Recent OTX pulses indicate a surge in financially motivated cyberactivity targeting cryptocurrency assets and enterprise infrastructure through diverse vectors. A primary concern is the emergence of SilabRAT, a Malware-as-a-Service (MaaS) offering by actor o1oo1 on dark web forums, which utilizes HijackLoader and AsmCrypt to deliver advanced capabilities like HVNC and browser profile cloning.
Simultaneously, the DragonForce ransomware group is actively exploiting CitrixBleed 2 (CVE-2025-5777), a critical memory-overread vulnerability in NetScaler ADC/Gateway appliances, to conduct a standardized seven-step attack chain involving session hijacking and credential theft via Mimikatz.
Additionally, a supply chain attack has been detected targeting the blockchain sector, where a compromised Injective Labs TypeScript SDK (v1.20.21) on npm was weaponized to exfiltrate private wallet keys and mnemonic phrases. Collectively, these pulses represent a high-risk environment for organizations holding crypto-assets or relying on NetScaler infrastructure.
Threat Actor / Malware Profile
SilabRAT (Actor: o1oo1)
- Type: Remote Access Trojan (RAT) / MaaS
- Distribution: Sold on dark web forums for ~$5,000/month; delivered via HijackLoader.
- Capabilities: Hidden Virtual Network Computing (HVNC), browser profile cloning (stealthy session hijacking), cryptocurrency wallet theft.
- Persistence: Uses AsmCrypt for obfuscation and likely registry run keys or scheduled tasks.
DragonForce Ransomware
- Type: Ransomware-as-a-Service / Operations
- Attack Vector: Exploits CVE-2025-5777 (CitrixBleed 2) on NetScaler appliances.
- Tools: Mimikatz (credential dumping), Impacket (lateral movement).
- Objective: Initial access via session token leakage, followed by privilege escalation and encryption.
Injective SDK Supply Chain
- Type: Dependency Confusion / Compromise
- Vector: Malicious npm package
injective-sdkversion 1.20.21 published via compromised developer account. - Behavior: Hooks key generation functions to capture wallet keys/mnemonics and exfiltrates them to remote infrastructure.
IOC Analysis
The provided intelligence consists of FileHash-SHA256, CVE identifiers, domains, and hostnames.
- FileHash-SHA256 (9 Indicators): These are high-confidence indicators for malicious payloads (SilabRAT components, DragonForce tools, and the compromised NPM package). SOC teams should integrate these into EDR quarantine lists and YARA rules.
- CVEs (CVE-2025-5777, CVE-2023-4966, etc.): Critical for vulnerability management. CVE-2025-5777 is the primary vector for Dragonforce; CVE-2023-4966 is the original CitrixBleed, suggesting related infrastructure scanning.
- Domains/Hostnames: Includes
doauthentication.do(a path often abused in Citrix attacks but listed as an IOC here) andtestnet.archival.chain.grpc-web.injective.network. These should be blocked at perimeter proxies and DNS sinks. - Operationalization: Use SIEM correlation to match
DeviceProcessEventsagainst the file hashes. UseDeviceNetworkEventsto hunt for connections to the Injective hostname.
Detection Engineering
---
title: Suspicious File Execution - SilabRAT and DragonForce IOCs
id: 9c5a1b2e-4f3d-4a8e-9b1c-3d5e6f7a8b9c
status: experimental
description: Detects the execution of known malicious file hashes associated with SilabRAT, DragonForce tools, and the compromised Injective SDK.
author: Security Arsenal
date: 2026/07/10
tags:
- attack.execution
- attack.t1204
logsource:
product: windows
category: process_creation
detection:
selection_hash:
Hashes|contains:
- '3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b'
- '79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5'
- 'fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623'
- 'fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023'
- 'c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d'
- 'c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2'
- 'eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8'
- '103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0'
- '9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9'
condition: selection_hash
falsepositives:
- Unknown
level: critical
---
title: Network Connection to Malicious Injective Infrastructure
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects outbound network connections to the known malicious infrastructure associated with the compromised Injective SDK supply chain attack.
author: Security Arsenal
date: 2026/07/10
tags:
- attack.exfiltration
- attack.t1041
logsource:
category: network_connection
detection:
selection_host:
DestinationHostname|contains: 'testnet.archival.chain.grpc-web.injective.network'
condition: selection_host
falsepositives:
- Legitimate use of Injective testnet (verify context)
level: high
---
title: Potential CitrixBleed 2 Exploitation Attempt
id: b2c3d4e5-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects potential exploitation of CitrixBleed 2 (CVE-2025-5777) by identifying HTTP requests to specific endpoints often targeted during memory leakage attacks.
author: Security Arsenal
date: 2026/07/10
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection_uri:
cs-uri-query|contains: '/doauthentication.do'
selection_headers:
cs-header|contains: 'ns_af'
condition: all of selection_*
falsepositives:
- Legitimate Citrix Gateway authentication traffic
level: high
kql
// Hunt for file hashes and network IOCs associated with SilabRAT, DragonForce, and Injective SDK
// Table selection depends on data source configuration; commonly DeviceNetworkEvents and DeviceProcessEvents
union DeviceNetworkEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
| where
// Network IOCs
(RemoteUrl has "testnet.archival.chain.grpc-web.injective.network" or
RemoteUrl has "doauthentication.do") or
// Process/Hash IOCs
(SHA256 in ("3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
"79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
"fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
"fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
"c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d",
"c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2",
"eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8",
"103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
"9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"))
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessSHA256, RemoteUrl, RemoteIP, ActionType
powershell
# SilabRAT & DragonForce IOC Hunter
# Scans specific paths for the presence of malicious file hashes provided in the OTX Pulse.
$MaliciousHashes = @(
"3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
"79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
"fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
"fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
"c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d",
"c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2",
"eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8",
"103c4e6181151c1bcfedc41506cd1815458c38375d08a8fcd9981dbe0b965ce0",
"9a59eb454f3ca3fe91214136ee5edd417cc47a80e6f169b52099d6561944baf9"
)
# Search common download and temp directories
$PathsToScan = @("C:\Users\", "C:\Windows\Temp\", "C:\ProgramData\")
Write-Host "Starting scan for OTX Pulse IOCs..."
foreach ($Path in $PathsToScan) {
if (Test-Path $Path) {
Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($MaliciousHashes -contains $hash) {
Write-Host "[ALERT] Malicious file found: $($_.FullName) | Hash: $hash" -ForegroundColor Red
}
}
}
}
Write-Host "Scan complete."
Response Priorities
Immediate (0-24 hours):
- Block network access to
testnet.archival.chain.grpc-web.injective.networkand monitor for any attempts to connect todoauthentication.doendpoints. - Run the PowerShell IOC hunter across critical endpoints to identify dropped SilabRAT, DragonForce, or compromised NPM binaries.
- Isolate any devices returning positive matches for the provided SHA256 hashes.
24-48 Hours:
- Identity Verification: If SilabRAT is suspected, force-reset passwords and MFA tokens for users with detected browser profile cloning artifacts.
- Patch Management: Immediately apply patches for CVE-2025-5777 (CitrixBleed 2) on all NetScaler ADC and Gateway appliances.
- Supply Chain Audit: Developers utilizing the
injective-sdknpm package must verify versions (avoid v1.20.21) and rotate any wallet keys potentially exposed during the compromise window.
1 Week:
- Architecture Hardening: Implement network segmentation for NetScaler appliances to restrict lateral movement.
- Developer Hardening: Enforce SBOM (Software Bill of Materials) checks and integrity validation for all internal npm package usage.
- Monitoring Enhancement: Tune EDR rules to detect HVNC activity and suspicious browser process injections characteristic of SilabRAT.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.