
Storm-3075 AI Impersonation & SilabRAT MaaS: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 11, 2026
5 min read

Recent OTX pulses reveal a distinct shift in adversary tactics, blending sophisticated social engineering with advanced MaaS (Malware-as-a-Service) offerings. Storm-3075 is actively exploiting the global AI hype, impersonating brands like ChatGPT and DeepSeek to distribute Vidar and Lumma Stealer via Hijack Loader. These campaigns rely on malvertising and SEO poisoning to trick users across Finance, Tech, and Education sectors.

Simultaneously, the dark web has seen the emergence of SilabRAT by actor o1oo1, a high-end MaaS ($5,000/mo) specifically designed for cryptocurrency theft. It employs HijackLoader for delivery and utilizes Hidden VNC (HVNC) and browser profile cloning to bypass 2FA protections. In a separate vector, hacktivist group 4BID is broadening its geopolitical scope, exploiting ProxyShell vulnerabilities to deploy C2 frameworks like Sliver and Havoc against government and aerospace entities in Eastern Europe and the Middle East.

Threat Actor / Malware Profile

Storm-3075

  • Objective: Credential theft, financial fraud, and initial access brokerage.
  • Distribution: Malvertising campaigns mimicking legitimate AI tools; SEO poisoning to drive traffic to malicious domains.
  • Payload Chain: Lure -> Hijack Loader -> Vidar / Lumma Stealer / Oyster.
  • Behavior: Steals browser cookies, autocomplete data, and crypto wallet information. Uses GhostSocks for proxying traffic.

SilabRAT (o1oo1)

  • Objective: Long-term persistence and cryptocurrency theft.
  • Distribution: Sold via dark web forums; likely delivered via phishing or initial access brokers.
  • Payload Behavior: Uses AsmCrypt for obfuscation. Features include HVNC (Hidden Desktop) for manual manipulation, browser profile cloning (copying User Data directories) to hijack sessions without triggering MFA, and direct cryptocurrency wallet interaction.

4BID (Hacktivists)

  • Objective: Disruption, data theft, and cross-border targeting.
  • Vector: Exploitation of ProxyShell (Microsoft Exchange) vulnerabilities.
  • Payloads: Deploys fd.aspx web shells followed by post-exploitation frameworks: Sliver, Havoc, Mythic Apollo, and BlackReaperRAT.

IOC Analysis

  • Domains & Hostnames: Indicators such as brokeapt.com and pan.rongtv.xyz are associated with the Storm-3075 AI-lure campaigns. These should be blocked at the DNS and proxy level.
  • IP Addresses: 91.199.163.124 (SilabRAT C2) and 185.221.153.121 (4BID C2) are critical infrastructure IPs requiring immediate firewall blocking.
  • File Hashes: The pulses provide numerous SHA256 and MD5 hashes for loaders (HijackLoader) and payloads (SilabRAT, Sliver). SOC teams should ingest these into EDR solutions for immediate scanning.
  • CVE: CVE-2023-44976 (referenced in the 4BID pulse) highlights the ongoing need for Exchange patching.

Detection Engineering

Sigma Rules

```yaml
---
title: Potential ProxyShell Exchange Exploitation Activity
id: 91b98245-0c97-4c9c-aabc-0c6c91e8a7f4
status: experimental
description: Detects potential exploitation of Microsoft Exchange ProxyShell vulnerabilities via suspicious backend ASPX requests.
references:
    - https://securelist.com/tr/hacktivists-broaden-attack-geography/120115/
author: Security Arsenal
date: 2026/06/11
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2021.34473
    - cve.2021.34523
    - cve.2021.31207
logsource:
    product: windows
    service: iis
detection:
    # Backend path markers combined with the X-AnonResource / X-BEResource query strings
    selection:
        c-uri|contains:
            - '/autodiscover.xml'
            - '/mapi/nspi'
            - '/powershell'
        cs-uri-query|contains:
            - 'X-AnonResource-true'
            - 'X-BEResource'
    # Web shell name observed in the 4BID pulse
    selection_fd:
        cs-uri-stem|endswith: '/fd.aspx'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Browser Profile Cloning Activity
id: 3e8a1c91-b4c9-4d5e-9f8e-1a2b3c4d5e6f
status: experimental
description: Detects scripting hosts accessing browser profile directories (User Data), which is indicative of infostealers such as SilabRAT or Lumma Stealer attempting session hijacking.
references:
    - https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
author: Security Arsenal
date: 2026/06/11
tags:
    - attack.credential_access
    - attack.t1555.003
logsource:
    product: windows
    category: file_access
detection:
    selection:
        TargetFilename|contains:
            - '\Google\Chrome\User Data'
            - '\Mozilla\Firefox\Profiles'
            - '\BraveSoftware\Brave-Browser\User Data'
        # Image is the standard Sigma field for the accessing process in the file_access category
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: selection
falsepositives:
    - Legitimate backup software
level: high
---
title: Hijack Loader Process Injection Pattern
id: 7a9b1c82-d0e1-4f6a-a9b3-2c4d5e6f7a8b
status: experimental
description: Detects execution patterns associated with Hijack Loader, a common loader for Vidar and SilabRAT, often involving suspended processes and shellcode.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
author: Security Arsenal
date: 2026/06/11
tags:
    - attack.defense_evasion
    - attack.t1055.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - 'HeapAlloc'
            - 'VirtualAlloc'
            - 'CreateThread'
    condition: all of selection*
falsepositives:
    - Unlikely
level: medium
```
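As an added example that is not part of the original detection pack, the Python script below applies the logic of the first Sigma rule to constructed IIS W3C log lines, so the selection branches can be checked against known-benign and known-suspicious samples before the rule is deployed. It assumes that Sigma's c-uri field maps to the request stem plus query string, and that matching is case-insensitive as with Sigma's string modifiers.

```python
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed IIS W3C sample (not taken from the pulses): a benign OWA logon,
# two requests shaped like the rule's "selection" block, one fd.aspx web shell
# request and a benign ECP request.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-06-11 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 203.0.113.7 Mozilla/5.0 200
2026-06-11 09:12:44 10.0.0.5 GET /autodiscover/autodiscover.json a=x@example.test/autodiscover/autodiscover.xml?X-AnonResource-true 443 - 198.51.100.23 python-requests/2.31 200
2026-06-11 09:13:02 10.0.0.5 POST /autodiscover/autodiscover.json a=x@example.test/mapi/nspi/?X-BEResource=admin 443 - 198.51.100.23 python-requests/2.31 200
2026-06-11 09:14:10 10.0.0.5 GET /aspnet_client/fd.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2026-06-11 09:15:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 10.0.0.20 Mozilla/5.0 200
"""

URI_MARKERS = ("/autodiscover.xml", "/mapi/nspi", "/powershell")  # c-uri|contains
QUERY_MARKERS = ("x-anonresource-true", "x-beresource")            # cs-uri-query|contains
SHELL_SUFFIX = "/fd.aspx"                                          # cs-uri-stem|endswith


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def match_proxyshell(rec: Dict[str, str]) -> Optional[str]:
    """Evaluate the rule's '1 of selection*' condition for one IIS record."""
    # Assumption: c-uri is stem plus query, as in Sigma's web server field mapping.
    # Lower-casing both sides mirrors Sigma's case-insensitive contains/endswith.
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "-").lower()
    c_uri = stem if query == "-" else f"{stem}?{query}"
    if any(m in c_uri for m in URI_MARKERS) and any(m in query for m in QUERY_MARKERS):
        return "selection"
    if stem.endswith(SHELL_SUFFIX):
        return "selection_fd"
    return None


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (client IP, URI stem, matched selection) for every hit in the log."""
    return [(r["c-ip"], r["cs-uri-stem"], b) for r in parse_w3c(text) if (b := match_proxyshell(r))]
```

Calling hunt(SAMPLE_LOG) returns the three suspicious requests from 198.51.100.23 and nothing for the two benign lines; pointing it at a real exported IIS log is a quick way to validate the rule's hit rate before enabling it.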

KQL (Microsoft Sentinel)

```kql
// Hunt for Storm-3075 and SilabRAT network indicators (domains and C2 IPs from the pulses)
let IOCs = dynamic(["brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz", "91.199.163.124", "185.221.153.121", "45.112.194.82"]);
DeviceNetworkEvents
// has_any matches the domains inside full URLs; remote IPs are compared exactly
| where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| extend MITRE = "Command and Control / Exfiltration"
```

```kql
// Hunt for malware file hashes (Vidar, SilabRAT, BlackReaperRAT)
let MalwareHashes = dynamic([
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5"
]);
DeviceProcessEvents
// All values above are SHA256; the MD5 clause only matters once MD5 indicators are added to the list
| where SHA256 in (MalwareHashes) or MD5 in (MalwareHashes)
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName, SHA256
```

PowerShell Hunt Script

```powershell
# IOC Hunter for SilabRAT and Storm-3075 Indicators
# SHA256 hashes taken from the referenced OTX pulses
$IOC_Hashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)

Write-Host "[+] Scanning for malware file hashes..."

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
$Hits = @()

foreach ($Drive in $Drives) {
    Write-Host "[INFO] Scanning drive $Drive"
    # -File skips directories; zero-length files can never match a payload hash
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 } |
        ForEach-Object {
            # Get-FileHash returns upper-case hex; -contains compares case-insensitively
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($FileHash -and $IOC_Hashes -contains $FileHash) {
                Write-Host "[ALERT] Malware found: $($_.FullName) ($FileHash)" -ForegroundColor Red
                $Hits += $_.FullName
            }
        }
}

Write-Host "[+] Hash scan complete: $($Hits.Count) matching file(s)."

Write-Host "[+] Checking for suspicious scheduled tasks (Persistence)..."
# Tasks that launch a shell with a URL or a download cradle in the arguments
Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*powershell*" -or $_.Actions.Execute -like "*cmd*" } |
    Where-Object { $_.Actions.Arguments -like "*http*" -or $_.Actions.Arguments -like "*downloadstring*" } |
    Format-List TaskName, TaskPath, Actions
```


Response Priorities

Immediate:
  • Block all listed IOCs (domains such as brokeapt.com; IPs 91.199.163.124 and 185.221.153.121) at the firewall and proxy level.
  • Scan endpoints using the provided PowerShell script to identify dropped payloads.

24 Hours:
  • Conduct credential resets for accounts with potential exposure to Vidar or Lumma Stealer, specifically targeting finance and admin teams.
  • Review IIS logs for fd.aspx requests and Exchange server logs for ProxyShell indicators.

1 Week:
  • Patch Microsoft Exchange servers to mitigate ProxyShell exploitation.
  • Implement file-access monitoring to detect unauthorized copying of browser profile directories.
  • Review and restrict software installation policies to break malvertising infection chains.
