Recent OTX pulses indicate a surge of diverse, high-impact threats, from novel surveillance malware to supply chain compromises. The landscape features the emergence of KarstoRAT, a Remote Access Trojan (RAT) with extensive surveillance capabilities (webcam, audio, keylogging) that targets gaming communities and Discord users and elevates via the FodHelper UAC bypass. Simultaneously, the ClickFix campaign has evolved: fake "BackgroundFix" image-editing tools trick users into pasting a clipboard-hijacked command that invokes finger.exe to deploy CastleLoader, which in turn drops NetSupport RAT and CastleStealer. Finally, the threat actor TeamPCP has weaponized the Telnyx Python SDK on PyPI, a supply chain attack that uses steganography to hide its payload inside WAV files for credential theft. These campaigns share a common objective: persistent access, credential harvesting, and surveillance.
Threat Actor / Malware Profile
KarstoRAT
- Type: Remote Access Trojan (RAT)
- Distribution: Gaming lure pages, Discord-themed social engineering.
- Behavior: Performs system reconnaissance, screen/audio capture, webcam monitoring, and keylogging. Notable for targeting Discord tokens.
- Privilege Escalation & Persistence: Uses the FodHelper UAC bypass to obtain elevated execution without an admin prompt, then establishes persistence from that elevated context. FodHelper itself is an elevation technique (T1548.002), not a persistence mechanism.
- C2 Communication: HTTP to the C2 server 212.227.65[.]132.
ClickFix / CastleLoader / NetSupport RAT
- Type: Social Engineering Loader / RAT / Stealer
- Distribution: Fake "BackgroundFix" tools that prompt users to "verify they are human" by pasting a PowerShell command the page has already placed on the clipboard.
- Behavior: The pasted command runs finger.exe (a rarely used Windows utility) to fetch the remote payload. CastleLoader acts as a reflective loader that decrypts and drops NetSupport RAT (remote administration) and CastleStealer (a .NET credential stealer).
- C2 Communication: Payload delivery over specific domains (e.g., trindastal.com, poronto.com) and raw IP addresses (38.146.28.30).
TeamPCP (Telnyx SDK Supply Chain)
- Actor: TeamPCP
- Type: Supply Chain Attack / Credential Harvester
- Distribution: Malicious package releases uploaded to PyPI posing as the legitimate telnyx SDK (750k+ downloads).
- Behavior: The trojanized package runs a loader that downloads a second-stage payload hidden inside a WAV file via steganography. The second stage is a credential harvester that exfiltrates encrypted data.
- C2 Communication: Connects to infrastructure on look-alike domains (e.g., aquasecurtiy.org) and specific hostnames.
IOC Analysis
The provided IOCs offer high-fidelity detection opportunities across the attack chain:
- Network Infrastructure: Key IPs such as 212.227.65.132 (KarstoRAT) and 38.146.28.30 (CastleLoader) should be blocked immediately at the perimeter. Domains such as trindastal.com and aquasecurtiy.org are C2 or payload delivery nodes.
- File Hashes: A significant number of SHA256 and MD5 hashes are provided for the KarstoRAT samples, CastleLoader, and the malicious Python package files. These should be integrated into EDR detection rules and YARA scans.
- Operationalization: SOC teams should prioritize the KarstoRAT hashes for quick scanning of user directories, since this malware indicates active surveillance. The ClickFix domains must be blocked at DNS and the perimeter firewall, not only the web proxy: finger.exe retrieves its payload over the finger protocol (TCP/79), which never traverses an HTTP proxy.
Detection Engineering
```yaml
title: Potential KarstoRAT Activity via FodHelper UAC Bypass
id: 4a8b3c1d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
description: Detects a write to the ms-settings protocol handler key under HKCU\Software\Classes. The FodHelper UAC bypass used by KarstoRAT plants a command there so that the auto-elevated fodhelper.exe executes it without a prompt.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/626b3c1d5e6f4a7b8c9d0e1f
tags:
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\ms-settings\shell\open\command'
    condition: selection
falsepositives:
    - Unknown; legitimate software does not register a handler for the ms-settings protocol
level: high
```

```yaml
title: Suspicious Finger.exe Execution (ClickFix Indicator)
id: 5b9c4d2e-6f7a-5b8c-9d0e-1f2a3b4c5d6e
description: Detects finger.exe initiating an outbound network connection, a technique used by ClickFix campaigns to retrieve payloads such as CastleLoader.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/637c4d2e6f7a5b8c9d0e1f2a
tags:
    - attack.execution
    - attack.command_and_control
    - attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate use of the finger protocol (extremely rare in modern networks)
level: critical
```

```yaml
title: TeamPCP PyPI Supply Chain Steganography Payload
id: 6c0d5e3f-7a8b-6c9d-0e1f-2a3b4c5d6e7f
description: Detects python.exe executing sysmon.py, a component associated with the TeamPCP compromised Telnyx SDK attack that stages its payload via steganography.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/648d5e3f7a8b6c9d0e1f2a3b
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'sysmon.py'
    condition: selection
falsepositives:
    - Legitimate development scripts that happen to be named sysmon.py
level: high
```
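The three detections above, re-expressed as Python matchers and run over constructed Sysmon-style events so the selection logic can be unit-tested before the rules are deployed. This is an added example, not code from the original advisory or from Security Arsenal. Field names follow Sigma's Windows taxonomy; the host names, paths, SID and versions in the sample events are made up, and the FodHelper matcher (the ms-settings handler key plus any child process of fodhelper.exe, which never spawns children in normal use) is my own choice of logic rather than something the pulses specify.

```python
"""Added example: Sigma-style matchers for the three rules in this section,
exercised against constructed sample telemetry (hypothetical hosts/paths)."""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Tail of the registry path the FodHelper bypass must write before launching
# fodhelper.exe; the hive/SID prefix varies, so only the tail is matched.
MS_SETTINGS_HANDLER = r"\software\classes\ms-settings\shell\open\command"


def _ends_with(value: str, suffix: str) -> bool:
    """Case-insensitive Sigma 'endswith' modifier."""
    return value.lower().endswith(suffix.lower())


def fodhelper_uac_bypass(ev: Event) -> bool:
    """Registry write to the ms-settings handler, or a child spawned by fodhelper.exe."""
    if ev.get("category") == "registry_set":
        return MS_SETTINGS_HANDLER in ev.get("TargetObject", "").lower()
    if ev.get("category") == "process_creation":
        return _ends_with(ev.get("ParentImage", ""), r"\fodhelper.exe")
    return False


def finger_outbound(ev: Event) -> bool:
    """finger.exe initiating a network connection (ClickFix payload retrieval)."""
    return (ev.get("category") == "network_connection"
            and _ends_with(ev.get("Image", ""), r"\finger.exe")
            and ev.get("Initiated", "").lower() == "true")


def python_sysmon_py(ev: Event) -> bool:
    """python.exe running the sysmon.py component named in the TeamPCP pulse."""
    return (ev.get("category") == "process_creation"
            and _ends_with(ev.get("Image", ""), r"\python.exe")
            and "sysmon.py" in ev.get("CommandLine", "").lower())


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("Potential KarstoRAT Activity via FodHelper UAC Bypass", fodhelper_uac_bypass),
    ("Suspicious Finger.exe Execution (ClickFix Indicator)", finger_outbound),
    ("TeamPCP PyPI Supply Chain Steganography Payload", python_sysmon_py),
]


def run_rules(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule title, event) for every event/rule pair that matches."""
    return [(title, ev) for ev in events for title, match in RULES if match(ev)]


# Constructed sample telemetry. Hosts, paths, SID and IPs other than the
# page's 38.146.28.30 are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    {"category": "registry_set",
     "Image": r"C:\Users\alice\AppData\Local\Temp\game_patch.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\shell\open\command",
     "Details": r"C:\Users\alice\AppData\Local\Temp\game_patch.exe"},
    {"category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\game_patch.exe"},
    {"category": "network_connection", "Image": r"C:\Windows\System32\finger.exe",
     "Initiated": "true", "DestinationIp": "38.146.28.30", "DestinationPort": "79"},
    {"category": "process_creation", "Image": r"C:\Python312\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\AppData\Roaming\sysmon.py"},
    # Benign noise that must not fire: fodhelper launched normally, browser traffic.
    {"category": "process_creation", "Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "fodhelper.exe"},
    {"category": "network_connection",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "1.1.1.1", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for title, ev in run_rules(SAMPLE_EVENTS):
        print(f"[{title}] {ev.get('Image')}")
```

Running the file prints one line per hit (four for the sample set). The same matchers can be pointed at real Sysmon exports by mapping EventID 13 to `registry_set`, EventID 1 to `process_creation` and EventID 3 to `network_connection`.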
```kql
// Hunt for KarstoRAT C2 traffic and ClickFix / TeamPCP domains over the last 7 days
let suspiciousDomains = dynamic(["trindastal.com", "poronto.com", "brionter.com", "aquasecurtiy.org"]);
let suspiciousIPs = dynamic(["212.227.65.132", "38.146.28.30"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (suspiciousDomains) or RemoteIP in (suspiciousIPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
```
```powershell
# IOC hunt script for KarstoRAT and CastleLoader SHA256 hashes.
# -contains is case-insensitive, so the uppercase hex from Get-FileHash matches these lowercase values.
$targetHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "07131e3fcb9e65c1e4d2e756efdb9f263fd90080d3ff83fbcca1f31a4890ebdb",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9",
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a"
)
Write-Host "Scanning system for known malicious IOCs..."
# Full-drive hashing is slow; narrow this to user profile directories (e.g. C:\Users) for quick triage.
$drives = @("C:\", "D:\", "E:\")
foreach ($drive in $drives) {
    if (-not (Test-Path $drive)) { continue }
    Write-Host "Scanning $drive..."
    # -File skips directories; inaccessible or locked files are silently skipped.
    Get-ChildItem -Path $drive -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and ($targetHashes -contains $hash)) {
            Write-Host "[MALICIOUS FILE FOUND] $($_.FullName) - Hash: $hash" -ForegroundColor Red
        }
    }
}
Write-Host "Scan complete."
```
Response Priorities
- Immediate:
  - Block all listed IPs (212.227.65.132, 38.146.28.30) and domains (trindastal.com, aquasecurtiy.org) at the firewall, DNS and proxy level.
  - Scan endpoints for the SHA256 hashes associated with KarstoRAT and CastleLoader.
  - Hunt for finger.exe making outbound connections and for fodhelper.exe spawning child processes.
- 24 Hours:
  - Conduct credential audits for users who may have interacted with gaming lures or fake image editors.
  - Reset Discord tokens and API keys if infection is suspected.
  - Review Python environments (pip list) for the compromised telnyx package versions.
- 1 Week:
  - Implement application allowlisting to prevent execution of utilities like finger.exe by non-administrators.
  - Harden the software supply chain by verifying Python package integrity (hash-pinned requirements) and requiring signed packages.
  - Update EDR policies to detect clipboard hijacking behaviors and FodHelper UAC bypass attempts.
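An added example, not code from the advisory or from Security Arsenal, for the two Python-related items above: it parses `pip list --format=json` output to find the telnyx distribution regardless of name casing, and audits a requirements file so that `pip install --require-hashes -r requirements.txt` can be enforced (pip refuses to install anything not pinned with a matching hash). The pip-list JSON, the requirements text, the package versions and the placeholder digest are all constructed for the example.

```python
"""Added example: locate an installed distribution and check that a
requirements file is fully hash-pinned for `pip install --require-hashes`."""
import json
import re
from typing import Dict, List

# Constructed sample of `pip list --format=json` output (hypothetical versions).
SAMPLE_PIP_LIST = json.dumps([
    {"name": "requests", "version": "2.32.3"},
    {"name": "Telnyx", "version": "4.0.0"},
    {"name": "pip", "version": "24.0"},
])

# Placeholder digest, not a real wheel hash; 64 hex chars as pip expects.
PLACEHOLDER_HASH = "0" * 63 + "1"

# Constructed requirements file: one pinned-with-hash line (continued with a
# backslash, as pip-compile writes them), one pinned without a hash, one unpinned.
SAMPLE_REQUIREMENTS = (
    "requests==2.32.3 \\\n"
    f"    --hash=sha256:{PLACEHOLDER_HASH}\n"
    "telnyx==4.0.0\n"
    "numpy\n"
)


def _normalize(name: str) -> str:
    """PEP 503 name normalization: runs of -, _ and . collapse to '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_distribution(pip_list_json: str, name: str) -> List[Dict[str, str]]:
    """Return installed entries whose normalized name matches `name`."""
    wanted = _normalize(name)
    return [d for d in json.loads(pip_list_json) if _normalize(d["name"]) == wanted]


_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def audit_requirements(text: str) -> Dict[str, List[str]]:
    """Classify every requirement as pinned_with_hash, pinned_no_hash or unpinned."""
    report: Dict[str, List[str]] = {"pinned_with_hash": [], "pinned_no_hash": [], "unpinned": []}
    # Join backslash-continued lines so a requirement and its --hash options form one logical line.
    logical = text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or an option such as -r / --index-url
            continue
        pin = _PIN_RE.match(line)
        if pin is None:
            report["unpinned"].append(_NAME_RE.match(line).group(1))
        elif _HASH_RE.search(line):
            report["pinned_with_hash"].append(pin.group(1))
        else:
            report["pinned_no_hash"].append(pin.group(1))
    return report


def require_hashes_ready(text: str) -> bool:
    """True only when every requirement is pinned by version and carries a sha256 hash."""
    report = audit_requirements(text)
    return not report["pinned_no_hash"] and not report["unpinned"]


if __name__ == "__main__":
    print("telnyx installed:", find_distribution(SAMPLE_PIP_LIST, "telnyx"))
    print("audit:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("--require-hashes ready:", require_hashes_ready(SAMPLE_REQUIREMENTS))
```

In a real environment feed `find_distribution` the output of `pip list --format=json` and compare the returned version against the affected versions in the pulse; `audit_requirements` is the pre-flight check to run before switching a build to `--require-hashes`, since pip aborts the whole install if any line lacks a hash.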