
TroyDen AI Lures & Vidar Stealer: Multi-Vector Credential Theft and Ransomware Lead-in

Security Arsenal Team
May 13, 2026

Security Arsenal analysts have identified a surge in credential theft activity leveraging both traditional social engineering and sophisticated supply chain attacks. Based on the latest OTX pulses, threat actors are aggressively targeting developers and gamers through a coordinated campaign dubbed "TroyDen's Lure Factory." This operation utilizes AI-generated biological taxonomy to disguise malware payloads on GitHub, distributing LuaJIT-based infostealers like Redline and Lumma.

Concurrently, separate campaigns are exploiting the trust in open-source ecosystems. Malicious NuGet packages are typosquatting Chinese UI libraries to deliver Quantum and AgentRacoon, while actors are weaponizing the "Claude Code" leak to distribute Vidar and GhostSocks via trojanized repositories. The end goal for many of these credential theft operations appears to be facilitating access for ransomware crews, specifically evidenced by a transition from EtherRat and TukTuk loaders to "The Gentlemen" ransomware. The collective attack chain relies heavily on abusing legitimate developer tools (Git, NuGet, AutoIt) and blockchain technology (EtherHiding) for C2 obfuscation.

Threat Actor / Malware Profile

Key Malware Families

  • LummaStealer / Redline: Information stealers targeting browser data, crypto wallets, and 2FA sessions. Distributed via TroyDen's GitHub ecosystem.
  • Vidar Stealer: A modular infostealer frequently used as a loader for further payloads (including GhostSocks). Distributed via trojanized Claude Code repositories and AutoIt loaders.
  • EtherRAT / TukTuk: Advanced loaders utilizing Ethereum blockchain transactions (EtherHiding) for C2 configuration. TukTuk employs DLL sideloading for persistence.
  • The Gentlemen Ransomware: The final payload in observed multi-stage intrusions, deployed post-credential theft.

Tactics, Techniques, and Procedures (TTPs)

  • Distribution: Typosquatting on NuGet, GitHub repository spoofing, AI-generated lure documents, and malicious MSI installers disguised as Sysinternals tools.
  • Execution: Two-component payloads, AutoIt scripting abuse, and DLL sideloading via legitimate applications like Greenshot.
  • C2 Communication: Abuse of DNS providers, usage of specific IPv4 ranges for command and control, and dynamic configuration updates via the Ethereum blockchain.
  • Anti-Analysis: Heavy use of .NET Reactor, Prometheus obfuscator, and file masquerading (renaming .dot to .bat).

IOC Analysis

The provided indicators of compromise (IOCs) span multiple infrastructure types:

  • Network Infrastructure (IPv4/Domains): Key C2 servers include 89.169.12.241 and dns-providersa2.com. SOC teams should immediately block these IPs and domains at the perimeter. The use of Cloudflare Tunnel hostnames (trycloudflare.com) indicates an effort to bypass IP-based reputation filtering, since the traffic terminates on shared Cloudflare infrastructure rather than on the actor's own address.
  • File Hashes: Numerous SHA256 and MD5 hashes (e.g., 06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf) correspond to the malicious AutoIt scripts, NuGet packages, and MSI installers. EDR solutions should be configured to alert on execution attempts for these hashes.
  • CVE Exploitation: CVE-2025-55182 is referenced in the context of the EtherRat campaign; vulnerability management teams should prioritize patching associated assets.

Operationalization:

  • SIEM: Ingest the list of 45+ IOCs into your SIEM to correlate against firewall logs and endpoint telemetry.
  • EDR: Create allow-lists for legitimate NuGet/GitHub usage and alert on deviations matching these hashes.
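To illustrate the SIEM correlation step above, here is an added Python example (not code from the Security Arsenal article). It matches the indicators quoted in this section against constructed JSON log lines, compares domains on a label boundary so that subdomains such as rti.cargomanbd.com hit while look-alike names do not, normalises hash case, and also flags the AutoIt ".bat" masquerading TTP; the event field names (dst_ip, dst_host, sha256, orig_filename, cmdline) are assumed names for a normalised schema.

```python
import json

# Constructed IOC set built from indicators quoted in this section; the matcher itself is added here.
IOCS = {
    "ips": {"89.169.12.241"},
    "domains": {"dns-providersa2.com", "cargomanbd.com"},
    "sha256": {"06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf"},
}

def domain_matches(host, domains):
    """True if host is an IOC domain or a subdomain of one. Exact equality misses
    rti.cargomanbd.com; substring matching false-positives on notcargomanbd.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def match_event(event, iocs=IOCS):
    """Return the IOC/TTP hits for one normalised log event (a dict)."""
    hits = []
    if event.get("dst_ip") in iocs["ips"]:
        hits.append(("ip", event["dst_ip"]))
    host = event.get("dst_host", "")
    if host and domain_matches(host, iocs["domains"]):
        hits.append(("domain", host.lower()))
    sha = event.get("sha256", "").lower()          # EDR tools often emit uppercase hex
    if sha in iocs["sha256"]:
        hits.append(("sha256", sha))
    # Masquerading TTP from the article: a .dot lure renamed to .bat and run by AutoIt
    cmd = event.get("cmdline", "").lower()
    if event.get("orig_filename", "").lower().startswith("autoit") and ".bat" in cmd:
        hits.append(("ttp", "autoit_masquerade"))
    return hits

def correlate(lines, iocs=IOCS):
    """Run JSON-encoded log lines through match_event and collect alerts."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        hits = match_event(event, iocs)
        if hits:
            alerts.append({"device": event.get("device"), "hits": hits})
    return alerts

# Constructed firewall/EDR lines for the demo (not real telemetry).
SAMPLE_LOGS = [
    '{"device":"ws01","dst_ip":"89.169.12.241"}',
    '{"device":"ws02","dst_ip":"10.0.0.5","dst_host":"rti.cargomanbd.com"}',
    '{"device":"ws03","dst_ip":"10.0.0.6","dst_host":"notcargomanbd.com"}',
    '{"device":"ws04","sha256":"06F63FE3EBA5A2D1E2177D49F25721C2BDD90F3C46F19E29740899FA908453BF"}',
    '{"device":"ws05","orig_filename":"AutoIt3.exe","cmdline":"C:\\\\Users\\\\u\\\\Downloads\\\\invoice.bat"}',
]
```

Only ws01, ws02, ws04 and ws05 produce alerts; the look-alike domain on ws03 is correctly ignored.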

Detection Engineering

```yaml
---
title: Suspicious AutoIt Loader and Vidar Stealer Activity
id: 98d2fd12-1a3b-4c5d-9e8f-1a2b3c4d5e6f
description: Detects execution patterns associated with AutoIt loaders leading to Vidar/Arkei stealers, including masqueraded file extensions and MicrosoftToolkit execution.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_loader:
        Image|endswith:
            - '\AutoIt3.exe'
            - '\MicrosoftToolkit.exe'
    selection_masquerading:
        # AutoIt interpreter handed a renamed lure (.dot renamed to .bat)
        CommandLine|contains:
            - '.dot'
            - '.bat'
        OriginalFilename|contains: 'AutoIt'
    selection_parent:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains: 'DownloadString'
    condition: 1 of selection_*
falsepositives:
    - Legitimate AutoIt scripts used by IT administration
level: high
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1059.001
---
title: Malicious NuGet Package Supply Chain Attack
id: a1b2c3d4-e5f6-7890-1234-567890abcdef
description: Detects process execution patterns indicative of the malicious NuGet packages impersonating Chinese libraries, involving .NET Reactor protected payloads and suspicious C2 check-ins.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_nuget:
        ParentImage|contains: 'NuGet'
        Image|endswith: '\msbuild.exe'
    selection_suspicious:
        CommandLine|contains:
            - 'dns-providersa2.com'
            - 'check'
            - 'upload'
    # Not referenced by the condition: its keywords are too generic to match on their own,
    # and its Image filter (dotnet/csc) cannot co-occur with the msbuild filter in selection_nuget.
    selection_impersonation:
        Image|endswith:
            - '\dotnet.exe'
            - '\csc.exe'
        CommandLine|contains:
            - 'Chinese'
            - 'UI'
            - 'Infrastructure'
    condition: selection_nuget and selection_suspicious
falsepositives:
    - Legitimate build processes referencing external domains (rare)
level: critical
tags:
    - attack.initial_access
    - attack.t1195.002
---
title: EtherRat and TukTuk C2 Infrastructure Access
id: 2b3c4d5e-6f78-90ab-cdef-1234567890ab
description: Detects network connections to known C2 infrastructure associated with EtherRat and TukTuk campaigns, including exploitation of Sysinternals tools and Rclone usage.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
    category: network_connection
    product: windows
detection:
    selection_c2_ip:
        # exact match: a substring match on an IP could also hit longer addresses
        DestinationIp:
            - '89.169.12.241'
            - '213.176.73.80'
            - '147.45.197.92'
    selection_c2_domain:
        DestinationHostname|contains:
            - 'g8way.io'
            - 'technicalprorj.xyz'
            - 'cargomanbd.com'
    selection_rclone:
        Image|endswith: '\rclone.exe'
        DestinationPort: 443
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.t1071.001
```

```kql
// Hunt for indicators and process activity associated with TroyDen, Vidar, and EtherRat.
// Kusto accepts only one tabular expression per query, so the three hunts are bound
// with let and combined through union instead of being chained with semicolons.
let IOCs = dynamic([
    "89.169.12.241", "213.176.73.80", "217.119.129.121",
    "dns-providersa2.com", "g8way.io", "technicalprorj.xyz",
    "git.justdotrip.com", "rti.cargomanbd.com"
]);
let MaliciousHashes = dynamic([
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a"
]);
// Network connections to C2 infrastructure
let C2Hits = DeviceNetworkEvents
    | where RemoteUrl in~ (IOCs) or RemoteIP in~ (IOCs)
    | extend Alert = "C2 Communication Detected",
             Process = InitiatingProcessFileName,
             Detail = strcat(RemoteUrl, " ", RemoteIP, ":", tostring(RemotePort))
    | project Timestamp, DeviceName, Alert, Process, Detail;
// Process creation for AutoIt and suspicious loaders
let LoaderHits = DeviceProcessEvents
    | where (ProcessVersionInfoOriginalFileName == "AutoIt3.exe" or FileName == "MicrosoftToolkit.exe")
        // masquerading: a .dot lure renamed to .bat (contains, since 'has' tokenises on the dot)
        or (ProcessCommandLine contains ".dot" and ProcessCommandLine contains ".bat")
    | extend Alert = "Suspicious Loader Execution",
             Process = InitiatingProcessFileName,
             Detail = strcat(FileName, " ", ProcessCommandLine)
    | project Timestamp, DeviceName, Alert, Process, Detail;
// File hash matches (if available in DeviceFileEvents)
let FileHits = DeviceFileEvents
    | where SHA256 in~ (MaliciousHashes)
    | extend Alert = "Malicious File Artifact",
             Process = InitiatingProcessFileName,
             Detail = strcat(FolderPath, " ", SHA256)
    | project Timestamp, DeviceName, Alert, Process, Detail;
union C2Hits, LoaderHits, FileHits
| order by Timestamp desc
```


```powershell
# PowerShell IOC Hunt Script for TroyDen/Vidar/EtherRat Artifacts
# Requires Administrator privileges

Write-Host "Starting Hunt for Infostealer and Ransomware Precursor Artifacts..." -ForegroundColor Cyan

# 1. Check for Suspicious File Paths/Names (AutoIt loaders, GitHub lures)
$suspiciousPaths = @("C:\Users\*\Downloads\*.bat", "C:\Users\*\Downloads\*.dot", "C:\Windows\Temp\MicrosoftToolkit.exe")
foreach ($path in $suspiciousPaths) {
    if (Test-Path $path) {
        Write-Host "[!] Found suspicious file artifact: $path" -ForegroundColor Red
        Get-Item $path | Select-Object FullName, Length, LastWriteTime
    }
}

# 2. Check for Specific Malicious File Hashes (Pulse 3 & 5 Samples)
$maliciousHashes = @(
    "06f63fe3eba5a2d1e2177d49f25721c2bdd90f3c46f19e29740899fa908453bf",
    "7d5e84dd59165422f31a5a0e53aabba657a6fbccc304e8649f72d49e468ae91a",
    "881619a47b62b52305d92640cc4d4845a279c23a5a749413785fc8fcb0fdf7fb"
)

Write-Host "Scanning user profiles for known malicious hashes..." -ForegroundColor Cyan
# -File skips directories; hashing every file under C:\Users is slow but thorough
Get-ChildItem -Path "C:\Users\" -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0 } |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # Get-FileHash may fail on locked files (null hash); -contains is case-insensitive,
        # so the uppercase hex it returns still matches the lowercase list above
        if ($hash -and ($maliciousHashes -contains $hash)) {
            Write-Host "[!] CRITICAL: Malicious file found at $($_.FullName)" -ForegroundColor Red
        }
    }

# 3. Check for Suspicious Network Connections (C2 Domains)
$c2Domains = @("dns-providersa2.com", "g8way.io", "technicalprorj.xyz", "cargomanbd.com")
Write-Host "Checking DNS Cache for C2 domains..." -ForegroundColor Cyan
# Match the domain itself or any subdomain (e.g. rti.cargomanbd.com), not only exact cache entries
Get-DnsClientCache |
    Where-Object { $entry = $_.Entry.ToLower(); $c2Domains | Where-Object { $entry -eq $_ -or $entry.EndsWith(".$_") } } |
    Select-Object Entry, Data, TimeToLive |
    Format-Table -AutoSize

Write-Host "Hunt Complete." -ForegroundColor Green
```


Response Priorities

  • Immediate: Block all listed IPv4 addresses and domains (dns-providersa2.com, g8way.io, etc.) at the firewall and proxy. Initiate a hunt for the specific SHA256 hashes provided in the IOC samples across all endpoints.
  • 24 Hours: Conduct a credential audit for all developer and gaming accounts accessed in the last 30 days. Force password resets for any accounts that may have interacted with the listed GitHub repositories or NuGet packages.
  • 1 Week: Review and restrict the usage of developer tools (NuGet, GitHub, AutoIt) on non-development workstations. Implement strict allow-listing for MSI installers and script execution policies to prevent similar supply chain and loader attacks.
