Infostealer Surge: ClickFix, AI Agent Exploitation & PyPI Supply Chain Attacks

Threat Summary

Recent OTX pulse data indicates a convergence of high-risk credential theft campaigns leveraging diverse initial access vectors. Threat actors are aggressively exploiting trust in software supply chains (PyPI), legitimate AI productivity tools (Cursor), and social engineering "ClickFix" techniques. The collective objective is the theft of sensitive data, including cryptocurrency wallets, cloud credentials, and browser sessions, facilitated by malware families such as AMOS, Vidar, Lumma, and GlassWorm. These campaigns demonstrate a shift towards "living-off-the-land" (LotL) and AI-abuse tactics to bypass traditional heuristic defenses.

Threat Actor / Malware Profile

ClickFix Campaigns (Vidar, Lumma, RedLine)

Distribution: Social engineering campaigns ("browser update" or "captchas" required) prompting users to copy-paste malicious commands into PowerShell or Bash.
Payload Behavior: Delivers various loaders (Vidar, Lumma Stealer) and Remote Access Trojans (NetSupport RAT).
Technique: Uses LOLBins to bypass application allow-listing.

GlassWorm

Target: Developers and blockchain enthusiasts.
Distribution: Supply chain attack via compromised code repositories.
C2 Communication: Unique usage of the Solana blockchain for payload fetching, making network detection difficult.
Behavior: Installs fake browser extensions for surveillance and steals crypto wallets.

AMOS Stealer (Cursor AI Vector)

Distribution: Social engineering within Cursor AI agent sessions (Claude Code). Users are tricked into prompting the AI to download malicious scripts.
Payload: Heavily obfuscated AppleScript loaders designed for macOS.
Behavior: Sandbox evasion, credential harvesting, and persistent implant establishment.

PyPI Supply Chain (Xinference)

Distribution: Malicious versions (2.6.0, 2.6.1, 2.6.2) of the xinference AI framework.
Payload: Base64 encoded malicious code in __init__.py.
Objective: Automatic cloud credential theft upon installation or import.

IOC Analysis

The provided indicators cover a broad spectrum of the attack chain:

Domains: Numerous C2 and distribution domains associated with ClickFix (e.g., ustazazharidrus.com) and Keitaro TDS abuse (e.g., ucaboodle.com). These should be blocked at the DNS layer.
File Hashes (MD5/SHA256): Specific hashes for the compromised PyPI packages and AMOS loaders. These are critical for EDR correlation and scanning build environments.
IPs: Specific C2 infrastructure (e.g., 45.94.47.204) associated with the AMOS campaign.
URLs: Distribution endpoints often hidden within Keitaro traffic distribution systems.

SOC teams should ingest these hashes into EDR solutions and block the domains/IPs at perimeter firewalls and proxies.

Detection Engineering

Sigma Rules

YAML

---
title: Potential ClickFix PowerShell Command Execution
id: 9e2b45e0-2e1a-4f3d-8b1a-4c2d3e5f6a7b
description: Detects suspicious PowerShell execution patterns often associated with ClickFix campaigns, specifically involving encoded commands or suspicious domains.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    NewProcessName|endswith: \'powershell.exe\'
    CommandLine|contains:
      - \'-enc\'
      - \'-encodedcommand\'
  filter_legit:
    ParentProcessName|contains:
      - \'Program Files\\'
      - \'System32\\'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate administrative scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - clickfix
---
title: Malicious PyPI Xinference Package Installation
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects the presence of known malicious file hashes associated with the compromised Xinference PyPI versions.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  product: linux
  service: auditd
detection:
  selection:
    exe|endswith: \'pip\'
    cmdline|contains: \'install\'
  selection_hash:
    sha256_hash:
      - \'077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c\'
      - \'e1e007ce4eab7774785617179d1c01a9381ae83abfd431aae8dba6f82d3ac127\'
  condition: selection and selection_hash
falsepositives:
  - None (Known malicious hashes)
level: critical
tags:
  - attack.initial_access
  - attack.t1195.002
  - supply-chain
---
title: AMOS Stealer C2 Network Traffic
id: f4e3d2c1-b0a9-4088-9e7e-1a2b3c4d5e6f
description: Detects network connections to known AMOS Stealer C2 infrastructure identified in OTX pulses.
status: experimental
date: 2026/04/27
author: Security Arsenal
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp:
      - \'45.94.47.204\'
      - \'92.246.136.14\'
    DestinationPort:
      - 80
      - 443
  condition: selection
falsepositives:
  - Rare (Direct IP access is uncommon for legit traffic)
level: high
tags:
  - attack.c2
  - attack.t1071.001
  - amos-stealer

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix and AMOS related domain connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "ustazazharidrus.com", "account-help.info", "quiptly.com", 
    "elive123go.com", "visitbundala.com", "nhacaired88.com", 
    "subsgod.com", "ariciversontile.com", "mpasvw.com", 
    "arkypc.com", "ucaboodle.com", "someotherbox.com", 
    "your-link.online", "linda-makeup.com", "cibcsecurity2fa.com", 
    "rbcdevice-login.com", "yellowusheart.net"
    ) 
    or RemoteIP in ("45.94.47.204", "92.246.136.14")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| extend AlertInfo = "OTX_Infostealer_IOC_Hit"

PowerShell Hunt Script

PowerShell

# Hunt for presence of malicious PyPI files and persistent AMOS artifacts

$maliciousHashes = @(
    "3ee893ae46530b92e0d26435fb979d82",
    "484067fd6232f7cdd7b664b33857fc2c",
    "971670c10eff28339a085ca50a600e35",
    "9b3257e45b27a6bbe4e240e41a3a306f",
    "c6ce4e25f7fe3e3bb1eea2e9052483bf",
    "e291734d46c313a23d676681499f8846"
)

Write-Host "[+] Scanning for malicious PyPI/Xinference file hashes..."
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
Where-Object { $_.Length -gt 0 } | 
ForEach-Object {
    $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
    if ($maliciousHashes -contains $hash) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) with MD5: $hash" -ForegroundColor Red
    }
}

Write-Host "[+] Checking for AMOS Stealer persistence (LaunchAgents)..."
$launchAgentsPath = "$env:USERPROFILE\Library\LaunchAgents"
if (Test-Path $launchAgentsPath) {
    Get-ChildItem -Path $launchAgentsPath -Filter *.plist | 
    ForEach-Object {
        $content = Get-Content $_.FullName -Raw
        if ($content -match "arkypc" -or $content -match "mpasvw") {
            Write-Host "[!] SUSPICIOUS LAUNCHAGENT FOUND: $($_.FullName)" -ForegroundColor Yellow
        }
    }
}
Write-Host "[+] Scan complete."

Response Priorities

Immediate: Block all listed domains and IP addresses at the perimeter and proxy. Isolate endpoints showing signs of PowerShell ClickFix execution or connections to arkypc.com.
24h: Conduct a credential audit for any developer or user accounts associated with machines that accessed the malicious PyPI packages or AMOS loaders. Force password resets and rotate API keys.
1 Week: Review software supply chain policies; implement requirements for pinned dependency hashes. Update AI agent usage policies to restrict auto-execution of downloaded code.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub