
Storm-3075 & SilabRAT: AI Lures & Supply Chain Worms — OTX Pulse Detection Pack

Security Arsenal Team
June 10, 2026

Recent OTX pulses indicate a convergence of credential theft tactics, leveraging both broad social engineering campaigns and sophisticated supply chain attacks. Threat actor Storm-3075 is capitalizing on the AI boom, impersonating brands like ChatGPT and Claude to distribute Vidar and Lumma Stealer via malvertising and SEO poisoning. In parallel, the SilabRAT Malware-as-a-Service (MaaS), developed by actor o1oo1, is being actively marketed on dark web forums for $5,000/month, featuring Hidden VNC (HVNC) and browser profile cloning to bypass MFA. Simultaneously, a supply chain campaign targeting developers utilizes malicious PyPI packages (Mini Shai-Hulud, Miasma) to deliver worms and steal cryptocurrency data. The collective objective across these pulses is financial theft through credential harvesting and session hijacking.

Threat Actor / Malware Profile

Storm-3075

  • Malware: Vidar, Lumma Stealer, Hijack Loader, GhostSocks
  • Distribution: Malvertising campaigns impersonating AI tools; fake download pages for ChatGPT/Copilot.
  • Behavior: Uses Hijack Loader to decrypt and execute payloads. Lumma Stealer targets browser data and cryptocurrency wallets. GhostSocks likely used for C2 proxying.

o1oo1 (SilabRAT)

  • Malware: SilabRAT, HijackLoader, AsmCrypt
  • Distribution: Sold as MaaS; initial access vectors likely phishing or exploit kits.
  • Behavior: Features HVNC for invisible remote control. Clones browser profiles (Chrome/Firefox) to bypass session protections. Focuses heavily on cryptocurrency wallet theft.

Supply Chain Actors (Unknown)

  • Malware: Hades, Mini Shai-Hulud, Miasma
  • Distribution: Typosquatting and package confusion on PyPI and npm. Uses malicious .pth hooks and trojanized .abi3.so files.
  • Behavior: Executes at Python import time. Searches sys.path for propagation. Steals credentials and environment variables.
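As an added illustration of the start-up hook the supply chain entry above relies on (this is not code from the pulses or from Security Arsenal), the Python script below mirrors how CPython's site module treats each line of a .pth file and reports the lines it would execute; the site directory and file names used in demo_findings() are constructed sample data.

```python
"""Audit .pth start-up hooks in Python site directories.

CPython's site.addpackage() reads every *.pth in each site directory at
interpreter start: a line beginning with "import " or "import\\t" is
exec()'d; any other non-blank line not starting with "#" is a sys.path entry.
"""
import site
import tempfile
from pathlib import Path

EXEC_PREFIXES = ("import ", "import\t")  # exactly the prefixes site.py exec()s


def pth_exec_lines(pth_file):
    """Return [(lineno, line)] for the lines site.py would execute.
    Leading whitespace matters: "  import x" is a path entry, not code."""
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#") or not line.strip():
            continue  # comment or blank line: skipped by site.py
        if line.startswith(EXEC_PREFIXES):
            hits.append((lineno, line.rstrip()))
    return hits


def audit_site_dirs(site_dirs):
    """Map the name of each *.pth carrying executable lines to those lines."""
    findings = {}
    for d in map(Path, site_dirs):
        for pth in (sorted(d.glob("*.pth")) if d.is_dir() else []):
            lines = pth_exec_lines(pth)
            if lines:
                findings[pth.name] = lines
    return findings


def demo_findings():
    """Run the audit over a constructed site directory (sample data only)."""
    tmp = Path(tempfile.mkdtemp())
    # Benign: path entries only, as written by editable installs; the indented
    # import is a path entry to site.py and must not be reported.
    (tmp / "easy-install.pth").write_text("/opt/app/src\n# note\n  import os\n")
    # Suspicious (constructed): code that runs on every interpreter start.
    (tmp / "zz_hook.pth").write_text("import sys; sys.stderr.write('pth hook ran')\n/opt/other\n")
    return audit_site_dirs([tmp])


if __name__ == "__main__":  # audit the running interpreter's global and user site dirs
    for name, lines in audit_site_dirs(site.getsitepackages() + [site.getusersitepackages()]).items():
        print(name, lines)
```

Any .pth reported here deserves a look at which package owns it and what the import line pulls in; a trojanized .abi3.so extension module loaded by that line would not show up in the file itself.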

IOC Analysis

The provided pulses yield critical IOCs for immediate blocking:

  • File Hashes: Multiple SHA256 hashes associated with HijackLoader, SilabRAT, and Lumma Stealer payloads (e.g., 3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b). These indicate final payload stages on disk.
  • Network Infrastructure: C2 IP 91.199.163.124 (SilabRAT) and domains brokeapt.com, rongtv.xyz (Storm-3075). These should be blocked at the firewall and proxy level.
  • Operational Guidance: SOC teams should prioritize the IP 91.199.163.124 as it represents active C2 infrastructure for a high-profile MaaS. File hashes should be loaded into EDR block lists so that matching hosts are isolated automatically. The lack of URLs in some pulses suggests actors are moving to dynamic domains or IP-based C2 to avoid static detection.

Detection Engineering

```yaml
title: Potential Lumma Stealer or Vidar Activity
id: 4f5c5b3e-0000-4c5b-8aef-f9a2e6e32aaa
description: Detects suspicious process execution patterns associated with Lumma Stealer and Vidar, often spawned via Hijack Loader or accessing browser credential files.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/ai-brands-as-bait
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\powershell.exe'
        Image|endswith:
            - '\reg.exe'
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - 'copy'
            - 'type'
            - 'export'
    condition: selection
falsepositives:
    - Legitimate administration tasks
level: high
---
title: SilabRAT or HijackLoader Payload Execution
id: 3a6adbe0-1111-2488-0f13-496e92591e0c
description: Detects execution of known SilabRAT or HijackLoader components based on specific file characteristics and common directories.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/silabrat-whats-your-power
tags:
    - attack.execution
    - attack.t1059
# Process creation is used rather than file_event: Sysmon file-create events
# carry no Hashes field, so a hash match on them would never fire.
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|contains:
            - '\AppData\Roaming\'
            - '\AppData\Local\Temp\'
        Image|endswith: '.exe'
    selection_hash:
        Hashes|contains:
            - 'SHA256=3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b'
            - 'SHA256=79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5'
    condition: selection_path and selection_hash
falsepositives:
    - None
level: critical
---
title: Malicious PyPI Package Execution via Startup Hooks
id: 6506d317-2222-9949-8953-bf9705bcf889
description: Detects execution of Python scripts potentially loading malicious .pth files associated with Mini Shai-Hulud or Miasma supply chain attacks.
status: experimental
date: 2026/06/10
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/mini-shai-hulud-miasma
tags:
    - attack.initial_access
    - attack.t1195
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith:
            - '/python'
            - '/python3'
        CommandLine|contains:
            - 'site-packages'
            - '.pth'
            - 'import'
    condition: selection
falsepositives:
    - Legitimate Python development
level: high
```

```kql
// Hunt for SilabRAT and Storm-3075 indicators.
// Run each query on its own: Advanced Hunting does not accept several
// tabular queries joined by ';' in one request.

// 1. File hash hunt. Match on the hash of the written file as well as on
//    the hash of the process that wrote it; the original InitiatingProcessSHA256
//    check alone misses payloads dropped by an unknown loader.
let MaliciousHashes = dynamic([
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a"]);
DeviceFileEvents
| where SHA256 in (MaliciousHashes) or InitiatingProcessSHA256 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName, SHA256, InitiatingProcessSHA256

// 2. Network connection hunt (C2 infrastructure)
DeviceNetworkEvents
| where RemoteIP == "91.199.163.124" or RemoteUrl has_any ("brokeapt.com", "rongtv.xyz", "ssffaa19.xyz")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort

// 3. Process hunt for AI-themed lures. 'contains' is case-insensitive; '!in~'
//    keeps the browser exclusion case-insensitive as well ('!in' is not).
DeviceProcessEvents
| where ProcessCommandLine contains "ChatGPT" or ProcessCommandLine contains "DeepSeek" or ProcessCommandLine contains "Claude"
| where FileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
```

```powershell
#Requires -RunAsAdministrator
# PowerShell hunt script for Storm-3075 and SilabRAT artifacts

$MaliciousHashes = @(
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8613b05ab56d0dc9d623",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80"
)

$MaliciousDomains = @(
    "brokeapt.com",
    "rongtv.xyz",
    "ssffaa19.xyz"
)
$C2Address = "91.199.163.124"

# Regex matching the listed domains and any of their subdomains (an exact
# -contains check on the cache entry would miss e.g. cdn.brokeapt.com).
$DomainPattern = '(^|\.)(' + (($MaliciousDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

Write-Host "[+] Hunting for malicious process images..." -ForegroundColor Cyan
Get-Process | Where-Object { $null -ne $_.Path } | ForEach-Object {
    $hash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -in $MaliciousHashes) {
        Write-Host "[!] MALICIOUS PROCESS FOUND: $($_.ProcessName) (PID: $($_.Id))" -ForegroundColor Red
        Write-Host "    Path: $($_.Path)"
        Write-Host "    Hash: $hash"
    }
}

Write-Host "[+] Checking DNS cache for malicious domains (including subdomains)..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $_.Entry -match $DomainPattern } | ForEach-Object {
    Write-Host "[!] MALICIOUS DOMAIN RESOLUTION FOUND: $($_.Entry)" -ForegroundColor Red
    Write-Host "    Data: $($_.Data)"
}

Write-Host "[+] Checking for established connections to $C2Address..." -ForegroundColor Cyan
# No port filter: the C2 listener need not sit on 80/443, so report every port.
Get-NetTCPConnection -State Established | Where-Object { $_.RemoteAddress -eq $C2Address } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] SUSPICIOUS CONNECTION FOUND: $C2Address" -ForegroundColor Red
    Write-Host "    Local Port: $($_.LocalPort), Remote Port: $($_.RemotePort)"
    if ($proc) { Write-Host "    Owning Process: $($proc.ProcessName) (PID: $($proc.Id))" }
}
```

Response Priorities

*   **Immediate (0-4h):**
    *   Block the C2 IP `91.199.163.124` and domains `brokeapt.com`, `rongtv.xyz`, `ssffaa19.xyz` at all network egress points.
    *   Isolate any endpoints matching the provided SHA256 file hashes.
    *   Kill processes associated with `HijackLoader` or suspicious Python scripts executing from temp directories.

*   **24 Hours:**
    *   Conduct credential audits for users who may have interacted with "AI" themed downloads or visited the malicious domains.
    *   Verify browser extensions on corporate assets; specifically look for unsanctioned crypto-wallet extensions (MetaMask, Phantom) or "AI Assistant" extensions.
    *   Review PyPI and npm package usage in development environments; block the packages identified in the "Mini Shai-Hulud" pulse.

*   **1 Week:**
    *   Implement application allow-listing to prevent unsigned loaders (HijackLoader variants).
    *   Harden the build pipeline for developers to verify package integrity (checksum verification) before installation.
    *   Enforce MFA re-authentication for sensitive financial applications to disrupt session hijacking attempts used by SilabRAT.
