
SilabRAT MaaS & Storm-3075 AI Phishing: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 12, 2026

Threat Summary

Recent intelligence from OTX highlights a convergence of financially motivated advanced persistent threats (APTs) and politically motivated hacktivism. Storm-3075 is actively leveraging global interest in generative AI to distribute Vidar and Lumma Stealer via malvertising and SEO poisoning. Simultaneously, the threat actor o1oo1 has commercialized the SilabRAT trojan on the dark web as a Malware-as-a-Service (MaaS) offering, featuring Hidden VNC (HVNC) for stealthy cryptocurrency theft. On the geopolitical front, the hacktivist group 4BID has expanded its operations beyond Russia and Belarus, targeting critical infrastructure in the UAE and Egypt by exploiting ProxyShell vulnerabilities to deploy C2 frameworks like Sliver and Havoc.

Collectively, these campaigns indicate a shift toward "cradle-to-grave" criminal services: from initial access (AI-themed social engineering) to specialized tooling (SilabRAT) and ideological disruption (4BID).

Threat Actor / Malware Profile

Storm-3075 (Financially Motivated)

  • Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster.
  • Distribution: SEO poisoning and malvertising impersonating AI brands (ChatGPT, DeepSeek).
  • Behavior: Hijack Loader acts as a shellcode loader to decrypt and execute payloads. Vidar and Lumma focus on exfiltrating browser cookies, passwords, and cryptocurrency wallet data.
  • C2: Uses GhostSocks for traffic obfuscation.

o1oo1 / SilabRAT (Dark Web MaaS)

  • Malware Families: SilabRAT, AsmCrypt.
  • Distribution: Sold on dark web forums for $5,000/month.
  • Behavior: Features HVNC to allow operators to interact with a victim's desktop invisibly. Performs browser profile cloning to bypass 2FA and session protections.
  • Persistence: Uses sophisticated mechanisms including scheduled tasks and registry modifications managed by Hijack Loader.

4BID (Hacktivist)

  • Malware Families: BlackReaperRAT, Sliver, Havoc, Mythic Apollo.
  • Distribution: Exploitation of Microsoft Exchange ProxyShell vulnerabilities (CVE-2023-44976).
  • Behavior: Deploys web shells (fd.aspx) for persistence, followed by post-exploitation frameworks (Sliver/Havoc) for lateral movement and data exfiltration.
  • Targeting: Expanding from CIS regions to Aerospace and Government sectors in Egypt, Syria, and UAE.

IOC Analysis

The provided IOCs reflect a multi-vector threat landscape:

  • Network Infrastructure: IP addresses like 91.199.163.124 (SilabRAT) and 185.221.153.121 (4BID) indicate active C2 nodes. SOC teams should immediately block these addresses and alert on any egress traffic to them.
  • File Hashes: Numerous SHA256 hashes associated with Vidar, Lumma, and SilabRAT loaders. These should be uploaded to EDR solutions as "deny" lists.
  • Domains: brokeapt.com and related hostnames serve as delivery infrastructure for the AI-themed campaigns.
  • CVE: CVE-2023-44976 is a critical vulnerability for the 4BID campaign; patch status must be verified immediately.

Detection Engineering

Sigma Rules

YAML
title: Potential SilabRAT or Stealer Browser Data Access
id: 52c7a3e8-8842-4b1e-9e3f-a9b1c2d3e4f5
description: Detects suspicious processes accessing browser credential databases, common to Vidar, Lumma, and SilabRAT.
status: experimental
date: 2026/06/12
author: Security Arsenal
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
            - '\AppData\Local\Microsoft\Edge\User Data\Default\Login Data'
            - '\AppData\Roaming\Mozilla\Firefox\Profiles\'
            - '\AppData\Local\Opera Software\Opera Stable\Login Data'
    filter:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
            - '\opera.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate backup software
    - Password managers
level: high
tags:
    - attack.credential_access
    - attack.t1003
    - malware.storm-3075
    - malware.silabrat
---
title: ProxyShell Webshell Activity Indicator
description: Detects the creation or access of fd.aspx web shells associated with 4BID hacktivist ProxyShell exploitation.
id: 88a1b2c3-d4e5-4f6a-9b8c-1d2e3f4a5b6c
status: experimental
date: 2026/06/12
author: Security Arsenal
logsource:
    product: windows
    service: security
detection:
    selection:
        # Event 5145 (detailed file share access) carries RelativeTargetName; 5140 does not,
        # so the original 5140 selection could never match.
        EventID: 5145
        ShareName|endswith: '\C$'
        RelativeTargetName|contains|all:
            - 'inetpub\wwwroot'
            - 'fd.aspx'
    condition: selection
falsepositives:
    - Administrative file maintenance
level: critical
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.44976
    - actor.4bid
---
title: Hijack Loader Shellcode Execution Pattern
description: Detects process hollowing or suspicious rundll32 execution patterns typical of Hijack Loader used by Storm-3075.
id: 99b2c3d4-e5f6-4a7b-8c9d-2e3f4a5b6c7d
status: experimental
date: 2026/06/12
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'javascript:'
            - 'SetupAPI'
    condition: selection
falsepositives:
    - Rare administrative scripts
level: medium
tags:
    - attack.defense_evasion
    - attack.t1055
    - malware.hijack-loader

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for SilabRAT and 4BID network IOCs from the pulse
let IOCs = dynamic(["91.199.163.124", "185.221.153.121", "45.112.194.82", "138.226.236.52"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has "brokeapt.com"
| extend ThreatIntel = "OTX Pulse Match: SilabRAT or 4BID"
// DeviceNetworkEvents exposes ActionType (there is no Action column)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, ActionType, ThreatIntel

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    Hunts for SilabRAT, Vidar, and 4BID artifacts on endpoints.
.DESCRIPTION
    Checks for specific file hashes, malicious IP connections, and ProxyShell webshell artifacts.
#>

$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623"
)

$MaliciousIPs = @("91.199.163.124", "185.221.153.121", "45.112.194.82")

Write-Host "[*] Scanning for known malicious file hashes..." -ForegroundColor Cyan
$PathsToScan = @("$env:TEMP", "$env:USERPROFILE\Downloads", "C:\ProgramData")

foreach ($path in $PathsToScan) {
    if (Test-Path $path) {
        # -File skips directories so Get-FileHash is only called on hashable objects
        Get-ChildItem -Path $path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[*] Checking for active network connections to SilabRAT/4BID IPs..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.State -eq 'Established' }
foreach ($ip in $MaliciousIPs) {
    $match = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($match) {
        Write-Host "[!] ALERT: Active connection to $ip detected (PID: $($match.OwningProcess))" -ForegroundColor Red
        Get-Process -Id $match.OwningProcess | Select-Object ProcessName, Path
    }
}

Write-Host "[*] Scanning IIS directories for fd.aspx webshell..." -ForegroundColor Cyan
$inetpub = "C:\inetpub\wwwroot"
if (Test-Path $inetpub) {
    Get-ChildItem -Path $inetpub -Recurse -Filter "fd.aspx" -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host "[!] WEB SHELL INDICATOR FOUND: $($_.FullName)" -ForegroundColor Red
    }
}

Response Priorities

Immediate (0-24h)

  1. Block IOCs: Implement immediate blocks on domains (brokeapt.com), IPs (91.199.163.124, 185.221.153.121), and file hashes provided in the pulse.
  2. Patch Exchange: Verify and patch CVE-2023-44976 (ProxyShell) on all Microsoft Exchange servers.
  3. Hunt Webshells: Scan C:\inetpub for fd.aspx and other anomalous ASPX files.

24h - 48h

  1. Credential Reset: If infection by Vidar or Lumma is suspected, force-reset credentials for sessions active during the infection window, particularly for finance and admin accounts.
  2. Session Review: Analyze logs for "Impossible Travel" or concurrent sessions, indicative of browser profile cloning used by SilabRAT.
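The session review above can be scripted. The following is an added example (not part of the Security Arsenal pulse) that flags, for each account, a session id reappearing from a new IP within a short window (a replayed cookie or cloned profile) and concurrent sessions from different countries (impossible travel); the log format and records are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    country: str
    session_id: str

# Constructed sample sign-in records (ts,user,ip,country,session_id); not real telemetry.
SAMPLE_LOG = """\
2026-06-12T08:01:10Z,alice,10.20.1.5,DE,sess-a1
2026-06-12T08:14:42Z,alice,203.0.113.77,BR,sess-a1
2026-06-12T09:00:00Z,bob,10.20.1.9,DE,sess-b1
2026-06-12T17:30:00Z,bob,10.20.1.9,DE,sess-b2
2026-06-12T09:05:00Z,carol,198.51.100.8,US,sess-c1
2026-06-12T09:06:30Z,carol,192.0.2.44,GB,sess-c2
"""

def parse_signins(text):
    """Parse the CSV-style records above into SignIn objects."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, sid = line.split(",")
        events.append(SignIn(user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, country, sid))
    return events

def find_session_anomalies(events, window=timedelta(minutes=30)):
    """Return (user, reason, earlier, later) tuples for sign-in pairs within `window` that
    reuse a session id from a new IP or run concurrent sessions from different countries."""
    findings = []
    by_user = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts > window:
                    break  # sorted by time, so later events are farther away
                if a.session_id == b.session_id and a.ip != b.ip:
                    findings.append((user, "session id reused from a new IP", a, b))
                elif a.session_id != b.session_id and a.country != b.country:
                    findings.append((user, "concurrent sessions from different countries", a, b))
    return findings
```

Feed it real sign-in exports by adapting parse_signins to your identity provider's columns; the window should be tuned to how long a stolen session stays valid in your environment.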

1 Week

  1. Architecture Hardening: Implement strict EDR policies to block unsigned loaders (Hijack Loader) and restrict PowerShell execution to constrained language mode.
  2. Awareness Training: Update security awareness training to include specific examples of "AI-powered" phishing scams (fake ChatGPT/Copilot tools).
