A comprehensive analysis of recent OTX pulses indicates a coordinated surge in credential theft and infostealer activity targeting both Windows and macOS ecosystems. The threat landscape is being driven by three distinct vectors: sophisticated social engineering via "ClickFix" (BackgroundFix) campaigns delivering CastleLoader and NetSupport RAT; the emergence of novel surveillance malware like KarstoRAT targeting gamers and Discord users; and a supply chain attack via the compromised Telnyx Python SDK by TeamPCP. Additionally, the "MioLab" Malware-as-a-Service (MaaS) platform has expanded its operations specifically against macOS, focusing on cryptocurrency wallet exfiltration, while malicious AI-themed browser extensions continue to proliferate, leveraging GenAI hype to deploy browser-based man-in-the-middle attacks.
Threat Actor / Malware Profile
- KarstoRAT: A newly identified remote access trojan (RAT) emerging in early 2026. It combines surveillance capabilities (webcam, audio, keylogging) with specific credential theft modules targeting Discord tokens. It utilizes HTTP for C2 communication (observed IP: 212.227.65.132) and employs the FodHelper UAC bypass technique for persistence.
- ClickFix / CastleLoader: A social engineering vector masquerading as image-editing tools or "human verification" pages. It manipulates users into copying clipboard commands that invoke finger.exe to retrieve payloads. This leads to the deployment of CastleLoader, which subsequently drops NetSupport RAT and the .NET-based "CastleStealer".
- TeamPCP: A threat actor weaponizing the Python supply chain. By uploading malicious versions of the telnyx SDK to PyPI, they use a three-stage architecture involving steganography (hiding payloads in WAV files) to deploy credential harvesters.
- MioLab (Nova): A MaaS platform heavily advertised on Russian-speaking forums targeting macOS. It features modules to steal browser credentials, cookies, and data from over 200 crypto extensions and 50+ desktop wallets.
- Malicious AI Extensions: Browser extensions posing as productivity tools (e.g., "Chat AI for Chrome", "Huiyi") that perform API interception and passive DOM observation to steal prompts and session data.
IOC Analysis
The provided pulses contain a mix of network and file-based indicators that SOC teams should immediately operationalize:
- Domains & URLs:
  - ClickFix C2: trindastal.com, poronto.com, brionter.com, giovettiadv.com.
  - MioLab Infrastructure: miolab.club, officerelaxation.com, approve-me.com, zynce.org.
  - TeamPCP C2: aquasecurtiy.org, tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io.
  - Malicious Extension C2: chatgptforchrome.com.
- IP Addresses: 38.146.28.30 (ClickFix), 212.227.65.132 (KarstoRAT).
- File Hashes: A significant volume of SHA256 and MD5 hashes are associated with the payload droppers and loaders (e.g., bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92 for CastleLoader).
Operationalization: Teams should block the listed domains and IPs at the perimeter. EDR solutions should be configured to alert on the execution of files matching the provided hashes. The domain aquasecurtiy.org is a typo-squat of the legitimate aquasec.com and should be treated as high-priority malicious.
Detection Engineering
The following detection logic targets the specific behaviors, execution chains, and infrastructure identified in the OTX pulses.
```yaml
title: Potential KarstoRAT C2 Communication
id: 4a8f9c2b-1d3e-4f5a-9b6c-7d8e9f0a1b2c
description: Detects outbound connections on 80/443 to the known KarstoRAT C2 address. Extend with User-Agent matching where proxy or web logs expose it.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/660f0e3e8f7d9b12e1c0f9e8
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    DestinationPort:
      - 80
      - 443
    DestinationIp:
      - '212.227.65.132'
  condition: selection
falsepositives:
  - Legitimate traffic to the specific IP (unlikely if reserved for C2)
level: high
tags:
  - c2
  - infostealer
  - karstorat
---
title: Suspicious Finger.exe Execution (ClickFix Indicator)
id: 5b9g0d3c-2e4f-5g6b-0c7d-8e9f1a2b3c4d
description: Detects the execution of finger.exe, which is rarely used legitimately in modern environments and is a specific indicator for ClickFix/BackgroundFix social engineering campaigns.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6610f0e3e8f7d9b12e1c0f9e9
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  condition: selection
falsepositives:
  - Legacy system administration (rare)
level: critical
tags:
  - execution
  - social_engineering
  - clickfix
---
title: Python SDK Supply Chain Compromise (TeamPCP)
id: 6c0h1e4d-3f5g-6h7c-1d8e-9f0a2b3c4d5e
description: Detects python.exe spawning msbuild.exe, powershell.exe or cmd.exe, or a python.exe child whose command line references a WAV file, indicative of the TeamPCP Telnyx SDK supply chain attack using steganography.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/6621f0e3e8f7d9b12e1c0f9ea
logsource:
  category: process_creation
  product: windows
detection:
  # The parent must be python.exe; matching any cmd.exe or powershell.exe on its own would fire on every host.
  selection_parent:
    ParentImage|endswith: '\python.exe'
  selection_child:
    Image|endswith:
      - '\msbuild.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  selection_stego:
    CommandLine|contains: '.wav'
  condition: selection_parent and (selection_child or selection_stego)
falsepositives:
  - Legitimate developer build environments
level: high
tags:
  - supply_chain
  - execution
  - steganography
```
```kql
// KQL Hunt for ClickFix and KarstoRAT Activity
// Query 1: suspicious process execution. Run the two queries separately;
// Advanced Hunting does not accept two tabular statements joined by ';'.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("finger.exe", "msbuild.exe", "python.exe")
    or ProcessCommandLine has_any ("212.227.65.132", "finger.exe", ".wav")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
    FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| sort by Timestamp desc
```

```kql
// Query 2: network IOCs (the domains and IPs from the IOC Analysis section).
// has_any matches the domain inside full URLs and subdomains, which an exact in~ match would miss.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com",
    "aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "chatgptforchrome.com",
    "miolab.club", "officerelaxation.com", "approve-me.com", "zynce.org")
    or RemoteIP in ("38.146.28.30", "212.227.65.132")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName
| sort by Timestamp desc
```
```powershell
# PowerShell Hunt Script for Infostealer Artifacts
# Checks for KarstoRAT and ClickFix related file hashes, paths and C2 connections.
# Run elevated: reading other users' AppData and querying TCP connections needs local admin.
$TargetHashes = @(
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a"
)
$C2Address = "212.227.65.132"
Write-Host "[+] Hunting for Infostealer Artifacts..." -ForegroundColor Cyan

# Scan User AppData Directories (Common for stealers).
# -File skips directories, which Get-FileHash cannot hash.
$PathsToScan = @("C:\Users\*\AppData\Roaming\", "C:\Users\*\AppData\Local\Temp\")
foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        Write-Host "[+] Scanning $Path..." -ForegroundColor Yellow
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # Get-FileHash returns upper-case hex; -in compares case-insensitively, so the
            # lower-case hashes above still match. Skip files that could not be hashed.
            if ($FileHash -and ($FileHash -in $TargetHashes)) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) (Hash: $FileHash)" -ForegroundColor Red
            }
        }
    }
}

# KarstoRAT beacons to a raw IP, so the DNS cache alone will not reveal it:
# check live TCP connections first, then any cached records that point at the C2.
Write-Host "[+] Checking for KarstoRAT C2 connections..." -ForegroundColor Yellow
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $Proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] ACTIVE C2 CONNECTION: $($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess) $($Proc.ProcessName))" -ForegroundColor Red
}
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Data -eq $C2Address } | ForEach-Object {
    Write-Host "[!] SUSPICIOUS DNS RESOLUTION: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}
```
Response Priorities
Immediate (0-24h)
- Block IOCs: Implement immediate blocks on all listed domains, IPs, and file hashes across firewalls, proxies, and EDRs.
- Hunt for ClickFix: Search endpoint logs for executions of finger.exe. Any instance is highly suspicious and likely indicates a successful social engineering attempt.
- Supply Chain Audit: Identify systems utilizing the Python telnyx SDK. Update or revert to known safe versions immediately. Scan for the presence of sysmon.py or unexpected WAV files in Python directories.
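As an added example (not Security Arsenal's or the Telnyx project's own tooling) for the Supply Chain Audit step above and the dependency-verification policy under "Within 1 Week", this Python script audits an installed distribution against the RECORD file pip writes at install time: it re-hashes every listed file, reports files the RECORD never listed, and flags the sysmon.py name and .wav files called out in this report. The package name, version, file contents and planted artifacts in build_sample are constructed so the audit runs offline; on a real host, point audit_dist at site-packages/telnyx-<version>.dist-info.

```python
import base64, csv, hashlib, tempfile
from pathlib import Path

HIGH_RISK = {"sysmon.py"}     # file name called out in the pulse summary
HIGH_RISK_SUFFIX = {".wav"}   # steganographic payload carrier
def record_hash(path: Path) -> str:
    """Hash in pip's RECORD format: sha256=<urlsafe base64, no padding>."""
    digest = hashlib.sha256(path.read_bytes()).digest()
    return "sha256=" + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def audit_dist(dist_info: Path) -> dict:
    """Audit one *.dist-info dir in site-packages: files whose hash changed,
    files RECORD never listed, and unlisted files matching high-risk names."""
    root = dist_info.parent
    with open(dist_info / "RECORD", newline="") as fh:
        listed = {row[0]: row[1] for row in csv.reader(fh) if row and row[0]}
    result = {"modified": [], "unlisted": [], "high_risk": []}
    for rel, expected in listed.items():   # RECORD lists itself with an empty hash
        if expected and (root / rel).is_file() and record_hash(root / rel) != expected:
            result["modified"].append(rel)
    # Walk each package directory RECORD claims (skip ../bin entries) for extra files.
    for top in {r.split("/")[0] for r in listed if "/" in r and not r.startswith("..")}:
        for p in (root / top).rglob("*"):
            rel = p.relative_to(root).as_posix()
            if not p.is_file() or "__pycache__" in p.parts or rel in listed:
                continue
            result["unlisted"].append(rel)
            if p.name in HIGH_RISK or p.suffix.lower() in HIGH_RISK_SUFFIX:
                result["high_risk"].append(rel)
    return {k: sorted(v) for k, v in result.items()}

def build_sample(site: Path) -> Path:
    """Constructed sample: a fake 'telnyx' install, then post-install tampering."""
    pkg, info = site / "telnyx", site / "telnyx-0.0.0.dist-info"
    for d in (pkg, info):
        d.mkdir(parents=True)
    (pkg / "__init__.py").write_text("__version__ = '0.0.0'\n")
    (pkg / "client.py").write_text("def call(): return 'ok'\n")
    rows = [(p.relative_to(site).as_posix(), record_hash(p), p.stat().st_size)
            for p in (pkg / "__init__.py", pkg / "client.py")]
    with open(info / "RECORD", "w", newline="") as fh:
        csv.writer(fh).writerows(rows + [("telnyx-0.0.0.dist-info/RECORD", "", "")])
    (pkg / "client.py").write_text("def call(): return 'patched'\n")  # tampered after install
    (pkg / "sysmon.py").write_text("# planted\n")                      # not in RECORD
    (pkg / "assets").mkdir(); (pkg / "assets" / "tone.wav").write_bytes(b"RIFF")  # not in RECORD
    return info

def run_sample() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_dist(build_sample(Path(tmp)))
```

A clean install returns three empty lists; any entry under "modified" or "high_risk" for the telnyx SDK on a production host warrants the revert described above.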
Within 24 Hours
- Credential Reset: If KarstoRAT or CastleStealer is suspected within the environment, force a password reset for privileged accounts and revoke/regenerate API keys (especially for cloud services and Discord tokens).
- Extension Audit: Review browser extension lists across the enterprise for the identified malicious AI extensions (e.g., "Chat AI for Chrome", "Huiyi", "Supersonic AI").
Within 1 Week
- macOS Hardening: For organizations with macOS endpoints, deploy IOCs related to MioLab and restrict the execution of unsigned binaries or those from unidentified developers.
- Python Policy: Enforce strict dependency verification (e.g., using pip-audit or requirements.txt pinning) to prevent future supply chain compromises.
- Application Control: Implement application whitelisting to prevent the execution of finger.exe and other legacy binaries not required for business operations.