
KarstoRAT Surveillance & TeamPCP Supply Chain: OTX Pulse Analysis — RAT & Loader Detection Pack

Security Arsenal Team
May 6, 2026
5 min read

OTX Pulse data for the week of 2026-05-06 indicates a convergence of distinct, high-impact threat vectors targeting enterprise environments and software supply chains. The intelligence highlights three separate but active campaigns:

  1. KarstoRAT Campaign: A novel Remote Access Trojan (RAT) emphasizing surveillance and data theft, utilizing the FodHelper UAC bypass for persistence and HTTP for C2 communications.
  2. ClickFix / CastleLoader: A social engineering campaign masquerading as a "BackgroundFix" image tool. It abuses legitimate Windows utilities (finger.exe) to fetch payloads, ultimately delivering NetSupport RAT and CastleStealer.
  3. TeamPCP Supply Chain Attack: A sophisticated compromise of the Python Package Index (PyPI) involving a trojanized Telnyx SDK. This campaign uses steganography to hide second-stage payloads within WAV files to evade detection.

Collective Objective: These campaigns primarily seek credential harvesting, persistent remote access, and surveillance. The inclusion of supply chain tactics (TeamPCP) and social engineering (ClickFix) suggests a broadened attack surface designed to bypass traditional perimeter defenses.

Threat Actor / Malware Profile

KarstoRAT

  • Type: Remote Access Trojan (RAT)
  • Distribution: Currently unknown, likely phishing or gaming-related lures based on tags.
  • Capabilities: System reconnaissance, keylogging, screenshot/audio capture, webcam monitoring, token theft.
  • Persistence: Utilizes the FodHelper exploit to bypass User Account Control (UAC).
  • C2: Communicates via HTTP to 212.227.65[.]132.

ClickFix (CastleLoader / NetSupport RAT)

  • Type: Social Engineering Loader / RAT
  • Distribution: Fake "BackgroundFix" image editing tools; "ClickFix" browser verification scams.
  • Capabilities: Remote desktop control (NetSupport), credential/data theft (CastleStealer).
  • Execution Chain: User copies command to clipboard -> finger.exe execution -> retrieves CastleLoader -> drops NetSupport RAT / CastleStealer.
  • C2 Infrastructure: Domains include trindastal.com, poronto.com, brionter.com.

TeamPCP

  • Type: Supply Chain Attack / Credential Harvester
  • Distribution: Malicious packages uploaded to PyPI (Python Package Index), specifically targeting the telnyx SDK ecosystem.
  • Capabilities: Exfiltration of system credentials and environment variables.
  • Evasion: Uses steganography to hide malicious payloads inside WAV audio files.
  • Infrastructure: Uses typosquatting domains like aquasecurtiy.org for C2.

IOC Analysis

The provided IOCs span multiple infrastructure types and artifacts, requiring a multi-layered detection approach:

  • File Hashes (SHA256/MD5): Over 20 unique hashes provided across the pulses. These correspond to the KarstoRAT binaries, CastleLoader components, and the malicious Python packages. SOC teams should prioritize scanning VDI and user directories for these specific hashes.
  • Network Infrastructure (IPv4/Domains):
    • 212.227.65.132: KarstoRAT C2.
    • 38.146.28.30: ClickFix infrastructure.
    • trindastal.com, poronto.com, brionter.com: ClickFix C2/Distribution.
    • aquasecurtiy.org: TeamPCP C2 (not associated with legitimate Aqua Security).
  • Operational Guidance:
    • Block all listed domains and IPs at the perimeter firewall and proxy servers.
    • SIEM correlations should trigger on any outbound HTTP connections to 212.227.65.132 or non-standard ports (e.g., :688) to giovettiadv.com.
    • Investigate any processes resolving to the typosquatted aquasecurtiy.org.
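As an added example (not part of the Security Arsenal post), the following Python script applies the IOC list above to constructed proxy-style log lines: the two IPs, the ClickFix and TeamPCP domains (matched on a label boundary so the legitimate aquasecurity.org never matches the typosquat), and giovettiadv.com on a non-standard port. The log line format, the internal source addresses, and the set of ports treated as standard for giovettiadv.com are assumptions for the example; the indicators themselves are the ones listed on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Network IOCs exactly as listed in this pulse analysis (defanging removed).
IOC_IPS = {
    "212.227.65.132": "KarstoRAT C2",
    "38.146.28.30": "ClickFix infrastructure",
}
IOC_DOMAINS = {
    "trindastal.com": "ClickFix C2/Distribution",
    "poronto.com": "ClickFix C2/Distribution",
    "brionter.com": "ClickFix C2/Distribution",
    "aquasecurtiy.org": "TeamPCP C2 (typosquat of Aqua Security)",
}
# The page flags giovettiadv.com only on non-standard ports (e.g. 688); which
# ports count as "standard" is an assumption made for this example.
PORT_WATCH = {"giovettiadv.com": {80, 443}}

# Constructed log format (assumed for the example, not any vendor's schema):
#   <timestamp> src=<ip> dst=<ip-or-host> port=<n> proto=<name>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) proto=(?P<proto>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    label: str


def domain_matches(host: str, ioc: str) -> bool:
    """True for the IOC domain itself or any subdomain of it. Matching on a
    label boundary keeps aquasecurity.org from matching aquasecurtiy.org."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def classify(dst: str, port: int) -> Optional[str]:
    """Return a label if dst:port matches an IOC, otherwise None."""
    if dst in IOC_IPS:
        return IOC_IPS[dst]
    for ioc, label in IOC_DOMAINS.items():
        if domain_matches(dst, ioc):
            return label
    for watched, normal_ports in PORT_WATCH.items():
        if domain_matches(dst, watched) and port not in normal_ports:
            return f"non-standard port {port} to {watched}"
    return None


def scan_logs(lines) -> List[Hit]:
    """Parse each line and collect IOC hits; unparsable lines are skipped,
    not fatal, so one bad record cannot abort a hunt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        port = int(m["port"])
        label = classify(m["dst"], port)
        if label:
            hits.append(Hit(m["ts"], m["src"], m["dst"], port, label))
    return hits


# Constructed sample lines (not real telemetry); sources are RFC 1918 addresses.
SAMPLE_LOGS = [
    "2026-05-06T09:12:01Z src=10.0.4.21 dst=212.227.65.132 port=80 proto=http",
    "2026-05-06T09:12:05Z src=10.0.4.21 dst=www.example.com port=443 proto=https",
    "2026-05-06T09:13:40Z src=10.0.4.33 dst=cdn.trindastal.com port=443 proto=https",
    "2026-05-06T09:14:02Z src=10.0.4.33 dst=aquasecurity.org port=443 proto=https",
    "2026-05-06T09:14:09Z src=10.0.4.33 dst=aquasecurtiy.org port=443 proto=https",
    "2026-05-06T09:15:22Z src=10.0.4.50 dst=giovettiadv.com port=688 proto=http",
    "2026-05-06T09:15:30Z src=10.0.4.50 dst=giovettiadv.com port=443 proto=https",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.port}  [{h.label}]")
```

Run against the sample, four lines fire (the KarstoRAT C2 IP, a subdomain of a ClickFix domain, the typosquat, and giovettiadv.com on port 688); the genuine aquasecurity.org line and the giovettiadv.com line on 443 stay quiet, which is the behaviour a substring match on the domain list would not give you.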

Detection Engineering

Sigma Rules

YAML
---
title: KarstoRAT FodHelper UAC Bypass
id: 7b7b8b8b-8b8b-8b8b-8b8b-8b8b8b8b8b8b
description: Detects registry modification used by KarstoRAT for FodHelper UAC bypass via HKCU Environment registry keys.
status: experimental
date: 2026/05/06
author: Security Arsenal
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains: 'Environment\Debug'
    Details|contains: 'fodhelper.exe'
  condition: selection
falsepositives:
  - Legitimate administration usage (rare)
level: critical
tags:
  - attack.privilege_escalation
  - attack.t1548.002
---
title: Suspicious Finger.exe Execution (ClickFix)
id: 9c9c9c9c-9c9c-9c9c-9c9c-9c9c9c9c9c9c
description: Detects the execution of finger.exe, which is abused by ClickFix campaigns to retrieve malicious payloads.
status: experimental
date: 2026/05/06
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\finger.exe'
  # No parent-process filter: the ClickFix chain launches finger.exe from the
  # pasted command's shell (cmd.exe/powershell.exe under System32), so excluding
  # System32 parents would suppress exactly the activity this rule targets.
  condition: selection
falsepositives:
  - Rare legitimate administrative usage (triage on the command line and parent process)
level: high
tags:
  - attack.command_and_control
  - attack.t1105
---
title: TeamPCP PyPI Supply Chain Steganography Loader
id: 1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a
description: Detects Python processes downloading .wav files or suspicious network connections indicative of the TeamPCP steganography payload.
status: experimental
date: 2026/05/06
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection_python:
    Image|endswith: '\python.exe'
  selection_suspicious:
    Initiated: 'true'
    DestinationHostname|contains:
      - 'raw.icp0.io'
      - 'aquasecurtiy.org'
  condition: selection_python and selection_suspicious
falsepositives:
  - Legitimate developer tool usage (rare for these domains)
level: critical
tags:
  - attack.initial_access
  - attack.t1195.002
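To show how these three selections behave against concrete telemetry, here is an added Python example (not the post's own tooling) that implements only the Sigma modifiers the rules use (exact match, |contains, |endswith, and lists as OR, all case-insensitive as Sigma specifies) and evaluates each rule's detection section against constructed Sysmon-shaped events. The event ids, file paths and the browser executable name are made up; the field names and values are those of the rules above, with the finger.exe rule evaluated on its selection alone because cmd.exe and powershell.exe parents are the ClickFix path.

```python
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]


def field_matches(event: Event, field_spec: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier: value' pair. A list of values means OR.
    Sigma string matching is case-insensitive, so both sides are lowered."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if modifier == "" and actual == value:
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Every field pair inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


# Detection sections transcribed from the three Sigma rules on this page.
RULES = [
    {
        "title": "KarstoRAT FodHelper UAC Bypass",
        "logsource": "registry_set",
        "selections": {"selection": {
            "EventType": "SetValue",
            "TargetObject|contains": "Environment\\Debug",
            "Details|contains": "fodhelper.exe",
        }},
        "condition": lambda m: m["selection"],
    },
    {
        "title": "Suspicious Finger.exe Execution (ClickFix)",
        "logsource": "process_creation",
        "selections": {"selection": {"Image|endswith": "\\finger.exe"}},
        "condition": lambda m: m["selection"],
    },
    {
        "title": "TeamPCP PyPI Supply Chain Steganography Loader",
        "logsource": "network_connection",
        "selections": {
            "selection_python": {"Image|endswith": "\\python.exe"},
            "selection_suspicious": {
                "Initiated": "true",
                "DestinationHostname|contains": ["raw.icp0.io", "aquasecurtiy.org"],
            },
        },
        "condition": lambda m: m["selection_python"] and m["selection_suspicious"],
    },
]


def evaluate(rule: Dict[str, Any], event: Event) -> bool:
    """Apply one rule to one event; the event must come from the rule's logsource."""
    if event.get("logsource") != rule["logsource"]:
        return False
    matched = {name: selection_matches(event, sel) for name, sel in rule["selections"].items()}
    return bool(rule["condition"](matched))


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule title, event id) for every rule/event pair that fires."""
    return [(r["title"], ev["id"]) for ev in events for r in RULES if evaluate(r, ev)]


# Constructed Sysmon-shaped events (ids, hostnames and paths are made up).
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "logsource": "registry_set", "EventType": "SetValue",
     "TargetObject": "HKCU\\Environment\\Debug", "Details": "C:\\Windows\\System32\\fodhelper.exe"},
    {"id": "e2", "logsource": "registry_set", "EventType": "SetValue",
     "TargetObject": "HKCU\\Environment\\Path", "Details": "C:\\Tools"},
    {"id": "e3", "logsource": "process_creation", "Image": "C:\\Windows\\System32\\finger.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": "e4", "logsource": "process_creation", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": "e5", "logsource": "network_connection", "Image": "C:\\Python312\\python.exe",
     "Initiated": "true", "DestinationHostname": "aquasecurtiy.org"},
    {"id": "e6", "logsource": "network_connection", "Image": "C:\\Python312\\python.exe",
     "Initiated": "true", "DestinationHostname": "pypi.org"},
    {"id": "e7", "logsource": "network_connection", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "Initiated": "true", "DestinationHostname": "aquasecurtiy.org"},
]

if __name__ == "__main__":
    for title, eid in run_rules(SAMPLE_EVENTS):
        print(f"{eid}: {title}")
```

Events e1, e3 and e5 fire; e7 does not, which is worth noticing: the TeamPCP rule is scoped to python.exe, so a browser reaching the typosquat is left to the network IOC rules rather than to this one.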

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for KarstoRAT and ClickFix Network Indicators
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in ("212.227.65.132", "38.146.28.30") 
   or RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com", "giovettiadv.com", "aquasecurtiy.org")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| extend ThreatLogic = case(
    RemoteIP == "212.227.65.132", "KarstoRAT C2",
    RemoteIP == "38.146.28.30", "ClickFix infrastructure",
    RemoteUrl has_any ("trindastal.com", "poronto.com", "brionter.com"), "ClickFix CastleLoader",
    RemoteUrl has "aquasecurtiy.org", "TeamPCP C2",
    RemoteUrl has "giovettiadv.com", "giovettiadv.com (review non-standard ports, e.g. 688)",
    "Unknown Indicator"
)

PowerShell Hunt Script

PowerShell
# IOC Hunter for KarstoRAT, ClickFix, and TeamPCP
# Checks for specific file hashes on the system.

$TargetHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb",
    "839e882551258bf34e5c5105147f7198af2daf7e579d7d4a8c5f1f105966fd7e",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a"
)

$PathsToScan = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")

Write-Host "Starting IOC Scan..." -ForegroundColor Cyan

foreach ($Path in $PathsToScan) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            # Get-FileHash returns upper-case hex; -contains compares strings case-insensitively
            $FileHash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($TargetHashes -contains $FileHash) {
                Write-Host "[MALWARE FOUND] $($_.FullName)" -ForegroundColor Red
            }
        }
    }
}

# Check for TeamPCP Typosquat Domain Connection via DNS Cache
Write-Host "Checking DNS Cache for TeamPCP Typosquat..." -ForegroundColor Cyan
Get-DnsClientCache | Where-Object { $_.Entry -like "*aquasecurtiy*" } | ForEach-Object {
    Write-Host "[SUSPICIOUS DNS] Resolved typosquat domain: $($_.Entry)" -ForegroundColor Yellow
}


# Response Priorities

*   **Immediate:**
    *   Block all listed IOCs (IPs, Domains, Hashes) at the network perimeter and endpoint (EDR) level.
    *   Initiate a hunt for processes matching `finger.exe` (ClickFix) and `fodhelper.exe` (KarstoRAT).
*   **24 Hours:**
    *   **Identity Audit:** Given the prevalence of credential theft (KarstoRAT/TeamPCP/CastleStealer), force a password reset and MDE check for accounts associated with infected endpoints.
    *   **Software Supply Chain:** Audit Python environments (`pip list`) for the malicious `telnyx` versions or suspicious packages.
*   **1 Week:**
    *   **Application Control:** Implement strict allow-listing for `finger.exe` and `msbuild.exe` to prevent abuse by loaders.
    *   **Supply Chain Policy:** Enforce GPG signature verification for internal Python package usage and block access to typosquatted domains.
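For the supply-chain audit step, here is an added Python example (not the post's own script). It lists installed distributions whose name is on a watch list (telnyx, the package named in the pulse; the affected version range is not given on the page, so every installed version is reported for review), and runs a structural check over WAV files found in a package tree: bytes beyond the declared RIFF size, or chunks a plain PCM file would not carry. That check is a generic heuristic for crudely appended payloads and is my assumption about one way a payload could be stashed, not a decoder for TeamPCP's specific steganographic scheme; the sample package tree it writes to a temp directory is constructed for the demonstration.

```python
import io
import struct
import tempfile
import wave
from importlib import metadata
from pathlib import Path
from typing import Dict, List, Tuple

# Package named on the page as trojanized; affected versions are not listed
# there, so every installed version is surfaced for manual review.
WATCHED_PACKAGES = {"telnyx"}
# Chunk ids a plain PCM WAV is expected to carry (assumption for the heuristic).
EXPECTED_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact"}


def find_watched_distributions(watched=WATCHED_PACKAGES) -> List[Tuple[str, str]]:
    """(name, version) of installed distributions whose name is on the watch list."""
    found = []
    for dist in metadata.distributions():
        name = (dist.metadata.get("Name") or "").lower()
        if name in watched:
            found.append((name, dist.version))
    return sorted(found)


def inspect_wav(data: bytes) -> List[str]:
    """Structural anomalies in a RIFF/WAVE byte string. Catches appended data
    and non-standard chunks only; sample-level (LSB) steganography would need
    statistical checks that are out of scope here."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    findings = []
    riff_size = struct.unpack("<I", data[4:8])[0]
    declared_end = 8 + riff_size
    if declared_end < len(data):
        findings.append(f"{len(data) - declared_end} trailing bytes after RIFF payload")
    pos, limit = 12, min(declared_end, len(data))
    while pos + 8 <= limit:
        cid = data[pos:pos + 4]
        csize = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        if cid not in EXPECTED_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({csize} bytes)")
        pos += 8 + csize + (csize & 1)  # chunk bodies are padded to even length
    return findings


def audit_package_tree(root: Path) -> Dict[str, List[str]]:
    """Report every .wav under a site-packages-like tree that shows anomalies."""
    report = {}
    for path in root.rglob("*.wav"):
        findings = inspect_wav(path.read_bytes())
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


def make_wav() -> bytes:
    """A tiny valid silent PCM WAV built in memory with the stdlib wave module."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(b"\x00\x00" * 100)
    return buf.getvalue()


def with_extra_chunk(data: bytes, cid: bytes, payload: bytes) -> bytes:
    """Append a non-standard chunk and fix the RIFF size so it sits inside the
    declared file (constructed test input, not TeamPCP's actual format)."""
    pad = b"\x00" if len(payload) & 1 else b""
    new = data + cid + struct.pack("<I", len(payload)) + payload + pad
    return new[:4] + struct.pack("<I", len(new) - 8) + new[8:]


def build_sample_tree(root: Path) -> None:
    """Write one clean and two anomalous WAVs under a fake package directory."""
    pkg = root / "fakepkg" / "assets"
    pkg.mkdir(parents=True)
    (pkg / "clean.wav").write_bytes(make_wav())
    (pkg / "trailing.wav").write_bytes(make_wav() + b"\x00payload-bytes" * 20)
    (pkg / "chunk.wav").write_bytes(with_extra_chunk(make_wav(), b"pyld", b"x" * 13))


def demo_report() -> Dict[str, List[str]]:
    """Build the constructed tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp())
    build_sample_tree(root)
    return audit_package_tree(root)


if __name__ == "__main__":
    print("watched packages installed:", find_watched_distributions() or "none")
    for rel, findings in demo_report().items():
        print(rel, "->", "; ".join(findings))
```

Point audit_package_tree at a real site-packages directory to triage an environment; a clean PCM file produces no findings, so anything reported is worth a second look alongside the package's installed version.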
