Recent OTX pulses indicate a multi-vector surge in credential theft activity. The primary threat driver is the Vidar Infostealer, observed in two distinct campaigns: a phishing operation targeting Korean entities via malicious attachments and a global malvertising campaign attributed to X3D MINER distributing Vidar alongside XMRig miners. These malware campaigns are complemented by sophisticated platform abuse, including the exploitation of Meta's Business Account Manager for phishing and a coordinated supply chain attack on npm and PyPI repositories targeting developers via typosquatted payment SDKs. Collectively, these threats aim to harvest browser credentials, cryptocurrency wallets, and developer tokens for financial gain.
Threat Actor / Malware Profile
Vidar Infostealer
- Actor: Unknown / X3D MINER
- Distribution: Phishing emails (fake copyright/job apps), Malvertising (cracked software lures).
- Behavior: A Malware-as-a-Service (MaaS) that steals browser data (cookies, passwords), cryptocurrency wallet information, and 2FA sessions (Steam, Telegram). It often acts as a loader for secondary payloads like XMRig.
- C2 & Infrastructure: Utilizes Dead Drop Resolvers to dynamically fetch C2 IP addresses, making takedowns difficult. Uses Go-based packers (Factory-v3 framework) and rogue code-signing certificates to evade detection.
Supply Chain Attack (npm/PyPI)
- Technique: Typosquatting legitimate packages (PaySafe, Skrill, Neteller).
- Behavior: Malicious packages contain scripts to detect analysis environments (sandbox evasion via CPU core checks) and exfiltrate tokens/credentials to C2 servers hosted on ngrok tunnels.
IOC Analysis
The provided indicators span multiple infrastructure types:
- File Hashes (MD5/SHA256): Correspond to packed Go binaries, malicious Python/Node scripts, and payload loaders. These should be blocked in EDR solutions and used to retro-scan endpoint file systems.
- Hostnames/Domains: Include Dead Drop Resolver domains (e.g.,
*.sodstreams.com) and Ngrok tunnels (e.g.,*.ngrok-free.dev). These indicate active C2 infrastructure and should be immediately sinkholed or blocked at the perimeter. - IPv4: Infrastructure hosted on Hetzner (AS24940) suggests the use of bulletproof hosting for resilience.
SOC Guidance: Operationalize these hashes by creating allow/block lists in EDR. For the domains, investigate DNS logs for any internal resolution attempts to the listed Ngrok or Dead Drop Resolver domains. The Ngrok domains are particularly critical as they suggest active data exfiltration from developer workstations.
Detection Engineering
Sigma Rules
title: Potential Vidar Stealer Phishing Execution
id: 4a2f9a8c-5b1d-4f3e-8a7d-1b2c3d4e5f6a
description: Detects potential execution of Vidar stealer via malicious attachments, often masquerading as documents but spawning executables or scripts.
status: experimental
date: 2026/07/09
author: Security Arsenal
references:
- https://otx.alienvault.com/
tags:
- attack.initial_access
- attack.execution
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\excel.exe'
selection_child:
Image|endswith:
- '.exe'
- '.dll'
- '.bat'
- '.ps1'
selection_suspicious:
CommandLine|contains:
- '/c'
- 'powershell'
- 'mshta'
condition: selection_parent and selection_child and selection_suspicious
falsepositives:
- Legitimate macro usage
level: high
---
title: Vidar Stealer X3D MINER C2 Communication
id: b3c0d9e1-6f2a-4e8b-9a0c-2d3e4f5a6b7c
description: Detects network connections to known Dead Drop Resolver domains and suspicious hosting associated with X3D MINER campaigns.
status: experimental
date: 2026/07/09
author: Security Arsenal
references:
- https://otx.alienvault.com/
tags:
- attack.command_and_control
- attack.c2
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'sodstreams.com'
- 'emiraride.com'
- 'syslicense.net'
- 'ngrok-free.dev'
condition: selection
falsepositives:
- Rare legitimate traffic to similar domains
level: critical
---
title: Supply Chain Typosquatting Exfiltration via Ngrok
date: 2026/07/09
author: Security Arsenal
status: experimental
description: Detects processes like node.exe or python.exe connecting to Ngrok tunnels, common in typosquatting supply chain attacks.
logsource:
category: network_connection
product: windows
detection:
selection_dev_tools:
Image|endswith:
- '\node.exe'
- '\python.exe'
- '\npm.cmd'
- '\pip.exe'
selection_tunnel:
DestinationHostname|contains:
- 'ngrok-free.dev'
- 'ngrok.io'
condition: selection_dev_tools and selection_tunnel
falsepositives:
- Developers using local Ngrok for testing
level: high
KQL (Microsoft Sentinel)
// Hunt for Vidar Stealer Indicators and C2 Activity
let IOCs = dynamic([
"lat.sodstreams.com", "gor.emiraride.com", "ctl.it-bd.com", "gre.syslicense.net",
"frr.ambil-disini.web.id", "api.goautolink.com", "aussiecleaningservices.com",
"caliber-spinner-finishing.ngrok-free.dev"
]);
let FileHashes = dynamic([
"0b8af4afd26175ba818c0fdb4622bf14", "1bbf1e83eea55e70d59f0d633789011e",
"2fba9ec34fdf4b1584dd9c69b9ec9393", "d42595b695fc008ef2c56aabd8efd68e",
"1aae8bf580c846f39c71c05898e57e88", "d8b31f8c03e0c76ff245ed05a15ffe6c"
]);
// Network Connection Hunt
DeviceNetworkEvents
| where RemoteUrl in (IOCs) or RemoteIP == "136.243.203.109"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| union (
DeviceProcessEvents
| where SHA256 in ("03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7", "6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5")
or MD5 in (FileHashes)
)
PowerShell Hunt Script
# IOC Hunt Script for Vidar Stealer and Supply Chain Malware
$TargetHashes = @(
"0b8af4afd26175ba818c0fdb4622bf14",
"1bbf1e83eea55e70d59f0d633789011e",
"2fba9ec34fdf4b1584dd9c69b9ec9393",
"d42595b695fc008ef2c56aabd8efd68e",
"1aae8bf580c846f39c71c05898e57e88",
"d8b31f8c03e0c76ff245ed05a15ffe6c",
"03e6f4f49cec3af38bbec9ed64c195c7a85a630ec989efb3669f04a2993c1dd7",
"6b7ff061eebeb9ead8812c410247768a7ba90786aeeb1bafa6412cc5b08237b5"
)
$Drives = @("C:", "D:")
Write-Host "Starting hunt for Vidar and malicious package hashes..." -ForegroundColor Cyan
foreach ($Drive in $Drives) {
if (Test-Path $Drive) {
Write-Host "Scanning $Drive..." -ForegroundColor Yellow
Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | Get-FileHash -Algorithm MD5, SHA256 -ErrorAction SilentlyContinue | Where-Object {
$TargetHashes -contains $_.Hash -or $TargetHashes -contains $_.Hash.ToLower()
} | ForEach-Object {
Write-Host "[ALERT] Malicious file found: $($_.Path) | Hash: $($_.Hash) | Algorithm: $($_.Algorithm)" -ForegroundColor Red
}
}
}
Write-Host "Hunt complete. Check for suspicious npm/pypi installation folders in AppData." -ForegroundColor Green
Response Priorities
- Immediate: Block all listed IOCs (Domains, IPs, Hashes) at the firewall, proxy, and EDR levels. Isolate any endpoints with positive hash matches.
- 24h: Initiate credential resets for users potentially affected by the Meta Business Manager phishing. Investigate developer workstations for the presence of the typosquatted npm/PyPI packages and rotate any exposed API tokens.
- 1 Week: Implement strict application control to prevent unsigned executates from spawning from Office documents. Review and restrict the use of code-signing certificates within the organization. Audit developer accounts for unauthorized package publishing permissions.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.