Threat Summary
Recent OTX pulses reveal a concurrent surge in financially motivated cybercrime and geopolitical hacktivism. Storm-3075 is actively exploiting the AI hype cycle, using malvertising and SEO poisoning to distribute Vidar and Lumma Stealer via Hijack Loader, targeting the education, finance, and technology sectors. Parallel to this, the SilabRAT MaaS platform (by actor o1oo1) has emerged on the dark web, offering advanced credential theft and cryptocurrency wallet draining capabilities via HVNC. Meanwhile, the hacktivist group 4BID has broadened its scope beyond political motives, exploiting ProxyShell vulnerabilities to deploy post-exploitation frameworks like Sliver and Havoc against government and aerospace entities in Eastern Europe and the Middle East.
Threat Actor / Malware Profile
Storm-3075 (AI Impersonation Campaign)
- Malware Families: Vidar, Lumma Stealer, Hijack Loader, Oyster, GhostSocks.
- Distribution: Malvertising and SEO poisoning impersonating AI brands (ChatGPT, Copilot, DeepSeek).
- Payload Behavior: Hijack Loader injects shellcode to deploy info-stealers. Lumma/Vidar harvest browser data, crypto wallets, and 2FA sessions.
- C2 Communication: HTTP/HTTPS to specific domains (e.g., brokeapt.com) for data exfiltration.
SilabRAT (MaaS)
- Actor: o1oo1.
- Malware Families: SilabRAT, Hijack Loader, AsmCrypt.
- Distribution: Sold on dark web forums for $5,000/month.
- Payload Behavior: Uses HVNC for hidden remote control, browser profile cloning to bypass session protections, and cryptocurrency wallet theft.
- Persistence: Utilizes Hijack Loader and AsmCrypt for evasion and persistence.
4BID (Hacktivist)
- Malware Families: Sliver, Havoc, Mythic Apollo, BlackReaperRAT.
- Distribution: Exploitation of ProxyShell vulnerabilities in Microsoft Exchange.
- Payload Behavior: Deployment of fd.aspx web shells followed by C2 framework establishment (Sliver/Havoc).
- Persistence: Web shells and scheduled tasks.
IOC Analysis
The provided IOCs span multiple infrastructure types requiring immediate defensive action:
- Domains & Hostnames (Storm-3075): Indicators like brokeapt.com and *.xyz hostnames serve as C2 or payload delivery nodes. SOC teams should block these at the DNS layer and inspect historical logs for any resolution requests.
- IPv4 Addresses (SilabRAT/4BID): IPs such as 91.199.163.124 and 185.221.153.121 are associated with C2 infrastructure. Block these on perimeter firewalls and hunt for outbound connections to these endpoints.
- File Hashes: Numerous SHA256 and MD5 hashes correspond to loaders, stealers, and web shells. EDR solutions should be configured to alert on execution or creation of these files.
- CVEs: CVE-2023-44976 (and historical ProxyShell chains) highlight the need for immediate Exchange server patching.
Detection Engineering
The following detection logic targets the specific behaviors of Hijack Loader, ProxyShell exploitation, and SilabRAT/C2 frameworks observed in these pulses.
title: Potential Storm-3075 Hijack Loader Activity
description: Detects suspicious process execution patterns associated with Hijack Loader used to deploy Vidar/Lumma stealers, often involving rundll32 or regsvr32 with uncommon arguments.
author: Security Arsenal
date: 2026/06/12
status: experimental
references:
    - https://otx.alienvault.com/pulse/6656a12f8e0e4a0b9a0b0b0b/
tags:
    - attack.defense_evasion
    - attack.t1055.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
    selection_cli:
        CommandLine|contains:
            - '.dll,'
            - 'DllRegisterServer'
    filter_legit:
        CommandLine|contains:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection_img and selection_cli and not filter_legit
falsepositives:
    - Legitimate software installation
level: high
---
title: 4BID Hacktivist ProxyShell Exploitation Attempt
description: Detects exploitation attempts against Microsoft Exchange Server indicative of ProxyShell usage, often leading to web shell deployment as seen in 4BID campaigns.
author: Security Arsenal
date: 2026/06/12
status: experimental
references:
    - https://otx.alienvault.com/pulse/6656a12f8e0e4a0b9a0b0b0b/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5156
        DestPort: 443
        Application|endswith: '\w3wp.exe'
        LayerName: 'Receive/Accept'
    filter:
        # Event 5156 carries the client IP in the SourceAddress field
        SourceAddress|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter
falsepositives:
    - Legitimate Exchange Client Access services
level: critical
---
title: SilabRAT MaaS C2 Beacon Pattern
description: Detects potential network activity characteristic of SilabRAT or similar MaaS RATs communicating with known infrastructure or utilizing specific User-Agent patterns.
author: Security Arsenal
date: 2026/06/12
status: experimental
references:
    - https://otx.alienvault.com/pulse/6656a12f8e0e4a0b9a0b0b0b/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
            - 8080
    selection_ioc:
        # IPv4 C2 infrastructure listed in the IOC Analysis and KQL sections of this report
        DestinationIp:
            - '91.199.163.124'
            - '185.221.153.121'
            - '45.112.194.82'
            - '138.226.236.52'
    filter_iana:
        DestinationHostname|endswith:
            - '.microsoft.com'
            - '.windowsupdate.com'
            - '.azure.com'
    condition: selection and selection_ioc and not filter_iana
falsepositives:
    - Legitimate web browsing
level: medium
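To check what the first two Sigma rules above actually match before deploying them, here is an added Python evaluator (example code written for this note, not part of the original report or of any Sigma tooling) that re-implements their selections and filters over constructed process-creation and WFP 5156 events; the field name SourceAddress for the 5156 client address and all sample paths are assumptions.

```python
import ipaddress
# Sigma string matching is case-insensitive; helpers mirror |endswith, |contains, |cidr.
def endswith_any(value, suffixes):
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)

def in_cidr_any(ip, cidrs):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed field: never a filter hit
        return False
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def hijack_loader_match(ev):
    """Rule 1: selection_img and selection_cli and not filter_legit."""
    sel_img = endswith_any(ev.get("Image"), ["\\rundll32.exe", "\\regsvr32.exe"])
    sel_cli = contains_any(ev.get("CommandLine"), [".dll,", "DllRegisterServer"])
    legit = contains_any(ev.get("CommandLine"),
                         ["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\"])
    return sel_img and sel_cli and not legit

def proxyshell_match(ev):
    """Rule 2: inbound WFP event 5156 to w3wp.exe:443 from outside RFC 1918 space.
    Assumes the raw 5156 field name SourceAddress for the client IP."""
    sel = (ev.get("EventID") == 5156 and str(ev.get("DestPort")) == "443"
           and endswith_any(ev.get("Application"), ["\\w3wp.exe"])
           and ev.get("LayerName") == "Receive/Accept")
    return sel and not in_cidr_any(ev.get("SourceAddress"),
                                   ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])

# Constructed sample events (not real telemetry); only the first of each list should fire.
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
PROC_EVENTS = [
    {"Image": RUNDLL, "CommandLine": "rundll32.exe C:\\Users\\a\\AppData\\Local\\Temp\\ChatGPT_Setup.dll,Start"},
    {"Image": RUNDLL, "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s C:\\Users\\a\\AppData\\Local\\Temp\\update.dll"},
]
W3WP = "\\device\\harddiskvolume2\\windows\\system32\\inetsrv\\w3wp.exe"
NET_EVENTS = [
    {"EventID": 5156, "DestPort": 443, "Application": W3WP, "LayerName": "Receive/Accept", "SourceAddress": "203.0.113.7"},
    {"EventID": 5156, "DestPort": 443, "Application": W3WP, "LayerName": "Receive/Accept", "SourceAddress": "10.20.30.40"},
]
def evaluate():
    return [hijack_loader_match(e) for e in PROC_EVENTS], [proxyshell_match(e) for e in NET_EVENTS]
```

Note that the regsvr32 branch of rule 1 only fires when the literal string DllRegisterServer appears on the command line, which a normal regsvr32 invocation does not include, so in practice the rule keys on rundll32's name.dll,Export syntax.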
KQL Hunt Queries (Microsoft Sentinel)
// Hunt for Storm-3075 C2 Domains and IPs
DeviceNetworkEvents
| where RemoteUrl in~ ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")
or RemoteIP in ("91.199.163.124", "185.221.153.121", "45.112.194.82", "138.226.236.52")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
// Hunt for File Hash Execution (Vidar/Lumma/SilabRAT)
DeviceProcessEvents
| where SHA256 in (
"0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
"25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
"3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, AccountName
// Hunt for ProxyShell/Web Shell Indicators (fd.aspx)
DeviceFileEvents
| where FileName =~ "fd.aspx"
or SHA256 in ("fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623")
| project Timestamp, DeviceName, FolderPath, ActionType, InitiatingProcessAccountName
PowerShell Hunt Script
<#
.SYNOPSIS
    IOC Hunt Script for Storm-3075, SilabRAT, and 4BID.
.DESCRIPTION
    Scans file system for known malicious hashes and checks for suspicious AI-related file names.
#>
$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623"
)
Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan
$DrivesToScan = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $DrivesToScan) {
    Write-Host "Scanning $Drive..."
    try {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -contains compares case-insensitively, so upper-case output matches the lower-case list
            if ($FileHash -and ($MaliciousHashes -contains $FileHash)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $FileHash)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors
    }
}
Write-Host "[+] Checking for suspicious AI-themed executables in Temp folders..." -ForegroundColor Cyan
$TempFolders = @("$env:TEMP", "$env:LOCALAPPDATA\Temp", "C:\Windows\Temp")
$SuspiciousNames = @("ChatGPT", "DeepSeek", "Claude", "Copilot", "AI_Setup")
# Build one case-insensitive regex from the name list; a nested Where-Object would
# shadow $_ so that $_.Name referred to the name string rather than the file object
$NamePattern = ($SuspiciousNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
foreach ($Folder in $TempFolders) {
    if (Test-Path $Folder) {
        Get-ChildItem -Path $Folder -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $NamePattern } |
            ForEach-Object {
                Write-Host "[!] SUSPICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Yellow
            }
    }
}
Write-Host "Scan complete."
Response Priorities
- Immediate: Block all identified IOCs (domains such as brokeapt.com, IPs such as 91.199.163.124, etc.) at perimeter firewalls, proxies, and endpoint security controls. Trigger hunting for the specified file hashes.
- 24h: Conduct identity verification reviews for accounts associated with devices that triggered IOCs, particularly given the prevalence of credential stealers (Vidar/Lumma) and session hijacking (SilabRAT).
- 1 week: Patch Microsoft Exchange servers to address ProxyShell vulnerabilities. Review and harden email filtering to detect AI-themed social engineering lures.