
Storm-3075 AI Brand Impersonation & 4BID ProxyShell Attacks: OTX Pulse Intelligence Briefing

Security Arsenal Team
June 9, 2026

Recent OTX pulses indicate a convergence of opportunistic financial theft and politically motivated hacktivism, heavily leveraging current technological trends and unpatched infrastructure.

  • AI-Themed Social Engineering (Storm-3075): Threat actors are aggressively exploiting the generative AI hype cycle. Campaigns impersonate brands like ChatGPT, DeepSeek, and Claude to deliver information stealers (Vidar, Lumma) via malvertising and SEO poisoning. The attack chain utilizes Hijack Loader to deploy payloads like Oyster and GhostSocks, aiming at credential harvesting and financial fraud across Education, Finance, and Retail sectors.

  • AI-Assisted Supply Chain Attacks (TroyDen): A separate operation, "TroyDen's Lure Factory," is targeting developers and gamers. By utilizing AI-generated lure names based on obscure biological taxonomy, attackers are distributing LuaJIT-based payloads (Redline, Lumma) via GitHub repositories. This represents a shift toward precision targeting of technical personnel under the guise of legitimate software libraries.

  • Geopolitical Hacktivism (4BID): Moving beyond purely political motives, groups like 4BID are broadening their scope to cross-border targets (Belarus, Russia, UAE, Egypt). These actors are exploiting critical vulnerabilities in Microsoft Exchange (ProxyShell) to deploy webshells (fd.aspx) and sophisticated post-exploitation frameworks (Sliver, Havoc, Mythic Apollo) against Government and Manufacturing entities.

Collectively, these pulses demonstrate a threat landscape where adversaries blend cutting-edge social engineering (AI) with legacy exploitation (ProxyShell) to achieve diverse objectives ranging from credential theft to persistent access.

Threat Actor / Malware Profile

Storm-3075

  • Objective: Credential theft, financial fraud, and initial access brokerage.
  • Malware Families: Vidar Stealer, Lumma Stealer, Hijack Loader, Oyster, GhostSocks.
  • Distribution: Malvertising campaigns redirecting to typo-squatted or impersonating AI service domains (e.g., brokeapt.com).
  • Behavior: Hijack Loader is often used to decrypt and execute the final payload in memory to evade EDR. Lumma Stealer focuses on cryptocurrency wallets and browser cookies, while GhostSocks provides proxying capabilities for C2 obfuscation.

TroyDen

  • Objective: Intellectual property theft and cryptocurrency theft from developers/gamers.
  • Malware Families: LuaJIT-based loaders, Redline, Lumma Stealer.
  • Distribution: GitHub repositories hosting "fake" utilities or game mods. Uses two-component payloads designed to bypass static analysis.
  • Behavior: Uses Prometheus Obfuscator. The use of LuaJIT allows for cross-platform execution and complicates analysis. It targets specific file paths associated with Roblox, crypto wallets, and development environments.

4BID

  • Objective: Disruption, data destruction, and espionage.
  • Malware Families: BlackReaperRAT, Warp RAT, Sliver, Havoc, Mythic Apollo, Blackout Locker.
  • Distribution: Exploitation of on-premise Microsoft Exchange servers via ProxyShell vulnerabilities.
  • Behavior: Deploys fd.aspx webshells for persistence. Utilizes "Bring Your Own Vulnerable Driver" (BYOVD) techniques and custom C2 frameworks (AdaptixC2) to evade detection and maintain long-term access.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a hybrid infrastructure strategy:

  • Domains & Hostnames (Storm-3075): Indicators such as brokeapt.com, pan.rongtv.xyz, and pan.ssffaa19.xyz likely serve as either landing pages for malvertising traffic or C2 servers. SOC teams should immediately block these at the perimeter and DNS layer.
  • IPv4 Addresses (4BID): IPs including 185.221.153.121 and 45.112.194.82 are associated with C2 infrastructure or scanning activity originating from the hacktivist campaigns. These should be blocked, and historical logs queried for any egress connections.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes are provided for loaders, stealers, and RAT components.
    • Operationalization: EDR solutions should be configured to alert immediately on execution matches. SIEM solutions should correlate hash hits with the originating process parent to identify the initial infection vector (e.g., browser, PowerShell).
  • CVE (4BID): CVE-2023-44976 is explicitly referenced in the hacktivist pulse alongside ProxyShell tactics. Patch management teams must verify Exchange server security immediately.
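
As an added example of the hash-to-parent-process correlation recommended above (this is not code from the Security Arsenal post or the OTX pulses), the script below takes constructed file-creation events, matches their hashes against the pulse IOCs listed in this briefing, and labels the likely delivery vector from the process that wrote the file. The parent-to-vector mapping, the FileEvent fields and the sample paths are assumptions made for the example.

```python
from collections import namedtuple
# Hash -> family, as attributed in the briefing's KQL section; the remaining pulse
# hashes are listed without a stated family.
UNATTR = "unattributed pulse IOC"
IOC_FAMILY = {
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531": "Vidar/Lumma",
    "008cd423ca45134d3343f66cced1d104": "BlackReaperRAT/Sliver",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a": UNATTR,
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80": UNATTR,
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23": UNATTR,
    "038cab0c60c53cf12f048272014024c0": UNATTR, "06bed0a0906e52c764b3b7016d6a4428": UNATTR,
    "08c069f133ac27cbc02a0ed79e4e87ba": UNATTR,
}
# Parent image -> inferred delivery vector. This mapping is the example's own
# assumption, derived from the delivery chains the briefing describes per cluster.
_BROWSER = "browser download (malvertising/SEO poisoning, Storm-3075 pattern)"
VECTORS = {"chrome.exe": _BROWSER, "msedge.exe": _BROWSER, "firefox.exe": _BROWSER,
           "powershell.exe": "PowerShell stager",
           "w3wp.exe": "IIS worker process (Exchange webshell, 4BID pattern)",
           "git.exe": "git clone (GitHub lure, TroyDen pattern)"}

# hashes: whatever of SHA256/MD5 the sensor reported, in any letter case;
# parent_image: full path of the process that wrote the file.
FileEvent = namedtuple("FileEvent", "device path hashes parent_image")

def classify(ev):
    """Return a finding dict for an IOC hash hit (attributed family wins), else None."""
    hits = [IOC_FAMILY[h] for h in map(str.lower, ev.hashes) if h in IOC_FAMILY]
    if not hits:
        return None
    family = next((f for f in hits if f != UNATTR), UNATTR)
    parent = ev.parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"device": ev.device, "path": ev.path, "family": family,
            "vector": VECTORS.get(parent, "unrecognised parent: " + parent)}

def hunt(events):
    return [f for f in map(classify, events) if f]

# Constructed sample telemetry for demonstration (not real data).
SAMPLE = [
    FileEvent("WS01", r"C:\Users\a\Downloads\ChatGPT_Setup.exe",
              ("0A26238F6C516DE5885457C93042531AA59BC206A9537CEBF5267CEDC6C68531",),
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    FileEvent("EXCH01", r"C:\ProgramData\svc\update.exe",
              ("008cd423ca45134d3343f66cced1d104",), r"C:\Windows\System32\inetsrv\w3wp.exe"),
]
if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"[!] {f['device']}: {f['family']} at {f['path']} via {f['vector']}")
```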

Detection Engineering

Sigma Rules

YAML
title: Potential Storm-3075 AI Themed Malvertising Hijack Loader Activity
id: 4f5c5b3e-2026-0001
description: Detects suspicious process execution patterns associated with Hijack Loader and Vidar/Lumma Stealer delivery chains often originating from fake AI software installs.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000000/
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
            - '\firefox.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
        CommandLine|contains:
            - 'brokeapt.com'
            - 'rongtv.xyz'
            - 'ssffaa19.xyz'
    selection_stager:
        Image|endswith:
            - '\powershell.exe'
        CommandLine|contains|all:
            - 'downloadstring'
            - 'iex'
            - '-nop'
    condition: 1 of selection_*
falsepositives:
    - Legitimate software installation (rare with these specific domains)
level: high

---

title: Hacktivist ProxyShell Webshell Access
id: 4f5c5b3e-2026-0002
description: Detects access to known ProxyShell webshell artifacts associated with 4BID and related hacktivist groups targeting Exchange servers.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000002/
tags:
    - attack.initial_access
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
    product: iis
detection:
    selection_uri:
        cs-uri-stem|endswith: '/fd.aspx' # The webshell path is logged in the URI stem, not the query string
    selection_query:
        cs-uri-query|contains: 'X-ANONU-' # Known pattern in some Exchange webshells
    selection_ip:
        c-ip:
            - '185.221.153.121'
            - '45.112.194.82'
            - '138.226.236.52'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical

---

title: Suspicious LuaJIT Execution via GitHub (TroyDen)
id: 4f5c5b3e-2026-0003
description: Detects execution of LuaJIT binaries or scripts downloaded from GitHub, indicative of TroyDen lure factory campaigns targeting developers.
status: experimental
date: 2026/06/09
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66000001/
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_luajit:
        Image|contains:
            - 'luajit.exe'
            - 'lua53.exe'
        CommandLine|contains:
            - 'github.com'
    selection_obfuscation:
        ParentImage|endswith:
            - '\git.exe'
            - '\GitHubDesktop.exe'
        Image|endswith:
            - '\cmd.exe'
        CommandLine|re: '.*[A-Za-z]{10,}\.\w{3}.*' # Obfuscated long filenames typical of biological taxonomy lures
    condition: 1 of selection_*
falsepositives:
    - Legitimate developer usage of Lua
level: medium
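
As an added example, not part of the briefing or the pulses, the following Python applies the IIS webshell rule's logic to W3C-format IIS log lines, checking fd.aspx against cs-uri-stem, the X-ANONU- marker against cs-uri-query, and the source address against the listed IPs. The log excerpt and the directory the webshell sits in are constructed for the example.

```python
# Indicators from the briefing's IIS Sigma rule.
IOC_IPS = {"185.221.153.121", "45.112.194.82", "138.226.236.52"}
WEBSHELL_STEMS = ("fd.aspx",)
QUERY_MARKERS = ("X-ANONU-",)

def parse_w3c(lines):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.strip() or line.startswith("#") or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def match(rec):
    """Apply the rule's selections; any one is enough (condition: 1 of selection_*)."""
    reasons = []
    stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "")
    if any(s in stem.lower() for s in WEBSHELL_STEMS):   # path, not query string
        reasons.append("webshell path")
    if any(m in query for m in QUERY_MARKERS):
        reasons.append("webshell query marker")
    if rec.get("c-ip") in IOC_IPS:
        reasons.append("known 4BID source IP")
    return reasons

def scan(lines):
    """Return (c-ip, cs-uri-stem, reasons) for every matching request."""
    out = []
    for rec in parse_w3c(lines):
        reasons = match(rec)
        if reasons:
            out.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return out

# Constructed IIS W3C log excerpt (not a real capture); the webshell directory is assumed.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-06-09 01:02:03 10.0.0.5 GET /owa/auth/logon.aspx - 203.0.113.7 200
2026-06-09 01:02:09 10.0.0.5 POST /aspnet_client/fd.aspx - 185.221.153.121 200
2026-06-09 01:03:11 10.0.0.5 GET /ecp/ X-ANONU-abc 198.51.100.9 200
2026-06-09 01:04:00 10.0.0.5 GET /owa/ - 45.112.194.82 302""".splitlines()

if __name__ == "__main__":
    for ip, stem, reasons in scan(SAMPLE_LOG):
        print(f"[!] {ip} {stem}: {', '.join(reasons)}")
```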

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Storm-3075 Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz") 
   or RemoteIP in ("185.221.153.121", "45.112.194.82", "138.226.236.52")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| extend ThreatActor = case(
    RemoteUrl has_any ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz"), "Storm-3075",
    RemoteIP in ("185.221.153.121", "45.112.194.82", "138.226.236.52"), "4BID",
    "Unknown")
// Run the hash hunt below as a separate query: KQL does not accept two tabular statements in one query

// Hunt for Malware File Hashes
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA1 in ("4f5c5b3ef45cfff7721754487a86aeff9a2e6e32") or 
   SHA256 in ("0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", 
              "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a", 
              "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80", 
              "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23") or
   MD5 in ("008cd423ca45134d3343f66cced1d104", "038cab0c60c53cf12f048272014024c0", "06bed0a0906e52c764b3b7016d6a4428", "08c069f133ac27cbc02a0ed79e4e87ba")
// extend before project so MD5 is still available to case()
| extend ThreatFamily = case(
    SHA256 == "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", "Vidar/Lumma",
    MD5 == "008cd423ca45134d3343f66cced1d104", "BlackReaperRAT/Sliver",
    "Unknown")
| project Timestamp, DeviceName, FolderPath, SHA256, MD5, ThreatFamily, InitiatingProcessAccountName, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for Storm-3075 and 4BID Activity
# Requires Admin privileges for registry and some file system access

$IOC_Hashes = @{
    "SHA256" = @(
        "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
        "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
        "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
        "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23"
    )
    "MD5" = @(
        "008cd423ca45134d3343f66cced1d104",
        "038cab0c60c53cf12f048272014024c0",
        "06bed0a0906e52c764b3b7016d6a4428",
        "08c069f133ac27cbc02a0ed79e4e87ba"
    )
}

$IOC_Domains = @("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")
$IOC_IPs = @("185.221.153.121", "45.112.194.82", "138.226.236.52")

Write-Host "[*] Starting IOC Hunt..." -ForegroundColor Cyan

# 1. Check for Malicious Files in Common Temp/Download Paths
Write-Host "[*] Scanning for malicious file hashes..." -ForegroundColor Yellow
$Paths = @("$env:TEMP", "$env:USERPROFILE\Downloads", "C:\ProgramData")

foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object {
            !$_.PSIsContainer -and $_.Length -gt 0kb
        } | ForEach-Object {
            # Compare against both hash lists. Get-FileHash returns upper-case hex and
            # -contains compares strings case-insensitively, so no normalisation is needed.
            $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($IOC_Hashes.SHA256 -contains $Sha256) {
                Write-Host "[!] MATCH FOUND (SHA256): $($_.FullName)" -ForegroundColor Red
            }
            $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($IOC_Hashes.MD5 -contains $Md5) {
                Write-Host "[!] MATCH FOUND (MD5): $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 2. Check Hosts File for Domains associated with Storm-3075
Write-Host "[*] Checking HOSTS file for domain poisoning..." -ForegroundColor Yellow
$HostsPath = "$env:windir\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $Content = Get-Content $HostsPath
    foreach ($Domain in $IOC_Domains) {
        # Escape the dots so they are matched literally rather than as regex wildcards
        if ($Content -match [regex]::Escape($Domain)) {
            Write-Host "[!] DOMAIN FOUND IN HOSTS: $Domain" -ForegroundColor Red
        }
    }
}

# 3. Check for suspicious Network Connections (via netstat -ano)
# Note: Active scanning requires elevated privileges and might trigger EDR.
Write-Host "[*] Checking active connections for 4BID C2 IPs..." -ForegroundColor Yellow
$Netstat = netstat -ano | Select-String -Pattern "ESTABLISHED"
foreach ($IP in $IOC_IPs) {
    # -match against an array does not populate $Matches, so filter the matching lines explicitly
    $Hits = $Netstat | Where-Object { $_.Line -match [regex]::Escape($IP) }
    foreach ($Hit in $Hits) {
        # The last whitespace-separated column of a netstat -ano line is the owning PID
        $OwningPid = ($Hit.Line.Trim() -split '\s+')[-1]
        $Proc = Get-Process -Id $OwningPid -ErrorAction SilentlyContinue
        Write-Host "[!] ACTIVE CONNECTION TO MALICIOUS IP: $IP (PID $OwningPid, $($Proc.ProcessName))" -ForegroundColor Red
    }
}

Write-Host "[*] Hunt complete." -ForegroundColor Cyan

Response Priorities

Immediate (0-24h):

  • Network Blocking: Block all domains and IPs listed in the IOC Analysis at the firewall and proxy level.
  • Endpoint Isolation: Isolate any endpoints returning positive hits for the provided file hashes (Vidar, Lumma, RATs).
  • Exchange Patching: For the 4BID threat, immediately verify that Microsoft Exchange servers are patched against ProxyShell (CVE-2023-44976 and related legacy CVEs) and scan for fd.aspx webshells.

24h:

  • Credential Reset: If infection by Vidar or Lumma is confirmed, force a password reset for affected users and revoke session tokens, particularly for Finance and Technology departments.
  • Artifact Collection: Forensically image affected machines to identify the scope of data exfiltration (cookies, crypto wallets) or lateral movement (Sliver/Havoc beacons).

1 Week:

  • Security Awareness: Update security training modules to include specific examples of AI-themed phishing (DeepSeek, ChatGPT impersonation) as highlighted in the Storm-3075 campaign.
  • Policy Review: Review software download policies for developers to mitigate risks from the TroyDen GitHub supply chain attacks.
  • Vulnerability Management: Conduct a rescan of external perimeter assets, specifically focusing on Exchange server security and exposure of management interfaces.
