
Storm-3075 AI Impersonation & SilabRAT MaaS Campaign: Multi-Vector Threat Analysis

Security Arsenal Team
June 14, 2026
9 min read

OTX pulses from June 2026 reveal a coordinated convergence of credential-harvesting campaigns exploiting AI hype and darkweb MaaS offerings. Storm-3075 is actively impersonating AI platforms (ChatGPT, Copilot, DeepSeek, Claude) through malvertising and SEO poisoning to deliver Vidar and Lumma Stealer via Hijack Loader. Concurrently, threat actor o1oo1 markets SilabRAT ($5,000/month) featuring HVNC and browser profile cloning—capabilities overlapping with Storm-3075's objectives. The attack chain consistently targets: credential theft → session hijacking → financial exfiltration, with education, finance, technology, and retail sectors as primary victims. A third campaign (UAT-8616) exploiting Cisco SD-WAN CVEs provides initial access for webshell deployment (XenShell, Godzilla), creating secondary entry points for credential theft operations.

Threat Actor / Malware Profile

Storm-3075

  • Distribution: Malvertising campaigns spoofing AI software downloads; SEO manipulation ranking malicious domains for AI-related queries
  • Payload Behavior: Hijack Loader decrypts and executes Vidar Stealer (initial reconnaissance) followed by Lumma Stealer (bulk credential harvesting) and GhostSocks proxy for traffic obfuscation
  • C2 Communication: Domain fronting through brokeapt.com infrastructure; AES-256 encrypted HTTP POST with custom headers mimicking legitimate AI API traffic
  • Persistence: Scheduled tasks created with schtasks /create and disguised as AI update services (C:\Program Files\AIUpdate\updater.exe)
  • Anti-Analysis: Process hollowing into svchost.exe; VM detection via WMI queries for hypervisor signatures; environment key checks (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory\ImagePatchProtection)

SilabRAT (MaaS by o1oo1)

  • Distribution: Darkweb forum sales targeting financially motivated actors; initial access via phishing or existing botnet infections
  • Payload Behavior: Browser profile cloning by reading the browser's SQLite profile stores directly (cookies.sqlite, logins.); HVNC (Hidden VNC) for invisible remote session hijacking; AsmCrypt payload encryption
  • C2 Communication: Custom TCP protocol over port 443 (91.199.163.124) with TLS self-signed certificates; heartbeat every 60 seconds
  • Persistence: Registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate) and service creation ("sc create AIUpdateService binPath=...")
  • Anti-Analysis: Dynamic API resolution (GetProcAddress/LoadLibrary); code obfuscation with control flow flattening

UAT-8616

  • Distribution: Exploitation of Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133)
  • Payload Behavior: Webshell deployment (XenShell, Godzilla, Behinder) followed by Sliver C2 framework establishment; XMRig cryptocurrency mining
  • C2 Communication: DNS tunneling and gsocket encrypted channels; Sliver beaconing over HTTP/3
  • Persistence: Cron jobs and SD-WAN config modifications; backdoor accounts
  • Anti-Analysis: Process masquerading as legitimate SD-WAN daemons; memory-only execution

IOC Analysis

Indicator Types Present:

  • Domains: brokeapt.com (C2 domain fronting), *.rongtv.xyz, *.ssffaa19.xyz (payload staging)
  • File Hashes: Multiple SHA256/SHA1/MD5 for Vidar, Lumma, Hijack Loader, SilabRAT payloads
  • IPv4: 91.199.163.124 (SilabRAT C2)
  • CVEs: CVE-2026-20128, CVE-2026-20133, CVE-2025-20333, CVE-2025-20362, CVE-2026-20127, CVE-2026-20122

SOC Operationalization:

  1. Threat Intelligence Platforms (TIPs): Import all IOCs into MISP/Anomali for automated enrichment
  2. EDR/XDR Integration: Push SHA256 hashes to SentinelOne, CrowdStrike, Microsoft Defender for real-time execution blocking
  3. Network Controls: Block brokeapt.com and the listed *.rongtv.xyz / *.ssffaa19.xyz domains (apex plus subdomains) at perimeter firewalls (Palo Alto, Cisco ASA) and DNS resolvers; these indicators are domains, not IP subnets, so block them as FQDN/wildcard objects rather than by address and do not block the whole .xyz TLD
  4. SIEM Correlation: Create alerts for DNS queries to known C2 domains and process creation with known payload hashes
  5. Vulnerability Management: Prioritize Cisco SD-WAN patching for listed CVEs (CVSS 9.8+)
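The five steps above all start from the same chore: turning the loose IOC list into machine-readable artifacts. The following Python is added here as an editorial example, not tooling from the report or from OTX. It classifies each IOC, emits STIX 2.1 indicator and vulnerability objects that a TIP such as MISP or Anomali can ingest (step 1), and writes the domain and IP triggers for a DNS Response Policy Zone so the wildcard domains are blocked together with their subdomains (step 3). Assumptions: STIX object ids are local uuid4 values, the single hash shown stands in for the full hash list, and the RPZ zone name and TTLs are left to the resolver configuration.

```python
"""Normalize the IOCs quoted on this page into STIX 2.1 objects (for TIP
import) and into DNS RPZ trigger records (for resolver-side blocking).

Added editorial example, not tooling from the original report. IOC values are
the ones listed above; object ids are generated locally with uuid4 and the RPZ
zone name is left to the resolver configuration."""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone
from typing import Optional

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(\*\.)?(?:[a-z0-9-]+\.)+[a-z]{2,}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)

# IOCs as listed in the IOC Analysis section (one representative hash).
PAGE_IOCS = [
    "brokeapt.com", "*.rongtv.xyz", "*.ssffaa19.xyz",
    "91.199.163.124",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "CVE-2026-20128", "CVE-2026-20133",
]


def classify(ioc: str) -> str:
    """Return one of 'sha256', 'ipv4', 'domain', 'cve' or 'unknown'."""
    v = ioc.strip().lower()
    if SHA256_RE.fullmatch(v):
        return "sha256"
    try:
        ipaddress.IPv4Address(v)
        return "ipv4"
    except ValueError:
        pass
    if CVE_RE.fullmatch(v):
        return "cve"
    if DOMAIN_RE.fullmatch(v):
        return "domain"
    return "unknown"


def stix_pattern(ioc: str) -> Optional[str]:
    """Build a STIX 2.1 indicator pattern; None for non-observable IOCs (CVEs)."""
    kind, v = classify(ioc), ioc.strip().lower()
    if kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{v}']"
    if kind == "ipv4":
        return f"[ipv4-addr:value = '{v}']"
    if kind == "domain":
        if v.startswith("*."):  # wildcard: apex plus every subdomain (LIKE is SQL-style)
            base = v[2:]
            return (f"[domain-name:value = '{base}' OR "
                    f"domain-name:value LIKE '%.{base}']")
        return f"[domain-name:value = '{v}']"
    return None


def build_bundle(iocs: list) -> dict:
    """Assemble a STIX 2.1 bundle: one indicator per observable, one
    vulnerability per CVE. Unrecognised strings are dropped, never guessed."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc in iocs:
        kind = classify(ioc)
        if kind == "cve":
            cve = ioc.strip().upper()
            objects.append({
                "type": "vulnerability", "spec_version": "2.1",
                "id": f"vulnerability--{uuid.uuid4()}",
                "created": now, "modified": now, "name": cve,
                "external_references": [{"source_name": "cve", "external_id": cve}],
            })
            continue
        pattern = stix_pattern(ioc)
        if pattern is not None:
            objects.append({
                "type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": now, "modified": now,
                "name": f"{kind}: {ioc.strip()}",
                "indicator_types": ["malicious-activity"],
                "pattern": pattern, "pattern_type": "stix",
                "valid_from": now,
            })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def rpz_records(iocs: list) -> list:
    """Emit RPZ trigger records. Domains get NXDOMAIN via 'CNAME .' (apex and
    wildcard); IPv4 answers use the rpz-ip trigger: prefix length, then the
    reversed octets."""
    records = []
    for ioc in iocs:
        kind, v = classify(ioc), ioc.strip().lower()
        if kind == "domain":
            base = v[2:] if v.startswith("*.") else v
            records.append(f"{base} CNAME .")
            records.append(f"*.{base} CNAME .")  # subdomains of C2 apexes are blocked too
        elif kind == "ipv4":
            rev = ".".join(reversed(v.split(".")))
            records.append(f"32.{rev}.rpz-ip CNAME .")
    return records


if __name__ == "__main__":
    print(json.dumps(build_bundle(PAGE_IOCS), indent=2))
    print("\n".join(rpz_records(PAGE_IOCS)))
```

An IP address cannot be blocked by listing it as a QNAME trigger; RPZ only matches addresses in the answer section through the rpz-ip form, which is why 91.199.163.124/32 comes out as 32.124.163.199.91.rpz-ip. Unknown strings are skipped rather than coerced, so a typo in the IOC list cannot silently become a bogus domain block.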

Detection Engineering

YAML
---
title: Potential Vidar/Lumma Stealer Execution via Hijack Loader
id: 7f8a3c2d-1e4b-4a7f-9c6e-3d5f8a2b1c9d
description: Detects execution patterns associated with Hijack Loader delivering Vidar or Lumma Stealer, often via AI-themed lures
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
    - https://otx.alienvault.com/pulse/ai-brands-as-bait/
tags:
    - attack.credential_access
    - attack.execution
    - attack.t1055
logsource:
    category: process_creation
    product: windows
detection:
    selection_temp_exec:
        ParentImage|endswith:
            - '\svchost.exe'
            - '\explorer.exe'
        Image|contains:
            - '\Temp\'
    selection_hidden_ps:
        ParentImage|contains: '\Temp\'
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-enc'
            - '-w hidden'
    selection_loader:
        - Image|contains: 'hijack'
        - OriginalFileName|contains: 'hijack'
    condition: 1 of selection_*
falsepositives:
    - Legitimate software installers that unpack and run from temp directories
    - Administrative PowerShell launched from scripts staged in temp directories
level: high
---
title: SilabRAT Browser Profile Cloning Activity
id: 4e6d1a9c-2f3b-5d8e-7a4f-6c0e9b3d2a1e
description: Detects SQLite database access patterns consistent with browser profile cloning by SilabRAT
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
    - https://otx.alienvault.com/pulse/silabrat-whats-your-power/
tags:
    - attack.credential_access
    - attack.collection
    - attack.t1005
logsource:
    category: file_access
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\cookies.sqlite'
            - '\logins.'
            - '\history.sqlite'
            - '\places.sqlite'
            - '\Login Data'
            - '\Network\Cookies'
        Image|contains:
            - '\AppData\Roaming\'
            - '\AppData\Local\Temp\'
    selection_process:
        OriginalFileName|contains:
            - 'SilabRAT'
            - 'Hijack'
    filter_legit:
        Image|contains:
            - '\Mozilla Firefox\'
            - '\Google\Chrome\'
            - '\Microsoft\Edge\'
    condition: (selection or selection_process) and not filter_legit
falsepositives:
    - Legitimate browser backup or profile-migration tools running from user-writable paths
level: critical
---
title: Cisco SD-WAN Vulnerability Exploitation Indicators
id: 5d7e2b1d-3a4c-6f9d-8b5a-7d1f0c4e3b2f
description: Detects potential exploitation of Cisco Catalyst SD-WAN vulnerabilities by UAT-8616
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
    - https://otx.alienvault.com/pulse/cisco-sd-wan-exploitation/
tags:
    - attack.initial_access
    - attack.exploitation
    - attack.t1190
logsource:
    category: webserver
detection:
    selection_mgmt:
        cs-method: 'POST'
        cs-uri-stem|contains:
            - 'vpnportal'
            - 'sdwan'
            - 'vmanage'
    selection_webshell:
        cs-uri-stem|contains:
            - 'XenShell'
            - 'Godzilla'
            - 'Behinder'
        sc-status:
            - 200
            - 500
    selection_traversal:
        - cs-uri-stem|contains:
              - '%2F..%2F'
              - '/../'
        - cs-uri-query|contains:
              - '%2F..%2F'
              - '/../'
    condition: selection_webshell or (selection_mgmt and selection_traversal)
falsepositives:
    - Legitimate SD-WAN management access (POSTs to the management paths alone do not alert; a traversal sequence or a webshell name is required)
level: high
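The rules above are only as good as the way their selections combine, and Sigma's semantics (fields inside one selection AND together, list values OR, `1 of selection_*` ORs whole selections, a list of maps is an OR of ANDs) are easy to get wrong. The following Python is added here as an editorial example; it is not part of the report and it is not a Sigma backend. It implements only the `endswith`, `contains` and exact-match modifiers the first two rules depend on, case-insensitively as Windows backends do, and runs those rules' core selections over constructed Sysmon-style events: a lure launched from Temp by Explorer, a Temp child of a hollowed svchost, a normal service child, the installer false positive the first rule documents, a binary in AppData\Roaming reading cookies.sqlite, and a portable Firefox in Roaming reading its own store. The events, the user name and the profile paths are constructed.

```python
"""Evaluate the core selections of the stealer-loader and profile-cloning Sigma
rules against constructed events.

Added editorial example, not part of the original report and not a Sigma
backend: it implements only the 'endswith', 'contains' and exact-match
modifiers those rules use, case-insensitively as Windows backends do."""
from typing import Any, Dict, List, Union

Event = Dict[str, Any]
Selection = Union[Dict[str, Any], List[Dict[str, Any]]]


def _value_matches(value: Any, modifier: str, wanted: Any) -> bool:
    """One event field against one or more wanted values (a list is OR)."""
    v = str(value).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if modifier == "endswith" and v.endswith(w):
            return True
        if modifier == "contains" and w in v:
            return True
        if modifier == "" and v == w:
            return True
    return False


def selection_matches(selection: Selection, event: Event) -> bool:
    """A map matches when every field matches (AND); a list of maps is OR."""
    if isinstance(selection, list):
        return any(selection_matches(s, event) for s in selection)
    for key, wanted in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _value_matches(event[field], modifier, wanted):
            return False
    return True


# Stealer-loader staging: child of explorer/svchost running from a Temp
# directory, or a binary whose PE metadata still says 'hijack'.
LOADER_SELECTIONS = {
    "selection_temp_exec": {
        "ParentImage|endswith": ["\\svchost.exe", "\\explorer.exe"],
        "Image|contains": ["\\Temp\\"],
    },
    "selection_loader": [
        {"Image|contains": "hijack"},
        {"OriginalFileName|contains": "hijack"},
    ],
}

# Browser profile cloning: credential/cookie stores read by a process in a
# user-writable path, unless the reader is the browser itself.
CLONING_SELECTION = {
    "TargetFilename|contains": ["\\cookies.sqlite", "\\logins.", "\\places.sqlite", "\\Login Data"],
    "Image|contains": ["\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\"],
}
CLONING_FILTER = {
    "Image|contains": ["\\Mozilla Firefox\\", "\\Google\\Chrome\\", "\\Microsoft\\Edge\\"],
}


def rule_loader(event: Event) -> bool:
    """condition: 1 of selection_*"""
    return any(selection_matches(s, event) for s in LOADER_SELECTIONS.values())


def rule_profile_cloning(event: Event) -> bool:
    """condition: selection and not filter_legit"""
    return selection_matches(CLONING_SELECTION, event) and not selection_matches(CLONING_FILTER, event)


# Constructed sample events (Sysmon-style field names, fictitious user 'alice').
EVENTS = {
    "loader_stage": {  # AI-branded lure dropped to Temp and launched from Explorer
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\ChatGPT_Desktop_Setup.exe",
        "OriginalFileName": "setup.exe",
    },
    "hollowed_child": {  # hollowed svchost spawning a payload from Temp
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\Temp\upd.exe",
        "OriginalFileName": "HijackLoader.exe",
    },
    "normal_service_child": {
        "ParentImage": r"C:\Windows\System32\services.exe",
        "Image": r"C:\Program Files\Vendor\agent.exe",
        "OriginalFileName": "agent.exe",
    },
    "installer_fp": {  # the false positive the rule declares: installer unpacked to Temp
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\7zS01\vendor_setup.exe",
        "OriginalFileName": "vendor_setup.exe",
    },
    "profile_clone": {
        "Image": r"C:\Users\alice\AppData\Roaming\AIUpdate\updater.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k1.default\cookies.sqlite",
    },
    "portable_firefox": {  # browser installed under Roaming reading its own store
        "Image": r"C:\Users\alice\AppData\Roaming\Mozilla Firefox\firefox.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\k1.default\cookies.sqlite",
    },
}


def run_all() -> Dict[str, bool]:
    """Return the rule verdict for every sample event."""
    return {
        name: (rule_loader(ev) if "ParentImage" in ev else rule_profile_cloning(ev))
        for name, ev in EVENTS.items()
    }


if __name__ == "__main__":
    for name, hit in run_all().items():
        print(f"{'ALERT' if hit else 'ok   '}  {name}")
```

Running it shows the vendor installer alerting next to the real lure, which is exactly the false positive the first rule declares and the reason that rule stays at `high` rather than `critical`. The browser filter in the second rule only changes a verdict when the browser itself lives under AppData\Roaming or Temp (portable or per-user installs), because the selection's Image constraint already excludes browsers installed in Program Files.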


kql
// KQL hunt for AI-themed credential theft activity (Microsoft Defender XDR advanced hunting)
let Lookback = 30d;
let Hashes = pack_array(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
);
// Apex domains; has_any below also matches their subdomains (*.rongtv.xyz, *.ssffaa19.xyz)
let C2Domains = pack_array(
    "brokeapt.com",
    "rongtv.xyz",
    "ssffaa19.xyz"
);
let C2IPs = pack_array(
    "91.199.163.124"
);
// Process execution with known hashes
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where SHA256 in~ (Hashes)
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, SHA256, InitiatingProcessFileName
| union (
    // Network connections to C2 infrastructure (exact match on RemoteUrl would miss subdomains)
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where RemoteUrl has_any (C2Domains) or RemoteIP in (C2IPs)
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, RemoteUrl, RemoteIP, InitiatingProcessFileName
)
| union (
    // Executables or archives named after the impersonated AI brands, or dropped into the AIUpdate staging path.
    // A bare 'contains "AI"' is case-insensitive and would match "install", "mail", "details" and most of the file system.
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "FileCreated"
    | where FileName matches regex @"(?i)\.(exe|msi|zip|js|bat)$"
    | where FileName matches regex @"(?i)(chatgpt|copilot|deepseek|claude)" or FolderPath contains @"\AIUpdate\"
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath, SHA256, InitiatingProcessFileName
)
| order by Timestamp desc


powershell
# PowerShell hunt script for Vidar/Lumma Stealer and SilabRAT indicators
# Run as Administrator so that every process image can be hashed.
# HKCU checks only cover the user running the script; repeat per logged-on user for full coverage.

$ErrorActionPreference = "SilentlyContinue"

# Known malicious SHA256 hashes from the OTX pulses
$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)

# C2 infrastructure (apex domains; subdomains are matched with -like below)
$MaliciousDomains = @(
    "brokeapt.com",
    "rongtv.xyz",
    "ssffaa19.xyz"
)

$MaliciousIPs = @(
    "91.199.163.124"
)

# Suspicious staging paths. PowerShell strings take single backslashes; "\\" would be a literal double backslash.
$SuspiciousPaths = @(
    "C:\Program Files\AIUpdate",
    "$env:APPDATA\AIUpdate",
    "$env:TEMP\hijack"
)

# Suspicious scheduled task and service names
$SuspiciousTasks = @(
    "AIUpdate",
    "WindowsUpdateService"
)
$SuspiciousServices = @(
    "AIUpdateService"
)

# Run-key persistence: these are value names under ...\Run, not subkeys,
# so Test-Path on "...\Run\WindowsUpdate" would never find them.
$RunKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$PersistenceValues = @(
    "WindowsUpdate",
    "AIUpdate"
)

Write-Host "[+] Starting IOC hunt for Storm-3075 and SilabRAT activity..." -ForegroundColor Cyan

# Running processes whose image hash is on the list (each image path is hashed once)
Write-Host "`n[*] Checking running processes against known hashes..." -ForegroundColor Yellow
$HashCache = @{}
$MaliciousProcesses = @(Get-Process | Where-Object { $_.Path } | ForEach-Object {
    if (-not $HashCache.ContainsKey($_.Path)) {
        $HashCache[$_.Path] = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
    }
    if ($HashCache[$_.Path] -in $MaliciousHashes) { $_ }   # -in compares case-insensitively
})

if ($MaliciousProcesses.Count -gt 0) {
    Write-Host "[!] ALERT: Found $($MaliciousProcesses.Count) process(es) with known-bad hashes:" -ForegroundColor Red
    $MaliciousProcesses | Format-Table Id, ProcessName, Path -AutoSize
} else {
    Write-Host "[-] No running processes with known-bad hashes" -ForegroundColor Green
}

# Staging paths: their mere existence is an indicator; files inside are additionally hash-checked
Write-Host "`n[*] Checking staging paths..." -ForegroundColor Yellow
$StagedFiles = @()
foreach ($Path in $SuspiciousPaths) {
    if (Test-Path $Path) {
        Write-Host "[!] ALERT: Staging path exists: $Path" -ForegroundColor Red
        Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $StagedFiles += [pscustomobject]@{
                FullName      = $_.FullName
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                KnownBad      = ($Hash -in $MaliciousHashes)
            }
        }
    }
}

if ($StagedFiles.Count -gt 0) {
    $StagedFiles | Format-Table FullName, Length, LastWriteTime, KnownBad -AutoSize
} else {
    Write-Host "[-] No staging paths present" -ForegroundColor Green
}

# Scheduled tasks: match on the listed names or on an action that runs from the AIUpdate path
Write-Host "`n[*] Checking scheduled tasks..." -ForegroundColor Yellow
$SuspiciousScheduledTasks = Get-ScheduledTask | Where-Object {
    $SuspiciousTasks -contains $_.TaskName -or ($_.Actions.Execute -like "*AIUpdate*")
}
if ($SuspiciousScheduledTasks) {
    Write-Host "[!] ALERT: Suspicious scheduled tasks:" -ForegroundColor Red
    $SuspiciousScheduledTasks | Format-Table TaskName, State, Author, @{n='Execute'; e={ $_.Actions.Execute }} -AutoSize
} else {
    Write-Host "[-] No suspicious scheduled tasks found" -ForegroundColor Green
}

# Services: SilabRAT's "sc create AIUpdateService" persistence
Write-Host "`n[*] Checking services..." -ForegroundColor Yellow
$SuspiciousSvc = Get-CimInstance Win32_Service | Where-Object {
    $SuspiciousServices -contains $_.Name -or $_.PathName -like "*AIUpdate*"
}
if ($SuspiciousSvc) {
    Write-Host "[!] ALERT: Suspicious services:" -ForegroundColor Red
    $SuspiciousSvc | Format-Table Name, State, StartMode, PathName -AutoSize
} else {
    Write-Host "[-] No suspicious services found" -ForegroundColor Green
}

# Run-key persistence values
Write-Host "`n[*] Checking Run-key persistence..." -ForegroundColor Yellow
$RunValues = Get-ItemProperty -Path $RunKey
$PersistenceHits = @($PersistenceValues | Where-Object { $RunValues.PSObject.Properties.Name -contains $_ })
if ($PersistenceHits.Count -gt 0) {
    foreach ($Name in $PersistenceHits) {
        Write-Host "[!] ALERT: $RunKey\$Name = $($RunValues.$Name)" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No Run-key persistence values found" -ForegroundColor Green
}

# DNS cache: exact match plus any subdomain of the listed apexes
Write-Host "`n[*] Checking DNS cache for C2 domains..." -ForegroundColor Yellow
$DNSEntries = Get-DnsClientCache | Where-Object {
    $Entry = $_.Entry
    @($MaliciousDomains | Where-Object { $Entry -eq $_ -or $Entry -like "*.$_" }).Count -gt 0
}
if ($DNSEntries) {
    Write-Host "[!] ALERT: C2 domains present in the DNS cache:" -ForegroundColor Red
    $DNSEntries | Format-Table Entry, Data, Status -AutoSize
} else {
    Write-Host "[-] No C2 domain DNS entries found" -ForegroundColor Green
}

# Live TCP connections to the C2 IP, with the owning process
Write-Host "`n[*] Checking network connections to C2 IPs..." -ForegroundColor Yellow
$Connections = Get-NetTCPConnection | Where-Object { $MaliciousIPs -contains $_.RemoteAddress }
if ($Connections) {
    Write-Host "[!] ALERT: Connections to C2 IPs:" -ForegroundColor Red
    $Connections | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
        @{n='Process'; e={ (Get-Process -Id $_.OwningProcess).ProcessName }} -AutoSize
} else {
    Write-Host "[-] No connections to C2 IPs found" -ForegroundColor Green
}

# Browser profile stores (SilabRAT indicator). Firefox keeps cookies.sqlite and logins.* in its
# profile; Chromium-based browsers use "Login Data" and a file named "Cookies".
Write-Host "`n[*] Checking for recent browser profile store access (SilabRAT)..." -ForegroundColor Yellow
$BrowserPaths = @(
    "$env:APPDATA\Mozilla\Firefox\Profiles",
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)
$ProfileStores = @("cookies.sqlite", "logins.*", "Login Data", "Cookies")
# Caveat: LastAccessTime is only meaningful when NTFS last-access updates are enabled
# (check with: fsutil behavior query disablelastaccess); treat hits as leads, not proof.
$SuspiciousAccess = $false
foreach ($Path in $BrowserPaths) {
    if (Test-Path $Path) {
        $RecentAccess = Get-ChildItem -Path $Path -Recurse -Include $ProfileStores |
            Where-Object { $_.LastAccessTime -gt (Get-Date).AddHours(-24) }
        if ($RecentAccess) {
            Write-Host "[!] ALERT: Browser profile stores accessed in the last 24h under $Path" -ForegroundColor Red
            $RecentAccess | Format-Table FullName, LastAccessTime -AutoSize
            $SuspiciousAccess = $true
        }
    }
}
if (-not $SuspiciousAccess) {
    Write-Host "[-] No recent browser profile store access found" -ForegroundColor Green
}

Write-Host "`n[+] IOC hunt complete." -ForegroundColor Cyan

Response Priorities

Immediate (0-4 hours):

  • Block all listed domains (brokeapt.com, *.rongtv.xyz, *.ssffaa19.xyz) at perimeter and DNS resolvers
  • Block IP 91.199.163.124 at firewalls
  • Deploy file hash blocks for all listed SHA256 hashes in EDR/XDR platforms
  • Isolate hosts with confirmed IOCs or suspicious process execution patterns
  • Disable unused services on Cisco SD-WAN controllers pending patch validation

24 Hours:

  • Conduct credential audit for users who may have accessed AI-themed phishing sites
  • Force password resets for accounts potentially exposed to Vidar/Lumma credential theft, and revoke active sessions and refresh tokens at the same time: stolen session cookies stay valid after a password change unless the sessions themselves are invalidated
  • Review sign-in and token activity for reuse of the affected sessions from unfamiliar devices or locations
  • Validate Cisco SD-WAN patches (CVE-2026-20128, CVE-2026-20133) deployment across infrastructure
  • Hunt for Hijack Loader and SilabRAT persistence mechanisms across enterprise endpoints

1 Week:

  • Implement application allow-listing for AI-related software downloads
  • Deploy browser isolation for high-risk users accessing AI platforms
  • Harden SD-WAN management interfaces (MFA, network segmentation, anomaly detection)
  • Enhance SOC playbooks for malvertising detection and response
  • Establish threat hunting queries for ongoing monitoring of AI-themed credential theft campaigns
