KarstoRAT, LofyStealer & Malicious AI Extensions: OTX Pulse Analysis — Credential Theft & Supply Chain Threats

Security Arsenal Team
May 4, 2026
6 min read

Threat Summary

Recent OTX pulses indicate a coordinated rise in credential theft campaigns utilizing diverse infection vectors. The data highlights the emergence of KarstoRAT, a surveillance-focused RAT using FodHelper for persistence, alongside the ClickFix campaign delivering CastleLoader and NetSupport RAT via social engineering. Additionally, the LofyStealer campaign targets gamers, while a TeamPCP supply chain attack weaponizes the Telnyx Python SDK. A concerning trend is the proliferation of malicious GenAI browser extensions designed to hijack sessions and intercept API keys.

Threat Actor / Malware Profile

KarstoRAT

  • Distribution: Gaming lure pages masquerading as cheats or mods.
  • Behavior: Conducts webcam surveillance, keylogging, screenshot/audio capture, and Discord token theft.
  • C2 Communication: HTTP traffic to 212.227.65[.]132.
  • Persistence: Utilizes the fodhelper.exe UAC bypass technique via registry modification.
  • Anti-Analysis: Analysis-environment detection is inferred from its post-compromise capabilities rather than stated outright.

CastleLoader / NetSupport RAT (ClickFix Campaign)

  • Distribution: "BackgroundFix" fake image editing tool.
  • Behavior: Clipboard hijacking plants a command that invokes finger.exe, which retrieves the payloads. Drops NetSupport RAT (remote access) and CastleStealer (credential theft).
  • Persistence: Reflective loader techniques; scheduled tasks typical of NetSupport.

LofyStealer (LofyGang)

  • Distribution: Social engineering targeting Minecraft players.
  • Behavior: Two-stage attack involving a 53.5MB Node.js loader and a 1.4MB in-memory C++ payload. Targets browser data (cookies, passwords, credit cards).
  • Persistence: Uses "Chromelevator" (browser extension abuse) or registry run keys.

TeamPCP (Telnyx SDK Supply Chain)

  • Distribution: Malicious Python packages on PyPI (typosquatting).
  • Behavior: Steganography used to hide second-stage payloads in WAV files. Deploys a credential harvester.
  • Persistence: Systemd services or scheduled tasks on Linux/Windows.
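
The WAV steganography noted above is the kind of carrier a responder ends up triaging by hand. The following Python helper is an added example, not code from the pulse or from Security Arsenal: it walks the RIFF chunk structure of a WAV file and flags what a benign encoder never produces, such as bytes appended after the last chunk, a RIFF size field that disagrees with the real file size, or chunks with unknown identifiers. It only catches structural variants; a payload embedded in the audio samples themselves (LSB-style) is invisible to it. The sample files below are constructed in the script.

```python
"""Structural triage of WAV files that may carry an appended payload (added example)."""
import struct

# Chunk identifiers a normal WAV encoder or tagger writes.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"id3 ", b"bext", b"JUNK", b"PAD "}


def inspect_wav(blob: bytes) -> dict:
    """Walk the RIFF chunks and return structural findings for the file."""
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"valid_riff": False, "findings": ["not a RIFF/WAVE container"],
                "chunks": [], "trailing_bytes": 0}
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    declared_total = riff_size + 8            # RIFF size excludes the 8-byte RIFF header
    if declared_total != len(blob):
        findings.append(f"RIFF size declares {declared_total} bytes, file is {len(blob)} bytes")
    chunks, pos = [], 12
    end = min(declared_total, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        csize = struct.unpack_from("<I", blob, pos + 4)[0]
        chunks.append((cid.decode("latin-1"), csize))
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {cid!r} of {csize} bytes")
        pos += 8 + csize + (csize & 1)        # chunks are padded to an even length
    if pos > len(blob):
        findings.append("last chunk runs past end of file (truncated or corrupt)")
    elif len(blob) - pos > 0:
        findings.append(f"{len(blob) - pos} trailing bytes after final chunk")
    return {"valid_riff": True, "findings": findings, "chunks": chunks,
            "trailing_bytes": max(0, len(blob) - pos)}


def build_wav(samples: bytes, sample_rate: int = 8000) -> bytes:
    """Build a minimal 16-bit mono PCM WAV around the given sample bytes (constructed input)."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate * 2, 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(samples)) + samples)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: a clean file of silence, and the same file with a blob glued on the end.
CLEAN_WAV = build_wav(bytes(64))
APPENDED = b"CONSTRUCTED_APPENDED_BLOB_FOR_DEMO"   # stands in for a hidden second stage
CARRIER_WAV = CLEAN_WAV + APPENDED

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_WAV), ("carrier", CARRIER_WAV), ("truncated", CLEAN_WAV[:-10])):
        print(label, inspect_wav(blob)["findings"] or ["no structural anomalies"])
```

Run it over a directory of media files pulled from a suspect package and review anything with non-empty findings; the RIFF-size mismatch plus trailing bytes is the signature of a file that had data appended after encoding.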

Malicious AI Extensions

  • Distribution: Chrome Web Store (via social engineering) or sideloaded.
  • Behavior: "Man-in-the-Browser" attacks, API interception, and passive DOM observation. Extensions like "Chat AI for Chrome" and "Huiyi" act as RATs.
  • Persistence: Browser extension installation; background scripts.

IOC Analysis

The provided pulses contain a mix of network and file-based indicators.

  • File Hashes: Multiple SHA256 and MD5 hashes for Node.js loaders, C++ payloads (LofyStealer), and KarstoRAT samples. These should be blocklisted on endpoints.
  • Domains/IPv4: C2 infrastructure includes 212.227.65[.]132 (KarstoRAT), trindastal.com, brionter.com, poronto.com (ClickFix), and 24.152.36.241 (LofyStealer). The TeamPCP campaign uses a typosquatted domain aquasecurtiy.org.
  • CVE: CVE-2025-55182 is referenced in the AI extensions pulse.

Operationalization: SOC teams should immediately import these IOCs into EDR solutions, firewall blocklists, and SIEM correlation rules. The supply chain domain aquasecurtiy.org indicates a need to audit Python dependency manifests for typosquatting.
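
One way to carry out that manifest audit, as an added example that is not part of the pulse or of Security Arsenal's tooling: normalise each requirement name the way PyPI does (PEP 503: case-folded, runs of "-", "_" and "." collapsed to "-") and compare it against an allowlist of the packages the organisation actually depends on. Names off the allowlist that sit within edit distance 1 of an allowed name, or are an adjacent-letter swap away, are reported as probable typosquats. The allowlist and manifest below are constructed for the demo; "telnyx" is the SDK named in the pulse, while the misspelled names are invented here and do not refer to real packages.

```python
"""Flag probable typosquats in a Python requirements manifest (added example)."""
from __future__ import annotations
import re


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (normalised name, original line) for each requirement line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):          # skip blanks and pip options (-r, -e, --index-url)
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            out.append((normalize(m.group(1)), raw))
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a: str, b: str) -> bool:
    """True when a and b differ only by one pair of adjacent swapped characters."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def audit(text: str, allowlist: set[str]) -> dict:
    """Classify every requirement as ok, suspicious (near an allowed name) or unknown."""
    allowed = {normalize(n) for n in allowlist}
    report = {"ok": [], "suspicious": [], "unknown": []}
    for name, raw in parse_requirements(text):
        if name in allowed:
            report["ok"].append(name)
            continue
        near = sorted(n for n in allowed if edit_distance(name, n) <= 1 or is_transposition(name, n))
        if near:
            report["suspicious"].append((name, near[0], raw.strip()))
        else:
            report["unknown"].append(name)
    return report


# Constructed inputs for the demo.
ALLOWLIST = {"requests", "telnyx", "PyYAML", "cryptography"}
SAMPLE_MANIFEST = """\
# constructed manifest for the demo
requests==2.32.3
telynx               # constructed: two letters transposed, not a real package
PyYAML>=6.0
cryptogaphy          # constructed: one letter missing, not a real package
boto3
"""

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_MANIFEST, ALLOWLIST).items():
        print(f"{kind}: {items}")
```

Feed it the output of `pip freeze` or each service's requirements file; "unknown" entries are not necessarily bad, they are simply packages nobody has vetted onto the allowlist yet, whereas "suspicious" entries deserve a look before the next build.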

Detection Engineering

Sigma Rules

title: Potential KarstoRAT FodHelper UAC Bypass
id: 0e8c1f8c-1a2b-3c4d-5e6f-7a8b9c0d1e2f
description: Detects registry modification patterns associated with FodHelper.exe used for UAC bypass, often employed by KarstoRAT and similar malware.
status: experimental
author: Security Arsenal
date: 2026/05/04
references:
    - https://otx.alienvault.com/pulse/626f1e1b8f3a2c1b3c4d5e6f
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\Classes\ms-settings\Shell\Open\command'
        Details|contains: 'cmd.exe'
    condition: selection
falsepositives:
    - Administrative activity (rare)
level: high

---
title: ClickFix Campaign Suspicious Finger.exe Execution
id: 1f9a2e3b-4c5d-6e7f-8a9b-0c1d2e3f4a5b
description: Detects the execution of finger.exe with suspicious arguments or spawned by an unusual parent, associated with the ClickFix/BackgroundFix campaign.
status: experimental
author: Security Arsenal
date: 2026/05/04
references:
    - https://otx.alienvault.com/pulse/626f1e1b8f3a2c1b3c4d5e6g
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\finger.exe'
        CommandLine|contains:
            - 'http'
            - 'powershell'
            - 'cmd'
    condition: selection
falsepositives:
    - Legitimate use of finger.exe (rare in modern environments)
level: high

---
title: Browser Credential Theft via Unusual Process Access
id: 2a0b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects processes like Node.js or Python accessing Chrome/Edge user data databases, indicative of LofyStealer or AI extension malware behavior.
status: experimental
author: Security Arsenal
date: 2026/05/04
references:
    - https://otx.alienvault.com/pulse/626f1e1b8f3a2c1b3c4d5e6h
tags:
    - attack.credential_access
    - attack.t1003
logsource:
    product: windows
    category: file_access
detection:
    # Path and file name are matched by separate selections: a YAML mapping cannot
    # repeat the same key. The path match covers every profile, not only Default.
    selection_path:
        TargetFilename|contains:
            - '\Google\Chrome\User Data\'
            - '\Microsoft\Edge\User Data\'
    selection_file:
        TargetFilename|contains:
            - 'Cookies'
            - 'Login Data'
            - 'History'
    filter_main_browsers:
        Image|endswith:
            - '\chrome.exe'
            - '\msedge.exe'
    condition: selection_path and selection_file and not 1 of filter_main_browsers*
falsepositives:
    - Third-party password managers
level: medium
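
To see how the three rules behave before deploying them, the following Python is an added example (not from the pulse or Security Arsenal) that re-implements their conditions with the case-insensitive contains/endswith semantics Sigma specifies and runs them over constructed events. It shows the browser filter suppressing chrome.exe while catching node.exe, and it shows that the ClickFix rule, as written, depends on "http", "powershell" or "cmd" appearing in finger.exe's own command line: when a shell runs a pipeline, finger.exe's argv is just its own arguments, so the second event does not fire. Every event, SID and path below is constructed, and 203.0.113.10 is a documentation address.

```python
"""Evaluate the page's three Sigma rule conditions over constructed events (added example)."""
from __future__ import annotations


def contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def rule_fodhelper(ev: dict) -> bool:
    """Potential KarstoRAT FodHelper UAC Bypass (registry_set)."""
    return (ev.get("category") == "registry_set"
            and contains_any(ev.get("TargetObject", ""),
                             ["Software\\Classes\\ms-settings\\Shell\\Open\\command"])
            and contains_any(ev.get("Details", ""), ["cmd.exe"]))


def rule_clickfix_finger(ev: dict) -> bool:
    """ClickFix Campaign Suspicious Finger.exe Execution (process_creation)."""
    return (ev.get("category") == "process_creation"
            and endswith_any(ev.get("Image", ""), ["\\finger.exe"])
            and contains_any(ev.get("CommandLine", ""), ["http", "powershell", "cmd"]))


def rule_browser_db_access(ev: dict) -> bool:
    """Browser Credential Theft via Unusual Process Access (file_access), with the browser filter."""
    if ev.get("category") != "file_access":
        return False
    target = ev.get("TargetFilename", "")
    in_profile = contains_any(target, ["\\Google\\Chrome\\User Data\\", "\\Microsoft\\Edge\\User Data\\"])
    sensitive = contains_any(target, ["Cookies", "Login Data", "History"])
    is_browser = endswith_any(ev.get("Image", ""), ["\\chrome.exe", "\\msedge.exe"])
    return in_profile and sensitive and not is_browser


RULES = [
    ("Potential KarstoRAT FodHelper UAC Bypass", rule_fodhelper),
    ("ClickFix Campaign Suspicious Finger.exe Execution", rule_clickfix_finger),
    ("Browser Credential Theft via Unusual Process Access", rule_browser_db_access),
]


def evaluate(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule title, event id) for every rule that matches an event."""
    return [(title, ev["id"]) for ev in events for title, fn in RULES if fn(ev)]


# Constructed events; none of these values come from the pulses.
SAMPLE_EVENTS = [
    {"id": "ev1", "category": "registry_set",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)",
     "Details": "cmd.exe /c CONSTRUCTED_PLACEHOLDER"},
    # finger.exe's own argv when launched inside a shell pipeline: none of the rule's substrings present.
    {"id": "ev2", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\finger.exe",
     "CommandLine": "finger  user@203.0.113.10"},
    # Node.js reading the Chrome password database: matches, not filtered.
    {"id": "ev3", "category": "file_access",
     "Image": "C:\\Program Files\\nodejs\\node.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    # Chrome itself touching its cookie store: suppressed by filter_main_browsers.
    {"id": "ev4", "category": "file_access",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"},
]

if __name__ == "__main__":
    for title, eid in evaluate(SAMPLE_EVENTS):
        print(f"{eid}: {title}")
```

Pointing the same functions at exported Sysmon or EDR events (one dict per event, fields named as in the rules) gives a quick regression check whenever a selection or filter is edited.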

KQL (Microsoft Sentinel / Defender)

// Hunt for ClickFix finger.exe activity and connections to known C2
// Written against the Defender for Endpoint tables as ingested into Sentinel (TimeGenerated);
// in Advanced Hunting in the Defender portal replace TimeGenerated with Timestamp.
let C2Domains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "chatgptforchrome.com"]);
let C2IPs = dynamic(["212.227.65.132", "38.146.28.30", "24.152.36.241"]);
DeviceNetworkEvents
// has_any matches the domain anywhere in the URL, so scheme, port and path do not break the match
| where RemoteUrl has_any (C2Domains) or RemoteIP in (C2IPs)
| project Timestamp = TimeGenerated, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| union (
    DeviceProcessEvents
    | where FileName =~ "finger.exe"
    | project Timestamp = TimeGenerated, DeviceName, InitiatingProcessFileName,
              InitiatingProcessCommandLine, FileName, ProcessCommandLine
)
| order by Timestamp desc

PowerShell

# IOC Hunt Script for KarstoRAT, LofyStealer, and ClickFix Components
# Requires Administrator privileges

# Hashes from the pulses, grouped by algorithm: the 32-character value is an MD5
# and would never match a SHA256 digest, so each file is checked with both.
$KnownSha256 = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"
)
$KnownMd5 = @(
    "d21a5d08b4614005c8fcd9d0068f0190"
)

# Check File System (-File skips directories; C:\Users is already under C:\).
# -in compares case-insensitively, so Get-FileHash's upper-case output matches the lists.
Write-Host "Checking for known malicious file hashes..."
Get-ChildItem -Path "C:\" -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sha256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $md5    = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash
        if ($sha256 -in $KnownSha256 -or $md5 -in $KnownMd5) {
            Write-Host "WARNING: Malicious file found: $($_.FullName)" -ForegroundColor Red
        }
    }

# Check Registry for FodHelper Persistence (KarstoRAT technique)
# Only the current user's hive is checked; the ms-settings handler key is absent on a clean profile,
# so its presence is the indicator.
Write-Host "Checking Registry for FodHelper UAC Bypass..."
$RegPath = "HKCU:\Software\Classes\ms-settings\Shell\Open\command"
if (Test-Path $RegPath) {
    Write-Host "WARNING: FodHelper persistence registry key detected." -ForegroundColor Red
    Get-ItemProperty -Path $RegPath | Format-List
}

# Check Network Connections for C2 IPs
$C2IPs = @("212.227.65.132", "38.146.28.30", "24.152.36.241")
Write-Host "Checking active network connections..."
Get-NetTCPConnection |
    Where-Object { $_.RemoteAddress -in $C2IPs } |
    ForEach-Object {
        $Process = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "WARNING: Connection to C2 IP detected: $($_.RemoteAddress) via $($Process.ProcessName) (PID $($_.OwningProcess))" -ForegroundColor Red
    }

Response Priorities

Immediate

  • Block all listed IOCs (Domains: trindastal.com, chatgptforchrome.com; IPs: 212.227.65.132, 24.152.36.241) at perimeter firewalls and proxies.
  • Execute the PowerShell hunt script on critical endpoints to identify KarstoRAT or LofyStealer artifacts.
  • Isolate systems exhibiting finger.exe execution patterns (ClickFix) or suspicious browser extension activity.

24h

  • Initiate identity verification and credential resets for accounts potentially exposed to LofyStealer (Minecraft players) and AI extension malware (GenAI users).
  • Review Python environment (pip list) for the malicious Telnyx SDK versions or dependencies connecting to aquasecurtiy.org.

1 Week

  • Harden architecture by restricting the execution of unsigned scripts and blocking common LOLBins such as finger.exe via application allowlisting.
  • Implement strict software supply chain policies, requiring dependency verification (SBOM) for Python packages.
  • Audit and enforce an allowlist policy for browser extensions, specifically targeting the "GenAI" and "Productivity" categories used in these campaigns.
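
The extension audit can be driven from the extensions' own manifests. The Python below is an added example, not from the pulse or Security Arsenal: given an extension ID and its manifest.json, it reports whether the extension is on the allowlist and which permissions would let it read every page, intercept requests or access cookies, the capabilities the "Man-in-the-Browser" extensions in the pulse depend on. It handles both MV2 (host patterns under "permissions") and MV3 ("host_permissions"). The IDs and manifests below are constructed placeholders, not real Chrome Web Store entries.

```python
"""Score browser-extension manifests against an allowlist and high-risk permissions (added example)."""
from __future__ import annotations
import json

# Permissions that let an extension observe or alter pages and sessions.
HIGH_RISK = {
    "<all_urls>": "read and modify content on every site",
    "webRequest": "observe HTTP requests (API keys and tokens in headers)",
    "webRequestBlocking": "modify or block HTTP requests",
    "declarativeNetRequestWithHostAccess": "rewrite requests on granted hosts",
    "cookies": "read session cookies",
    "tabs": "enumerate tab URLs and titles",
    "scripting": "inject scripts into pages",
    "debugger": "attach the DevTools protocol to tabs",
    "clipboardRead": "read the clipboard",
    "nativeMessaging": "talk to a native helper process",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
MITB_CAPABLE = {"webRequest", "webRequestBlocking", "scripting", "cookies", "debugger"}


def audit_manifest(ext_id: str, manifest_json: str, allowlist: set[str]) -> dict:
    """Return the extension's risky permissions and a verdict for the extension review queue."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    hosts = set(m.get("host_permissions", []))          # MV3; MV2 keeps host patterns in "permissions"
    broad_host = bool(BROAD_HOST_PATTERNS & (perms | hosts))
    risky = sorted({p for p in perms if p in HIGH_RISK} | ({"<all_urls>"} if broad_host else set()))
    mitb = broad_host and bool(MITB_CAPABLE & perms)   # all sites plus a way to read or change them
    if ext_id in allowlist:
        verdict = "allowlisted"
    elif mitb:
        verdict = "review: man-in-the-browser capable"
    elif risky:
        verdict = "review: elevated permissions"
    else:
        verdict = "low"
    return {"id": ext_id, "name": m.get("name"), "manifest_version": m.get("manifest_version"),
            "risky_permissions": risky, "broad_host_access": broad_host, "verdict": verdict}


def audit_all(manifests: dict[str, str], allowlist: set[str]) -> list[dict]:
    return [audit_manifest(ext_id, text, allowlist) for ext_id, text in manifests.items()]


# Constructed inputs: real extension IDs are 32 characters from a-p; these are placeholders.
ALLOWLISTED_ID = "a" * 32
SAMPLE_MANIFESTS = {
    ALLOWLISTED_ID: json.dumps({"name": "Constructed Approved Password Manager", "manifest_version": 3,
                                "permissions": ["cookies", "tabs", "storage"],
                                "host_permissions": ["<all_urls>"]}),
    "b" * 32: json.dumps({"name": "Constructed AI Chat Helper", "manifest_version": 3,
                          "permissions": ["scripting", "tabs", "storage"],
                          "host_permissions": ["<all_urls>"]}),
    "c" * 32: json.dumps({"name": "Constructed Tab Counter", "manifest_version": 2,
                          "permissions": ["tabs", "storage"]}),
    "d" * 32: json.dumps({"name": "Constructed Theme", "manifest_version": 3,
                          "permissions": ["storage"]}),
}
ALLOWLIST = {ALLOWLISTED_ID}

if __name__ == "__main__":
    for r in audit_all(SAMPLE_MANIFESTS, ALLOWLIST):
        print(f"{r['id'][:8]}... {r['name']}: {r['verdict']} {r['risky_permissions']}")
```

On a managed fleet the manifests come from each profile's Extensions directory (one subfolder per extension ID, one version folder each, containing manifest.json); anything that is not allowlisted and scores as man-in-the-browser capable is a candidate for the ExtensionInstallBlocklist policy rather than a case-by-case exception.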
