Date: 2026-05-06
Source: AlienVault OTX
Intelligence Classification: TLP:WHITE
Threat Summary
Recent OTX pulses indicate a convergence of diverse attack vectors—supply chain compromise, social engineering, and browser extension abuse—all oriented toward credential theft and persistent surveillance. Five distinct pulses highlight active campaigns involving KarstoRAT, the ClickFix campaign (delivering CastleLoader/NetSupport), TeamPCP's malicious PyPI packages, LofyStealer targeting gamers, and malicious GenAI browser extensions. Despite the varied delivery methods, the objective remains consistent: exfiltrating sensitive authentication data, tokens, and financial information.
The adversary set ranges from established groups like TeamPCP and LofyGang to opportunistic actors utilizing novel strains like KarstoRAT. The attack chains typically bypass traditional security controls via fileless execution (reflective loaders), steganography, or abusing native utilities (finger.exe).
Threat Actor / Malware Profile
| Threat / Malware | Distribution Method | Payload Behavior | C2 & Persistence | Anti-Analysis |
|---|---|---|---|---|
| KarstoRAT | Gaming lure pages | Keylogging, webcam surveillance, audio capture, Discord token theft. | HTTP communication to 212.227.65[.]132. Uses FodHelper exploit for UAC bypass/persistence. | N/A (Emerging strain) |
| ClickFix (CastleLoader) | Fake "BackgroundFix" image tool; Clipboard hijacking. | Triggers finger.exe to fetch payload; drops NetSupport RAT and CastleStealer. | Domains: trindastal.com, poronto.com, brionter.com. | Reflective loading; memory-only execution. |
| TeamPCP | Malicious Telnyx Python SDK on PyPI (Supply Chain). | 3-stage attack: Trojanized package -> WAV file steganography -> Credential harvester. | C2: scan.aquasecurtiy.org. | Steganography; obfuscated Python code. |
| LofyStealer (GrabBot) | Minecraft social engineering / Node.js libraries. | 53.5MB Node.js loader drops 1.4MB in-memory C++ payload; steals browser cookies/passwords/IBANs. | IP: 24.152.36.241. | Syscalls evasion; in-memory execution. |
| Malicious AI Extensions | Chrome Web Store / Productivity lures. | API interception, DOM observation, HTTPS response decryption, "man-in-the-browser". | Proxying traffic via malicious infrastructure. | Passive observation; mimics legitimate AI tools. |
IOC Analysis
The provided IOCs span multiple infrastructure types indicating a robust operational setup:
- IP Addresses: Specific C2 IPs like 212.227.65.132 (KarstoRAT), 38.146.28.30 (ClickFix), and 24.152.36.241 (LofyStealer). These should be blocked immediately at the firewall.
- Domains: Typosquatting and lure domains including trindastal.com (ClickFix), chatgptforchrome.com (Malicious Extension), and aquasecurtiy.org (TeamPCP). SOC teams should sinkhole these DNS requests.
- File Hashes: A significant volume of SHA256 and MD5 hashes are provided for the payloads. EDR tools should be configured to hunt for these specific hashes, focusing on the Node.js loaders (LofyStealer) and the .NET loaders (ClickFix).
- CVE: CVE-2025-55182 is referenced in the AI extension pulse, suggesting a specific vulnerability exploitation chain for persistence or privilege escalation.
Detection Engineering
The following detection logic targets the unique behaviors observed in these pulses, including the abuse of native binaries, supply chain execution, and specific C2 patterns.
```yaml
title: KarstoRAT FodHelper UAC Bypass and Execution
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects KarstoRAT utilizing FodHelper.exe to bypass UAC, often followed by suspicious network activity to known C2 infrastructure.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/65229ef9d09e4cbfae326d41c517576c
tags:
  - attack.defense_evasion
  - attack.privilege_escalation
  - car.2019-04-001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\cmd.exe'
    Image|endswith: '\fodhelper.exe'
  condition: selection
falsepositives:
  - Legitimate administrative usage
level: high
---
title: ClickFix Campaign Fake Image Tool and Finger.exe Abuse
id: b2c3d4e5-6789-01bc-def2-3456789012bc
description: Detects the ClickFix social engineering pattern where a fake tool copies commands to the clipboard invoking finger.exe to fetch payloads.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/bde21d8be65d31e1c380f2daae2f73c7
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\finger.exe'
  selection_cli:
    CommandLine|contains: 'http'
  filter_legit:
    ParentImage|contains: 'System32'
  condition: selection_img and selection_cli and not filter_legit
falsepositives:
  - Rare legitimate finger usage over HTTP
level: critical
---
title: LofyStealer Node.js Loader Spawning Suspicious Child Processes
id: c3d4e5f6-7890-12cd-ef34-5678901234cd
description: Detects the LofyStealer Node.js loader spawning native Windows processes (powershell, cmd) indicative of post-exploitation activity.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/293006cec43c663ccff331795d662c3b
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith: '\node.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\rundll32.exe'
  # Sigma has no inline 'or' inside a field; a list of maps is OR-ed, so either
  # condition below excludes the event.
  filter_legit_dev:
    - CommandLine|contains: 'npm'
    - ParentCommandLine|contains: 'vscode'
  condition: selection_parent and selection_child and not filter_legit_dev
falsepositives:
  - Legitimate Node.js development scripts
level: medium
```
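To show how the three detections above combine their selections and filters, here is an added example (not part of the report or Security Arsenal's tooling): a minimal evaluator for the `endswith`/`contains` modifiers and the list-of-maps OR filter, run over constructed Sysmon-style process-creation events. The rule titles are the report's; every event path and command line is constructed.

```python
def _match_field(event, key, value):
    """Evaluate one Sigma 'Field|modifier' test; a list of values is OR-ed."""
    field, _, mod = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for v in (value if isinstance(value, list) else [value]):
        v = str(v).lower()
        if (mod == "endswith" and actual.endswith(v)) or (mod == "contains" and v in actual):
            return True
    return False

def _match_selection(event, sel):
    """A map is AND-ed across its keys; a list of maps is OR-ed (Sigma semantics)."""
    if isinstance(sel, list):
        return any(_match_selection(event, s) for s in sel)
    return all(_match_field(event, k, v) for k, v in sel.items())

RULES = {
    "KarstoRAT FodHelper UAC Bypass and Execution": {
        "selection": {"ParentImage|endswith": "\\cmd.exe", "Image|endswith": "\\fodhelper.exe"},
        "condition": lambda m: m["selection"]},
    "ClickFix Campaign Fake Image Tool and Finger.exe Abuse": {
        "selection_img": {"Image|endswith": "\\finger.exe"},
        "selection_cli": {"CommandLine|contains": "http"},
        "filter_legit": {"ParentImage|contains": "System32"},
        "condition": lambda m: m["selection_img"] and m["selection_cli"] and not m["filter_legit"]},
    "LofyStealer Node.js Loader Spawning Suspicious Child Processes": {
        "selection_parent": {"ParentImage|endswith": "\\node.exe"},
        "selection_child": {"Image|endswith": ["\\powershell.exe", "\\cmd.exe", "\\rundll32.exe"]},
        "filter_legit_dev": [{"CommandLine|contains": "npm"}, {"ParentCommandLine|contains": "vscode"}],
        "condition": lambda m: m["selection_parent"] and m["selection_child"] and not m["filter_legit_dev"]},
}

def evaluate(event):
    """Return the titles of the rules whose condition holds for one process-creation event."""
    hits = []
    for title, rule in RULES.items():
        parts = {k: _match_selection(event, v) for k, v in rule.items() if k != "condition"}
        if rule["condition"](parts):
            hits.append(title)
    return hits
# Constructed sample events; none of these paths or command lines come from the pulses.
EVENTS = [
    {"Image": r"C:\Windows\System32\fodhelper.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "fodhelper.exe"},
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Users\u\Downloads\BackgroundFix.exe", "CommandLine": "finger.exe user@http.example.invalid"},
    {"Image": r"C:\Windows\System32\finger.exe", "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "finger.exe user@http.example.invalid"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "powershell.exe -File update.ps1", "ParentCommandLine": "node loader.js"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\nodejs\node.exe", "CommandLine": "cmd /c npm run build", "ParentCommandLine": "node build.js"},
]
for e in EVENTS:
    print(e["Image"].rsplit("\\", 1)[-1], "->", evaluate(e) or "no match")
```

The third and fifth events are suppressed by the rules' filters (finger.exe launched from System32, and a node-spawned cmd running npm), which is the behaviour the `not filter_*` clauses are meant to produce.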
KQL (Microsoft Sentinel)
```kql
// Hunt for ClickFix C2 domains and KarstoRAT IP connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("trindastal.com", "poronto.com", "brionter.com", "chatgptforchrome.com", "aquasecurtiy.org")
    or RemoteIP in ("212.227.65.132", "38.146.28.30", "24.152.36.241")
| extend FullURL = strcat(RemoteUrl, ":", RemotePort)
| summarize Count = count(), LastSeen = max(Timestamp) by DeviceName, InitiatingProcessAccountName, RemoteIP, RemoteUrl, ActionType
| order by Count desc
```
PowerShell (IOC Hunt)
```powershell
<#
.SYNOPSIS
Hunt script for KarstoRAT, ClickFix, and LofyStealer IOCs.
.DESCRIPTION
Checks for the presence of suspicious file hashes, domains in hosts file,
and registry modifications associated with recent OTX pulses.
#>
# The indicator list mixes SHA256 (64 hex chars) and MD5 (32 hex chars);
# each file is hashed with the algorithm(s) that have indicators, so the
# MD5 entry is not silently ignored.
$TargetHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)
$Sha256Targets = @($TargetHashes | Where-Object { $_.Length -eq 64 })
$Md5Targets    = @($TargetHashes | Where-Object { $_.Length -eq 32 })
$SuspiciousDomains = @(
    "trindastal.com", "poronto.com", "brionter.com",
    "aquasecurtiy.org", "chatgptforchrome.com"
)

Write-Host "[+] Checking Hosts file for suspicious domains..."
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $SuspiciousDomains) {
        # Literal match: the dots in a domain must not act as regex wildcards
        if ($HostsContent | Select-String -SimpleMatch -Pattern $Domain -Quiet) {
            Write-Host "[!] ALERT: Found $Domain in hosts file." -ForegroundColor Red
        }
    }
}

Write-Host "[+] Scanning for recently modified malicious hashes (User Temp & AppData)..."
$PathsToScan = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0kb -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
            ForEach-Object {
                $Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($Sha256Targets -contains $Sha256) {
                    Write-Host "[!] MALICIOUS FILE FOUND (SHA256): $($_.FullName)" -ForegroundColor Red
                }
                # Only pay for a second hash pass when MD5 indicators exist
                if ($Md5Targets.Count -gt 0) {
                    $Md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
                    if ($Md5Targets -contains $Md5) {
                        Write-Host "[!] MALICIOUS FILE FOUND (MD5): $($_.FullName)" -ForegroundColor Red
                    }
                }
            }
    }
}

Write-Host "[+] Checking for FodHelper persistence (KarstoRAT)..."
# fodhelper.exe consults this per-user key; on a clean host it does not exist
$RegPath = "HKCU:\Software\Classes\ms-settings\shell\open\command"
if (Test-Path $RegPath) {
    Write-Host "[!] ALERT: FodHelper registry key detected. Potential UAC bypass." -ForegroundColor Red
    Get-ItemProperty $RegPath
}
```
Response Priorities
- Immediate (0-24h):
  - Network Blocking: Block all IOCs listed above at the perimeter firewall and proxy level.
  - Endpoint Isolation: Isolate hosts matching the SHA256 hashes for LofyStealer or KarstoRAT.
  - Extension Audit: Force-uninstall the specific "Chat AI for Chrome", "Huiyi", and "Supersonic AI" extensions via browser management policies.
- 24-48h:
  - Credential Reset: If LofyStealer or KarstoRAT is suspected, mandate password resets and token revocation for gaming accounts, Discord, and financial services accessed from infected endpoints.
  - Python Audit: Identify systems that have installed the telnyx Python SDK recently and inspect for the malicious version.
- 1 Week:
  - Application Control: Implement policies to block finger.exe execution from user directories and restrict unapproved Node.js execution.
  - Supply Chain Security: Enforce requirements for pinned package versions and integrity checks in Python/NPM build pipelines.
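As an added example for the Python audit and supply-chain items above (not part of the report or Security Arsenal's tooling), this script checks a requirements.txt for the two controls pip enforces under `pip install --require-hashes`: every dependency pinned with `==` and carrying a `--hash=sha256:` digest. The `telnyx` watchlist entry is the package named in the TeamPCP pulse; the sample file and its digests are constructed.

```python
import re

WATCHLIST = {"telnyx"}  # package names named in the pulses; extend per environment
REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")

def parse_requirements(text):
    """Join pip's backslash continuations and yield (name, op, version, hashes) per requirement."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank line or a pip option such as -r / --index-url
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, _, op, version = m.groups()
        hashes = re.findall(r"--hash=sha256:([0-9a-f]{64})", line)
        yield name.lower().replace("_", "-"), op, version, hashes

def audit_requirements(text):
    """Return (package, finding) pairs; an empty list means every entry is pinned and hashed."""
    findings = []
    for name, op, version, hashes in parse_requirements(text):
        if op != "==":
            findings.append((name, "not pinned with =="))
        if not hashes:
            findings.append((name, "no --hash=sha256 integrity check"))
        if name in WATCHLIST:
            findings.append((name, "watchlisted package: inspect the installed version"))
    return findings

# Constructed sample file; the digests are placeholders, not real artifact hashes.
SAMPLE = """\
requests==2.32.3 \\
    --hash=sha256:%s
telnyx>=2.0          # unpinned and unhashed: whatever the index serves gets installed
pyyaml
cryptography==42.0.5 --hash=sha256:%s --hash=sha256:%s
""" % ("a" * 64, "b" * 64, "c" * 64)

if __name__ == "__main__":
    for package, finding in audit_requirements(SAMPLE):
        print(f"{package}: {finding}")
```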