Excerpt
Active exploitation of Cisco SD-WAN (CVE-2026-20128) and AI-themed campaigns delivering Vidar/SilabRAT. Urgent detection required.
Threat Summary
Recent OTX pulses reveal a disturbing convergence of nation-state-level infrastructure exploitation and financially motivated dark web malware services. The threat landscape is dominated by three distinct but equally critical vectors:
- Infrastructure Takedown (UAT-8616): Active exploitation of critical Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20128, CVE-2026-20133) to deploy webshells (XenShell, Godzilla) and C2 frameworks (Sliver).
- Social Engineering at Scale (Storm-3075): Abuse of "AI Hype" via malvertising and SEO poisoning to distribute info-stealers (Vidar, Lumma) using the Hijack Loader.
- Malware-as-a-Service Evolution (SilabRAT): The emergence of SilabRAT by actor o1oo1, a $5,000/month service offering HVNC and browser profile cloning, utilizing Hijack Loader and AsmCrypt to evade detection.
Collectively, these campaigns aim to establish persistent remote access (RATs/Webshells) and facilitate immediate financial theft (cryptocurrency wallets, credentials).
Threat Actor / Malware Profile
Storm-3075
- Objective: Credential theft and financial fraud.
- Distribution: Malvertising campaigns impersonating AI brands (ChatGPT, DeepSeek, Claude). SEO manipulation to push malicious domains.
- Payload Chain: Uses Hijack Loader to decrypt and inject payloads.
- Malware: Vidar (info-stealer) and Lumma Stealer.
- Behavior: Harvests browser data, cryptocurrency wallets, and 2FA sessions. Exfiltrates via C2.
UAT-8616
- Objective: Infrastructure compromise and persistence.
- Distribution: Direct exploitation of internet-facing Cisco SD-WAN controllers.
- Tools: XenShell and Godzilla (webshells), Sliver (C2), XMRig (crypto-mining).
- Behavior: Bypasses authentication via CVE-2026-20128 to drop webshells, enabling full administrative control and lateral movement.
SilabRAT (Actor: o1oo1)
- Objective: Long-term access to financial assets via "invisible" control.
- Distribution: Sold on Dark Web forums; delivered via initial access brokers or bundled software.
- Key Features: Hidden VNC (HVNC) for evading user detection, Browser Profile Cloning to bypass MFA/cookies.
- Protection: Encrypted with AsmCrypt and loaded via Hijack Loader.
IOC Analysis
- File Hashes (SHA256/MD5): Multiple samples for Vidar, Lumma, SilabRAT, and webshells. Operationalization: EDR solutions should be configured to block/quarantine immediately. Focus on the 0a26238f... (Vidar) and 3a6adbe... (SilabRAT) hashes. Hash blocking only catches the samples already seen; Hijack Loader payloads are repacked per campaign, so pair hash matches with the behavioral rules in the Detection Engineering section.
- Domains & Hostnames: brokeapt.com, pan.rongtv.xyz, pan.ssffaa19.xyz. Operationalization: Sinkhole these domains via DNS Firewall (RPZ), including their subdomains. These are likely C2 or payload delivery servers.
- IPv4: 91.199.163.124. Operationalization: Block inbound/outbound traffic to this IP at the perimeter firewall; correlate with netflow data for beaconing activity (regularly spaced, similarly sized connections from one host).
- CVEs: CVE-2026-20128, CVE-2026-20133. Operationalization: Use vulnerability scanners to identify unpatched Cisco SD-WAN endpoints immediately, and treat any controller that was internet-facing while unpatched as potentially compromised rather than merely vulnerable.
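The operationalization steps above (domain sinkholing, IP blocking, netflow correlation for beaconing) can be exercised without a SIEM. The script below is an added example written for this page, not code from the original post or from Security Arsenal. It uses the indicators listed above; the DNS and flow log formats, the client hosts, the timestamps and the beaconing thresholds (at least five connections with inter-arrival gaps whose coefficient of variation is at most 0.2) are assumptions constructed for the example.

```python
"""IOC sweep over DNS query and flow logs, RPZ sinkhole records, and a
simple beaconing check for the C2 IP.

Added example: not code from the page or from Security Arsenal. The
indicators are the ones in the IOC Analysis; the log formats, hosts and
timestamps below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IOC_DOMAINS = {"brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz"}
IOC_IPS = {"91.199.163.124"}


def domain_hits(qname):
    """Return the IOC domains matching qname or one of its parent labels, so
    'cdn.brokeapt.com' is caught by 'brokeapt.com' while the look-alike
    'brokeaptonline.example' is not."""
    labels = qname.lower().rstrip(".").split(".")
    suffixes = {".".join(labels[i:]) for i in range(len(labels))}
    return suffixes & IOC_DOMAINS


# Constructed DNS query log: "<ISO time> <client IP> <queried name>"
DNS_LOG = """\
2026-06-15T09:00:01 10.0.0.12 update.microsoft.com
2026-06-15T09:00:07 10.0.0.12 cdn.brokeapt.com
2026-06-15T09:00:09 10.0.0.31 pan.rongtv.xyz
2026-06-15T09:00:15 10.0.0.31 brokeaptonline.example
"""


def sweep_dns(log):
    """Return (client, queried name, matched indicator) for every IOC hit."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        matched = domain_hits(qname)
        if matched:
            hits.append((client, qname, min(matched, key=len)))
    return hits


# Constructed flow log: "<ISO time> <src> <dst> <dst port> <bytes>"
FLOW_LOG = """\
2026-06-15T09:00:00 10.0.0.31 91.199.163.124 443 612
2026-06-15T09:01:00 10.0.0.31 91.199.163.124 443 598
2026-06-15T09:02:01 10.0.0.31 91.199.163.124 443 604
2026-06-15T09:02:30 10.0.0.31 52.0.0.10 443 90210
2026-06-15T09:03:00 10.0.0.31 91.199.163.124 443 611
2026-06-15T09:04:00 10.0.0.31 91.199.163.124 443 599
2026-06-15T09:05:01 10.0.0.31 91.199.163.124 443 603
2026-06-15T09:07:00 10.0.0.12 91.199.163.124 443 5000
"""


def sweep_flows(log, min_conns=5, max_cv=0.2):
    """Group flows to IOC IPs per (src, dst) and flag the pair as beaconing
    when it has at least min_conns connections whose inter-arrival gaps have
    a coefficient of variation (stdev / mean) of at most max_cv."""
    times = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _dport, _nbytes = line.split()
        if dst in IOC_IPS:
            times[(src, dst)].append(datetime.fromisoformat(ts))
    report = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps) if gaps else None
        cv = pstdev(gaps) / period if len(gaps) >= 2 and period else None
        beacon = len(stamps) >= min_conns and cv is not None and cv <= max_cv
        report[pair] = {"count": len(stamps), "period_s": period, "beacon": beacon}
    return report


def rpz_records(domains=IOC_DOMAINS):
    """Response Policy Zone records returning NXDOMAIN ('CNAME .') for each
    indicator and for all of its subdomains."""
    records = []
    for d in sorted(domains):
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    for client, qname, ioc in sweep_dns(DNS_LOG):
        print(f"DNS hit: {client} queried {qname} (indicator {ioc})")
    for (src, dst), info in sweep_flows(FLOW_LOG).items():
        flag = "BEACON" if info["beacon"] else "contact"
        print(f"Flow {flag}: {src} -> {dst} x{info['count']} period {info['period_s']}s")
    print("\n".join(rpz_records()))
```

The suffix match in domain_hits is what makes a domain indicator useful against subdomain rotation, and the wildcard RPZ record enforces the same thing at the resolver. The single 10.0.0.12 flow is reported as a contact but not as a beacon: one hit to a blocked IP still deserves a look, but the periodicity check is what separates an implant from a stray connection.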
Detection Engineering
Sigma Rules
YAML
---
title: Potential Vidar/Lumma Stealer Execution via Hijack Loader
id: c4c3c4c4-0000-0000-0000-000000000001
description: Detects execution patterns associated with Hijack Loader dropping Vidar or Lumma stealers, characterized by encoded PowerShell arguments or the campaign's delivery domains on the command line of rundll32, regsvr32 or powershell spawned from a browser, explorer.exe or cmd.exe.
status: experimental
date: 2026-06-15
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/618a1f2c00000000
tags:
  - attack.credential_access
  - attack.execution
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\explorer.exe'
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\cmd.exe'
  selection_loader:
    Image|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\powershell.exe'
  selection_suspicious_cli:
    CommandLine|contains:
      - '-encodedcommand'
      - '-enc'
      - 'brokeapt.com'
      - 'pan.rongtv.xyz'
      - 'pan.ssffaa19.xyz'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts run with -EncodedCommand from an interactive cmd.exe or explorer.exe session
level: high
---
title: Cisco SD-WAN Webshell Creation Detection
id: c4c3c4c4-0000-0000-0000-000000000002
description: Detects potential webshell file creation (Godzilla/XenShell) on Cisco SD-WAN controllers exposed to CVE-2026-20128 and CVE-2026-20133. Requires file-creation telemetry (auditd or an EDR agent) from the controller's underlying Linux host.
status: experimental
date: 2026-06-15
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/618a1f2c00000001
tags:
  - attack.initial_access
  - attack.persistence
logsource:
  category: file_event
  product: linux
detection:
  selection_paths:
    TargetFilename|contains:
      - '/var/www/html/'
      - '/usr/local/tmp/'
      - '/opt/'
  selection_extensions:
    TargetFilename|endswith:
      - '.jsp'
      - '.php'
      - '.aspx'
  selection_keywords:
    TargetFilename|contains:
      - 'shell'
      - 'xen'
      - 'godzilla'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative uploads
  - A webshell dropped under an innocuous filename defeats selection_keywords; on a controller that should never receive new server-side scripts, consider alerting on selection_paths and selection_extensions alone at a lower level
level: critical
---
title: SilabRAT C2 Network Connection
id: c4c3c4c4-0000-0000-0000-000000000003
description: Detects outbound connections to the known SilabRAT infrastructure IP 91.199.163.124, or to non-standard ports associated with HVNC.
status: experimental
date: 2026-06-15
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/618a1f2c00000002
tags:
  - attack.command_and_control
logsource:
  category: network_connection
  product: windows
detection:
  selection_outbound:
    Initiated: 'true'
  selection_ip:
    DestinationIp: '91.199.163.124'
  selection_port:
    DestinationPort:
      - 4444
      - 5555
      - 8080
  condition: selection_outbound and (selection_ip or selection_port)
falsepositives:
  - Rare legitimate traffic to this IP
  - Port 8080 is common for proxies and internal web services, so the port-only branch is noisy; scope it to non-browser initiating processes or lower its level before production use
level: high
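To see what the two Windows rules above actually match, and why the path patterns must carry a single backslash, the following added example (written for this page; not code from the original post, from Security Arsenal, or from pySigma) transcribes their detection blocks into Python dicts and runs them against a handful of constructed events. The evaluator supports only the Sigma features those blocks use: exact match, the endswith and contains modifiers, and the "all of"/"1 of" condition forms. The sample events, their paths and the encoded-command strings are constructed, not real telemetry.

```python
"""Minimal evaluator for the Sigma detection blocks above.

Added example: not from the page, from Security Arsenal or from pySigma.
Supports only exact match, |endswith, |contains, 'all of X*' and '1 of X*'.
"""
import fnmatch

# Vidar/Lumma process_creation rule. Path patterns carry ONE backslash: in a
# YAML single-quoted scalar '\rundll32.exe' is literally backslash+rundll32.exe,
# which is what Image|endswith must see. A doubled '\\rundll32.exe' (JSON-style
# escaping left in the rule) demands two literal backslashes and never matches.
STEALER_RULE = {
    "selection_parent": {"ParentImage|endswith": [
        r"\explorer.exe", r"\chrome.exe", r"\firefox.exe", r"\msedge.exe", r"\cmd.exe"]},
    "selection_loader": {"Image|endswith": [
        r"\rundll32.exe", r"\regsvr32.exe", r"\powershell.exe"]},
    "selection_suspicious_cli": {"CommandLine|contains": [
        "-encodedcommand", "-enc", "brokeapt.com", "pan.rongtv.xyz"]},
    "condition": "all of selection_*",
}

# SilabRAT network_connection rule in its '1 of selection_*' form.
C2_RULE = {
    "selection_ip": {"DestinationIp": ["91.199.163.124"]},
    "selection_port": {"DestinationPort": [4444, 5555, 8080]},
    "condition": "1 of selection_*",
}


def field_matches(event, key, values):
    """One 'Field|modifier: values' entry; values are ORed and, as in Sigma,
    string comparison is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "")
    for expected in values:
        a, e = str(actual).lower(), str(expected).lower()
        if modifier == "" and (actual == expected or a == e):
            return True
        if modifier == "endswith" and a.endswith(e):
            return True
        if modifier == "contains" and e in a:
            return True
    return False


def selection_matches(event, selection):
    """All field entries inside one selection are ANDed."""
    return all(field_matches(event, k, v if isinstance(v, list) else [v])
               for k, v in selection.items())


def evaluate(rule, event):
    """True when the event satisfies the rule's 'all of'/'1 of' condition."""
    results = {n: selection_matches(event, s) for n, s in rule.items() if n != "condition"}
    quantifier, _, pattern = rule["condition"].strip().partition(" of ")
    chosen = [hit for n, hit in results.items() if fnmatch.fnmatchcase(n, pattern)]
    if quantifier == "all":
        return all(chosen)
    if quantifier == "1":
        return any(chosen)
    raise ValueError(f"unsupported condition: {rule['condition']}")


# Constructed process_creation events (not real telemetry).
PROC_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,Start https://pan.rongtv.xyz/x"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4A"},
    # encoded PowerShell, but spawned by services.exe: selection_parent fails
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Constructed network_connection events; the second is an ordinary internal
# proxy connection on 8080 and shows why the port-only branch is noisy.
NET_EVENTS = [
    {"DestinationIp": "91.199.163.124", "DestinationPort": 443},
    {"DestinationIp": "10.0.0.5", "DestinationPort": 8080},
    {"DestinationIp": "142.250.72.14", "DestinationPort": 443},
]


def matching_indices(rule, events):
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


def with_doubled_backslashes(rule):
    """Copy of rule with every backslash in its patterns doubled, i.e. a
    JSON-escaped rule pasted into YAML unchanged."""
    return {n: s if n == "condition" else
            {k: [v.replace("\\", "\\\\") if isinstance(v, str) else v for v in vals]
             for k, vals in s.items()}
            for n, s in rule.items()}


if __name__ == "__main__":
    print("stealer rule:", matching_indices(STEALER_RULE, PROC_EVENTS))
    print("stealer rule, doubled backslashes:",
          matching_indices(with_doubled_backslashes(STEALER_RULE), PROC_EVENTS))
    print("c2 rule:", matching_indices(C2_RULE, NET_EVENTS))
```

The doubled-backslash variant matches nothing, which is the silent failure mode to test for after copying rules out of a JSON export or a web page. The C2 rule fires on the benign 8080 proxy connection as well as on the real C2 IP; that is the port-only noise the falsepositives field warns about, and a SIEM backend would show the same behaviour.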
KQL (Microsoft Sentinel)
KQL
// Hunt for Vidar/Lumma/SilabRAT hashes, the C2 domains and the C2 IP.
// Each source is filtered and projected to a common shape first, then
// unioned, so the hash filter never runs against the network rows.
let IOCHashes = dynamic([
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
]);
let IOCDomains = dynamic(["brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz"]);
let IOCIPs = dynamic(["91.199.163.124"]);
let NetworkHits = DeviceNetworkEvents
    | where RemoteUrl has_any (IOCDomains) or RemoteIP in (IOCIPs)
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName,
              Indicator = coalesce(RemoteUrl, RemoteIP), Context = InitiatingProcessFileName, HitType = "network";
let ProcessHits = DeviceProcessEvents
    | where SHA256 in (IOCHashes)
    | project Timestamp, DeviceName, Account = AccountName,
              Indicator = SHA256, Context = FolderPath, HitType = "process";
// Known-bad file written to disk, which catches the dropped loader before it runs
let FileHits = DeviceFileEvents
    | where SHA256 in (IOCHashes)
    | project Timestamp, DeviceName, Account = InitiatingProcessAccountName,
              Indicator = SHA256, Context = FolderPath, HitType = "file";
union NetworkHits, ProcessHits, FileHits
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
# SilabRAT and Vidar IOC Hunter
# Checks for active C2 connections, known-bad file hashes and Run-key persistence
$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)
$SuspiciousIPs     = @("91.199.163.124")
$SuspiciousDomains = @("brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz")

Write-Host "[+] Checking for established connections to C2 IPs..."
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $SuspiciousIPs -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] C2 CONNECTION: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) [$($_.State)] PID $($_.OwningProcess) $($proc.ProcessName)" -ForegroundColor Red
    }

Write-Host "[+] Scanning common malware directories..."
$paths = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
foreach ($p in $paths) {
    Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Extension -match '^\.(exe|dll|ps1)$' } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $MaliciousHashes -contains $hash) {
                Write-Host "[!] MALWARE DETECTED: $($_.FullName) | Hash: $hash" -ForegroundColor Red
            }
        }
}

Write-Host "[+] Checking for Run Keys persistence..."
$runKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Escape the dots so "pan.rongtv.xyz" is matched literally, not as a regex wildcard
$iocPattern = (($SuspiciousDomains + $SuspiciousIPs) | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, PSChildName, PSProvider
        $value = [string]$entry.Value
        if ($value -match $iocPattern) {
            Write-Host "[!] SUSPICIOUS RUN KEY: $key\$($entry.Name) = $value" -ForegroundColor Red
        }
    }
}