KarstoRAT, MioLab MaaS & ClickFix Campaigns: OTX Pulse Analysis — Enterprise Detection Pack | Security Arsenal

Threat Summary

Recent OTX pulses indicate a coordinated surge in credential theft activity across diverse vectors, ranging from novel Remote Access Trojans (KarstoRAT) to sophisticated Malware-as-a-Service platforms targeting macOS (MioLab). Adversaries are leveraging social engineering lures like "ClickFix" (masquerading as background fix tools) and supply chain attacks on the Python Package Index (PyPI) via the Telnyx SDK. Additionally, malicious AI-themed browser extensions are proliferating, designed to hijack GenAI interactions and steal session data. The collective objective is to harvest browser credentials, cryptocurrency wallet keys, and session tokens for financial gain.

Threat Actor / Malware Profile

KarstoRAT

Distribution: Gaming lure pages and Discord token stealer campaigns.
Behavior: Comprehensive surveillance including keylogging, webcam access, and audio capture.
C2: Communicates via HTTP to 212.227.65[.]132.
Persistence: Uses FodHelper UAC bypass technique.
Anti-Analysis: Standard obfuscation often found in novel RATs.

ClickFix / CastleLoader

Distribution: Fake image-editing tools ("BackgroundFix") using social engineering to copy malicious commands to the clipboard.
Behavior: Uses Windows finger.exe to retrieve payloads. Drops NetSupport RAT and CastleStealer (.NET infostealer).
Persistence: Reflective loading in memory to avoid disk-based detection.

TeamPCP (Telnyx SDK)

Distribution: Compromised Python SDK on PyPI (telnyx).
Behavior: Three-stage attack. Downloads payloads hidden in WAV files using steganography.
Objective: Credential harvesting and exfiltration.

MioLab (Nova)

Distribution: Advertised on Russian underground forums as MaaS.
Target: macOS environments specifically.
Behavior: Steals browser data (200+ extensions), crypto wallets (50+ desktop apps).
Infrastructure: Uses bulletproof hosting and domains like mioisiskwowiwjowuwjwolab.club.

Malicious AI Extensions

Distribution: Chrome Web Store extensions mimicking productivity tools (e.g., "Chat AI for Chrome").
Behavior: Man-in-the-middle attacks on DOM, API interception for prompts, and traffic proxying.

IOC Analysis

The provided indicators are varied, requiring a multi-layered defense approach:

File Hashes (SHA256/MD5): Payloads for KarstoRAT, CastleLoader, and malicious extensions. These should be loaded into EDR quarantine lists and scanned via YARA rules.
Domains: Infrastructure includes trindastal.com, poronto.com (ClickFix), aquasecurtiy.org (TeamPCP typo-squatting), and chatgptforchrome.com. These must be blocked at DNS resolvers and proxies.
IPs: 38.146.28.30 and 212.227.65[.]132 serve as C2 nodes. Block outbound traffic to these IPs.
CVEs: CVE-2025-55182 is associated with the malicious browser extensions; patch management is critical.

Detection Engineering

Sigma Rules

YAML

---
title: Potential KarstoRAT FodHelper UAC Bypass
id: 45b0e9d6-7d4a-4a9b-9e1c-4f5a6b7c8d9e
status: experimental
description: Detects the usage of FodHelper.exe to bypass UAC, a technique associated with KarstoRAT and other commodity malware.
references:
    - https://www.levelblue.com/hubfs/Web/Library/Documents_pdf/TTR-Spotlight-Novel-KarstoRAT-Malware.pdf
author: Security Arsenal
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\fodhelper.exe'
        CommandLine|contains: 'powershell'
    condition: selection
falsepositives:
    - Legitimate administrative usage
level: high
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - karstorat
---
title: ClickFix BackgroundFix Suspicious Finger.exe Usage
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the execution of finger.exe triggered by a background process or script, characteristic of the ClickFix "BackgroundFix" lure loading CastleLoader.
references:
    - https://www.huntress.com/blog/clickfix-castleloader-backgroundfix
author: Security Arsenal
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\finger.exe'
    filter:
        ParentImage|endswith: '\\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Rare legitimate usage
level: critical
tags:
    - attack.execution
    - clickfix
    - castleloader
---
title: TeamPCP Telnyx SDK Supply Chain MSBuild Compromise
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects suspicious MSBuild execution patterns often used in Python SDK supply chain attacks to execute code or fetch steganography payloads.
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
author: Security Arsenal
date: 2026/05/07
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\msbuild.exe'
        CommandLine|contains: ['http', 'ftp', 'tmp']
    condition: selection
falsepositives:
    - Legitimate developer builds using external resources
level: high
tags:
    - attack.initial_access
    - attack.supply_chain
    - teampcp

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for ClickFix, KarstoRAT, and TeamPCP Network Artifacts
let MaliciousDomains = dynamic(['trindastal.com', 'poronto.com', 'brionter.com', 'aquasecurtiy.org', 'chatgptforchrome.com', 'giovettiadv.com']);
let MaliciousIPs = dynamic(['38.146.28.30', '212.227.65.132']);
DeviceNetworkEvents
| where RemoteUrl in MaliciousDomains or RemoteIP in MaliciousIPs
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

PowerShell

<#
    IOC Hunt Script for KarstoRAT, ClickFix, and Malicious Extensions
    Scans for specific file hashes provided in the OTX pulse.
#>

$TargetHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5",
    "2422f04227fa86a149aed35d82f9a7fc"
)

Write-Host "[*] Starting scan for known malicious hashes..." -ForegroundColor Cyan

$DrivesToScan = @("C:\")

foreach ($Drive in $DrivesToScan) {
    Write-Host "[*] Scanning $Drive..." -ForegroundColor Yellow
    
    Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue | 
    ForEach-Object {
        $FilePath = $_.FullName
        try {
            $Hash = (Get-FileHash -Path $FilePath -Algorithm SHA256 -ErrorAction Stop).Hash
            if ($TargetHashes -contains $Hash) {
                Write-Host "[!] MATCH FOUND: $FilePath (Hash: $Hash)" -ForegroundColor Red
            }
        } catch {
            # Ignore access errors
        }
    }
}

Write-Host "[*] Scan complete." -ForegroundColor Green

Response Priorities

Immediate: Block all listed domains and IPs (38.146.28.30, trindastal.com, etc.) on perimeter firewalls and proxies. Quarantine endpoints matching the provided file hashes.
24h: Conduct a credential audit for users who may have interacted with "BackgroundFix" lures or installed AI browser extensions. Force password resets and token revocation for suspected accounts. Remove unauthorized Python packages (telnyx versions matching TeamPCP).
1 week: Review Python package repository usage and enforce strict supply chain policies (pinned dependencies, signatures). Implement application whitelisting to prevent finger.exe and msbuild.exe abuse from non-dev contexts. Update macOS endpoint detection rules for MioLab persistence mechanisms.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

KarstoRAT, MioLab MaaS & ClickFix Campaigns: OTX Pulse Analysis — Enterprise Detection Pack