Analysis of the 2026-05-04 OTX pulse data reveals a convergence of sophisticated credential theft campaigns targeting both end-users and developers. Threat actors are aggressively leveraging trending topics—generative AI, gaming (Minecraft), and free utilities—to distribute Remote Access Trojans (RATs) and stealers.
The campaigns observed include:
- KarstoRAT: A novel surveillance-focused RAT utilizing the FodHelper UAC bypass to establish persistence.
- ClickFix (BackgroundFix): A social engineering campaign delivering CastleLoader and NetSupport RAT via clipboard manipulation of the
finger.exeutility. - TeamPCP: A supply chain attack compromising the Python Package Index (PyPI) to deliver credential harvesters hidden via steganography.
- LofyStealer: A modular infostealer targeting the gaming ecosystem using a Node.js loader and C++ memory-resident payload.
- Malicious AI Extensions: Browser extensions posing as GenAI productivity tools to conduct Man-in-the-Middle (MitM) attacks on browser sessions.
The collective objective of these campaigns is the exfiltration of sensitive credentials, session tokens, and financial data, often facilitated by in-memory execution to evade traditional disk-based scanning.
Threat Actor / Malware Profile
| Malware Family / Actor | Distribution Method | Payload Behavior | C2 / Infrastructure | Persistence / Evasion |
|---|---|---|---|---|
| KarstoRAT | Gaming lure pages, fake software | System recon, keylogging, screen/audio capture, token theft | HTTP (212.227.65[.]132) | FodHelper UAC bypass, DLL side-loading (implied) |
| ClickFix / CastleLoader | Fake image editor (BackgroundFix) | Drops NetSupport RAT & CastleStealer (.NET) | Domains: trindastal.com, poronto.com; IP: 38.146.28.30 | Uses legitimate finger.exe to proxy payload execution (Living-off-the-Land) |
| TeamPCP | Compromised PyPI package (telnyx) | Steals credentials, encrypts & exfiltrates via obscure DNS/HTTP | Hostnames: aquasecurtiy.org, raw.icp0.io | Steganography (payloads hidden in WAV files), multi-stage loader |
| LofyStealer (LofyGang) | Social engineering (Minecraft) | Browser data theft (cookies, passwords, credit cards) | IP: 24.152.36.241 | Node.js loader (53.5MB), C++ in-memory payload (1.4MB), syscalls evasion |
| Malicious AI Extensions | Web stores / Phishing | API interception, DOM scraping, HTTPS response decryption | Various (e.g., chatgptforchrome.com) | Extension persistence, Meddler-in-the-Browser (MitB) |
IOC Analysis
The provided IOCs offer immediate detection value but also reveal actor infrastructure trends:
- Domains & IPs: SOC teams should immediately block the KarstoRAT C2 (
212.227.65.132), ClickFix infrastructure (38.146.28.30), and LofyStealer C2 (24.152.36.241). The TeamPCP campaign leverages typosquatting (aquasecurtiy.org) which requires broad DNS monitoring. - File Hashes: Numerous SHA256 and MD5 hashes are provided for the loaders and payloads. These should be ingested into EDR detection rules and SIEM correlation engines.
- Operationalizing: The
finger.exeusage in ClickFix is a high-fidelity behavioral anomaly. The Python SDK compromise requires checking installed Python environments against the compromised version hashes.
Detection Engineering
YAML
---
title: Potential KarstoRAT UAC Bypass via FodHelper
id: 6c7b1d20-91a0-4f1e-8c2b-1234567890ab
description: Detects registry modification associated with FodHelper UAC bypass, often used by KarstoRAT for privilege escalation.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
- https://www.levelblue.com/hubfs/Web/Library/Documents_pdf/TTR-Spotlight-Novel-KarstoRAT-Malware.pdf
tags:
- attack.privilege_escalation
- attack.t1548.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: 'Software\\Classes\\ms-settings\\shell\\open\\command'
Details|contains: 'cmd.exe'
condition: selection
falsepositives:
- Unknown
level: critical
---
title: Suspicious ClickFix Activity via Finger.exe
id: d8e4c21a-55b3-4a9d-9c1e-9876543210ab
description: Detects the execution of finger.exe which is abused in ClickFix campaigns to download malicious payloads via clipboard commands.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
- https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\\finger.exe'
CommandLine|contains:
- 'http'
- 'powershell'
- 'cmd'
condition: selection
falsepositives:
- Legitimate administrator usage of finger.exe (rare)
level: high
---
title: LofyStealer Node.js Loader Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects Node.js processes initiating network connections, consistent with LofyStealer's Node.js loader communicating with C2.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
- https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
product: windows
category: network_connection
detection:
selection:
Image|endswith: '\\node.exe'
Initiated: 'true'
filter:
DestinationPort:
- 80
- 443
condition: selection and not filter
falsepositives:
- Legitimate Node.js development servers
level: medium
kql
// Hunt for ClickFix and KarstoRAT Network IOCs
// Look for connections to known C2 infrastructure and suspicious domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("212.227.65.132", "38.146.28.30", "24.152.36.241")
or RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org", "chatgptforchrome.com")
| extend ThreatIntel = case(
RemoteIP == "212.227.65.132", "KarstoRAT",
RemoteIP == "38.146.28.30", "ClickFix/CastleLoader",
RemoteIP == "24.152.36.241", "LofyStealer",
RemoteUrl has "aquasecurtiy.org", "TeamPCP Supply Chain",
RemoteUrl has "chatgptforchrome.com", "Malicious AI Extension",
"Unknown"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, ThreatIntel
powershell
# IOC Hunter Script: KarstoRAT, ClickFix, and LofyStealer Artifacts
# Requires Administrative Privileges
Write-Host "[+] Starting Dark Web IOC Hunt..." -ForegroundColor Cyan
# 1. Check for Active Network Connections to Malicious IPs
$maliciousIPs = @("212.227.65.132", "38.146.28.30", "24.152.36.241")
$activeConnections = Get-NetTCPConnection -State Established |
Where-Object { $maliciousIPs -contains $_.RemoteAddress }
if ($activeConnections) {
Write-Host "[!] ALERT: Found active connections to known C2 IPs!" -ForegroundColor Red
$activeConnections | Format-Table LocalAddress, RemoteAddress, State, OwningProcess -AutoSize
} else {
Write-Host "[-] No active connections to C2 IPs found." -ForegroundColor Green
}
# 2. Check for Suspicious Processes (ClickFix vector: finger.exe)
$suspiciousProcesses = @("finger.exe")
$processList = Get-Process
foreach ($proc in $suspiciousProcesses) {
$found = $processList | Where-Object { $_.ProcessName -eq $proc.Trim(".exe") }
if ($found) {
Write-Host "[!] ALERT: Suspicious process '$proc' detected (Potential ClickFix Activity)." -ForegroundColor Red
$found | Select-Object Id, ProcessName, Path, StartTime
}
}
# 3. Check for KarstoRAT UAC Bypass Registry Keys
$registryPath = "Registry::HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command"
if (Test-Path $registryPath) {
Write-Host "[!] ALERT: FodHelper UAC Bypass Registry Key Detected (Potential KarstoRAT)." -ForegroundColor Red
Get-Item $registryPath
} else {
Write-Host "[-] No FodHelper bypass registry key found." -ForegroundColor Green
}
Write-Host "[+] Hunt Complete." -ForegroundColor Cyan
Response Priorities
-
Immediate:
- Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoints.
- Isolate hosts exhibiting
finger.exespawning processes or connecting to38.146.28.30. - Kill processes associated with the provided SHA256 hashes.
-
24 Hours:
- Identity Audit: Force password resets for accounts accessed from devices flagged with LofyStealer or Malicious AI Extensions. Revoke session tokens stored in browsers.
- Supply Chain Check: Audit developer workstations for the presence of the malicious
telnyxPython SDK versions identified by TeamPCP.
-
1 Week:
- Policy Update: Restrict the use of
finger.exeand other legacy utilities via Application Control (AppLocker). - Browser Security: Review and enforce enterprise browser extension policies to block unauthorized GenAI tools.
- Developer Hardening: Implement signed repository verification for internal PyPI/NPM usage.
- Policy Update: Restrict the use of
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialsinfostealerkarstoratclickfixlofystealersupply-chain
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.