Threat Summary
Recent OTX pulses indicate a surge in diverse credential theft campaigns utilizing novel delivery mechanisms. The primary threats include KarstoRAT, a new surveillance-focused RAT utilizing the FodHelper UAC bypass; ClickFix (BackgroundFix), a social engineering campaign delivering CastleLoader and NetSupport RAT; and LofyStealer, targeting the gaming sector. Additionally, TeamPCP is leveraging a compromised Python SDK for supply chain attacks, and malicious AI browser extensions are proliferating. Collectively, these campaigns aim to steal session tokens, browser credentials, and system data via obfuscated execution chains.
Threat Actor / Malware Profile
KarstoRAT (Emergent)
- Distribution: Gaming lure pages, Discord-themed payloads.
- Behavior: Surveillance (webcam, audio, screenshots), keylogging, clipboard monitoring, Discord token theft.
- C2: HTTP communication with
212.227.65[.]132. - Persistence: utilizes FodHelper (UAC bypass) to execute commands with elevated privileges without prompt.
- Anti-Analysis: Standard obfuscation in payload delivery.
ClickFix / CastleLoader (Active)
- Distribution: Fake "BackgroundFix" image editing tools; social engineering prompts users to copy malicious commands to clipboard.
- Behavior: Invokes
finger.exeto retrieve next-stage payload. Drops CastleLoader (Reflective Loader), which in turn deploys NetSupport RAT and CastleStealer (.NET infostealer). - C2: Domains such as
trindastal.com,poronto.com, and IP38.146.28.30. - Persistence: Scheduled tasks or registry Run keys established by NetSupport RAT.
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players.
- Behavior: Node.js loader disguising as legitimate libraries; in-memory execution of C++ payload (
GrabBot/Slinky). Steals browser data (cookies, passwords, credit cards) from 8+ browsers. - C2: IP
24.152.36.241. - Techniques: Syscalls evasion, direct memory execution.
TeamPCP
- Distribution: Supply chain compromise of
telnyxPython SDK on PyPI. - Behavior: Steganography-based payload retrieval (WAV files), credential harvesting and exfiltration.
IOC Analysis
- File Hashes: Multiple SHA256 and MD5 hashes provided for loaders and payloads (KarstoRAT, CastleLoader, LofyStealer). High confidence indicators for EDR blocking.
- Network Indicators: Specific C2 IPs (
212.227.65.132,38.146.28.30,24.152.36.241) and domains (chatgptforchrome.com,trindastal.com). SOC teams should immediately block these at the perimeter. - Operationalization: Upload hashes to EDR allowlist/blocklist. Configure SIEM to alert on outbound connections to the listed IPs and domains. Use
finger.exeexecution as a behavioral TTP.
Detection Engineering
Sigma Rules
YAML
title: Potential KarstoRAT FodHelper UAC Bypass Activity
id: 6a7b3c4d-5e6f-7890-1a2b-3c4d5e6f7890
description: Detects the execution of fodhelper.exe with suspicious characteristics often associated with UAC bypass attempts used by KarstoRAT.
references:
- https://otx.alienvault.com/pulse/6627563f0b9d3b2b1b4c5d6d
author: Security Arsenal
date: 2026/05/05
modified: 2026/05/05
tags:
- attack.defense_evasion
- attack.privilege_escalation
- karstorat
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\fodhelper.exe'
CommandLine|contains:
- 'backgroundtaskhost.exe'
condition: selection
falsepositives:
- Legitimate administrative use (rare)
level: high
---
title: ClickFix Campaign Suspicious Finger.exe Execution
id: 7c8d9e0f-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects the invocation of finger.exe, a legacy protocol client, which is abused in ClickFix campaigns to retrieve malicious payloads.
references:
- https://otx.alienvault.com/pulse/6627564f0b9d3b2b1b4c5d6e
author: Security Arsenal
date: 2026/05/05
modified: 2026/05/05
tags:
- attack.execution
- attack.initial_access
- clickfix
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Rare legitimate use of finger protocol in legacy environments
level: critical
---
title: LofyStealer Discord Token Theft Activity
id: 8d9e0f1a-2b3c-4d5e-6f7a-8b9c0d1e2f3a
description: Detects processes accessing Discord LevelDB files, a behavior common in infostealers like LofyStealer and KarstoRAT targeting gamers.
references:
- https://otx.alienvault.com/pulse/6627562f0b9d3b2b1b4c5d6c
author: Security Arsenal
date: 2026/05/05
modified: 2026/05/05
tags:
- attack.credential_access
- lofystealer
- infostealer
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains: '\Local Storage\leveldb'
condition: selection
falsepositives:
- Legitimate Discord client activity (tune based on parent process)
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix C2 Domains and KarstoRAT/LofyStealer IPs
DeviceNetworkEvents
| where RemoteIP in ("212.227.65.132", "38.146.28.30", "24.152.36.241")
or RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "aquasecurtiy.org", "chatgptforchrome.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
// Hunt for suspicious process execution patterns
union DeviceProcessEvents, DeviceNetworkEvents
| where (ProcessFileName =~ "finger.exe" or ProcessFileName =~ "fodhelper.exe")
or (ProcessCommandLine contains "discord" and ProcessCommandLine contains "token")
| project Timestamp, DeviceName, ProcessFileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt script for KarstoRAT and ClickFix artifacts.
.DESCRIPTION
Checks for the presence of ClickFix domains in the hosts file,
KarstoRAT C2 connections, and suspicious fodhelper usage.
#>
# Check Hosts file for ClickFix Indicators
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$BadDomains = @("trindastal.com", "poronto.com", "brionter.com", "chatgptforchrome.com")
if (Test-Path $HostsPath) {
$HostsContent = Get-Content $HostsPath
foreach ($domain in $BadDomains) {
if ($HostsContent -match $domain) {
Write-Host "[THREAT] Found indicator in hosts file: $domain" -ForegroundColor Red
}
}
}
# Check Active Connections for KarstoRAT and LofyStealer C2 IPs
$MaliciousIPs = @("212.227.65.132", "38.146.28.30", "24.152.36.241")
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
foreach ($IP in $MaliciousIPs) {
$Found = $Connections | Where-Object { $_.RemoteAddress -eq $IP }
if ($Found) {
Write-Host "[THREAT] Active connection to C2 IP: $IP" -ForegroundColor Red
Write-Host "Process ID: $($Found.OwningProcess)"
}
}
# Check for fodhelper.exe execution in recent event logs
$Events = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -FilterXPath "*[System[(EventID=1)]] and *[Data[@Name='Image'] ends with '\\fodhelper.exe']" -MaxEvents 10 -ErrorAction SilentlyContinue
if ($Events) {
Write-Host "[THREAT] Suspicious fodhelper.exe execution detected." -ForegroundColor Yellow
$Events | Select-Object TimeCreated, Message | Format-List
}
Response Priorities
- Immediate: Block all IOCs (IPs, Domains, Hashes) on perimeter firewalls, proxies, and EDR. Investigate processes connecting to
212.227.65.132or38.146.28.30. - 24h: Initiate credential resets for accounts accessed from affected endpoints. Validate Python environment (
telnyxpackage) integrity for development teams. Scan for the presence of "BackgroundFix" or related files. - 1 week: Review supply chain security for Python/PyPI usage. Implement strict application allowlisting for
finger.exeandfodhelper.exe. Conduct user awareness training regarding "fake AI" extensions and "verify you are human" social engineering lures.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialskarstoratclickfixlofystealerinfostealercredential-theft
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.