan.rongtv.xyz, pan.ssffaa19.xyz. These serve as C2 servers or payload distribution points. msget.run and d4ug.site are specifically linked to the TikTok PowerShell campaigns.
IPv4: 91.199.163.124 (Associated with SilabRAT infrastructure).
File Hashes: Numerous SHA256 hashes associated with Vidar, SilabRAT, and Python malware payloads.

Operational Guidance: SOC teams should immediately block these domains and IPs at the perimeter firewall and proxy level. File hashes should be loaded into EDR solutions for immediate quarantine. The PowerShell-related domains (msget.run) should trigger specific script execution alerts.

Detection Engineering

Sigma Rules

YAML

title: Potential Vidar Stealer Download via PowerShell
id: 91a2b3c4-5d6e-7f8g-9h0i-1j2k3l4m5n6o
description: Detects PowerShell commands downloading payloads from domains associated with Vidar Stealer distribution campaigns (TikTok/Social Engineering vectors).
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a2b7c5c2b6176655d6e7
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_dl:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_iocs:
        CommandLine|contains:
            - 'msget.run'
            - 'd4ug.site'
            - 'brokeapt.com'
    condition: all of selection_*
falsepositives:
    - Legitimate administration scripts using these specific domains (unlikely)
level: high
---
title: SilabRAT C2 Network Connection
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
description: Detects outbound network connections to known SilabRAT infrastructure IP addresses.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a2b7c5c2b6176655d6e8
tags:
    - attack.c2
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationIp:
            - '91.199.163.124'
    condition: selection
falsepositives:
    - Legitimate traffic to this IP (unlikely, hosted on specific infrastructure)
level: critical
---
title: Suspicious Python Child Process Execution
id: b2c3d4e5-f6a7-8901-2345-678901bcdefg
description: Detects suspicious child processes spawned by Python, potentially indicating execution of malicious PyPI packages like Hades or Miasma.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a2b7c5c2b6176655d6e9
tags:
    - attack.execution
    - attack.t1204
techniques:
    - id: T1204
      name: User Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\python.exe'
            - '\python3.exe'
    selection_suspicious_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\bash.exe'
            - '\whoami.exe'
            - '\systeminfo.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate developer tools invoking system shells
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for connections to known malicious domains and IPs
DeviceNetworkEvents
| where RemoteUrl in ("brokeapt.com", "msget.run", "d4ug.site", "pan.rongtv.xyz") 
   or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend AlertContext = pack("Action", "Network connection to known C2/Distribution domain")

// Hunt for PowerShell processes associated with the Vidar TikTok campaign
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where ProcessVersionInfoOriginalFileName =~ "powershell.exe" or ProcessVersionInfoOriginalFileName =~ "pwsh.exe"
| where ProcessCommandLine has "msget.run" or ProcessCommandLine has "d4ug.site" or ProcessCommandLine has "IEX"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend AlertContext = pack("Action", "Suspicious PowerShell execution with IOC")

PowerShell Hunt Script

PowerShell

# IOC Hunt Script for SilabRAT and Vidar Indicators
# Requires Administrative Privileges

$MaliciousDomains = @(
    "brokeapt.com",
    "msget.run",
    "d4ug.site",
    "pan.rongtv.xyz",
    "pan.ssffaa19.xyz"
)

$MaliciousIP = "91.199.163.124"

Write-Host "[+] Hunting for active network connections to SilabRAT C2 ($MaliciousIP)..." -ForegroundColor Cyan
$netConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$processes = Get-Process -IncludeUserName

foreach ($conn in $netConnections) {
    if ($conn.RemoteAddress -eq $MaliciousIP) {
        $proc = $processes | Where-Object { $_.Id -eq $conn.OwningProcess }
        Write-Host "[!] ALERT: Connection to $MaliciousIP found. PID: $($conn.OwningProcess), Process: $($proc.ProcessName), User: $($proc.UserName)" -ForegroundColor Red
    }
}

Write-Host "[+] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $MaliciousDomains) {
    $hits = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
    if ($hits) {
        Write-Host "[!] ALERT: DNS resolution found for $domain" -ForegroundColor Red
        $hits | Format-Table Entry, Data, TimeToLive
    }
}

Write-Host "[+] Hunt complete. Review alerts for potential infection."


---

Response Priorities

Immediate (0-6 hours):
- Block all listed domains (brokeapt.com, msget.run, etc.) and IP (91.199.163.124) at the firewall, proxy, and DNS levels.
- Scan endpoints for the provided file hashes (SilabRAT, Vidar, Needle) using EDR.
- Isolate any systems showing positive hits for the PowerShell IOC patterns.
24 Hours:
- Initiate credential resets and MFA re-enrollment for accounts identified on potentially compromised endpoints (specifically targeting Finance, Tech, and Education sectors).
- Review Python package repositories (internal PyPI mirrors) for the presence of typosquatted packages mentioned (Hades, Miasma).
1 Week:
- Conduct security awareness training focusing on "AI-themed" phishing and the dangers of executing code from social media tutorials (TikTok/Instagram).
- Implement application whitelisting for Python environments to prevent unauthorized binary execution from .pth or .so hooks.
- Review browser extension policies to block unauthorized extensions (Mitigation for Needle/RustyStealer).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

Operation AI Bait & Crypto MaaS: Vidar, SilabRAT, and Needle Campaign Analysis — OTX Pulse Intelligence