Back to Intelligence

Storm-3075, SilabRAT, and AI-Themed Infostealers: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 12, 2026
5 min read

Threat Summary

Recent OTX pulses reveal a coordinated surge in credential theft campaigns utilizing diverse vectors including AI-themed social engineering, supply chain compromises, and social media distribution. Threat actors are aggressively targeting the cryptocurrency sector and developer communities. Key campaigns include Storm-3075 leveraging "AI hype" (ChatGPT/DeepSeek) to distribute Vidar and Lumma Stealers, and the MaaS operator o1oo1 selling SilabRAT for browser profile cloning. Additionally, a sophisticated supply chain attack is targeting Bioinformatics and MCP developers via malicious PyPI packages (Hades, Mini Shai-Hulud) to achieve persistence and credential theft.

Threat Actor / Malware Profile

  • Storm-3075: Utilizing "AI-brands-as-bait," this actor employs SEO poisoning and malvertising to distribute Vidar, Lumma Stealer, and GhostSocks. The attack chain often involves impersonating legitimate AI interfaces to trick users into downloading malicious payloads.
  • SilabRAT (o1oo1): A $5,000/month MaaS offering featuring Hidden VNC (HVNC) for invisible remote control. It uses HijackLoader and AsmCrypt to steal browser sessions and cryptocurrency wallets, specifically targeting browser profile data to bypass 2FA protections.
  • Supply Chain Attackers (Unknown): Distributing Hades, Mini Shai-Hulud, and Miasma via typosquatting on PyPI and npm. These payloads use trojanized native extensions (.abi3.so) and .pth startup hooks to execute stealthily upon import.
  • Social Media Distributors: Threat actors using TikTok and Instagram Reels to spread Vidar Stealer via fake software tutorials, instructing users to execute PowerShell commands.
  • Needle C2: A modular crypto-stealing platform (RustyStealer) targeting browser extensions (MetaMask, Phantom) and desktop crypto wallets via spoofer applications.

IOC Analysis

  • Domains & Hostnames: Several C2 domains and distribution nodes were identified, including brokeapt.com (Vidar), pan.rongtv.xyz (C2), and msget.run (TikTok campaign). These should be blocked immediately at the DNS layer.
  • IP Addresses: 91.199.163.124 was identified as a SilabRAT C2 node.
  • File Hashes: Multiple SHA256 hashes correlate to Vidar, SilabRAT, and Python wheel payloads. SOC teams should scan endpoint historical data for these specific hashes.
  • Operationalization: IOCs should be ingested into EDR solutions for immediate scanning. The PowerShell command patterns found in the TikTok campaign provide high-fidelity behavioral detection opportunities.

Detection Engineering

YAML
---
title: Potential Vidar Stealer Execution via PowerShell Suspicious Download
id: 827e1c1e-1234-5678-9abc-def123456789
description: Detects PowerShell commands downloading payloads from domains associated with Vidar Stealer distribution campaigns (TikTok/Social Engineering).
status: experimental
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'msget.run'
      - 'd4ug.site'
      - 'Invoke-WebRequest'
      - 'IEX'
  condition: selection
falsepositives:
  - Legitimate software installation scripts (unlikely for these TLDs)
level: high

---
title: SilabRAT Browser Profile Cloning Activity
id: 736d2f0d-9876-5432-10dc-fab987654321
description: Detects non-browser processes accessing browser profile directories, a behavior associated with SilabRAT and other infostealers for session hijacking.
status: experimental
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.credential_access
  - attack.t1555.003
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\'
      - '\Mozilla\Firefox\Profiles\'
      - '\BraveSoftware\Brave-Browser\User Data\Default\'
  filter_legit_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\brave.exe'
      - '\msedge.exe'
  condition: selection and not filter_legit_browsers
falsepositives:
  - Backup software accessing profile data
  - Browser extensions update processes
level: medium

---
title: Malicious PyPI/NPM Supply Chain Execution
id: 625c1b0a-8765-4321-09ed-dce876543210
description: Detects execution of suspicious native extensions or hooks often used in Python supply chain attacks like Hades or Miasma.
status: experimental
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\python.exe'
    CommandLine|contains:
      - '.pth'
      - '.abi3.so'
      - '.pyd'
  condition: selection
falsepositives:
  - Legitimate Python development workflows
level: high


kql
// Hunt for network connections to known malicious domains/IPs
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "brokeapt.com",
    "pan.rongtv.xyz",
    "pan.ssffaa19.xyz",
    "msget.run",
    "d4ug.site"
) or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for PowerShell execution with suspicious TLDs
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (".run", ".site", "brokeapt.com")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


powershell
<#
.SYNOPSIS
IOC Hunt Script for Storm-3075, SilabRAT, and associated Malware.
Checks Hosts file and traces recent network connections for known IOCs.
#>

$MaliciousDomains = @(
    "brokeapt.com",
    "pan.rongtv.xyz",
    "pan.ssffaa19.xyz",
    "msget.run",
    "d4ug.site"
)

$MaliciousIPs = @(
    "91.199.163.124"
)

# 1. Check Hosts File
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($domain in $MaliciousDomains) {
        if ($HostsContent -match $domain) {
            Write-Host "[ALERT] Found malicious domain in hosts file: $domain" -ForegroundColor Red
        }
    }
}

# 2. Check Active Connections (requires Admin)
Write-Host "`nChecking active network connections..."
try {
    $ActiveConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | 
                         Select-Object LocalAddress, RemoteAddress, RemotePort, OwningProcess
    
    foreach ($conn in $ActiveConnections) {
        # Check Remote IP
        if ($MaliciousIPs -contains $conn.RemoteAddress) {
            $Proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "[ALERT] Connection to malicious IP: $($conn.RemoteAddress) by PID $($conn.OwningProcess) ($($Proc.ProcessName))" -ForegroundColor Red
        }
    }
} catch {
    Write-Host "Could not retrieve network connections (Admin privileges required)." -ForegroundColor Yellow
}

# 3. Check for File Hashes (Optional - scanning common download folders)
Write-Host "`nScanning Downloads folder for known SHA256 hashes (this may take a moment)..."
$UserDownloads = "$env:USERPROFILE\Downloads"
if (Test-Path $UserDownloads) {
    $KnownHashes = @(
        "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
        "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
        "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
        "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23"
    )

    Get-ChildItem -Path $UserDownloads -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($KnownHashes -contains $hash.Hash) {
            Write-Host "[CRITICAL] Known malware file found: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Response Priorities

  • Immediate: Block all listed domains (msget.run, brokeapt.com, d4ug.site) and IP (91.199.163.124) at the perimeter. Initiate hunts for Vidar and SilabRAT file hashes on endpoints.
  • 24h: Conduct identity verification checks for users with potential exposure to AI-themed phishing or TikTok tutorials. Force password resets for high-privilege accounts if session hijacking is suspected.
  • 1 Week: Review and harden CI/CD pipelines (PyPI/NPM) against typosquatting and supply chain attacks. Update security awareness training to cover AI-impersonation and social media malware vectors.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsinfostealervidarsilabratsupply-chain-attackcredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action