Storm-3075 AI Phishing, SilabRAT MaaS, and 4BID ProxyShell Campaigns: OTX Pulse Analysis

Excerpt: Analysis of AI-themed credential theft, SilabRAT MaaS operations, and 4BID ProxyShell attacks targeting critical sectors.

Threat Summary

Recent OTX pulses indicate a convergence of financially motivated and politically driven threat activity leveraging diverse infrastructure. Storm-3075 is actively exploiting the AI hype cycle, impersonating brands like ChatGPT and DeepSeek to distribute information stealers (Vidar, Lumma) via malvertising and SEO poisoning. Simultaneously, the SilabRAT Malware-as-a-Service (MaaS) platform, operated by actor o1oo1, is being marketed on dark web forums for advanced credential theft and cryptocurrency operations, featuring HVNC capabilities. In a separate vector, hacktivist group 4BID has expanded its scope beyond political targets, exploiting ProxyShell vulnerabilities in Microsoft Exchange to deploy post-exploitation frameworks (Sliver, Havoc) against government and critical infrastructure in Eastern Europe and the Middle East.

Collectively, these campaigns highlight a dual threat landscape: widespread credential harvesting targeting the technology and finance sectors, and targeted destructive/exploitative operations leveraging unpatched exchange servers.

Threat Actor / Malware Profile

Storm-3075 (AI Impersonation Campaign)

Objective: Credential theft, financial fraud, and initial access brokerage.
Malware: Vidar Stealer, Lumma Stealer, Hijack Loader.
Distribution: Social engineering via "AI-themed" lures, malvertising, and SEO poisoning.
Behavior: Hijack Loader is used to decrypt and execute shellcode, which then retrieves and injects the payload (Vidar/Lumma) into legitimate processes (e.g., svchost.exe) to harvest browser data and crypto wallets.

o1oo1 / SilabRAT

Objective: Cryptocurrency theft and persistent remote access sold via MaaS.
Malware: SilabRAT, Hijackloader, AsmCrypt.
Distribution: Dark web forums ($5,000/month subscription).
Behavior: Uses AsmCrypt for obfuscation and Hijackloader for execution. Features Hidden VNC (HVNC) for invisible remote control and browser profile cloning to bypass 2FA/session protections.

4BID (Hacktivist Campaign)

Objective: Espionage and disruption of government entities.
Malware: BlackReaperRAT, Sliver, Havoc, Mythic Apollo.
Distribution: Exploitation of CVE-2021-34473 (ProxyShell) on Microsoft Exchange.
Behavior: Deploys fd.aspx web shells for persistence. Uses Sliver and Havoc C2 frameworks for lateral movement and data exfiltration.

IOC Analysis

The provided indicators span multiple infrastructure types:

Domains & Hostnames: brokeapt.com, pan.rongtv.xyz. Used for C2 communication and payload delivery. SOC teams should block these at the perimeter and DNS layer.
IPv4 Addresses: 91.199.163.124 (SilabRAT), 185.221.153.121 (4BID C2). Associated with MaaS infrastructure and hacktivist command servers.
File Hashes: A mix of SHA1, SHA256, and MD5 hashes corresponding to loaders (Hijack Loader), stealers (Vidar/Lumma), and RATs (SilabRAT). These should be loaded into EDR solutions for immediate blocking.
CVE: CVE-2023-44976 is explicitly referenced in the 4BID pulse; however, the primary vector is ProxyShell (CVE-2021-34473).

Detection Engineering

YAML

---
title: Potential ProxyShell Exploitation via Exchange Backend
description: Detects suspicious serialization patterns and backend URLs associated with ProxyShell exploitation leading to webshell deployment.
references:
    - https://www.microsoft.com/security/blog
author: Security Arsenal
date: 2026/06/12
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2021.34473
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/api/rest/'
            - '/mapi/nspi/'
            - '/Xaml/xaml.ashx'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Unknown
level: high
---
title: Suspicious Process Injection via Hijack Loader Patterns
description: Detects potential execution of Hijack Loader or similar shellcode loaders associated with Vidar and SilabRAT.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/06/12
tags:
    - attack.defense_evasion
    - attack.t1055
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
    selection_cli:
        CommandLine|contains:
            - 'javascript:'
            - 'DllRegisterServer'
            - '.dat,'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration
level: medium
---
title: Credential Stealer File Creation Patterns
description: Detects creation of files often dropped by Vidar or Lumma stealers in temp directories.
references:
    - https://otx.alienvault.com/
author: Security Arsenal
date: 2026/06/12
tags:
    - attack.collection
    - attack.t1005
logsource:
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '\Temp\'
            - '\AppData\Local\Temp\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_legit:
        Image:
            - 'C:\Windows\System32\*'
            - 'C:\Program Files\*'
    condition: selection and not filter_legit
falsepositives:
    - Software installers
level: medium


kql
// Hunt for network connections to known IOCs from Pulse Data
let IOCs = dynamic(["91.199.163.124", "185.221.153.121", "45.112.194.82", "138.226.236.52", "brokeapt.com", "rongtv.xyz"]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc

// Hunt for process executions matching file hashes
let Hashes = pack_array("0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b");
DeviceProcessEvents
| where SHA256 in (Hashes) or MD5 in (pack_array("008cd423ca45134d3343f66cced1d104"))
| project Timestamp, DeviceName, FileName, ProcessCommandLine, SHA256, MD5
| order by Timestamp desc


powershell
# IOC Hunt Script for Storm-3075 and SilabRAT Activity
# Checks for specific file hashes and suspicious network connections

$TargetHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)

$SuspiciousIPs = @(
    "91.199.163.124",
    "185.221.153.121",
    "45.112.194.82"
)

Write-Host "[+] Scanning for Malicious File Hashes..." -ForegroundColor Cyan

# Scan common download and temp directories
$PathsToScan = @("$env:TEMP", "$env:USERPROFILE\Downloads", "C:\ProgramData")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

Write-Host "[+] Checking for Active Network Connections to Suspicious IPs..." -ForegroundColor Cyan

$Connections = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { 
    $SuspiciousIPs -contains $_.RemoteAddress 
}

if ($Connections) {
    foreach ($Conn in $Connections) {
        $Process = Get-Process -Id $Conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "[!] SUSPICIOUS CONNECTION: RemoteIP=$($Conn.RemoteAddress), Port=$($Conn.RemotePort), Process=$($Process.ProcessName) (PID=$($Conn.OwningProcess))" -ForegroundColor Red
    }
} else {
    Write-Host "[-] No suspicious connections found." -ForegroundColor Green
}

Response Priorities

Immediate:
- Block all listed IOCs (IPs, Domains) on perimeter firewalls and proxies.
- Scan endpoints for the specific SHA256/MD5 hashes provided in the pulses.
- Isolate hosts showing signs of ProxyShell exploitation (Exchange servers).
24h:
- Initiate credential resets for users potentially affected by Vidar/Lumma stealers, focusing on Finance and Tech departments.
- Review Exchange server logs for fd.aspx creation or Microsoft.Exchange.Management.ControlPanel anomalies.
1 Week:
- Patch Microsoft Exchange servers against ProxyShell vulnerabilities (CVE-2021-34473).
- Conduct user awareness training regarding "AI-powered" phishing lures and malvertising.
- Implement application control to block execution of unsigned binaries in temp directories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub