SOC Prime Bias: Critical

09 Jun 2026 12:43 UTC

STX RAT Supply Chain Attack Hits Wallets and X-VPN

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The report outlines a multi-stage loader framework used by the Russian state-backed Gamaredon group to preserve long-term access within Ukrainian government and critical infrastructure environments. The loaders are delivered through legitimate cloud platforms and messaging services, store command-and-control details in the Windows registry, and rely on alternate data streams and scheduled tasks to trigger later payloads.

Investigation

Sekoia.io reconstructed three VBScript-based loader stages that retrieve additional code from dead-drop resolvers hosted on services such as Telegram, Telegraph, and Check-Host. The second stage writes a payload into an ADS under %TEMP% and creates a scheduled task, while the third stage launches a hidden PowerShell process that downloads and runs the final GammaSteel stealer module.

Mitigation

Defenders should monitor for suspicious registry writes under HKCU\Console, unexpected scheduled tasks named DsSvcCleanup, abnormal use of alternate data streams in %TEMP%, and network traffic to known Cloudflare, Telegram, and Check-Host domains. Execution of unsigned VBScript and PowerShell scripts that rely on encoded commands should also be blocked or tightly restricted.
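The following host-hunting script is an added example written for this page; it is not SOC Prime's or Sekoia.io's code. It checks the artifact classes named in the Investigation and Mitigation paragraphs above on a single Windows host: string values under HKCU\Console that carry URL- or hostname-shaped data, a scheduled task named DsSvcCleanup together with what it launches, and alternate data streams on files under %TEMP%. The key, the task name and the %TEMP% location come from the report; the C2-looking regular expression and the allow list of benign stream names are assumptions to tune for your environment.

```powershell
# Added hunting example (not the report's or vendor's code). Returns one finding object per
# artifact so results can be piped to Format-Table, Export-Csv or a SIEM forwarder.
function Find-GamaredonLoaderArtifacts {
    [CmdletBinding()]
    param(
        [string]   $ConsoleKey    = 'HKCU:\Console',      # from the report
        [string]   $TaskName      = 'DsSvcCleanup',       # from the report
        [string]   $TempPath      = $env:TEMP,            # from the report
        # Assumption: these stream names are routine on downloaded files and are not reported.
        [string[]] $BenignStreams = @(':$DATA', 'Zone.Identifier')
    )

    $findings = New-Object System.Collections.Generic.List[object]
    # Assumption: a string value under Console that looks like a URL or a hostname is worth triage.
    $c2Pattern = '(?i)https?://|\b([a-z0-9-]+\.)+[a-z]{2,}\b'

    # 1. Registry: walk HKCU\Console and every subkey, inspect only string-typed values
    if (Test-Path $ConsoleKey) {
        $keys = @(Get-Item $ConsoleKey) + @(Get-ChildItem $ConsoleKey -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $kind = [string]$key.GetValueKind($name)
                if ($kind -notin 'String', 'ExpandString', 'MultiString') { continue }
                $data = [string]::Join(' ', [string[]]$key.GetValue($name))
                if ($data -match $c2Pattern) {
                    $findings.Add([pscustomobject]@{
                        Type     = 'Registry'
                        Location = "$($key.Name)\$name"
                        Detail   = $data
                    })
                }
            }
        }
    }

    # 2. Scheduled task: report the task path and the command line each action runs
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    foreach ($t in @($task)) {
        if ($null -eq $t) { continue }
        $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $findings.Add([pscustomobject]@{
            Type     = 'ScheduledTask'
            Location = "$($t.TaskPath)$($t.TaskName)"
            Detail   = $actions
        })
    }

    # 3. Alternate data streams: any non-default stream on a file under %TEMP%
    Get-ChildItem -Path $TempPath -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -notin $BenignStreams } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Type     = 'ADS'
                Location = "$($_.FileName):$($_.Stream)"
                Detail   = "$($_.Length) bytes"
            })
        }

    return $findings
}

# Usage: run in the context of the user whose HKCU hive is in scope.
Find-GamaredonLoaderArtifacts | Format-Table -AutoSize
```

Each finding is a lead, not a verdict: HKCU\Console legitimately holds per-window subkeys, and some installers leave streams on files in %TEMP%, so review the Detail column before isolating a host.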

Response

If compromise is detected, isolate the affected hosts immediately, collect the relevant registry keys and scheduled task definitions, preserve ADS-related files, and block the identified command-and-control domains and IP addresses. Perform forensic imaging and hunt for the GammaSteel stealer both in memory and on disk.

Attack Flow

    graph TB
    %% Class Definitions
    classDef technique fill:#99ccff
    classDef operator fill:#ff9900
    classDef tool fill:#cccccc
    %% Node definitions
    initial_driveby["<b>Technique</b> – <b>T1189 Drive-by Compromise</b><br/><b>Description</b>: Compromise a website to deliver malicious content when a user visits."]
    class initial_driveby technique
    c2_deadDrop["<b>Technique</b> – <b>T1102.001 Web Service Dead Drop Resolver</b><br/><b>Description</b>: Use legitimate web services to exchange command and control data."]
    class c2_deadDrop technique
    c2_dynamic["<b>Technique</b> – <b>T1568 Dynamic Resolution</b><br/><b>Description</b>: Resolve C2 addresses dynamically to evade detection."]
    class c2_dynamic technique
    execution_vbscript["<b>Technique</b> – <b>T1216.002 System Script Proxy Execution VBScript</b><br/><b>Description</b>: Execute malicious VBScript via system script proxy."]
    class execution_vbscript technique
    persistence_task["<b>Technique</b> – <b>T1053.005 Scheduled Task</b><br/><b>Description</b>: Create a scheduled task to maintain persistence."]
    class persistence_task technique
    priv_esc_reflect["<b>Technique</b> – <b>T1620 Reflective Code Loading PowerShell</b><br/><b>Description</b>: Load malicious code reflectively in memory using PowerShell."]
    class priv_esc_reflect technique
    propagation_usb["<b>Technique</b> – <b>T1091 Replication Through Removable Media</b><br/><b>Description</b>: Copy malicious files to USB drives for propagation."]
    class propagation_usb technique
    %% Connections showing attack flow
    initial_driveby -->|leads to| c2_deadDrop
    c2_deadDrop -->|uses| c2_dynamic
    c2_dynamic -->|enables| execution_vbscript
    execution_vbscript -->|establishes| persistence_task
    persistence_task -->|facilitates| priv_esc_reflect
    execution_vbscript -->|enables| propagation_usb

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The threat actor, having compromised the user’s session, needs to update its C2 endpoint so future beacons reach a fresh server. Gamaredon stores the URL in a well‑known registry key under HKCU\Console. The attacker uses native PowerShell (Set-ItemProperty) to write the new URL, avoiding any third‑party tooling and thereby staying “living‑off‑the‑land”. This action generates a Sysmon Registry value set event (Event ID 13) carrying the full key path, which matches the Sigma rule’s RegistryPath|contains filter.

    # Simulated Gamaredon C2 URL update – writes to a monitored key
    $c2Url = "https://c2.gamaredon.example.com/payload"
    $targetKey = "HKCU:\Console\HistoryURL"
    New-Item -Path $targetKey -Force | Out-Null
    Set-ItemProperty -Path $targetKey -Name "URL" -Value $c2Url
  • Regression Test Script: (PowerShell – self‑contained)

    <#
    Simulates Gamaredon C2 URL update in a registry key monitored by the Sigma rule.
    #>
    
    # Parameters (adjust as needed)
    $c2Url    = "https://c2.gamaredon.example.com/payload"
    $regPath  = "HKCU:\Console\HistoryURL"
    $valueName = "URL"
    
    # Ensure the key exists
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    
    # Write the malicious C2 URL
    Set-ItemProperty -Path $regPath -Name $valueName -Value $c2Url
    
    Write-Host "[*] C2 URL written to $regPath\$valueName"
  • Cleanup Commands: (PowerShell)

    # Remove the simulated key/value to leave the system clean
    $regPath = "HKCU:\Console\HistoryURL"
    if (Test-Path $regPath) {
        Remove-ItemProperty -Path $regPath -Name "URL" -ErrorAction SilentlyContinue
        # Optionally remove the key entirely
        Remove-Item -Path $regPath -Recurse -Force -ErrorAction SilentlyContinue
        Write-Host "[*] Cleaned up simulated registry artifacts."
    }
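To close the loop on the simulation above, the following is an added verification example (not SOC Prime's code) that reads the Sysmon operational log for Event ID 13 (RegistryEvent: Value Set) and keeps only the records whose TargetObject contains the same substring the Sigma rule's RegistryPath|contains filter keys on. The log name and event ID are Sysmon's own; the `\Console\` substring and the default look-back window are assumptions you adjust to the rule being tested.

```powershell
# Added telemetry check (not the page's own code). Run after the regression script and before
# cleanup to confirm the Value Set event the Sigma rule depends on actually landed in the log.
function Get-ConsoleRegistrySetEvents {
    [CmdletBinding()]
    param(
        [string] $LogName     = 'Microsoft-Windows-Sysmon/Operational',
        [string] $PathFilter  = '\Console\',   # assumption: mirrors the rule's RegistryPath|contains
        [int]    $MinutesBack = 60             # assumption: default look-back window
    )

    $filter = @{
        LogName   = $LogName
        Id        = 13                                       # Sysmon RegistryEvent (Value Set)
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML rather than parsing the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -like wildcards do not treat backslashes specially, so the path filter is used as-is
        if ($data['TargetObject'] -like "*$PathFilter*") {
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Image        = $data['Image']
                ProcessId    = $data['ProcessId']
                TargetObject = $data['TargetObject']
                Details      = $data['Details']
            }
        }
    }
}

# Usage: narrow the window to the minutes since the simulation ran, then compare the
# TargetObject column with the RegistryPath the Sigma rule expects.
Get-ConsoleRegistrySetEvents -MinutesBack 15 | Format-Table -AutoSize
```

Two caveats a practitioner will hit: reading this log requires administrative rights or membership in the Event Log Readers group, and Sysmon records HKCU paths as `HKU\<SID>\...`, so a filter anchored on the literal prefix `HKCU` never matches; matching on the `\Console\` substring, as the rule's contains modifier does, avoids that.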