
KarstoRAT Surveillance & ClickFix/CastleLoader Campaigns: OTX Pulse Analysis

Security Arsenal Team
May 5, 2026

Recent OTX pulses highlight a convergence of sophisticated Remote Access Trojans (RATs) and supply chain attacks targeting enterprise environments. The intelligence landscape is dominated by three distinct active threats: KarstoRAT, a novel surveillance-focused Trojan; the ClickFix campaign utilizing social engineering to deliver CastleLoader and NetSupport RAT; and a TeamPCP supply chain attack targeting the Python ecosystem via a compromised Telnyx SDK.

Collectively, these campaigns indicate a shift toward "living-off-the-land" binaries (LOLBins) like finger.exe and fodhelper.exe for evasion, coupled with steganography and typosquatting to bypass static detection. The primary objective across these actors is comprehensive credential harvesting (Discord tokens, system credentials), persistent surveillance, and establishing remote footholds for follow-on exploitation.

Threat Actor / Malware Profile

1. KarstoRAT (Novel Malware)

  • Distribution: Gaming lure pages and fraudulent software downloads.
  • Behavior: A full-featured surveillance suite capable of keylogging, screen/audio capture, and webcam monitoring.
  • C2 Communication: Communicates via HTTP to infrastructure such as 212.227.65[.]132.
  • Persistence: Abuses the fodhelper.exe UAC bypass technique (T1548.002) to elevate without a prompt and establish persistence.
  • Anti-Analysis / Stealing: Ships Discord token stealing modules and likely employs obfuscation to hinder reverse engineering.

2. ClickFix / CastleLoader

  • Distribution: "BackgroundFix" fake image-editing tool employing ClickFix social engineering. Users are tricked into copying malicious commands to their clipboard.
  • Execution Chain: The copied commands invoke finger.exe (a legacy LOLBin) to retrieve payloads. This drops CastleLoader, a reflective loader.
  • Payloads: Deploys NetSupport RAT (legitimate remote admin software abused for C2) and a custom .NET stealer (CastleStealer).
  • Persistence: Established via NetSupport RAT configurations.

3. TeamPCP (Supply Chain)

  • Vector: Typosquatting and compromise of the Telnyx Python SDK on PyPI (750k+ monthly downloads).
  • Execution Chain: The trojanized package triggers a platform-specific loader. It downloads a second-stage payload hidden within a WAV file using steganography.
  • Payload: A credential harvester that encrypts and exfiltrates stolen data.
  • Infrastructure: Uses domains mimicking legitimate security entities (e.g., aquasecurtiy.org).
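Added example, not code from the pulse or the Security Arsenal team: a scanner for the WAV carrier described above. The pulse does not say how the second stage is embedded, so this assumes the two simplest carriers, a non-standard RIFF chunk or bytes appended after the declared RIFF payload, and flags both; the sample files are constructed inline.

```python
import struct

# Chunk ids a well-formed WAV commonly contains; anything else deserves a look
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK", b"bext", b"id3 ", b"JUNK"}

def scan_wav(buf: bytes) -> list:
    """Return findings describing where a WAV could be carrying hidden data."""
    findings = []
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    riff_size = struct.unpack_from("<I", buf, 4)[0]
    declared_end = 8 + riff_size            # RIFF size counts everything after the 8-byte header
    if declared_end < len(buf):
        findings.append(f"{len(buf) - declared_end} trailing bytes after RIFF payload")
    elif declared_end > len(buf):
        findings.append("RIFF size exceeds file length (truncated?)")
    pos, end = 12, min(declared_end, len(buf))
    while pos + 8 <= end:
        cid = buf[pos:pos + 4]
        size = struct.unpack_from("<I", buf, pos + 4)[0]
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk {cid!r} ({size} bytes) at offset {pos}")
        pos += 8 + size + (size & 1)        # RIFF chunks are padded to an even length
    if pos != end:
        findings.append("chunk sizes do not line up with the RIFF size")
    return findings

def build_wav(extra_chunks: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed test input: a minimal 8-bit mono PCM WAV, optionally with extra material."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    data = b"\x80" * 16
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(data)) + data + extra_chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body + trailer

if __name__ == "__main__":
    hidden = b"hidn" + struct.pack("<I", 6) + b"PAYLOA"   # constructed, not a real sample
    for name, wav in (("clean", build_wav()), ("tampered", build_wav(hidden, b"X" * 100))):
        print(name, scan_wav(wav) or "no findings")
```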

IOC Analysis

The provided pulses contain 83 total indicators, requiring immediate operationalization:

  • File Hashes (SHA256/MD5): High-confidence indicators for KarstoRAT, CastleLoader, and the malicious Python packages. These should be fed into EDR quarantine mechanisms and SIEM correlation rules.
  • Domains & URLs: Key indicators include typosquatted domains (aquasecurtiy.org, trindastal.com) and specific C2 infrastructure. Immediate DNS blocking is required.
  • IP Addresses: Specific C2 IPs (e.g., 212.227.65.132, 38.146.28.30) are critical for firewall blacklisting.
  • Operationalization: SOC teams should prioritize the SHA256 hashes in the "Threat Summary" above all others for endpoint scanning. The domains should be added to RPZ (Response Policy Zone) lists.
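Added example, not from the pulse or the Security Arsenal team: a small Python helper that refangs indicators as they are quoted in this post, separates IPs from domains so each goes to the right control, and renders the RPZ records the last bullet calls for. The RPZ origin and serial are placeholders; the indicator list mixes values from this post with two constructed entries to exercise the parsing.

```python
import ipaddress
import re

# Indicators from this post plus two constructed entries (a defanged URL and junk)
RAW_IOCS = ["212.227.65[.]132", "38.146.28.30", "aquasecurtiy[.]org", "trindastal.com",
            "hxxp://aquasecurtiy[.]org/update", "notanindicator"]

def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) and reduce a URL to its host."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    v = re.sub(r"^hxxps?://", "http://", v, flags=re.IGNORECASE)
    v = re.sub(r"^https?://", "", v, flags=re.IGNORECASE)
    return v.split("/")[0].lower()

def classify(values):
    """Split refanged indicators into IPs and domains, dropping anything unparseable."""
    ips, domains = set(), set()
    for raw in values:
        host = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(host)))
            continue
        except ValueError:
            pass
        if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", host):
            domains.add(host)
    return sorted(ips), sorted(domains)

def rpz_zone(domains, origin="rpz.local", serial=2026050501) -> str:
    """Render an RPZ zone that returns NXDOMAIN for each domain and its subdomains."""
    lines = [f"$ORIGIN {origin}.", "$TTL 60",
             f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 600 86400 60",
             f"@ IN NS ns.{origin}."]
    for d in domains:
        lines.append(f"{d} CNAME .")        # CNAME . is the RPZ NXDOMAIN action
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    ips, domains = classify(RAW_IOCS)
    print("firewall block list:", ips)
    print(rpz_zone(domains))
```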

Detection Engineering

```yaml
title: Potential KarstoRAT UAC Bypass via FodHelper
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects the usage of fodhelper.exe to bypass UAC, a technique observed in the KarstoRAT campaign. Fodhelper is a LOLBin rarely used legitimately by end-users.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6262a8f0844f9a5b6c7d8e9f
tags:
    - attack.defense_evasion
    - attack.t1548.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\fodhelper.exe'
    # Only the interactive launch from the shell is filtered. cmd.exe is not
    # excluded: the bypass is normally triggered from a command shell or the
    # malware's own process, so filtering it would hide the case we want to see.
    filter_explorer:
        ParentImage|endswith: '\explorer.exe'
    condition: selection and not filter_explorer
falsepositives:
    - Legitimate administrative use (rare)
level: high
---
title: Suspicious Finger.exe Execution (ClickFix/CastleLoader)
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects finger.exe initiating an outbound network connection. The ClickFix campaign uses this legacy LOLBin to retrieve payloads; legitimate use on modern endpoints is very rare.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6273b9f19550b6c7d8e9f0a
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legacy network administration tasks (very rare)
level: critical
---
title: Malicious Telnyx SDK Steganography Loader (TeamPCP)
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects execution of msbuild.exe or python.exe loading suspicious WAV files or contacting typosquatted domains associated with the TeamPCP Telnyx SDK supply chain attack.
status: experimental
date: 2026/05/05
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6284c0a20661c7d8e9f0a1b
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_msbuild:
        Image|endswith: '\msbuild.exe'
        CommandLine|contains: '.wav'
    selection_python:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'telnyx'
    condition: 1 of selection_*
falsepositives:
    - Legitimate development builds involving audio assets
    - Legitimate use of the Telnyx SDK; confirm hits against the typosquatted domains from the pulse
level: high
```


```kql
// KQL hunt for KarstoRAT and ClickFix indicators (Microsoft Defender advanced hunting)
// C2 domains and IPs from the pulses
let IoC_Domains = dynamic(["aquasecurtiy.org", "trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com"]);
let IoC_IPs = dynamic(["212.227.65.132", "38.146.28.30"]);
// LOLBins abused for UAC bypass (fodhelper.exe) and payload retrieval (finger.exe)
let SuspiciousProcesses = dynamic(["fodhelper.exe", "finger.exe"]);
DeviceNetworkEvents
// RemoteUrl may carry a full URL, so match the hostname rather than requiring equality
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| union (DeviceProcessEvents
    // in~ is case-insensitive; image names vary in case across sources
    | where FileName in~ (SuspiciousProcesses)
    | where InitiatingProcessFileName !in~ ("explorer.exe", "services.exe"))
| project Timestamp, DeviceName, ActionType, FileName, RemoteUrl, RemoteIP, InitiatingProcessFileName, SHA256
| order by Timestamp desc
```


```powershell
# PowerShell IOC Hunt Script for KarstoRAT & ClickFix
# Checks for file presence, network connections, DNS cache hits, and registry persistence

$MaliciousHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a"
)

# Get-NetTCPConnection reports IP addresses only, so domains are checked
# against the DNS client cache rather than against live sockets
$C2_IPs     = @("212.227.65.132", "38.146.28.30")
$C2_Domains = @("aquasecurtiy.org", "trindastal.com")

Write-Host "[+] Hunting for KarstoRAT and ClickFix artifacts..." -ForegroundColor Cyan

# 1. Check for malicious files in common temp/appdata directories
Write-Host "[*] Checking for malicious file hashes..." -ForegroundColor Yellow
$PathsToScan = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA")

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            # -in is case-insensitive, so the uppercase hex from Get-FileHash matches the list
            if ($hash -in $MaliciousHashes) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# 2. Check network connections to C2 infrastructure and sockets owned by the abused LOLBins
Write-Host "[*] Checking active network connections to known C2..." -ForegroundColor Yellow
Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object {
    $C2_IPs -contains $_.RemoteAddress -or
    ($_.OwningProcess -and (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -match "^(finger|fodhelper)$")
} | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Write-Host "[!] SUSPICIOUS CONNECTION: RemoteIP=$($_.RemoteAddress) Process=$($proc.ProcessName) PID=$($_.OwningProcess)" -ForegroundColor Red
}

# A resolved C2 domain in the DNS cache shows the host looked it up even if the socket has since closed
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry
    @($C2_Domains | Where-Object { $entry -like "*$_" }).Count -gt 0
} | ForEach-Object {
    Write-Host "[!] C2 DOMAIN IN DNS CACHE: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}

# 3. Check Run keys for persistence (common with RATs)
Write-Host "[*] Checking Registry Run Keys for persistence..." -ForegroundColor Yellow
$RunPaths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($Path in $RunPaths) {
    if (Test-Path $Path) {
        $props = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).PSObject.Properties
        # Keep only values that launch a script or executable (quoted or not, with or without arguments)
        $props | Where-Object { $_.Value -is [string] -and $_.Value -match '\.(exe|bat|vbs|ps1)"?(\s|$)' } | ForEach-Object {
            # Basic heuristic: flag entries whose path names the lure tool or the payloads from the pulses.
            # Discord's own updater also registers here, so verify the path before acting on a hit.
            $filePath = $_.Value -replace '^"', '' -replace '"$', ''
            if ($filePath -match "(BackgroundFix|NetSupport|Discord)") {
                Write-Host "[!] SUSPICIOUS PERSISTENCE: $($_.Name) = $filePath" -ForegroundColor Red
            }
        }
    }
}
Write-Host "[+] Hunt complete." -ForegroundColor Green
```

Response Priorities

  • Immediate (0-4 hours): Block all listed domains (aquasecurtiy.org, trindastal.com) and IPs (212.227.65.132, 38.146.28.30) at the perimeter and proxy. Initiate a hunt for the SHA256 file hashes provided in the IOC Analysis on all endpoints.
  • 24 Hours: Conduct a credential audit for users who may have interacted with the "BackgroundFix" lure or installed the Telnyx Python SDK recently. Reset Discord and corporate passwords for affected accounts.
  • 1 Week: Review software development policies regarding PyPI/package usage. Implement application control policies to block finger.exe and fodhelper.exe for standard users. Update YARA/Sigma rules to include the steganography and loader behaviors identified in the TeamPCP pulse.
