Threat Summary
Recent intelligence pulses indicate a surge in diverse attack vectors ranging from novel Remote Access Trojans (RATs) to sophisticated supply chain compromises. The primary threats identified include KarstoRAT, a new surveillance-focused malware using gaming lures; ClickFix, a social engineering campaign distributing CastleLoader and NetSupport RAT via fake image-editing tools; and TeamPCP, a threat actor weaponizing the legitimate Telnyx Python SDK on PyPI to deliver credential harvesters via steganography. Collectively, these campaigns emphasize a shift toward multi-stage payloads designed for extensive credential theft, token hijacking, and persistent surveillance.
Threat Actor / Malware Profile
KarstoRAT
- Distribution: Disguised as gaming lure pages targeting gamers and general users.
- Capabilities: Performs system reconnaissance, keylogging, screen/audio capture, and webcam monitoring. Notably, it targets Discord tokens and utilizes the FodHelper exploit for UAC bypass.
- C2 Communication: Communicates via HTTP with the infrastructure
212.227.65[.]132.
ClickFix (CastleLoader/NetSupport RAT)
- Distribution: "BackgroundFix" fake image-editing tool utilizing social engineering. Victims copy clipboard commands invoking
finger.exeto fetch payloads. - Payload Behavior: Uses a reflective loader (CastleLoader) to drop NetSupport RAT and CastleStealer (.NET stealer).
- Persistence: Established via NetSupport RAT's standard persistence mechanisms and reflective loading.
TeamPCP (Telnyx SDK Compromise)
- Distribution: Supply chain attack via malicious versions of the
telnyxPython SDK on PyPI (750k monthly downloads). - Payload Behavior: A 3-stage architecture where the trojanized package triggers a loader, which downloads a second-stage payload hidden inside a WAV file using steganography. Final stage includes a credential harvester.
- Infrastructure: Uses spoofed domains like
aquasecurtiy.org(typo-squatting) and raw GitHub content delivery.
IOC Analysis
The provided intelligence includes a mix of network and file-based indicators:
- Domains & IPs: SOC teams should immediately block
212.227.65.132(KarstoRAT C2),38.146.28.30(ClickFix), and associated domains includingtrindastal.com,poronto.com,brionter.com, andaquasecurtiy.org. - File Hashes: A significant volume of SHA256 and MD5 hashes are provided for the payloads (KarstoRAT, CastleLoader, TeamPCP harvesters). These should be uploaded to EDR allowlists/denylists immediately.
- Operationalization: Network IOCs should be enforced at the firewall and proxy level. File IOCs should be used to initiate retrospective hunts across endpoints using EDR or SIEM correlation.
Detection Engineering
YAML
---
title: Potential KarstoRAT UAC Bypass via FodHelper
id: 6678b9d1-8a3c-4c2b-9d5e-1f2a3b4c5d6e
description: Detects execution of fodhelper.exe to bypass UAC, a technique observed in KarstoRAT campaigns.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/
tags:
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\fodhelper.exe'
condition: selection
falsepositives:
- Legitimate administrative activity
level: high
---
title: Suspicious Finger.exe Execution (ClickFix Campaign)
id: 7778c9e2-9b4d-5d3c-0e6f-2g3b4c5d6e7f
description: Detects execution of finger.exe, which is abused in ClickFix campaigns to retrieve malicious payloads via clipboard commands.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Very rare in modern environments
level: high
---
title: Python Spawning MSBuild (TeamPCP Supply Chain)
id: 8889d0f3-0c5e-6e4d-1f7g-3h4c5d6e7f8g
description: Detects python.exe spawning msbuild.exe, a technique observed in the TeamPCP PyPI supply chain attack.
status: experimental
date: 2026/05/06
author: Security Arsenal
references:
- https://otx.alienvault.com/
tags:
- attack.execution
- attack.t1127.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\python.exe'
Image|endswith: '\msbuild.exe'
condition: selection
falsepositives:
- Legitimate build scripts by developers
level: medium
KQL (Microsoft Sentinel)
KQL — Microsoft Sentinel / Defender
// Hunt for malicious domains and IPs associated with KarstoRAT, ClickFix, and TeamPCP
DeviceNetworkEvents
| where RemoteUrl in~ ("trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org")
or RemoteIP in ("212.227.65.132", "38.146.28.30")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
| extend IOCLookup = "Network Traffic"
kql
// Hunt for suspicious process execution chains (finger.exe, fodhelper.exe, python->msbuild)
DeviceProcessEvents
| where FileName in~ ("finger.exe", "fodhelper.exe")
or (FileName == "msbuild.exe" and InitiatingProcessFileName == "python.exe")
| project Timestamp, DeviceName, FileName, CommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend Tactic = "Execution/Evasion"
PowerShell Hunt Script
PowerShell
<#
.SYNOPSIS
Hunt script for KarstoRAT, ClickFix, and TeamPCP indicators.
.DESCRIPTION
Checks DNS cache for malicious domains, active connections for C2 IPs, and suspicious processes.
#>
# Malicious IOCs from Pulses
$MaliciousDomains = @("trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org")
$MaliciousIPs = @("212.227.65.132", "38.146.28.30")
$SuspiciousProcs = @("finger.exe", "fodhelper.exe", "msbuild.exe")
Write-Host "[+] Checking DNS Cache for Malicious Domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
if ($DnsCache) {
foreach ($Domain in $MaliciousDomains) {
$Match = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
if ($Match) {
Write-Host "[!] ALERT: Found malicious domain entry in DNS cache: $Domain" -ForegroundColor Red
}
}
}
Write-Host "[+] Checking Active TCP Connections for C2 IPs..."
$TCPConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
if ($TCPConnections) {
foreach ($IP in $MaliciousIPs) {
$Match = $TCPConnections | Where-Object { $_.RemoteAddress -eq $IP }
if ($Match) {
Write-Host "[!] ALERT: Active connection to C2 IP detected: $IP (Owning Process PID: $($Match.OwningProcess))" -ForegroundColor Red
}
}
}
Write-Host "[+] Checking for Suspicious Processes..."
$Processes = Get-Process -ErrorAction SilentlyContinue
foreach ($ProcName in $SuspiciousProcs) {
$Match = $Processes | Where-Object { $_.ProcessName -eq $ProcName }
if ($Match) {
Write-Host "[!] WARNING: Suspicious process running: $ProcName (PID: $($Match.Id))" -ForegroundColor Yellow
}
}
Write-Host "[+] Hunt Complete."
Response Priorities
- Immediate: Block all listed domains and IPs at the perimeter. Initiate a hunt for
finger.exeandfodhelper.exeexecution events across endpoints. - 24h: If credential-thealing malware (CastleStealer, KarstoRAT) is suspected, initiate a reset of Discord tokens and stored browser credentials for potentially affected users. Audit Python environments for the malicious
telnyxpackage versions. - 1 Week: Implement application control policies to restrict
msbuild.exeandfinger.exeto legitimate users only. Conduct a review of software supply chain security and PyPI package usage within the organization.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
darkwebotx-pulsedarkweb-aptkarstoratclickfixteampcpsupply-chainrat
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.