Back to Intelligence

SilabRAT, Injective SDK Supply Chain Attack, and Albiriox Android Trojan: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 10, 2026
9 min read

Live OTX pulses from July 10, 2026, reveal a coordinated surge in credential theft and financial malware campaigns targeting both enterprise development environments and end-user mobile banking. The intelligence highlights three distinct but financially motivated vectors: the distribution of SilabRAT, a sophisticated Malware-as-a-Service (MaaS) Remote Access Trojan; a supply chain compromise of the Injective Labs TypeScript SDK npm package; and an Albiriox Android banking trojan campaign targeting Italian financial institutions.

Collectively, these campaigns demonstrate a shift towards high-impact credential harvesting. SilabRAT employs advanced techniques like HVNC and browser profile cloning to hijack active sessions, while the npm attack targets developers to exfiltrate wallet keys and mnemonics directly from the build pipeline. Meanwhile, the Albiriox campaign utilizes social engineering and Telegram to deliver mobile banking overlays, directly intercepting 2FA SMS codes. The primary objective across all vectors is the theft of cryptocurrency and financial credentials for immediate monetization.

Threat Actor / Malware Profile

SilabRAT (o1oo1)

  • Type: Remote Access Trojan (RAT) / Infostealer
  • Actor: o1oo1
  • Cost: $5,000/month (MaaS)
  • Distribution: Darkweb forums, likely via phishing or initial access brokers.
  • Payload Behavior: Features Hidden Virtual Network Computing (HVNC) for invisible remote control. It performs browser profile cloning to bypass session protections, stealing active session cookies and credentials.
  • C2 Communication: Standard HTTP/HTTPS C2 beacons (likely encrypted).
  • Persistence: Mechanisms typical of RATs, including registry run keys or scheduled tasks.
  • Anti-Analysis: Uses AsmCrypt for pack obfuscation and HijackLoader for payload loading to evade detection.

Compromised Injective SDK npm Package

  • Type: Supply Chain Attack / Infostealer
  • Actor: Unknown (compromised developer account)
  • Distribution: Public npm registry (@injective/sdk v1.20.21).
  • Payload Behavior: Malicious code is embedded within a legitimate-looking library. It hooks key generation functions to capture cryptocurrency wallet private keys and mnemonic phrases as they are generated or used by the application.
  • C2 Communication: Exfiltrates captured data via HTTP/HTTPS POST requests to a hardcoded C2 server (testnet.archival.chain.grpc-web.injective.network).
  • Persistence: N/A (runs as part of the legitimate application process).
  • Anti-Analysis: Disguised within open-source code, making static analysis difficult without diffing against a known-good version.

Albiriox Android Banking Trojan

  • Type: Android Banking Trojan
  • Actor: Unknown
  • Distribution: Social engineering via a fraudulent banking domain offering rewards, leading users to a Telegram bot that delivers a malicious APK outside official stores.
  • Payload Behavior: Acts as a dropper for the Albiriox payload. Uses overlay attacks to create fake login screens over legitimate banking apps, stealing credentials. Abuses Android Accessibility Services to grant permissions and intercept SMS messages, including 2FA codes.
  • C2 Communication: Receives commands and updates configuration from a C2 server to target specific banking apps.
  • Persistence: Requests battery optimization exclusion and other permissions to remain running in the background.
  • Anti-Analysis: Potentially uses packers/obfuscators for the dropper and payload to evade AV detection.

IOC Analysis

The provided IOCs are primarily file hashes and a few network indicators. SOC teams can operationalize these in several ways:

  • File Hashes (SHA256, MD5): These are high-fidelity indicators for post-compromise detection. Upload them to EDR solutions (e.g., CrowdStrike, SentinelOne, Microsoft Defender) to create custom detections for file creation and execution events. They can also be used to scan forensic images or backups for evidence of compromise.
  • Network Indicators (URL, Hostname): The URL and hostname for the Injective SDK C2 (testnet.archival.chain.grpc-web.injective.network) should be blocked on network perimeter devices (firewalls, secure web gateways) and within internal DNS resolvers. SIEM correlations can be created to alert on any internal hosts attempting to connect to this domain.
  • Tooling: These IOCs can be ingested into threat intelligence platforms (TIPs) like MISP or Anomali, and then pushed to security controls via STIX/TAXII feeds. Tools like yara can generate rules from the file hashes for scanning endpoints and file servers.

Detection Engineering

YAML
---
title: Potential SilabRAT Execution via HijackLoader
id: 46b055f2-8d7e-423a-8209-6b64e14c0f94
status: experimental
description: Detects potential execution patterns associated with SilabRAT, often delivered by HijackLoader. The rule looks for a suspicious child process launched from a signed binary, a common loader technique.
references:
    - https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
author: Security Arsenal
date: 2026/07/10
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1204  # User Execution
    - attack.t1059  # Command and Scripting Interpreter
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\powershell.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
    filter_legit:
        CommandLine|contains:
            - 'C:\Windows\'
            - 'C:\Program Files'
            - 'C:\Program Files (x86)'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative scripts
level: high
---
title: Injective SDK Malicious Package Exfiltration
id: 1c2b3f4a-5d6e-7890-1a2b-3c4d5e6f7a8b
status: experimental
description: Detects potential exfiltration of data to a known malicious C2 domain associated with the compromised Injective SDK npm package.
references:
    - https://socket.dev/blog/compromised-injective-sdk-npm-package
author: Security Arsenal
date: 2026/07/10
tags:
    - attack.exfiltration
    - attack.command_and_control
    - attack.t1041  # Exfiltration Over C2 Channel
    - attack.t1071  # Application Layer Protocol
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: 'injective.network'
        DestinationPort: 443
    condition: selection
falsepositives:
    - Legitimate traffic to Injective Labs services (verify hostname)
level: critical
---
title: Albiriox Android Trojan Accessibility Service Abuse
id: 8f7e6d5c-4b3a-2c1d-0e9f-8a7b6c5d4e3f2
status: experimental
description: Detects the suspicious granting of runtime permissions to an Android Accessibility Service, a common technique for banking trojans like Albiriox to perform overlay attacks and steal SMS 2FA codes.
references:
    - https://www.d3lab.net/fake-banking-rewards-telegram-delivery-and-albiriox-anatomy-of-an-android-malware-campaign/
author: Security Arsenal
date: 2026/07/10
tags:
    - attack.privilege_escalation
    - attack.initial_access
    - attack.t1204  # User Execution
logsource:
    product: android
    service: google_play_protect
detection:
    selection:
        EventID: 1103 # Permission granted
        Permission|contains: 'android.permission.BIND_ACCESSIBILITY_SERVICE'
    filter_legit_apps:
        AppPackageName|contains:
            - 'com.google'
            - 'com.android'
            - 'com.samsung'
    condition: selection and not filter_legit_apps
falsepositives:
    - Legitimate accessibility apps for users with disabilities
level: high


kql
// KQL Hunt for Injective SDK Malicious Activity and Network Connections
// Target tables: DeviceNetworkEvents, DeviceProcessEvents, SecurityEvent

// 1. Hunt for network connections to the malicious C2 domain
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains "injective.network" or RemoteDomain contains "injective.network"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemotePort, RemoteIP

// 2. Hunt for process execution of node/npm that could be using the compromised package
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessName has "node.exe" or ProcessName has "npm.cmd"
| where ProcessCommandLine has "injective-sdk" or ProcessCommandLine has "@injective"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

// 3. Hunt for suspicious PowerShell execution, a common SilabRAT delivery mechanism
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessName == "powershell.exe"
| where ProcessCommandLine has "Invoke-Expression" or ProcessCommandLine has "IEX" or ProcessCommandLine has "DownloadString"
| where ProcessCommandLine has "-enc" // Base64 encoded commands, a strong obfuscation indicator
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, SHA256


powershell
# PowerShell IOC Hunt Script for SilabRAT and Injective SDK
# Checks for known file hashes, suspicious processes, and network connections
# Requires Administrator privileges

Write-Host "Starting IOC Hunt for SilabRAT and Injective SDK..." -ForegroundColor Cyan

# Define known malicious file hashes from the pulse
$maliciousHashes = @(
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
    "103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
    "9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)

# Check for processes with malicious hashes
Write-Host "Checking for running processes with known malicious hashes..." -ForegroundColor Yellow
Get-Process | ForEach-Object {
    $process = $_
    try {
        $fileHash = (Get-FileHash -Path $process.Path -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
        if ($maliciousHashes -contains $fileHash) {
            Write-Host "ALERT: Malicious process found!" -ForegroundColor Red
            Write-Host "PID: $($process.Id), Name: $($process.ProcessName), Path: $($process.Path), Hash: $fileHash" -ForegroundColor Red
            # Terminate the malicious process
            $process.Kill()
            Write-Host "Terminated malicious process PID $($process.Id)." -ForegroundColor Green
        }
    } catch {
        # Ignore errors for processes we can't access
    }
}

# Check for suspicious network connections to the Injective C2 domain
Write-Host "Checking for active network connections to the malicious C2 domain..." -ForegroundColor Yellow
Get-NetTCPConnection | ForEach-Object {
    $conn = $_
    try {
        $remoteAddress = (Get-Process -Id $conn.OwningProcess -ErrorAction Stop).ProcessName
        $remoteHostName = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName
        if ($remoteHostName -like "*injective.network*") {
            Write-Host "ALERT: Suspicious network connection detected!" -ForegroundColor Red
            Write-Host "PID: $($conn.OwningProcess), RemoteAddress: $($conn.RemoteAddress), RemoteHostName: $remoteHostName, State: $($conn.State)" -ForegroundColor Red
        }
    } catch {
        # Ignore errors for connections we can't resolve
    }
}

# Scan common application directories for files with malicious hashes
$scanPaths = @("C:\Program Files", "C:\Program Files (x86)", "$env:USERPROFILE\AppData")
Write-Host "Scanning common directories for files with known malicious hashes..." -ForegroundColor Yellow
foreach ($path in $scanPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            try {
                $fileHash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash.ToLower()
                if ($maliciousHashes -contains $fileHash) {
                    Write-Host "ALERT: Malicious file found on disk!" -ForegroundColor Red
                    Write-Host "Path: $($file.FullName), Hash: $fileHash" -ForegroundColor Red
                    # Quarantine the file (move to a safe location)
                    $quarantinePath = "C:\Quarantine\"
                    if (-not (Test-Path $quarantinePath)) { New-Item -ItemType Directory -Path $quarantinePath | Out-Null }
                    Move-Item -Path $file.FullName -Destination "$quarantinePath\$(Split-Path $file.FullName -Leaf)" -Force
                    Write-Host "File quarantined to $quarantinePath." -ForegroundColor Green
                }
            } catch {
                # Ignore errors for files we can't scan
            }
        }
    }
}

Write-Host "IOC hunt complete." -ForegroundColor Cyan

Response Priorities

  • Immediate: Block the identified network IOCs (URLs, hostnames) at the perimeter. Push all malicious file hashes to EDR and antivirus solutions for immediate blocking. Initiate a hunt for the identified processes and files on endpoints.
  • 24h: For organizations using the Injective Labs SDK, conduct an immediate audit to identify usage of the malicious package version (@injective/sdk v1.20.21). Force a reinstall from a clean source if the package is found. Force a password reset for all developers with access to the npm registry. If SilabRAT is suspected, perform identity verification and credential resets for all user accounts on affected systems, prioritizing those with access to financial or cryptocurrency assets.
  • 1 Week: Architect a software supply chain security program, including Software Bill of Materials (SBOM) generation and integrity checks for all third-party libraries. Implement security awareness training focused on identifying phishing and social engineering campaigns, particularly those related to financial rewards and messaging platforms like Telegram. Enforce mobile device management (MDM) policies to prevent installation of apps from untrusted sources.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialssilabratinjective-sdkalbirioxsupply-chain-attackinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.