Back to Intelligence

KarstoRAT, ClickFix, and Malicious AI Extensions: OTX Pulse Analysis — Credential Theft Surge

SA
Security Arsenal Team
May 5, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a significant surge in multi-vector credential theft campaigns. Threat actors are aggressively deploying novel Remote Access Trojans (RATs) like KarstoRAT, leveraging social engineering lures such as ClickFix (BackgroundFix), and exploiting the supply chain via compromised PyPI packages (TeamPCP). Additionally, a new wave of malicious AI-themed browser extensions has emerged, utilizing API interception to steal sensitive data directly from user sessions. These campaigns collectively target a wide range of sectors, with specific focus on gaming communities (Minecraft) and enterprise users utilizing generative AI tools.

Threat Actor / Malware Profile

KarstoRAT

  • Distribution: Gaming lure pages and social engineering.
  • Behavior: System reconnaissance, keylogging, screenshot/audio capture, webcam surveillance, and Discord token theft.
  • Persistence: Utilizes the FodHelper exploit (UAC bypass) to establish persistence.
  • C2 Communication: HTTP communication with specific C2 infrastructure (e.g., 212.227.65[.]132).

ClickFix / CastleLoader

  • Distribution: Fake image-editing tools (BackgroundFix) prompting users to verify humanity via clipboard commands.
  • Behavior: Uses finger.exe to retrieve payloads. Drops CastleLoader, which subsequently deploys NetSupport RAT and CastleStealer.
  • Persistence: Reflective loader techniques to evade disk-based scanning.

TeamPCP

  • Distribution: Supply chain compromise of the telnyx Python SDK on PyPI.
  • Behavior: Three-stage architecture involving steganography (payloads hidden in WAV files) to deploy credential harvesters.
  • Persistence: Established via malicious Python package installation.

Malicious AI Extensions

  • Distribution: Masquerading as productivity tools (e.g., "Chat AI for Chrome", "Supersonic AI").
  • Behavior: Meddler-in-the-middle attacks, passive DOM observation, traffic proxying, and HTTPS response decryption.

IOC Analysis

The provided pulses offer a mix of network and file-based indicators:

  • Domains & URLs: Key domains include trindastal.com, poronto.com, brionter.com (ClickFix) and chatgptforchrome.com (Malicious AI).
  • IP Addresses: Notable C2 IPs include 212.227.65.132 (KarstoRAT) and 38.146.28.30 (CastleLoader).
  • File Hashes: Numerous SHA256 and MD5 hashes for loaders (Node.js), payloads (C++), and droppers are available for immediate blocklisting and retroactive hunting.

Operational Guidance: SOC teams should immediately block the listed domains and IPs at the perimeter. EDR solutions should be configured to look for the specific file hashes. The use of finger.exe as a parent process for cmd.exe or powershell.exe is a high-fidelity behavioral anomaly for the ClickFix campaign.

Detection Engineering

YAML
---
title: Potential KarstoRAT FodHelper UAC Bypass Activity
id: 4a8f9c2b-1d3e-4f5a-9b6c-7d8e9f0a1b2c
description: Detects the execution of fodhelper.exe with suspicious command line arguments or child processes often associated with KarstoRAT UAC bypass attempts.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6623...
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - car.2019-04-001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\fodhelper.exe'
    filter:
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate use of fodhelper.exe for troubleshooting (rare)
level: high
---
title: Suspicious Finger.exe Execution (ClickFix Indicator)
id: 5b9g0d3c-2e4f-5g6b-0c7d-1e8f2g3h4i5j
description: Detects the execution of finger.exe spawning a shell or making network requests, typical of the ClickFix/BackgroundFix social engineering attack chain.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6624...
tags:
    - attack.execution
    - attack.user_execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        Image|endswith: '\finger.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legacy network administration (very rare)
level: critical
---
title: Malicious Python Package Execution (TeamPCP)
id: 6c0h1e4d-3f5g-6h7c-1d8e-2f9g3h4i5j6k
description: Detects execution of python.exe loading suspicious DLLs or scripts associated with the TeamPCP supply chain attack on telnyx SDK.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6625...
tags:
    - attack.initial_access
    - attack.supply_chain
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains:
            - 'telnyx'
            - 'site-packages'
    condition: selection
falsepositives:
    - Legitimate developer usage of telnyx package (verify parent process)
level: medium


kql
// Hunt for ClickFix network activity and process execution
// Look for finger.exe and connections to known C2s
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (FileName =~ "finger.exe" or ProcessCommandLine has "finger.exe") 
| where InitiatingProcessFileName !in ("explorer.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| union (DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "trindastal.com" or RemoteUrl has "poronto.com" or RemoteIP in ("212.227.65.132", "38.146.28.30", "24.152.36.241")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName)


powershell
# IOC Hunt Script for KarstoRAT Persistence and C2 Connections
# Requires Administrator privileges

Write-Host "Checking for KarstoRAT FodHelper Persistence..." -ForegroundColor Yellow

# Check registry for FodHelper bypass technique
$regPath = "HKCU:\Software\Classes\ms-settings\shell\open\command"
if (Test-Path $regPath) {
    $value = Get-ItemProperty -Path $regPath -Name "DelegateExecute" -ErrorAction SilentlyContinue
    $default = Get-ItemProperty -Path $regPath -Name "(default)" -ErrorAction SilentlyContinue
    if ($value -or $default) {
        Write-Host "[!] Potential FodHelper persistence found at $regPath" -ForegroundColor Red
        Get-Item -Path $regPath | Format-List *
    } else {
        Write-Host "[-] No FodHelper persistence detected." -ForegroundColor Green
    }
}

Write-Host "Checking for active connections to known C2 IPs..." -ForegroundColor Yellow

$maliciousIPs = @("212.227.65.132", "38.146.28.30", "24.152.36.241")
$connections = Get-NetTCPConnection -State Established, TimeWait -ErrorAction SilentlyContinue

foreach ($ip in $maliciousIPs) {
    $found = $connections | Where-Object { $_.RemoteAddress -eq $ip }
    if ($found) {
        Write-Host "[!] Active connection detected to $ip" -ForegroundColor Red
        $found | Format-Table LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
        $process = Get-Process -Id $found.OwningProcess -ErrorAction SilentlyContinue
        if ($process) { Write-Host "Process details:"; $process | Select-Object ProcessName, Path, StartTime }
    }
}

Write-Host "Hunt complete."

Response Priorities

Immediate

  • Block all listed IOCs (Domains trindastal.com, poronto.com, brionter.com, chatgptforchrome.com and IPs 212.227.65.132, 38.146.28.30).
  • Hunt for execution artifacts of finger.exe spawning shells (ClickFix).
  • Scan endpoints for the file hashes provided in the pulses.

24 Hours

  • Initiate credential verification for users potentially affected by infostealers (LofyStealer, KarstoRAT).
  • Review browser extension policies and remove unauthorized AI-themed extensions (e.g., "Chat AI for Chrome", "Supersonic AI").
  • Audit Python environments for the malicious telnyx SDK versions.

1 Week

  • Harden architecture against supply chain attacks (implementing software composition analysis).
  • Update security awareness training to cover "fake background remover" and AI-tool social engineering lures.
  • Review and restrict the use of fodhelper.exe and finger.exe via AppLocker or similar application control mechanisms.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialskarstoratclickfixinfostealermalicious-extensionssupply-chain-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action