Storm-3075 AI Phishing & SilabRAT MaaS: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
June 13, 2026

This intelligence brief synthesizes three distinct, high-impact threat campaigns reported in currently active OTX pulses. Collectively, these pulses indicate a surge in financially motivated operations leveraging social engineering trends (AI hype) and infrastructure vulnerabilities (Cisco SD-WAN) to deploy advanced stealers and Remote Access Trojans (RATs).

The campaigns are orchestrated by disparate actors—Storm-3075, UAT-8616, and o1oo1—but share a common objective: establishing persistent access for credential theft, session hijacking, and financial fraud. Storm-3075 is abusing interest in generative AI (ChatGPT, Claude) to distribute Vidar and Lumma Stealer via Hijack Loader. Simultaneously, UAT-8616 is actively exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182, CVE-2026-20128) to drop webshells (Godzilla, Behinder) and cryptocurrency miners. Finally, the SilabRAT MaaS operation by o1oo1 is offering Hidden VNC (HVNC) and browser cloning capabilities for $5,000/month on dark web forums.

Threat Actor / Malware Profile

Storm-3075 (AI Impersonation Campaign)

  • Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster, GhostSocks.
  • Distribution: Social engineering via malvertising and SEO poisoning. Impersonates AI brands (ChatGPT, Copilot, DeepSeek) to distribute fake installers.
  • Payload Behavior: Hijack Loader acts as the initial shellcode loader, decrypting and loading Vidar (information stealer) and Lumma Stealer. These target browser cookies, credentials, and cryptocurrency wallets.
  • C2 Communication: Utilizes HTTP/HTTPS to exfiltrate stolen data to C2 servers; evidence suggests use of domain generation algorithms (DGAs) or specific hosting infrastructure (e.g., pan.rongtv.xyz).
  • Persistence: Scheduled tasks or registry run keys established by the loader.

UAT-8616 (Cisco SD-WAN Exploitation)

  • Malware Families: XenShell, Godzilla, Behinder, Sliver, XMRig.
  • Distribution: Exploitation of CVE-2026-20182 (Authentication Bypass) and CVE-2026-20133 in Cisco Catalyst SD-WAN Manager.
  • Payload Behavior: Gains administrative privileges to upload webshells (Godzilla, Behinder) and establishes C2 using Sliver or AdaptixC2. Deploys XMRig for cryptocurrency mining.
  • C2 Communication: Webshells communicate over HTTP/S often mimicking legitimate administrative traffic. Sliver uses mTLS for beaconing.
  • Persistence: Webshell persistence within the web root of the management interface; potential modification of system services for miner persistence.

o1oo1 (SilabRAT MaaS)

  • Malware Families: SilabRAT, HijackLoader, AsmCrypt.
  • Distribution: Sold on dark web forums; delivered via initial access vectors often involving phishing or bundled software.
  • Payload Behavior: SilabRAT features Hidden VNC (HVNC) for invisible remote control and browser profile cloning to bypass 2FA/session protections. Uses AsmCrypt for obfuscation.
  • C2 Communication: Custom protocol over TCP/HTTP; HVNC creates a separate desktop environment distinct from the legitimate user.
  • Persistence: Registry modifications and service creation to ensure survival across reboots.

IOC Analysis

The provided IOCs span multiple categories, requiring multi-layered detection:

  • Network IOCs (Domains/Hostnames/IPs):
    • brokeapt.com, pan.rongtv.xyz, pan.ssffaa19.xyz (Storm-3075 infrastructure)
    • 91.199.163.124 (SilabRAT C2)
    • Action: Block at firewall/proxy. Hunt for historical DNS requests or HTTP connections to these endpoints.
  • File Hashes (SHA256/SHA1/MD5):
    • Multiple hashes associated with loaders, stealers, and webshells.
    • Action: EDR correlation for execution events. Quarantine files matching these hashes.
  • CVEs:
    • CVE-2026-20182, CVE-2026-20128, CVE-2026-20133, CVE-2025-20333, CVE-2025-20362, CVE-2026-20127, CVE-2026-20122.
    • Action: Vulnerability scanning and patch management prioritization. Log analysis for exploitation attempts on Cisco SD-WAN devices.

SOC teams should operationalize these by ingesting the domains into DNS watchlists and the hashes into EDR quarantine policies. The CVEs should trigger immediate configuration audits of SD-WAN appliances.
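As an added example (not part of the brief), the following Python matches the brief's network IOCs against constructed DNS and connection log lines and classifies the mixed-length file hashes by algorithm, since a hunt that only computes SHA256 never matches the SHA1 and MD5 entries. The log line format and the subdomain-matching rule are assumptions.

```python
import re

# Watchlist from the brief: all three domains are Storm-3075, the IP is the SilabRAT C2.
DOMAIN_IOCS = {
    "brokeapt.com": "Storm-3075",
    "pan.rongtv.xyz": "Storm-3075",
    "pan.ssffaa19.xyz": "Storm-3075",
}
IP_IOCS = {"91.199.163.124": "SilabRAT"}
HEX = re.compile(r"^[0-9a-fA-F]+$")


def hash_algorithm(value: str):
    """Classify an indicator by length: 32 hex chars = MD5, 40 = SHA1, 64 = SHA256."""
    if not HEX.match(value):
        return None
    return {32: "MD5", 40: "SHA1", 64: "SHA256"}.get(len(value))


def domain_actor(qname: str):
    """Exact or subdomain match (assumed design: cdn.brokeapt.com hits, rongtv.xyz does not)."""
    q = qname.lower().rstrip(".")
    for ioc, actor in DOMAIN_IOCS.items():
        if q == ioc or q.endswith("." + ioc):
            return actor
    return None


# Constructed sample log; assumed format "<ts> <host> dns <qname>" or "<ts> <host> conn <ip>:<port>".
SAMPLE_LOG = """\
2026-06-13T09:00:01Z ws01 dns pan.rongtv.xyz
2026-06-13T09:00:02Z ws01 dns cdn.brokeapt.com.
2026-06-13T09:00:03Z ws02 dns rongtv.xyz
2026-06-13T09:00:04Z ws03 conn 91.199.163.124:443
2026-06-13T09:00:05Z ws03 conn 10.0.0.5:443
"""


def hunt(log_text: str):
    """Return (host, indicator, actor) for every line that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        _ts, host, kind, value = line.split()
        if kind == "dns":
            actor = domain_actor(value)
        else:
            actor = IP_IOCS.get(value.rsplit(":", 1)[0])  # strip the port
        if actor:
            hits.append((host, value, actor))
    return hits
```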

Detection Engineering

Sigma Rules

---
title: Potential Storm-3075 AI-Themed Malware Execution
description: Detects execution patterns associated with Hijack Loader or Vidar Stealer, often triggered by fake AI installers.
id: 4829f1a8-9a2b-4b2c-9c8d-1e3f4a5b6c7d
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6666a9f5e13f2b2228314441
tags:
  - attack.execution
  - attack.t1059.001
  - attack.defense_evasion
  - attack.t1027
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|contains:
      - '\AppData\Local\Temp\'
      - '\Downloads\'
  selection_cli:
    CommandLine|contains:
      - 'powershell -noP -c'
      - 'regsvr32.exe /s'
      - 'rundll32.exe'
  context_keywords:
    CommandLine|contains:
      - 'chatgpt'
      - 'deepseek'
      - 'claude'
      - 'copilot'
  condition: all of selection_* and context_keywords
falsepositives:
  - Legitimate AI software installation (rare in Temp paths)
level: high
---
title: Cisco SD-WAN Webshell Activity Detection
description: Detects potential webshell access patterns associated with UAT-8616 exploitation of Cisco Catalyst SD-WAN.
id: 5930g2b9-0b3c-5c3d-0d9e-2f4g5b6c7d8e
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6667b1g6f24g3c3339425552
tags:
  - attack.initial_access
  - attack.t1190
  - attack.persistence
  - attack.t1505.003
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri-query|contains:
      - 'cmd='
      - 'exec='
      - 'cat '
      - 'whoami'
  selection_cve:
    cs-uri-stem|contains:
      - '/vpns'
      - '/dataservice'
  selection_headers:
    cs-user-agent|contains:
      - 'Godzilla'
      - 'Behinder'
  # A lone hit on /dataservice (the vManage API prefix) must not fire; require the
  # webshell user agent, or a suspicious path combined with a command-style query
  condition: selection_headers or (selection_cve and selection_uri)
falsepositives:
  - Administrative management activity (verify source IP)
level: critical
---
title: SilabRAT MaaS Persistence Mechanism
description: Detects registry modifications and service creation associated with SilabRAT persistence.
id: 6a41h3c0-1c4d-6d4e-1e0f-3g5h6c7d8e9f
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6666c0h0g35h4d4449536666
tags:
  - attack.persistence
  - attack.t1547.001
  - attack.t1543.003
logsource:
  category: registry_set
  product: windows
detection:
  selection_key:
    TargetObject|contains:
      - 'Software\Microsoft\Windows\CurrentVersion\Run'
      - 'SYSTEM\CurrentControlSet\Services'
  selection_value:
    Details|contains:
      - '.dll'
      - '.exe'
  context_silabrat:
    TargetObject|contains:
      - 'SilabRAT'
      - 'UpdateSvc'
      - 'CoreSystem'
  condition: all of selection_* and context_silabrat
falsepositives:
  - Legitimate software updates
level: high
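The following Python, added here as an example and not part of the brief, evaluates the three selections of the SD-WAN webshell rule over constructed W3C-style web log lines, combined as headers OR (stem AND query) so that a routine /dataservice API call does not fire on its own. The log layout (a #Fields header, spaces inside the user agent written as '+') is an assumption about the collector.

```python
# Terms copied from the rule; Sigma 'contains' is case-insensitive, so compare lowercased.
URI_QUERY_TERMS = ("cmd=", "exec=", "cat ", "whoami")
URI_STEM_TERMS = ("/vpns", "/dataservice")
UA_TERMS = ("godzilla", "behinder")

# Constructed sample log with a #Fields header, as an IIS/W3C logger would write it.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2026-06-13 10:00:01 10.1.1.5 GET /dataservice/device - Mozilla/5.0+(Windows) 200
2026-06-13 10:00:02 203.0.113.7 POST /dataservice/upload cmd=id Mozilla/5.0+(Windows) 200
2026-06-13 10:00:03 203.0.113.7 POST /admin/up.jsp - Godzilla/4.0 200
2026-06-13 10:00:04 198.51.100.9 GET /vpns/portal q=whoami curl/8.0 403
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def evaluate(rec: dict):
    """Return the names of the selections that matched; empty when the rule does not fire."""
    query = rec.get("cs-uri-query", "").lower()
    stem = rec.get("cs-uri-stem", "").lower()
    ua = rec.get("cs(User-Agent)", "").lower()
    sel_uri = any(t in query for t in URI_QUERY_TERMS)
    sel_cve = any(t in stem for t in URI_STEM_TERMS)
    sel_headers = any(t in ua for t in UA_TERMS)
    if not (sel_headers or (sel_cve and sel_uri)):
        return []
    matched = (("selection_uri", sel_uri), ("selection_cve", sel_cve), ("selection_headers", sel_headers))
    return [name for name, hit in matched if hit]


def run_rule(text: str):
    """List (client IP, matched selections) for every record that fires."""
    results = []
    for rec in parse_w3c(text):
        hits = evaluate(rec)
        if hits:
            results.append((rec["c-ip"], hits))
    return results
```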

KQL (Microsoft Sentinel)

Hunts for network connections to the specific IOCs and CVE exploitation attempts.

// Hunt for Storm-3075 and SilabRAT network IOCs
// Run each of the two queries below on its own; Sentinel/Defender accept one query per run.
let IoC_Domains = dynamic(["brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz"]);
let IoC_IPs = dynamic(["91.199.163.124"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
// All three domains belong to Storm-3075; the IP is the SilabRAT C2
| extend ThreatActor = iif(RemoteUrl has_any (IoC_Domains), "Storm-3075", "SilabRAT")

// Hunt for Cisco SD-WAN exploitation indicators (CVE-2026-20182, CVE-2026-20128, CVE-2026-20133)
// KQL has no contains_any operator; has_any does whole-term matching, which also keeps
// "vi" from matching every "service" or "device" substring
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("perl", "python", "php", "java")
    or ProcessCommandLine has_any ("vi", "nano", "wget", "curl")
    or ProcessCommandLine contains "dataservice"
| where DeviceName contains "vManage" or DeviceName contains "Cisco"
    or ProcessCommandLine contains "/vpns" or ProcessCommandLine contains "/certificate"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

Checks for the presence of specific file hashes on the system.

# IOC Hunt Script for OTX Pulses 2026-06-13
# The pulse hashes are a mix of MD5 (32 hex chars), SHA1 (40) and SHA256 (64);
# files are hashed with every algorithm present in the list so no indicator is skipped.
$TargetHashes = @(
    "4f5c5b3ef45cfff7721754487a86aeff9a2e6e32",
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "d75cb9920d1d3d280518ddccfe4789d2",
    "18821dbb53892d6faa14b1f063517a0302057290",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023"
)

# Group indicators by algorithm (Get-FileHash computes one algorithm per call)
$HashGroups = @{ MD5 = @(); SHA1 = @(); SHA256 = @() }
foreach ($Hash in $TargetHashes) {
    switch ($Hash.Length) {
        32      { $HashGroups.MD5    += $Hash }
        40      { $HashGroups.SHA1   += $Hash }
        64      { $HashGroups.SHA256 += $Hash }
        default { Write-Warning "Skipping indicator with unexpected length: $Hash" }
    }
}
$Algorithms = @($HashGroups.Keys | Where-Object { $HashGroups[$_].Count -gt 0 })

Write-Host "[+] Scanning for malicious file hashes ($($Algorithms -join ', '))..." -ForegroundColor Cyan

$SearchPaths = @("C:\Users\", "C:\Windows\Temp\", "C:\ProgramData\")

foreach ($Path in $SearchPaths) {
    if (-not (Test-Path $Path)) { continue }
    Write-Host "Scanning $Path..." -ForegroundColor Yellow
    # -File keeps directories out of Get-FileHash, which cannot hash them
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        foreach ($Algo in $Algorithms) {
            $FileHash = (Get-FileHash -LiteralPath $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
            # -contains is case-insensitive, so Get-FileHash's uppercase output matches the lowercase IOCs
            if ($FileHash -and ($HashGroups[$Algo] -contains $FileHash)) {
                Write-Host "[!] MATCH FOUND: $($File.FullName) ($($Algo): $FileHash)" -ForegroundColor Red
            }
        }
    }
}

# Check for suspicious network connections to the SilabRAT C2 (any TCP state)
$SuspiciousIP = "91.199.163.124"
Write-Host "[+] Checking for connections to $SuspiciousIP..." -ForegroundColor Cyan
$Connections = Get-NetTCPConnection -RemoteAddress $SuspiciousIP -ErrorAction SilentlyContinue
if ($Connections) {
    $Connections | ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] Suspicious Connection ($($_.State)): PID $($_.OwningProcess) - Process: $($Process.ProcessName)" -ForegroundColor Red
    }
} else {
    Write-Host "No connections found to known C2." -ForegroundColor Green
}

Response Priorities

  • Immediate:
    • Block identified domains (brokeapt.com, pan.rongtv.xyz) and IP (91.199.163.124) at perimeter proxies and firewalls.
    • Isolate endpoints with confirmed file hash matches.
    • Apply patches/mitigations for CVE-2026-20182 and CVE-2026-20128 on Cisco Catalyst SD-WAN infrastructure immediately.
  • 24 Hours:
    • Conduct credential resets for users in Finance, Tech, and Retail sectors who may have interacted with AI-themed phishing lures (Storm-3075).
    • Review Cisco SD-WAN logs for evidence of webshell activity (Godzilla/Behinder signatures).
  • 1 Week:
    • Review and harden SD-WAN segmentation to limit lateral movement from management interfaces.
    • Implement application controls to restrict execution of unsigned binaries in user directories (to counter Hijack Loader).
    • Update browser security policies to detect and block profile cloning attempts (HVNC).
