Recent OTX pulses indicate a coordinated escalation in credential theft operations, utilizing diverse entry vectors ranging from social engineering to supply chain compromises. Threat actors, specifically Storm-3075 and the developer behind SilabRAT (actor o1oo1), are aggressively targeting sectors drawn to emerging technologies (AI, Bioinformatics) and financial gains (Cryptocurrency).
The campaign ecosystem includes:
- AI-Themed Social Engineering: Impersonation of brands like ChatGPT and Copilot to distribute Vidar and Lumma Stealer.
- Social Media Malware: Use of TikTok and Instagram Reels to spread Vidar via fake PowerShell tutorials.
- Malware-as-a-Service (MaaS): The proliferation of SilabRAT (featuring HVNC and browser cloning) and Needle (modular crypto-stealer).
- Supply Chain Attacks: Targeting Bioinformatics and MCP developers via malicious PyPI packages (Hades, Mini Shai-Hulud, Miasma).
The primary objective across all observed activities is financial theft through credential harvesting, session hijacking, and cryptocurrency wallet draining.
Threat Actor / Malware Profile
| Malware Family / Actor | Description | Behavior & Technique |
|---|---|---|
| Vidar Stealer | Infostealer distributed via malvertising and social media tutorials. | Steals browser data, crypto wallets, 2FA sessions. Often delivered via Hijack Loader. Observed in TikTok campaigns instructing users to run PowerShell commands. |
| SilabRAT | Advanced MaaS RAT sold on darkweb forums ($5k/mo) by actor o1oo1. | Features Hidden VNC (HVNC) for invisible remote control and browser profile cloning to bypass MFA. Uses AsmCrypt for obfuscation. Focuses on cryptocurrency theft. |
| Needle (ThreatNeedle) | Modular crypto-stealing platform targeting browser extensions and desktop wallets. | Spoofer targeting MetaMask, Phantom, Trust Wallet. Rust-based desktop agent impersonating Exodus/Trezor. Uses Phorpiex for distribution. |
| Hades / Miasma | Worms targeting developers via malicious Python packages. | Uses executable .pth hooks and trojanized .abi3.so extensions. Delivered via typosquatting on PyPI/npm. Searches sys.path for propagation. |
| Storm-3075 | Threat actor leveraging AI hype. | Utilizes SEO poisoning and malvertising to distribute payloads like Oyster and GhostSocks alongside Vidar/Lumma. |
IOC Analysis
The provided pulses yield a mix of network and file-based indicators crucial for detection:
- Network (Domains/IPv4): Includes C2 infrastructure like
msget.run(Vidar C2),brokeapt.com(AI malvertising), and91.199.163.124(SilabRAT). SOC teams should immediately block these at the perimeter and DNS resolvers. - File Hashes (SHA1/SHA256): Numerous payloads for the mentioned families. These should be uploaded to EDR solutions for hunting. The high volume of SHA256s for SilabRAT and Vidar suggests active payload rotation.
- Operationalization:
- SIEM: Correlate domain connections against
DeviceNetworkEvents. - EDR: Execute hunts for the specific file hashes to identify infected endpoints.
- Threat Intel: Integrate hashes into threat intelligence platforms (TIP) to automate blocking.
- SIEM: Correlate domain connections against
Detection Engineering
Sigma Rules
YAML
---
title: Suspicious PowerShell Download Executable - Vidar/Lumma Vector
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects PowerShell commands downloading executables, often seen in AI-themed lures and TikTok fake tutorials distributing Vidar.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/ai-brands-as-bait/
- https://otx.alienvault.com/pulse/fake-software-tutorials-tiktok/
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'Invoke-WebRequest'
- 'Invoke-RestMethod'
- 'DownloadFile'
- 'DownloadString'
filter_legit:
CommandLine|contains:
- 'windowsupdate'
- 'microsoft.com'
condition: selection and not filter_legit
falsepositives:
- Legitimate system administration scripts
level: high
---
title: Potential HijackLoader or AsmCrypt Execution Pattern
description: Detects process execution patterns associated with HijackLoader and AsmCrypt often used to load SilabRAT and Vidar.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/silabrat/
- https://otx.alienvault.com/pulse/ai-brands-as-bait/
tags:
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_parent:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\explorer.exe'
selection_child:
Image|contains:
- '\Temp\'
- '\AppData\Local\Temp\'
CommandLine|contains:
- '/load'
- '-enc'
- 'regsvr32'
condition: selection_parent and selection_child
falsepositives:
- Software installers
level: medium
---
title: Malicious Python Extension Load - Hades/Miasma Supply Chain
description: Detects Python processes loading suspicious native extensions (.so/.pyd) from non-standard paths, indicative of the Hades/Miasma supply chain attack.
status: experimental
date: 2026/06/11
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/mini-shai-hulud-miasma/
tags:
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\python.exe'
- '\python3.exe'
CommandLine|contains:
- '.pyd'
- '.so'
- '.dll'
filter_path:
CommandLine|contains:
- '\Program Files\'
- '\ProgramData\'
- '\Anaconda\'
condition: selection and not filter_path
falsepositives:
- Legitimate Python developer environments
level: high
KQL Hunt Queries
KQL — Microsoft Sentinel / Defender
// Hunt for network connections to known IOCs (Domains/IPs)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
"msget.run", "d4ug.site", "brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz"
) or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend IOCType = iff(RemoteUrl != "", "Domain", "IP")
kql
// Hunt for PowerShell processes potentially related to Vidar tutorials
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("DownloadFile", "Invoke-WebRequest", "iex")
and ProcessCommandLine matches regex @"\.(exe|dll|bat|ps1)"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
PowerShell Hunt Script
PowerShell
# Hunt for specific IOCs found in OTX Pulses
$Hashes = @( "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
"25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
"3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
"6506d31707a399498f934bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
"6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9"
)
$SuspectIP = "91.199.163.124"
Write-Host "[+] Scanning for Malicious File Hashes..." -ForegroundColor Cyan
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($Hashes -contains $hash) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
}
Write-Host "[+] Checking for active network connections to SilabRAT C2 ($SuspectIP)..." -ForegroundColor Cyan
$connections = Get-NetTCPConnection -RemoteAddress $SuspectIP -ErrorAction SilentlyContinue
if ($connections) {
$connections | ForEach-Object {
$proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
Write-Host "[!] SUSPICIOUS CONNECTION: PID $($_.OwningProcess) ($($proc.ProcessName)) connected to $SuspectIP" -ForegroundColor Red
}
} else {
Write-Host "[-] No active connections found to specific C2 IP." -ForegroundColor Green
}
---
# Response Priorities
Immediate (0-24h)
- Block IOCs: Add all listed domains (
msget.run,brokeapt.com), hostnames, and IPs (91.199.163.124) to firewall blocklists and secure web gateways. - Hunt for Compromise: Run the PowerShell hunt script across endpoints to check for the presence of listed SHA256 hashes.
- Isolate Infected Hosts: If the above hunt returns positive matches, isolate the machine from the network immediately to prevent C2 beaconing or data exfiltration.
24-48h
- Credential Reset: Force a password reset for users on devices where artifacts were found. Revoke active sessions for sensitive applications (Email, VPN, Banking).
- Browser Artifact Forensics: On infected machines, analyze browser history and extensions for signs of SilabRAT profile cloning or Needle wallet spoofing.
- Supply Chain Audit: For development teams, audit PyPI and npm package usage. Remove any packages related to
Mini Shai-Hulud,Miasma, orHades.
1 Week
- Policy Hardening: Implement software restriction policies (SRP) or AppLocker to block PowerShell execution for standard users and prevent unsigned binaries from running in user directories (
%APPDATA%,%TEMP%). - Security Awareness: Update security awareness training to include the specific tactics observed: AI-themed phishing and fake software tutorials on social media (TikTok/Instagram).
- Developer Hygiene: Enforce the use of requirements.txt.lock or dependency lockfiles and private package registries to prevent typosquatting supply chain attacks.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsvidar-stealersilabratneedle-malwaresupply-chain-attackai-impersonation
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.