
Rhysida, INC RaaS, and SmartRAT: OTX Pulse Analysis — Multi-Vector Credential Theft Ecosystem

Security Arsenal Team
June 17, 2026

A significant convergence of ransomware and infostealer campaigns has been identified via OTX Pulse data. Key adversaries including INC Ransomware, Rhysida (Hive0163), and DragonForce are actively evolving their TTPs, leveraging novel delivery vectors such as weaponized Microsoft Teams relays, trojanized Steam Workshop content, and AI-generated typosquatting sites. The primary objective across these campaigns is credential theft for initial access, followed by deployment of Rust-based encryptors (INC, Rhysida) or persistent backdoors (SmartRAT, InterlockRAT).

Threat Actor & Malware Profile

Adversaries

  • INC Ransomware: A top-tier RaaS operation utilizing Rust-based cross-platform encryptors for Windows and Linux/ESXi. They exploit critical CVEs (e.g., CVE-2025-5777) for initial access and specialize in double-extortion.
  • Hive0163 / Rhysida: A sophisticated nexus utilizing custom malware like NodeSnake (Linux), InterlockRAT, and JunkFiction. They leverage a complex supply chain involving downloaders like MintLoader and crypters like Tomb.
  • DragonForce: A group weaponizing Microsoft Teams infrastructure. They use a custom Go-based RAT, Backdoor.Turn, to tunnel C2 traffic through legitimate MS Teams TURN relays, bypassing network inspection.
  • Unknown (SmartRAT/Steam): Campaigns targeting specific sectors (Finance in Brazil, Gamers globally) using commodity loaders like GhostLoader and trojanized game mods.

Malware Families

  • SmartRAT / GhostLoader: PowerShell-based banking trojans delivered via "ClickFix" fake CAPTCHA campaigns. GhostLoader acts as a shellcode loader to evade detection.
  • Lumma / Vidar / DarkComet: Information stealers distributed via malicious wallpapers on Steam Workshop, targeting browser sessions and crypto-wallets.
  • NodeSnake: A Linux trojan linked to Hive0163, used for establishing persistence on Unix-like systems prior to ransomware deployment.

IOC Analysis

Indicator Types

  • Domains: Typosquatted domains mimicking legitimate infrastructure (e.g., windowsupdate-cdn.com) and banking targets (crefisa.online). Onion domains associated with INC ransomware leak sites.
  • File Hashes: Numerous MD5, SHA1, and SHA256 hashes for loaders (MintLoader, GhostLoader), payloads (SmartRAT, DarkComet), and ransomware binaries.
  • CVEs: Identification of exploited vulnerabilities (CVE-2023-36036, CVE-2025-5777) used for foothold.
  • URLs: Direct download links from cloud storage (Dropbox, Google Drive) used in Steam Workshop attacks.

Operationalization

SOC teams should immediately:

  1. Blocklist: Add all domains and IPs to perimeter firewalls and secure web gateways (SWG).
  2. EDR Telemetry: Import SHA256 hashes into EDR solutions for immediate scanning of C:\Windows\Temp, user download folders, and startup directories.
  3. Vulnerability Management: Prioritize patching for CVE-2023-36036 and CVE-2025-5777 identified in the pulse data.

Detection Engineering

```yaml
---
title: Suspicious Process Spawn via Steam Wallpaper Engine
id: 48399c8b-1a3d-4e2f-9a5b-6c8d7e9f0a1b
description: Detects potential malware execution spawned by Wallpaper Engine or Steam processes, related to DarkComet/Lumma distribution.
status: experimental
date: 2026-06-17
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\Steam\'
      - 'WallpaperEngine.exe'
  selection_suspicious:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
    CommandLine|contains:
      - '-enc'
      - 'downloadstring'
      - 'iex'
  condition: selection and selection_suspicious
falsepositives:
  - Legitimate wallpaper scripts (rare)
level: high
tags:
  - attack.initial_access
  - attack.t1195
  - attack.execution
---
title: Microsoft Teams Spawning Uncommon Shells
id: 59111d9c-2b4e-5f3g-0b6c-7d9e0f1a2b3c
description: Detects Microsoft Teams spawning command shells or PowerShell, indicative of DragonForce Backdoor.Turn exploitation or side-loading.
status: experimental
date: 2026-06-17
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\Teams.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  filter:
    CommandLine|contains: 'Update.exe' # Known update mechanism
  condition: selection and not filter
falsepositives:
  - Administrative troubleshooting via Teams
level: high
tags:
  - attack.execution
  - attack.t1059
  - attack.persistence
---
title: PowerShell Encoded Command from Browser (ClickFix)
id: 6a222e0d-3c5f-6g4h-1c7d-8e0f1g2h3i4j
description: Detects suspicious encoded PowerShell commands launched by browsers, typical of ClickFix campaigns delivering SmartRAT.
status: experimental
date: 2026-06-17
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - ' -e '
      - ' -Enc '
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate web applications launching local utilities
level: critical
tags:
  - attack.initial_access
  - attack.t1566
  - attack.execution
```
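As an added example (not part of the original post), the three rules above re-expressed as Python predicates and run over constructed process-creation events. It makes two details concrete: the `selection and not filter` precedence in the Teams rule, and the fact that the ClickFix rule's `' -e '` / `' -Enc '` tokens depend on surrounding spaces. Field names follow the Sigma `process_creation` schema; every path, account name and command line is invented.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One Windows process_creation event, using Sigma field names."""
    ParentImage: str
    Image: str
    CommandLine: str

def contains_any(value, needles):
    # Sigma |contains: case-insensitive substring match, OR across the list
    v = value.lower()
    return any(n.lower() in v for n in needles)

def endswith_any(value, needles):
    # Sigma |endswith: case-insensitive suffix match, OR across the list
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def steam_wallpaper_rule(e):
    selection = contains_any(e.ParentImage, ['\\Steam\\', 'WallpaperEngine.exe'])
    suspicious = (endswith_any(e.Image, ['\\cmd.exe', '\\powershell.exe', '\\rundll32.exe', '\\regsvr32.exe'])
                  and contains_any(e.CommandLine, ['-enc', 'downloadstring', 'iex']))
    return selection and suspicious

def teams_shell_rule(e):
    selection = (endswith_any(e.ParentImage, ['\\Teams.exe'])
                 and endswith_any(e.Image, ['\\cmd.exe', '\\powershell.exe', '\\wscript.exe', '\\cscript.exe']))
    filtered = contains_any(e.CommandLine, ['Update.exe'])  # 'condition: selection and not filter'
    return selection and not filtered

def clickfix_rule(e):
    return (contains_any(e.ParentImage, ['\\chrome.exe', '\\msedge.exe', '\\firefox.exe'])
            and endswith_any(e.Image, ['\\powershell.exe'])
            and contains_any(e.CommandLine, [' -e ', ' -Enc ', 'FromBase64String']))

RULES = {'steam_wallpaper': steam_wallpaper_rule, 'teams_shell': teams_shell_rule, 'clickfix': clickfix_rule}

def evaluate(events):
    """Return {rule_name: [indices of events that fire the rule]}."""
    return {name: [i for i, e in enumerate(events) if rule(e)] for name, rule in RULES.items()}

# Constructed sample telemetry (hypothetical paths, no real indicators)
PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
TEAMS = r'C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe'
CHROME = r'C:\Program Files\Google\Chrome\Application\chrome.exe'
SAMPLE_EVENTS = [
    Event(r'C:\Program Files (x86)\Steam\steam.exe', PS, 'powershell -enc QUFBQQ=='),           # fires steam_wallpaper
    Event(TEAMS, r'C:\Windows\System32\cmd.exe', 'cmd.exe /c whoami'),                        # fires teams_shell
    Event(TEAMS, r'C:\Windows\System32\cmd.exe', 'cmd.exe /c Update.exe --processStart Teams.exe'),  # suppressed by filter
    Event(CHROME, PS, 'powershell -w hidden -e QUFBQQ=='),                                     # fires clickfix
    Event(CHROME, PS, 'powershell -EncodedCommand QUFBQQ=='),  # long-form switch is outside the rule's token list
]

if __name__ == '__main__':
    print(evaluate(SAMPLE_EVENTS))  # {'steam_wallpaper': [0], 'teams_shell': [1], 'clickfix': [3]}
```

The last event shows why rule tokens should be reviewed against the full parameter spelling the shell accepts before the rule is promoted from experimental.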


```kql
// Hunt for network connections to known malicious domains from DragonForce/INC campaigns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in~ (
    "crefisa.online",
    "windowsupdate-cdn.com",
    "incblog.su"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP

// Hunt for file hashes associated with Interlock/Steam malware
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in~ (
    "333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c",
    "6cd349eda0fa6c8b274a0920852c68f8b727afea1fdbc69ad183cef05d9cf141",
    "fc586cad94e5a10dd5be6a6ae6096bd02dfbfd094365bec87e788ed0798d6f67"
)
| project Timestamp, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessAccountName
```


```powershell
# IOC Hunt Script: Steam Workshop Malware & Persistence
# Checks for suspicious archives/scripts in Steam Workshop directories and for
# known-bad MD5 hashes in the user's Downloads folder.

# ${env:ProgramFiles(x86)} is the 32-bit Program Files root on 64-bit Windows;
# the braces are required because the variable name contains parentheses.
$WorkshopPaths = @(
    "${env:ProgramFiles(x86)}\Steam\steamapps\workshop",
    "$env:ProgramFiles\Steam\steamapps\workshop"
)
# Archive and script types that have no place inside wallpaper/mod content
$MaliciousExtensions = @(".rar", ".zip", ".bat", ".cmd", ".vbs", ".js")
# MD5 values from the pulse data; compared in lowercase below
$SuspiciousHashes = @(
    "18dedc0009f0927cba6425c84cce9883",
    "5620f01284329f561b1839a36be55355",
    "74414ed4b63aadec039b603c32762b80"
)

Write-Host "[+] Scanning Steam Workshop Directories for suspicious archives/scripts..."
foreach ($Path in $WorkshopPaths) {
    if (Test-Path $Path) {
        # -File skips directories, whose empty Extension would never match anyway
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
            $MaliciousExtensions -contains $_.Extension
        } | ForEach-Object {
            Write-Host "[!] Suspicious file found: $($_.FullName)"
        }
    }
}

Write-Host "[+] Scanning Downloads folder for known IOCs..."
$DownloadsPath = "$env:USERPROFILE\Downloads"
if (Test-Path $DownloadsPath) {
    Get-ChildItem -Path $DownloadsPath -File -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
        if ($SuspiciousHashes -contains $hash) {
            Write-Host "[CRITICAL] Known malware sample found: $($_.FullName) with hash $hash"
        }
    }
}
```


Response Priorities

Immediate

  • Block Indicators: Push all listed domains and IPs to NGFW and proxy blocklists.
  • Artifact Hunting: Run the PowerShell hunt script on endpoints associated with high-risk users (Finance, DevOps) to identify Steam Workshop malware.

24 Hours

  • Identity Audit: Review Active Directory logs for impossible travel logins or mass authentication failures, indicative of credential dumping by Vidar or SmartRAT.
  • Vulnerability Scan: Verify patch status for CVE-2023-36036 (Exchange) and CVE-2025-5777 within the environment.

1 Week

  • Application Control: Implement strict allow-listing for Microsoft Teams to prevent DLL side-loading and unauthorized child processes.
  • User Awareness: Release specific security bulletins regarding "Fake CAPTCHA" (ClickFix) and Steam Workshop risks.
