Recent OTX pulses indicate a surge in multi-vector campaigns focusing on credential theft and surveillance. The KarstoRAT campaign employs gaming-themed lures and the FodHelper UAC bypass to establish persistent access, capturing audio, video, and Discord tokens. Simultaneously, the ClickFix campaign targets users with fake "BackgroundFix" tools, abusing finger.exe to retrieve payloads leading to NetSupport RAT. Finally, TeamPCP has weaponized the software supply chain by uploading a malicious Telnyx Python SDK to PyPI, using steganography to hide credential harvesters in WAV files. Collectively, these adversaries prioritize initial access through social engineering and supply chain manipulation to deploy remote access trojans and stealers.
Threat Actor / Malware Profile
KarstoRAT
- Distribution: Gaming lure pages masquerading as legitimate software or cheats.
- Payload Behavior: Comprehensive surveillance suite including keylogging, screen/audio capture, and webcam monitoring. Specifically targets Discord tokens.
- Persistence: Utilizes the FodHelper exploit (UAC bypass) to execute malicious commands with elevated privileges.
- C2 Communication: HTTP protocol connecting to 212.227.65[.]132.
ClickFix (CastleLoader)
- Distribution: Social engineering via fake image-editing sites ("BackgroundFix"). Users copy malicious commands to clipboard.
- Payload Behavior: Invokes finger.exe (LOLBIN) to fetch remote payloads. Drops CastleLoader (reflective loader), which deploys NetSupport RAT and CastleStealer.
- Persistence: Established via NetSupport RAT installation mechanisms.
TeamPCP
- Distribution: Supply chain compromise of the telnyx Python SDK on PyPI (750k+ downloads).
- Payload Behavior: A multi-stage architecture where a trojanized package triggers a platform-specific loader. The second stage is hidden inside a WAV file using steganography.
- Objective: Credential harvesting from developer environments.
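The report says TeamPCP's second stage rides inside a WAV file but does not describe how it is embedded. The following parser is an added example (not the report's or the campaign's own tooling) that checks a WAV for the cheap tells a defender can look for without knowing the scheme: bytes appended past the declared RIFF structure, a forged RIFF size, unexpected chunks, and a `data` chunk whose byte entropy looks like ciphertext rather than PCM audio. The sample WAVs are constructed inline.

```python
import math
import struct
from collections import Counter

def build_wav(pcm: bytes, trailer: bytes = b"") -> bytes:
    """Constructed sample builder: minimal 16-bit mono WAV, optionally with bytes appended after the RIFF structure."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
    body += b"data" + struct.pack("<I", len(pcm)) + pcm
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: PCM speech or music sits well below 8, encrypted or compressed payloads close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report structural or statistical anomalies."""
    findings, chunks = [], []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"valid": False, "findings": ["not a RIFF/WAVE file"], "chunks": chunks}
    declared_end = 8 + struct.unpack("<I", blob[4:8])[0]
    if declared_end < len(blob):
        findings.append(f"{len(blob) - declared_end} trailing bytes after RIFF structure")
    elif declared_end > len(blob):
        findings.append("RIFF size exceeds file size (truncated or forged header)")
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        payload = blob[pos + 8:pos + 8 + size]
        chunks.append((cid, size))
        if cid not in ("fmt ", "data", "LIST", "fact"):
            findings.append(f"unexpected chunk {cid!r} of {size} bytes")
        if cid == "data" and shannon_entropy(payload) > 7.5:
            # Caveat: compressed codecs wrapped in WAV also score high; treat as a triage lead, not a verdict.
            findings.append("data chunk entropy > 7.5 bits/byte (ciphertext-like, not PCM)")
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    return {"valid": True, "findings": findings, "chunks": chunks}

if __name__ == "__main__":
    samples = {"clean": build_wav(b"\x00\x00" * 400),
               "appended": build_wav(b"\x00\x00" * 400, b"\xaa" * 64),
               "stuffed": build_wav(bytes(range(256)) * 4)}
    for label, wav in samples.items():
        print(label, inspect_wav(wav)["findings"])
```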
IOC Analysis
The provided IOCs include domains (e.g., trindastal.com, aquasecurtiy.org), IP addresses (e.g., 38.146.28.30), and cryptographic file hashes (SHA256/MD5).
Operationalization:
- Network IOCs: Block the listed domains and IPs at the perimeter firewalls and proxies. Note that TeamPCP uses IC0.io raw endpoints for C2, requiring broad inspection or SSL interception.
- File Hashes: Import the SHA256 and MD5 hashes into EDR solutions to quarantine malicious droppers and loaders.
- Process Behavior: Hunt for unusual executions of `finger.exe` and `fodhelper.exe`, which are not commonly used in daily operations but are critical to these attack chains.
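The network IOCs above are only useful once they are refanged and compared against what the proxy actually logs, including subdomains of a listed domain. This is an added example (not tooling from the report) that does that over a constructed proxy log whose line format, `<timestamp> <src_ip> <dst_ip> <url>`, is an assumption; the indicators are the ones quoted in this report.

```python
import re
from urllib.parse import urlsplit
# Indicators quoted in the report above, in the defanged form the report uses for some of them.
RAW_IOCS = ["trindastal.com", "aquasecurtiy.org", "raw.icp0.io", "38.146.28.30", "212.227.65[.]132"]
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def refang(ioc: str) -> str:
    """Undo common defanging ('[.]' -> '.', 'hxxp' -> 'http') so IOCs compare to live log values."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def load_iocs(raw):
    """Split refanged indicators into an IP set and a domain set."""
    ips, domains = set(), set()
    for ioc in raw:
        value = refang(ioc)
        (ips if IP_RE.match(value) else domains).add(value)
    return ips, domains

def host_matches(host: str, domains):
    """Exact or subdomain match: cdn.trindastal.com hits trindastal.com; a bare TLD never matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def scan_proxy_log(lines, raw_iocs=RAW_IOCS):
    """Assumed (constructed) log format: '<timestamp> <src_ip> <dst_ip> <url>' per line."""
    ips, domains = load_iocs(raw_iocs)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the hunt
        ts, src, dst, url = parts[:4]
        host = urlsplit(url).hostname or ""
        matched = host_matches(host, domains)
        if dst in ips:
            hits.append({"ts": ts, "src": src, "reason": f"destination IP {dst}"})
        elif matched:
            hits.append({"ts": ts, "src": src, "reason": f"domain {matched}"})
    return hits

SAMPLE_LOG = [  # constructed sample lines, not from the report
    "2026-05-06T10:00:01Z 10.0.0.5 203.0.113.1 https://example.com/",
    "2026-05-06T10:00:07Z 10.0.0.5 212.227.65.132 http://212.227.65.132/beacon",
    "2026-05-06T10:01:12Z 10.0.0.9 203.0.113.7 https://cdn.trindastal.com/setup.exe",
    "2026-05-06T10:02:40Z 10.0.0.9 203.0.113.8 https://raw.icp0.io/stage2.wav",
]
```

Matching `raw.icp0.io` exactly rather than the parent domain keeps the hit list free of the legitimate `icp0.io` traffic the report's note about broad inspection warns about.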
Detection Engineering
```yaml
title: Potential KarstoRAT FodHelper UAC Bypass
id: 5f8b5a0e-6c8f-4b9a-8d0d-4b9f9e1c6b1d
description: Detects registry modification associated with KarstoRAT utilizing the FodHelper UAC bypass technique.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/660f7c8d5c0e4b4d8c0e4b4d
logsource:
  product: windows
  category: registry_set
detection:
  selection_key:
    TargetObject|contains: 'Software\Classes\ms-settings\Shell\Open\command'
  selection_data:
    Details|contains: 'fodhelper.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate system administration (rare)
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1548.002
  - karstorat
---
title: Suspicious Finger.exe Execution (ClickFix)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects the execution of finger.exe, often abused by ClickFix campaigns to fetch payloads.
status: experimental
date: 2026/05/06
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  filter_legit:
    ParentImage|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection and not filter_legit
falsepositives:
  - Rare administrative usage
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - clickfix
---
title: TeamPCP Malicious PyPI Package Activity
id: b2c3d4e5-6789-01bc-def2-345678901234
description: Detects msbuild.exe or python.exe spawning processes associated with steganography or suspicious network connections indicative of the TeamPCP supply chain attack.
status: experimental
date: 2026/05/06
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\msbuild.exe'
      - '\python.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\certutil.exe'
  selection_network:
    CommandLine|contains:
      - 'aquasecurtiy.org'
      - 'raw.icp0.io'
  condition: selection_parent and (selection_child or selection_network)
falsepositives:
  - Legitimate developer build processes
level: medium
tags:
  - attack.initial_access
  - attack.t1195.002
  - supply-chain
```
```kql
// Hunt for ClickFix Finger.exe activity and TeamPCP network indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org", "giovettiadv.com")
    or RemoteIP == "38.146.28.30" or RemoteIP == "212.227.65.132"
| extend DeviceCustom = strcat(DeviceName, " : ", InitiatingProcessFileName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, DeviceCustom
```

```kql
// Hunt for suspicious process creation patterns (run as a separate query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("finger.exe", "fodhelper.exe")
    or (InitiatingProcessFileName in~ ("msbuild.exe", "python.exe") and FileName in~ ("powershell.exe", "cmd.exe"))
| project Timestamp, DeviceName, AccountName, FileName, InitiatingProcessFileName, CommandLine
```
```powershell
# KarstoRAT & ClickFix IOC Hunt Script
# Checks for FodHelper registry keys, finger.exe executions, and presence of specific file hashes.
Write-Host "Checking for KarstoRAT FodHelper persistence..."
$regPath = "HKCU:\Software\Classes\ms-settings\Shell\Open\command"
if (Test-Path $regPath) {
    # This key does not exist on a clean system; the bypass plants the command to run in the
    # (default) value and an empty DelegateExecute value, so show both for triage.
    $value = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    Write-Warning "Potential FodHelper UAC Bypass detected at $regPath"
    Write-Host ("  (default)       : {0}" -f $value.'(default)')
    Write-Host ("  DelegateExecute : {0}" -f $value.DelegateExecute)
} else {
    Write-Host "No registry persistence found."
}

# Event ID 4688 requires process creation auditing to be enabled and an elevated shell to read.
Write-Host "`nChecking for ClickFix Finger.exe executions in Event Logs..."
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'finger\.exe' }
if ($events) {
    Write-Warning "Found finger.exe executions."
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No finger.exe executions in the last 1000 process-creation events."
}

Write-Host "`nScanning for KarstoRAT & TeamPCP file hashes in C:\Users\Public and user Downloads folders..."
$hashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a"
)
# Hash every file once and compare against the whole set, rather than re-walking the disk per hash.
# Widen $scanPaths (e.g. to C:\) if the hunt needs full coverage.
$scanPaths = @("C:\Users\Public") + @(Get-ChildItem -Path C:\Users -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName "Downloads" } | Where-Object { Test-Path $_ })
Get-ChildItem -Path $scanPaths -Recurse -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object { $hashes -contains $_.Hash } |
    ForEach-Object { Write-Warning "Malicious file found: $($_.Path) with hash $($_.Hash)" }
```
# Response Priorities
* **Immediate:** Block all listed domains and IPs at the network perimeter. Initiate a hunt for `finger.exe` and `fodhelper.exe` execution across endpoints. Quarantine any systems matching the provided file hashes.
* **24h:** Audit developer environments for the malicious Telnyx Python SDK versions. If KarstoRAT is suspected, force reset of Discord tokens and credentials used on infected machines.
* **1 week:** Implement strict allow-listing for Python package repositories (PyPI) in developer pipelines. Review and restrict the use of `finger.exe` and other legacy binaries via AppLocker or SRP.