Threat Summary
Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns utilizing diverse initial access vectors. The landscape features the emergence of KarstoRAT, a surveillance-focused Trojan employing UAC bypasses; the evolution of ClickFix social engineering lures delivering CastleLoader and NetSupport RAT; and a supply chain attack by TeamPCP weaponizing the Telnyx Python SDK via PyPI. Additionally, MioLab is actively expanding its macOS Stealer-as-a-Service empire. Collectively, these adversaries aim to harvest browser credentials, cryptocurrency wallet keys, and session tokens (Discord/Email) for financial gain and persistence.
Threat Actor / Malware Profile
| Family / Actor | Description | Distribution Method | Key Behaviors |
|---|---|---|---|
| KarstoRAT | Novel Remote Access Trojan (2026) focusing on surveillance and data theft. | Gaming lure pages, Discord token distribution. | Uses FodHelper for UAC bypass, HTTP C2 to 212.227.65[.]132, keylogging, webcam/audio capture. |
| ClickFix | Social engineering campaign masquerading as "BackgroundFix" image editor. | Fake browser prompts triggering clipboard copy-paste of malicious commands. | Invokes finger.exe to fetch payloads, deploys CastleLoader (reflective) -> NetSupport RAT -> CastleStealer. |
| TeamPCP | Threat actor targeting software supply chains. | Compromised telnyx Python SDK package on PyPI. | 3-stage attack: Trojanized package -> WAV file steganography payload -> Credential harvester. Uses msbuild.exe for evasion. |
| MioLab (Nova) | Malware-as-a-Service (MaaS) platform specializing in macOS. | Advertised on Russian underground forums. | Exfiltrates browser data and 50+ desktop crypto wallets. Uses bulletproof hosting infrastructure. |
IOC Analysis
The provided pulses consist of 189 total indicators, providing a robust defensive dataset:
- Network Infrastructure: Domains like
trindastal.com(ClickFix) andaquasecurtiy.org(TeamPCP typo-squat) serve as C2 or payload delivery. IP38.146.28.30is associated with CastleLoader operations. - File Hashes: A high volume of SHA256 and MD5 hashes (e.g.,
65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8bfor KarstoRAT) allow for exact match detection on endpoints. - Operationalization: SOC teams should immediately block the listed domains and IPs at the perimeter. File hashes should be uploaded to EDR "blacklist" or "block" policies. The Python package compromise (
telnyx) requires validating dependency versions in development environments.
Detection Engineering
YAML
title: KarstoRAT UAC Bypass via FodHelper
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects KarstoRAT utilizing FodHelper.exe to bypass UAC by modifying the registry key associated with the event viewer.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000000
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\Software\Classes\ms-settings\Shell\Open\command\'
Details|contains: 'fodhelper.exe'
condition: selection
falsepositives:
- Rare administrative activity
level: critical
---
title: ClickFix Attack via Finger.exe Execution
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6e
description: Detects the suspicious execution of finger.exe, a technique used by ClickFix campaigns to download payloads.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000001
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Legitimate user finger lookup (rare in modern environments)
level: high
---
title: TeamPCP Steganography Payload Download via MsBuild
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects msbuild.exe executing with suspicious arguments commonly associated with downloading steganography payloads as seen in TeamPCP attacks.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/pulse/6600000000000002
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\msbuild.exe'
CommandLine|contains:
- 'raw.icp0.io'
- 'wget'
- 'DownloadString'
condition: selection
falsepositives:
- Developers building projects that fetch external resources (unusual but possible)
level: high
kql
// Hunt for ClickFix and KarstoRAT C2 indicators
// Search for process creations related to ClickFix (finger.exe) and KarstoRAT (fodhelper)
DeviceProcessEvents
| where FileName in ("finger.exe", "fodhelper.exe")
or InitiatingProcessFileName in ("finger.exe", "cmd.exe")
| extend Details = parse_(AdditionalFields)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| union (DeviceNetworkEvents
| where RemoteUrl in ("giovettiadv.com", "trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io")
or RemoteIP in ("38.146.28.30", "212.227.65.132")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, LocalPort)
| order by Timestamp desc
powershell
# IOC Hunt Script for ClickFix, KarstoRAT, and MioLab Infrastructure
# Checks Hosts file for persistence and Active Connections for C2 traffic
$MaliciousDomains = @(
"trindastal.com",
"poronto.com",
"brionter.com",
"giovettiadv.com",
"aquasecurtiy.org",
"marinemember.com",
"officerelaxation.com",
"approve-me.com",
"decodecybercrime.com",
"mioisiskwowiwjowuwjwolab.club",
"zynce.org"
)
$KarstoRAT_IP = "212.227.65.132"
$CastleLoader_IP = "38.146.28.30"
# Function to check Hosts file for IOCs
function Check-HostsFile {
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (Test-Path $HostsPath) {
$Content = Get-Content $HostsPath
$Found = $false
foreach ($line in $Content) {
foreach ($domain in $MaliciousDomains) {
if ($line -like "*$domain*") {
Write-Host "[ALERT] Malicious domain found in Hosts file: $line" -ForegroundColor Red
$Found = $true
}
}
}
if (-not $Found) { Write-Host "[INFO] No malicious domains found in Hosts file." -ForegroundColor Green }
}
}
# Function to check Active TCP Connections for C2 IPs
function Check-NetworkConnections {
$Connections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
$Processes = Get-Process -IncludeUserName
foreach ($conn in $Connections) {
if ($conn.RemoteAddress -eq $KarstoRAT_IP -or $conn.RemoteAddress -eq $CastleLoader_IP) {
$Proc = $Processes | Where-Object { $_.Id -eq $conn.OwningProcess }
Write-Host "[ALERT] C2 Connection Detected: $($conn.RemoteAddress):$($conn.RemotePort) by PID $($conn.OwningProcess) ($($Proc.ProcessName))" -ForegroundColor Red
}
}
}
# Execution
Write-Host "Starting IOC Hunt..." -ForegroundColor Cyan
Check-HostsFile
Check-NetworkConnections
Write-Host "Hunt Complete." -ForegroundColor Cyan
Response Priorities
- Immediate: Block all IOCs (Domains
trindastal.com,aquasecurtiy.org; IPs212.227.65.132,38.146.28.30) at the firewall and proxy. Scan endpoints for the listed SHA256 hashes. - 24h: Initiate credential rotation for accounts accessed from devices flagged with the ClickFix
finger.exeexecution or TeamPCP Python package installation. - 1 Week: Audit Python package repositories (
requirements.txt,Pipfile.lock) for the compromisedtelnyxpackage and enforce signing policies for browser extensions to prevent AI-extension malware installation.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-credentialskarstoratclickfixteampcpinfostealersupply-chain
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.