Threat Summary
Recent OTX pulses highlight three distinct but equally concerning threats: a renewed cyber-espionage campaign by APT28 (Pawn Storm) utilizing the PRISMEX malware suite against critical infrastructure; a targeted campaign by the threat actor "Void Arachne" (Silver Fox) using ValleyRAT to exploit Japanese tax season; and a novel delivery mechanism for AMOS Stealer via AI agent sessions. Collectively, these pulses reveal a diverse threat landscape where state-sponsored actors target geopolitical interests, financially motivated actors exploit seasonal events, and commodity malware developers pioneer initial access vectors via emerging technologies.
Threat Actor / Malware Profile
APT28 / Pawn Storm (PRISMEX)
- Adversary: Russian-aligned APT28 (Fancy Bear).
- Malware: PRISMEX Suite (Dropper, Stager, Loader, MiniDoor).
- Distribution: Spear-phishing and exploitation of CVE-2026-21509 & CVE-2026-21513.
- Behavior: The PRISMEX suite employs advanced steganography to hide payloads, COM hijacking for persistence, and abuses cloud services for C2, making detection difficult. The ultimate objective is espionage and data theft from government and critical infrastructure sectors.
Void Arachne / Silver Fox (ValleyRAT)
- Adversary: Void Arachne, financially motivated group.
- Malware: ValleyRAT.
- Distribution: Spearphishing emails with financial, HR, and tax-related lures targeting Japanese manufacturing firms during the tax season.
- Behavior: ValleyRAT is a Remote Access Trojan (RAT) that provides the threat actor with full control over the infected machine. Its primary functions include credential harvesting, keylogging, and data exfiltration for financial gain.
Unknown (AMOS Stealer)
- Adversary: Unknown (likely an initial access broker or commodity malware developer).
- Malware: AMOS Stealer (a macOS-focused infostealer).
- Distribution: A novel social engineering campaign targeting developers using the "Cursor" AI agent. It tricks operators into prompting the AI to download and execute a malicious AppleScript.
- Behavior: The delivered AppleScript is heavily obfuscated and performs sandbox evasion checks before loading the AMOS Stealer payload. Once executed, AMOS Stealer harvests and exfiltrates sensitive data, including cryptocurrency wallet keys and saved browser credentials.
IOC Analysis
The provided IOCs span multiple categories, requiring a multi-layered detection approach:
- Hostnames: APT28's C2 infrastructure leverages domains like gateway.filen.io and egest.filen.io. These are used for C2 communication and should be blocked at the network perimeter.
- File Hashes: The Silver Fox campaign provides numerous MD5, SHA1, and SHA256 hashes for ValleyRAT droppers and loaders. These hashes are critical for EDR/HIPS detection and can be used to hunt for existing infections on endpoints.
- IP Addresses: The AMOS Stealer campaign lists IP addresses (45.94.47.204, 92.246.136.14) used for payload delivery and C2. Blocking these IPs is an immediate containment action.
- Domains & URLs: Domains like mpasvw.com and arkypc.com, and URLs like https://arkypc.com/n8n/update, are associated with the AMOS Stealer delivery infrastructure and should be blocked.
SOC teams should operationalize these indicators by importing them into their SIEM, EDR, and firewall systems. Automated playbooks should be configured to isolate endpoints that communicate with these indicators or match the provided file hashes.
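The matching logic behind "operationalizing" a list like this is easy to get subtly wrong: a plain substring match on `filen.io` also fires on `notfilen.io`, a hash comparison fails when the EDR emits uppercase hex, and `arkypc.com.example.org` must not count as `arkypc.com`. The following Python script is an added example (not part of the original post, and not Security Arsenal's tooling) that matches the indicators listed in this briefing against constructed key=value log lines, doing hostname matching on label boundaries, exact IP matching, and case-insensitive matching of Sysmon-style `MD5=...,SHA256=...` hash fields. The log lines, the `dest_host`/`dest_ip`/`url`/`hashes` field names and the placeholder SHA256 of zeros are all constructed for the example; the indicator values themselves come from the IOC Analysis section, the ValleyRAT Sigma rule and the PowerShell hunt script below.

```python
"""Match constructed log lines against the indicators in this briefing.

Added example, not the original post's code. Field names in the log
lines (dest_host, dest_ip, url, hashes) are an assumed key=value layout.
"""
import re
from urllib.parse import urlsplit

# Indicator values taken from the briefing (hostnames, IPs, URL from the
# IOC Analysis section; hashes from the ValleyRAT Sigma rule and the
# AMOS hunt script).
IOC_HOSTNAMES = {"gateway.filen.io", "egest.filen.io", "mpasvw.com", "arkypc.com"}
IOC_IPS = {"45.94.47.204", "92.246.136.14"}
IOC_URLS = {"https://arkypc.com/n8n/update"}
IOC_HASHES = {
    "1af5b25acd2df31f44a54fc8dcd85287",                                  # ValleyRAT MD5
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",  # ValleyRAT SHA256
    "312147c0ae0d555a4d50fa627ff7d4f3",                                  # AMOS MD5
    "c54620dd3745fdeaff5ccc0db4132f11",                                  # AMOS MD5
}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Parse a 'key=value key=value' line into a dict; values keep their case."""
    return dict(_KV.findall(line))


def host_matches(host, indicator):
    """True if host equals the indicator or is a subdomain of it.

    Matching on label boundaries keeps 'notfilen.io' from matching 'filen.io'
    and 'arkypc.com.example.org' from matching 'arkypc.com'.
    """
    host = host.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def parse_sysmon_hashes(field):
    """Turn a Sysmon-style 'MD5=..,SHA256=..' field into lowercase hex digests."""
    digests = set()
    for part in field.split(","):
        if "=" in part:
            digests.add(part.split("=", 1)[1].strip().lower())
    return digests


def match_event(ev):
    """Return (field, indicator) pairs for every IOC the parsed event touches."""
    hits = []
    host = ev.get("dest_host")
    url = ev.get("url")
    if url:
        if url.rstrip("/").lower() in {u.rstrip("/").lower() for u in IOC_URLS}:
            hits.append(("url", url))
        host = host or urlsplit(url).hostname
    if host:
        for ind in IOC_HOSTNAMES:
            if host_matches(host, ind):
                hits.append(("dest_host", ind))
    ip = ev.get("dest_ip")
    if ip in IOC_IPS:
        hits.append(("dest_ip", ip))
    if "hashes" in ev:
        # Case-insensitive: EDR/Sysmon commonly emit uppercase hex.
        for digest in sorted(parse_sysmon_hashes(ev["hashes"]) & IOC_HASHES):
            hits.append(("hash", digest))
    return hits


def scan_lines(lines):
    """Return [(line_number, hits)] for every line matching at least one IOC."""
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_event(parse_kv(line))
        if hits:
            results.append((n, hits))
    return results


# Constructed sample telemetry (not real logs). Lines 2 and 6 are benign
# look-alikes that a naive substring match would flag; line 5 carries an
# uppercase MD5 and a placeholder all-zero SHA256.
SAMPLE_LOGS = [
    "ts=2026-04-29T10:02:11Z src=10.0.0.5 dest_host=gateway.filen.io dest_ip=203.0.113.10",
    "ts=2026-04-29T10:03:40Z src=10.0.0.7 dest_host=notfilen.io dest_ip=198.51.100.4",
    "ts=2026-04-29T10:05:02Z src=10.0.0.9 dest_host=cdn.example.net dest_ip=45.94.47.204",
    "ts=2026-04-29T10:06:15Z src=10.0.0.12 url=https://arkypc.com/n8n/update",
    "ts=2026-04-29T10:07:30Z host=WS-42 file=C:\\Users\\a\\Downloads\\invoice.exe "
    "hashes=MD5=1AF5B25ACD2DF31F44A54FC8DCD85287,SHA256=" + "0" * 64,
    "ts=2026-04-29T10:08:00Z src=10.0.0.3 dest_host=arkypc.com.example.org dest_ip=192.0.2.9",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE_LOGS):
        print(f"line {n}: {hits}")
```

Feeding real proxy or EDR exports through `scan_lines` only requires adapting `parse_kv` to the export format; the matching functions are format-independent. Note that `gateway.filen.io` and `egest.filen.io` belong to a legitimate cloud storage provider, so a hit on them is a lead to investigate rather than proof of compromise, as the Sigma rule's false-positive note below also says.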
Detection Engineering
Sigma Rules
```yaml
---
title: PRISMEX Malware C2 Communication
id: 9b6c1d8b-7f8e-4a3d-9b1c-8d7e6a5b4c3a
description: Detects potential network communication with known PRISMEX C2 infrastructure based on the hostnames provided in the pulse.
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
status: stable
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains:
            - 'filen.io'
            - 'filen-1.net'
            - 'filen-2.net'
            - 'filen-3.net'
            - 'filen-4.net'
            - 'filen-5.net'
    condition: selection
falsepositives:
    - Legitimate use of the Filen cloud storage service (rare in targeted environments)
level: high
---
title: ValleyRAT Process Creation
id: a7d2e9f0-5c4b-4e1a-8a3d-7e6b9a5c4d3b
description: Detects the execution of a process whose Sysmon hash field matches a ValleyRAT sample from the campaign and that was spawned by a user application (Explorer, Word, Excel).
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
status: experimental
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        # Sysmon Hashes field is 'MD5=...,SHA256=...', so contains works for mixed digest types
        Hashes|contains:
            - '1af5b25acd2df31f44a54fc8dcd85287'
            - '244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db'
            - '8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72'
            - '55b99f0d438800cad8288d81d2808728ce1bec8c22c5346a38a513dc6728b4ba'
            - '12a0d942652609bce7319be6bf0135bb'
            - '21d9a30074d65babfef9e9e9684c6f5a'
            - '4f481a449ad050fea9ca3900118e5676'
    selection_parent:
        ParentImage|endswith:
            - '\\explorer.exe'
            - '\\winword.exe'
            - '\\excel.exe'
    condition: all of selection_*
falsepositives:
    - Unlikely; a full hash match with a known sample is a strong indicator
level: critical
---
title: AMOS Stealer Suspicious macOS Script Execution
id: 1e3f4a5b-6d7c-8e9a-0b1c-2d3e4f5a6b7c
description: Detects the execution of osascript with inline arguments consistent with the AMOS Stealer loader delivered via Cursor AI.
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
status: experimental
tags:
    - attack.execution
    - attack.t1059.002
logsource:
    category: process_creation
    product: macos
detection:
    selection:
        Image|endswith: '/osascript'
        # contains|all requires both fragments; a plain list would fire on any 'osascript -e'
        CommandLine|contains|all:
            - '-e'
            - 'tell application'
    condition: selection
falsepositives:
    - Legitimate use of osascript by users or admins
level: medium
---
title: AMOS Stealer Delivery Infrastructure Connection
# Placeholder id: generate a fresh UUID before deploying this rule
id: 00000000-0000-0000-0000-000000000000
description: Detects macOS network connections to the domains associated with AMOS Stealer delivery via Cursor AI. Split out of the process-creation rule above because a Sigma rule has a single logsource.
author: Security Arsenal
date: 2026/04/29
modified: 2026/04/29
status: experimental
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: macos
detection:
    selection:
        DestinationHostname|contains:
            - 'mpasvw.com'
            - 'arkypc.com'
    condition: selection
falsepositives:
    - Unknown
level: high
```
KQL (Microsoft Sentinel)
```kql
// Hunt for PRISMEX C2 traffic
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("filen.io", "filen-1.net", "filen-2.net", "filen-3.net", "filen-4.net", "filen-5.net")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| summarize count() by DeviceName, RemoteUrl, RemoteIP
| order by count_ desc
```

```kql
// Hunt for AMOS Stealer loader file creation
// in~ is an exact, case-insensitive match on the full digest; =~ does not expand wildcards, so use endswith for extensions
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in~ ("244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db", "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72")
    or FileName endswith ".applescript"
    or FileName endswith ".scpt"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, SHA256
| order by Timestamp desc
```
PowerShell Hunt Script
```powershell
<#
.SYNOPSIS
Hunt script for AMOS Stealer artifacts on macOS endpoints (run under PowerShell 7 / pwsh).
.DESCRIPTION
This script checks for files with known hashes and for network connections associated with the AMOS Stealer campaign.
#>
$KnownHashes = @(
    "312147c0ae0d555a4d50fa627ff7d4f3",
    "c54620dd3745fdeaff5ccc0db4132f11"
)
$SuspiciousDomains = @(
    "mpasvw.com",
    "arkypc.com"
)

# Check for files with known hashes. -File skips directories, which Get-FileHash cannot hash;
# -contains is case-insensitive, so the uppercase hex Get-FileHash returns still matches the list.
Write-Host "Hunting for files with known AMOS Stealer hashes..."
Get-ChildItem -Path / -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $KnownHashes -contains $hash) {
            Write-Host "Suspicious file found: $($_.FullName)"
        }
    }

# Check for suspicious network connections (requires lsof). Do not pass -n here: it suppresses
# name resolution, so the domain strings would never appear in the output and nothing would match.
Write-Host "Hunting for network connections to suspicious domains..."
foreach ($domain in $SuspiciousDomains) {
    $connections = lsof -i :80,443 | Select-String -SimpleMatch $domain
    if ($connections) {
        Write-Host "Suspicious connection to $domain found:"
        $connections | ForEach-Object { Write-Host $_ }
    }
}
```
Response Priorities
- Immediate:
  - Block all listed IOCs (hostnames, domains, IP addresses) at network perimeter devices (firewalls, proxies).
  - Initiate a hunt for the provided file hashes across all endpoints using EDR/SIEM capabilities.
  - Isolate any endpoints with confirmed detections.
- 24 Hours:
  - Conduct credential verification and forced password resets for accounts that may have been compromised by the AMOS Stealer or ValleyRAT campaigns.
  - Analyze the phishing emails related to the Silver Fox campaign to identify any other potential targets within the organization.
- 1 Week:
  - Patch systems vulnerable to CVE-2026-21509 and CVE-2026-21513 to mitigate the PRISMEX attack vector.
  - Review and harden AI agent configurations (e.g., Cursor) to prevent social-engineering-based code execution.
  - Conduct security awareness training focused on identifying spearphishing emails, particularly those related to financial and tax topics.