Back to Intelligence

Rise of AI-Themed Credential Theft & Sophisticated Infostealers: Gremlin, Lumma, SilabRAT Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 15, 2026
8 min read

Recent OTX pulses highlight a concerning convergence of tactics: financially motivated actors are leveraging the "AI hype cycle" for initial access while simultaneously deploying increasingly sophisticated obfuscation techniques to evade detection. The intelligence points to three primary vectors of concern:

  1. AI-Themed Social Engineering (Storm-3075): Actors are aggressively impersonating platforms like ChatGPT, DeepSeek, and Claude via SEO poisoning and malvertising to distribute Vidar and Lumma Stealers.
  2. Resource-Based Obfuscation (Gremlin Stealer): A technical evolution in hiding payloads within application resource files and utilizing custom virtual machines (instruction virtualization) to bypass static analysis.
  3. New MaaS Offerings (SilabRAT): The emergence of a high-end ($5k/mo) Malware-as-a-Service tool specifically designed for credential theft and cryptocurrency manipulation, featuring HVNC (Hidden VNC) for stealthy remote control.

Collectively, these campaigns aim to harvest browser sessions, cryptocurrency wallets, and corporate credentials, often facilitated by loaders like HijackLoader and GuLoader. The objective is clear: financial gain through direct theft, fraud, or selling access on dark web forums.

Threat Actor / Malware Profile

Malware Families

  • Gremlin Stealer:
    • Distribution: Phishing emails, malicious attachments.
    • Payload Behavior: Siphons payment card details, browser data, and session tokens. Uses embedded resource files to hide malicious payloads.
    • Obfuscation: Employs commercial packing utilities with instruction virtualization, transforming code into custom bytecode executed by a private VM to thwart emulation and analysis.
  • Lumma Stealer (via Storm-3075):
    • Distribution: Malvertising, SEO poisoning, fake AI software downloads.
    • Payload Behavior: Information stealer targeting browser data, crypto wallets, and 2FA session cookies.
    • Loader: Delivered via Hijack Loader to bypass security controls.
  • SilabRAT (by o1oo1):
    • Distribution: Sold on dark web forums, delivered by HijackLoader.
    • Payload Behavior: Advanced RAT with HVNC for invisible remote control. Features browser profile cloning to bypass session protection mechanisms.
    • Persistence: Uses AsmCrypt for encryption and likely registry run keys or scheduled tasks.

Adversaries

  • Storm-3075: A financially motivated group leveraging AI brands to trick users into downloading malware like Vidar and Lumma Stealer.
  • o1oo1: The developer of SilabRAT, operating a MaaS model targeting high-value credential theft and crypto assets.
  • UAT-5616: While focused on Cisco vulnerabilities, the use of webshells (Behinder, Godzilla) and loaders (Sliver) indicates an overlap in tooling with credential theft actors looking for persistence.

IOC Analysis

The provided pulses include a diverse set of indicators:

  • File Hashes (SHA256, SHA1, MD5): Crucial for EDR correlation. Many samples are packed, so hash-based detection may be limited to the dropper. Operationalization involves blocking these hashes at the endpoint and scanning historical logs for execution attempts.
  • Domains & Hostnames (e.g., brokeapt.com, rongtv.xyz): Likely C2 or payload delivery infrastructure. These should be immediately sinkholed or blocked at the network perimeter (DNS/Proxy).
  • CVEs (e.g., CVE-2026-20128): While direct IOCs are limited, these provide context on exploitation attempts. Network traffic targeting specific paths associated with these CVEs on Cisco SD-WAN devices should be flagged.

Operational Guidance: SOC teams should prioritize the domain blocks and use the file hashes to query EDR telemetry for any execution history. The prevalence of loaders (HijackLoader, GuLoader) suggests that behavioral detection (process chains) will be more effective than static IOCs alone.

Detection Engineering

Sigma Rules

YAML
---
title: Potential Gremlin Stealer Execution via Resource Access
id: 42f8c1c2-1e0b-4b3a-8f9d-1a2b3c4d5e6f
description: Detects suspicious processes accessing resources in other executables, a technique used by Gremlin Stealer to hide payloads.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\powershell.exe'
            - '\cmd.exe'
            - '\regsvr32.exe'
    filter_legit:
        CommandLine|contains:
            - 'windows'
            - 'system32'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate software installers
level: high
---
title: AI-Themed Malware Distribution Suspicious Process Chain
id: 51f9d2d3-2f1c-5c4b-0g0e-2b3c4d5e6f7a
description: Detects process chains often associated with malvertising leading to AI-themed malware drops, involving specific loaders like HijackLoader.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.initial_access
    - attack.t1566
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith:
            - '\mshta.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
    selection_keyword:
        CommandLine|contains:
            - 'ChatGPT'
            - 'DeepSeek'
            - 'Claude'
            - 'AI'
            - 'Copilot'
    condition: all of selection_*
falsepositives:
    - Legitimate AI software installation (rare via these vectors)
level: critical
---
title: SilabRAT HVNC or Browser Profile Cloning Activity
id: 62g0e3e4-3g2d-6d5c-1h0f-3c4d5e6f7g8b
description: Detects potential Remote Access Trojan activity associated with browser profile cloning or HVNC used by SilabRAT.
status: experimental
date: 2026/06/15
author: Security Arsenal
references:
    - https://otx.alienvault.com/
tags:
    - attack.credential_access
    - attack.t1056
    - attack.t1219
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Windows\CurrentVersion\Run'
            - '\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        Details|contains:
            - '-hvnc'
            - '-clone'
            - 'browser'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for AI-themed malvertising and potential Stealer execution
// Focus on processes spawned by common scripting hosts or downloaders
letSuspiciousProcesses = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName in~ ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "regsvr32.exe")
    | where ProcessCommandLine has_any ("ChatGPT", "DeepSeek", "Claude", "Copilot", "AI", "discord", "telegram", "steam") 
    | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, SHA256
);
// Correlate with network connections to known C2 infrastructure or suspicious domains
let NetworkConnections = 
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl in~ ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz") or RemoteIP == "91.199.163.124"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessSHA256;
// Join process creation with network connections
SuspiciousProcesses
| join kind=inner (NetworkConnections) on $left.DeviceName == $right.DeviceName
| project Timestamp, DeviceName, AccountName, ProcessFileName, ProcessCommandLine, SHA256, RemoteUrl, RemoteIP
| order by Timestamp desc

PowerShell IOC Hunt Script

PowerShell
# SilabRAT & Stealer IOC Hunt Script
# Scans for file presence, suspicious registry run keys, and network connections

Write-Host "Starting SilabRAT & Stealer IOC Hunt..." -ForegroundColor Cyan

# 1. Check for specific File Hashes (Gremlin Stealer, SilabRAT samples)
$TargetHashes = @(
    "1bd0a200528c82c6488b4f48dd6dbc818d48782a2e25ccd22781c5718c3f62f5",
    "2172dae9a5a695e00e0e4609e7db0207d8566d225f7e815fada246ae995c0f9b",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)

$FoundFiles = @()
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Length -gt 0) {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -in $TargetHashes) {
            $FoundFiles += $_.FullName
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $hash)" -ForegroundColor Red
        }
    }
}

if ($FoundFiles.Count -eq 0) { Write-Host "No files with known malicious hashes found." -ForegroundColor Green }

# 2. Check for suspicious persistence in Registry (Run keys for SilabRAT/Stealers)
$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

Write-Host "Checking Registry Run Keys for suspicious persistence..." -ForegroundColor Cyan
foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        Get-Item -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
            $_.Property | ForEach-Object {
                $Value = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$_
                # Basic heuristics for suspicious entries (e.g., powershell, cmd, obscure paths)
                if ($Value -match "powershell|cmd.exe|/c| -enc| -w hidden|discord|steam|telegram") {
                    Write-Host "[!] SUSPICIOUS REGISTRY VALUE: $Path - Property: $_ - Value: $Value" -ForegroundColor Yellow
                }
            }
        }
    }
}

# 3. Check for active network connections to known bad IPs/domains
$BadDomains = @("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")
$BadIP = "91.199.163.124"

Write-Host "Checking active network connections to known C2 infrastructure..." -ForegroundColor Cyan
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | 
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

foreach ($Conn in $Connections) {
    $ProcessName = (Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $RemoteHostName = Resolve-DnsName -Name $Conn.RemoteAddress -DnsOnly -ErrorAction SilentlyContinue | Select-Object -ExpandProperty NameHost -ErrorAction SilentlyContinue
    
    if ($BadDomains -contains $RemoteHostName -or $Conn.RemoteAddress -eq $BadIP) {
        Write-Host "[!] C2 CONNECTION DETECTED: Remote IP: $($Conn.RemoteAddress) ($RemoteHostName), Process: $ProcessName" -ForegroundColor Red
    }
}

Write-Host "Hunt complete." -ForegroundColor Cyan

Response Priorities

  • Immediate:

    • Block IOCs: Immediately block all listed domains (brokeapt.com, rongtv.xyz, ssffaa19.xyz) and IPs (91.199.163.124) at the perimeter firewall and proxy.
    • Hunt for Execution: Use the PowerShell script and EDR queries to hunt for the presence of the file hashes and suspicious process chains identified above. Isolate any confirmed infected endpoints.

  • 24 Hours:

    • Identity Verification: If credential-stealing malware (Lumma, Vidar, Gremlin, SilabRAT) is confirmed to have executed, assume credentials for browsers, email, and crypto wallets are compromised. Initiate forced password resets and MFA re-enrollment for affected accounts, focusing on users with potential AI-software download history.
    • Review Access Logs: Correlate the timeline of potential infection with access logs for critical systems to identify any lateral movement or data exfiltration attempts.

  • 1 Week:

    • Architecture Hardening: Implement application allow-listing (e.g., AppLocker) to prevent execution of unauthorized binaries and scripts. Restrict the use of scripting engines (PowerShell, WSH) to only necessary administrative accounts.
    • User Awareness: Deploy security awareness training specifically focusing on identifying AI-themed social engineering and malvertising. Warn users against downloading "AI" software from unofficial sources.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealermalware-as-a-servicecredential-harvestingsocial-engineeringsupply-chain-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action