PRISMEX, ValleyRAT, and AMOS Stealer: OTX Pulse Analysis — APT Espionage, Targeted Tax Fraud, and AI-Agent Exploitation | Security Arsenal

Excerpt: Active campaigns: APT28's PRISMEX suite, Silver Fox's ValleyRAT in Japan, and AMOS Stealer via Cursor AI. Urgent detection updates.

Threat Summary

Recent OTX pulses highlight three distinct, high-threat campaigns targeting critical infrastructure, manufacturing, and developer environments.

APT28 (Pawn Storm) is actively leveraging the PRISMEX malware suite against Ukrainian and Western European entities. The group exploits zero-days CVE-2026-21509 and CVE-2026-21513, utilizing advanced steganography and COM hijacking for persistence.
Silver Fox (Void Arachne) is exploiting Japan's tax season with ValleyRAT, targeting manufacturing firms via spearphishing lures related to financial compliance and HR matters.
AMOS Stealer has been observed delivering through a novel vector: Cursor AI agent sessions. By social engineering operators into prompting the AI (Claude Code) to execute AppleScript, attackers steal credentials and cryptocurrency data.

Threat Actor / Malware Profile

APT28 / Pawn Storm (PRISMEX)

Malware Families: PRISMEX (Dropper, Stager, Loader), MiniDoor, NotDoor.
Distribution: Exploitation of zero-days (CVE-2026-21509, CVE-2026-21513).
Behavior: Uses steganography to hide payloads within images. Abuses cloud services (Filen.io) for Command and Control (C2). Employs COM hijacking to establish persistence on targeted systems.

Silver Fox (Void Arachne) (ValleyRAT)

Malware Families: ValleyRAT.
Distribution: Spearphishing emails with tax and HR themes, leveraging the busy fiscal season in Japan.
Behavior: Remote Access Trojan (RAT) capabilities, including keystroke logging, screen capturing, and data exfiltration specifically targeting manufacturing sectors.

AMOS Stealer (Unknown Actor)

Malware Families: AMOS Stealer.
Distribution: Social engineering via AI Agent (Cursor/Claude). Operators are tricked into prompting the AI to download and execute scripts.
Behavior: Heavily obfuscated AppleScript loaders. Performs sandbox evasion checks before harvesting crypto wallets, browser credentials, and system information.

IOC Analysis

The provided IOCs include C2 infrastructure domains (filen.io, arkypc.com, mpasvw.com), IPv4 addresses, and multiple file hashes (MD5, SHA1, SHA256) for droppers and loaders.

Operationalization:
- Network: Blocklisted domains should be immediately added to perimeter firewalls and DNS sinkholes.
- Endpoint: EDR solutions should scan for the SHA256 hashes associated with ValleyRAT and AMOS loaders.
- Tooling: YARA rules can be generated from the file hashes. Network Detection and Response (NDR) tools should flag connections to the gateway.filen.io cluster and arkypc.com.

Detection Engineering

YAML

---
title: Potential PRISMEX C2 Connection
id: 6d9a1234-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects potential network connections to PRISMEX C2 infrastructure (Filen.io domains) as reported in OTX Pulse.
author: Security Arsenal
date: 2026/04/30
references:
    - https://otx.alienvault.com/pulse/662fa6d91e1e4c5c7f8e9b0a
logsource:
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'filen.io'
            - 'egest.filen.io'
    condition: selection
falsepositives:
    - Legitimate use of Filen.io cloud storage (rare in targeted enterprise environments)
level: high
tags:
    - attack.command_and_control
    - attack.t1071
---
title: Suspicious AppleScript Execution via Cursor AI
id: 1a2b3c4d-5e6f-7890-1234-567890abcdef
status: experimental
description: Detects execution of obfuscated AppleScript potentially related to AMOS Stealer delivery via Cursor AI sessions.
author: Security Arsenal
date: 2026/04/30
references:
    - https://otx.alienvault.com/pulse/662fa6d91e1e4c5c7f8e9b0c
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains:
            - 'curl'
            - 'http://arkypc.com'
            - 'http://mpasvw.com'
    condition: selection
falsepositives:
    - Legitimate administrative scripting
level: critical
tags:
    - attack.execution
    - attack.t1059.002
---
title: PRISMEX Persistence via COM Hijacking
id: abcdef01-2345-6789-abcd-ef0123456789
status: experimental
description: Detects registry modifications indicative of COM Hijacking, a technique used by PRISMEX for persistence.
author: Security Arsenal
date: 2026/04/30
references:
    - https://otx.alienvault.com/pulse/662fa6d91e1e4c5c7f8e9b0a
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'Software\Classes\CLSID'
        TargetObject|contains: 'InprocServer32'
        Details|contains: '.dll'
    filter_legit:
        Image|endswith:
            - '\msiexec.exe'
            - '\svchost.exe'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installation
level: medium
tags:
    - attack.persistence
    - attack.t1546.015


kql
// Hunt for PRISMEX C2 Infrastructure
DeviceNetworkEvents
| where RemoteUrl has "filen.io" or RemoteUrl has "egest.filen.io"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| order by Timestamp desc
| extend HuntName = "PRISMEX C2 Traffic"
// Hunt for AMOS Stealer Domains
// union is used to hunt across multiple distinct campaigns
union (
    DeviceNetworkEvents
    | where RemoteUrl in ("arkypc.com", "mpasvw.com")
    | project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, InitiatingProcessCommandLine
    | extend HuntName = "AMOS Stealer C2 Traffic"
)
| order by Timestamp desc


powershell
# PowerShell Hunt Script for IOCs
# Checks for active connections to known C2 infrastructure and suspicious file hashes

$C2Domains = @("gateway.filen.io", "egest.filen.io", "arkypc.com", "mpasvw.com")
$MaliciousHashes = @(
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72",
    "312147c0ae0d555a4d50fa627ff7d4f3"
)

Write-Host "Checking for active network connections to C2 domains..." -ForegroundColor Yellow
Get-NetTCPConnection | ForEach-Object {
    $process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($process) {
        try {
            $remoteHost = [System.Net.Dns]::GetHostEntry($_.RemoteAddress).HostName
            if ($C2Domains -contains $remoteHost) {
                Write-Host "[ALERT] Connection to C2 Domain detected: $remoteHost (PID: $($process.Id))" -ForegroundColor Red
            }
        } catch {}
    }
}

Write-Host "`nScanning for malicious file hashes in User Temp and Downloads..." -ForegroundColor Yellow
$paths = @("$env:TEMP", "$env:USERPROFILE\Downloads")
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[ALERT] Malicious file found: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Response Priorities

Immediate: Block all identified C2 domains (*.filen.io, arkypc.com, mpasvw.com) at the perimeter. Isolate hosts with matching file hashes.
24h: Conduct credential resets for users on affected endpoints, specifically checking for cryptocurrency wallet compromises (AMOS) and espionage exfiltration (PRISMEX).
1 week: Review and patch vulnerabilities CVE-2026-21509 and CVE-2026-21513. Implement strict validation for AI agent prompts and sandboxing for Cursor AI environments.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

PRISMEX, ValleyRAT, and AMOS Stealer: OTX Pulse Analysis — APT Espionage, Targeted Tax Fraud, and AI-Agent Exploitation