
SilabRAT MaaS & AI-Themed Infostealer Operations: Storm-3075 & o1oo1 Analysis

Security Arsenal Team
June 10, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a coordinated surge in cybercriminal activity leveraging the artificial intelligence hype cycle to distribute advanced information stealers and Remote Access Trojans (RATs). Threat actors Storm-3075 and TroyDen are utilizing AI-themed social engineering lures (impersonating ChatGPT, DeepSeek, Copilot) and poisoned GitHub repositories to deliver payloads like Vidar, Lumma Stealer, and Redline. Concurrently, the actor o1oo1 is marketing SilabRAT, a sophisticated MaaS offering featuring Hidden VNC (HVNC) and browser profile cloning, specifically targeting cryptocurrency wallets and session hijacking. The collective objective is financial theft via credential harvesting and session takeover across the Finance, Technology, and Retail sectors.

Threat Actor / Malware Profile

Adversaries:

  • Storm-3075: A financially motivated group employing malvertising and SEO poisoning to impersonate AI brands. They utilize complex attack chains involving "Hijack Loader" to deploy payloads like Vidar and Lumma Stealer.
  • o1oo1: The developer behind SilabRAT, operating a Malware-as-a-Service model on dark web forums ($5,000/month subscription). Focuses on stealth and persistent access.
  • TroyDen: A threat actor using AI-generated lures on GitHub to distribute LuaJIT-based infostealers to developers and gamers.

Malware Families:

  • SilabRAT: An advanced RAT featuring HVNC for invisible remote control, browser profile cloning to bypass MFA/session protections, and automated cryptocurrency wallet theft. It uses Hijack Loader and AsmCrypt for obfuscation.
  • Lumma Stealer / Vidar / Redline: Information stealers designed to exfiltrate browser cookies, passwords, cryptocurrency wallet data, and 2FA session tokens. Often distributed via loader malware.
  • Hijack Loader: A shellcode-based loader used to decrypt and execute subsequent payloads (like SilabRAT or Lumma) in memory to evade disk-based scanning.

Distribution Methods:

  • AI-Themed Phishing: Fake websites mimicking popular AI tools distributed via search engine optimization (SEO) poisoning and malvertising.
  • GitHub Repositories: TroyDen utilizes AI-generated lure names (using biological taxonomy) to trick developers into downloading malicious packages containing LuaJIT-based malware.
  • Dark Web Forums: SilabRAT is sold directly to other criminals, expanding its reach.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a multi-stage attack infrastructure:

  • Domains/Hostnames (e.g., brokeapt.com, rongtv.xyz): Likely used for phishing landing pages, malvertising redirectors, or Command and Control (C2) communication for initial loaders.
  • IPv4 (91.199.163.124): A dedicated C2 server IP associated with the SilabRAT infrastructure.
  • File Hashes (SHA256): Multiple samples corresponding to the payload executables (SilabRAT, Stealers) and loaders.

Operationalization: SOC teams should immediately block the listed domains and IP addresses at the perimeter (firewall, DNS, web proxy) and load the file hashes into EDR for quarantine hunts. The hostnames suggest possible dynamic DNS usage, so network detection for suspicious DNS queries to .xyz TLDs or to similar non-corporate resolvers is also recommended.
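The IOC matching described above, as an added example that is not part of the original report: it parses constructed DNS-resolver and web-proxy log lines (the key=value format is an assumption), raises a high-severity hit for the report's domains and C2 IP, and adds the low-severity .xyz TLD watch the report recommends. Subdomains of an IOC domain match on label boundaries, so look-alikes such as notbrokeapt.com do not.

```python
"""Match the report's network IOCs against sample DNS and proxy log lines.

Added example, not part of the original report. Log lines are constructed;
the domains and IP are those listed in the IOC section.
"""
import ipaddress
import re
from typing import List, Optional, Set

# Indicators from the IOC section of the report.
IOC_DOMAINS: Set[str] = {"brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"}
IOC_IPS = {ipaddress.ip_address("91.199.163.124")}
WATCH_TLDS: Set[str] = {"xyz"}  # weak signal only; tune per environment

# Constructed sample log lines: resolver queries and proxy CONNECT/GET records.
SAMPLE_LOGS = """\
2026-06-10T08:01:12Z dns client=10.0.4.17 query=cdn.brokeapt.com type=A
2026-06-10T08:01:13Z dns client=10.0.4.17 query=www.example.org type=A
2026-06-10T08:02:40Z proxy client=10.0.4.17 dst=91.199.163.124:443 host=- method=CONNECT
2026-06-10T08:03:05Z dns client=10.0.9.2 query=notbrokeapt.com type=A
2026-06-10T08:05:51Z proxy client=10.0.9.2 dst=203.0.113.5:443 host=example.com method=GET
2026-06-10T08:06:10Z dns client=10.0.9.2 query=login.rongtv.xyz type=AAAA
2026-06-10T08:07:22Z dns client=10.0.9.2 query=cdn.somehost.xyz type=A
""".splitlines()

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<ts> <source> k=v k=v ...' into a dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def domain_matches(name: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that `name` equals or is a subdomain of, else None.
    Matching on label boundaries keeps 'notbrokeapt.com' from matching."""
    name = name.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def ip_matches(hostport: str) -> Optional[str]:
    """Compare the address part of 'ip:port' against the IOC IP set."""
    host = hostport.rsplit(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(addr) if addr in IOC_IPS else None


def classify(event: dict) -> Optional[dict]:
    """Return a hit record for one parsed event, or None."""
    ioc = None
    if event["source"] == "dns":
        ioc = domain_matches(event["query"], IOC_DOMAINS)
        if ioc is None and event["query"].rsplit(".", 1)[-1].lower() in WATCH_TLDS:
            return {"ts": event["ts"], "client": event["client"],
                    "indicator": event["query"], "severity": "low", "reason": "tld-watch"}
    elif event["source"] == "proxy":
        ioc = ip_matches(event["dst"])
        if ioc is None and event.get("host", "-") != "-":
            ioc = domain_matches(event["host"], IOC_DOMAINS)
    if ioc is None:
        return None
    return {"ts": event["ts"], "client": event["client"],
            "indicator": ioc, "severity": "high", "reason": "ioc-match"}


def find_hits(lines) -> List[dict]:
    """Run every line through the parser and classifier; keep only hits."""
    return [hit for hit in (classify(parse_line(line)) for line in lines) if hit]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOGS):
        print(f"{hit['severity']:4} {hit['ts']} {hit['client']} -> {hit['indicator']} ({hit['reason']})")
```

On the sample lines this yields three high-severity hits (the brokeapt.com subdomain, the C2 IP over CONNECT, the rongtv.xyz subdomain) and one low-severity tld-watch entry; the look-alike and the ordinary example.com traffic produce nothing.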

Detection Engineering

YAML
---
title: Potential Hijack Loader Shellcode Execution
id: 9b08e3a4-5a3d-4b21-8f1c-6e7d8f9a0b1c
description: Detects process execution patterns often associated with Hijack Loader loading shellcode via control panel applets or rundll32.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666666666666
tags:
    - attack.defense_evasion
    - attack.t1218.002
    - attack.t1218.010
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_host:
        Image|endswith:
            - '\\rundll32.exe'
            - '\\regsvr32.exe'
            - '\\control.exe'
    selection_ext:
        CommandLine|contains:
            - '.cpl'
            - '.dll'
    # process_creation events (Sysmon EID 1, Security 4688) carry no signature
    # fields, and the host binaries above are always Microsoft-signed, so a
    # Signed/Publisher filter would suppress every hit. Key on the library
    # location instead: loaders stage their DLL/CPL under user-writable paths.
    selection_path:
        CommandLine|contains:
            - '\\Users\\'
            - '\\ProgramData\\'
            - '\\Temp\\'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration
level: high
---
title: SilabRAT Browser Profile Cloning Activity
id: c7d2e5f8-9a4b-4c3d-8e6f-1a2b3c4d5e6f
description: Detects non-browser processes accessing browser profile directories (User Data, Local Storage), a behavior indicative of SilabRAT and stealers.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666666666667
tags:
    - attack.credential_access
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\\Google\\Chrome\\User Data\\Default\\'
            - '\\Mozilla\\Firefox\\Profiles\\'
            - '\\BraveSoftware\\Brave-Browser\\User Data\\Default\\'
    filter_browser:
        Image|endswith:
            - '\\chrome.exe'
            - '\\firefox.exe'
            - '\\brave.exe'
            - '\\msedge.exe'
    condition: selection and not filter_browser
falsepositives:
    - Backup software
    - Legitimate browser sync utilities
level: high
---
title: AI-Themed Phishing Lure Execution
id: d1e2f3a4-5b6c-7d8e-9f0a-1b2c3d4e5f6a
description: Detects execution of suspicious processes with arguments containing AI branding (ChatGPT, Copilot, etc.) often used in Storm-3075 campaigns.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/666666666665
tags:
    - attack.initial_access
    - attack.t1189
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'ChatGPT'
            - 'DeepSeek'
            - 'Claude'
            - 'Copilot'
    filter_legit:
        Image|endswith:
            - '\\chrome.exe'
            - '\\msedge.exe'
            - '\\Code.exe' # VS Code referencing AI extensions
    condition: selection and not filter_legit
falsepositives:
    - Legitimate AI software installers
level: medium
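To show what the rules above actually evaluate to on endpoint telemetry, here is an added example (not the report's or the Sigma project's tooling): a minimal matcher for the Sigma subset these rules use (field|endswith, field|contains, value lists as OR, keys within a block as AND, and a "selection and not filter" condition), run over constructed Sysmon-style file-access events with the "SilabRAT Browser Profile Cloning Activity" rule expressed as a dict that mirrors the YAML. Field names and paths are illustrative assumptions.

```python
"""Evaluate the browser-profile Sigma rule logic over constructed events.

Added example, not part of the original report and not Sigma's own engine.
"""
from typing import Any, Callable, Dict, List


def sigma_unescape(value: str) -> str:
    """Sigma writes a literal backslash as a doubled backslash; undo that and
    lower-case, since Sigma string matching is case-insensitive."""
    return value.replace("\\\\", "\\").lower()


# The value modifiers used by the rules above (no modifier means equals).
MODIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "equals": lambda actual, v: actual.lower() == sigma_unescape(v),
    "endswith": lambda actual, v: actual.lower().endswith(sigma_unescape(v)),
    "contains": lambda actual, v: sigma_unescape(v) in actual.lower(),
}


def match_block(block: Dict[str, Any], event: Dict[str, str]) -> bool:
    """All keys of a block must match (AND); a list of values is OR."""
    for key, values in block.items():
        field, _, modifier = key.partition("|")
        matcher = MODIFIERS[modifier or "equals"]
        actual = event.get(field)
        if actual is None:
            return False
        if isinstance(values, str):
            values = [values]
        if not any(matcher(actual, v) for v in values):
            return False
    return True


def evaluate(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    """Supports the 'X and not Y' condition shape used by the rules above."""
    detection = rule["detection"]
    positive, _, negative = detection["condition"].partition(" and not ")
    if not match_block(detection[positive], event):
        return False
    return not (negative and match_block(detection[negative], event))


def run_rule(rule: Dict[str, Any], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule fires on, in input order."""
    return [e for e in events if evaluate(rule, e)]


# Mirrors 'SilabRAT Browser Profile Cloning Activity' above (Sigma escaping kept).
BROWSER_PROFILE_RULE = {
    "title": "SilabRAT Browser Profile Cloning Activity",
    "detection": {
        "selection": {"TargetFilename|contains": [
            "\\\\Google\\\\Chrome\\\\User Data\\\\Default\\\\",
            "\\\\Mozilla\\\\Firefox\\\\Profiles\\\\",
            "\\\\BraveSoftware\\\\Brave-Browser\\\\User Data\\\\Default\\\\",
        ]},
        "filter_browser": {"Image|endswith": [
            "\\\\chrome.exe", "\\\\firefox.exe", "\\\\brave.exe", "\\\\msedge.exe",
        ]},
        "condition": "selection and not filter_browser",
    },
}

# Constructed file-access events (image and target paths are illustrative).
FILE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\updater.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": r"C:\Users\bob\Downloads\ChatGPT-Setup.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\CHROME.EXE",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Image": r"C:\Users\bob\Downloads\notes.exe",
     "TargetFilename": r"C:\Users\bob\Documents\report.docx"},
]


if __name__ == "__main__":
    for hit in run_rule(BROWSER_PROFILE_RULE, FILE_EVENTS):
        print(f"[{BROWSER_PROFILE_RULE['title']}] {hit['Image']} -> {hit['TargetFilename']}")
```

Only the two non-browser images touching profile stores fire; both Chrome events are suppressed by the filter regardless of case, which is the behaviour the falsepositives note on the rule relies on. The same matcher evaluates the other two rules once they are written as dicts in the same shape.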

KQL Hunt Query

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known C2 infrastructure and suspicious domains,
// and for file events matching known malware hashes. KQL allows only one tabular
// expression per query, so the two hunts are combined with union instead of being
// run as two statements in one block. Indicators are those listed in the IOC section.
let IOCDomains = dynamic(["brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"]);
let IOCIPs = dynamic(["91.199.163.124"]);
let MalwareHashes = dynamic([
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32",  // SHA1
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
]);
union isfuzzy=true
(
    DeviceNetworkEvents
    | where RemoteUrl has_any (IOCDomains) or RemoteIP in (IOCIPs)
    | project Timestamp, DeviceName, InitiatingProcessAccountName,
              HuntType = "network", Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl), RemotePort
),
(
    DeviceFileEvents
    | where SHA1 in (MalwareHashes) or SHA256 in (MalwareHashes)
    | project Timestamp, DeviceName, InitiatingProcessAccountName,
              HuntType = "file", Indicator = SHA256, FileName, FolderPath
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
#Requires -RunAsAdministrator
# Script to scan for SilabRAT and Stealer artifacts (file hashes and processes)

$TargetHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)

Write-Host "[+] Scanning for known malicious file hashes..."

# Get all file-system drives that hold data
$Drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }

foreach ($Drive in $Drives) {
    Write-Host "[*] Scanning drive $($Drive.Root)..."
    try {
        # -File skips directories (Get-FileHash cannot hash them); -Depth 3 limits
        # recursion for performance in a hunt scenario. Drop -Depth for a full sweep.
        # -contains is case-insensitive, so Get-FileHash's upper-case output still matches.
        Get-ChildItem -Path $Drive.Root -File -Recurse -Depth 3 -ErrorAction SilentlyContinue |
            Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
            Where-Object { $TargetHashes -contains $_.Hash } |
            ForEach-Object {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.Path) | Hash: $($_.Hash)" -ForegroundColor Red
            }
    } catch {
        Write-Warning "Could not fully scan $($Drive.Root): $_"
    }
}

Write-Host "[+] Checking for suspicious network connections to SilabRAT C2 IP..."
$C2IP = "91.199.163.124"
$Connections = Get-NetTCPConnection -RemoteAddress $C2IP -ErrorAction SilentlyContinue
if ($Connections) {
    Write-Host "[!] ACTIVE CONNECTION TO C2 DETECTED!" -ForegroundColor Red
    $Connections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
} else {
    Write-Host "[-] No active connections to known C2 IP found."
}

Response Priorities

  • Immediate:
    • Block all listed IOCs (Domains, IPs, Hashes) on perimeter firewalls, proxies, and EDR systems.
    • Initiate a hunt for the specific file hashes provided in the pulses across all endpoints.
    • Isolate any endpoints showing positive matches for the malware or C2 connections.
  • 24 Hours:
    • Perform credential audits for users who may have interacted with AI-themed phishing or downloaded suspicious GitHub repositories.
    • Reset passwords and invalidate sessions for accounts identified on compromised endpoints (especially those with access to Finance or Crypto wallets).
  • 1 Week:
    • Implement stricter URL filtering for AI-related "free" or "cracked" software sites.
    • Deploy application control policies to block execution of unsigned binaries often associated with Hijack Loader and LuaJIT in non-development environments.
    • Conduct security awareness training focused on the risks of AI-themed social engineering and verifying software sources.
