Multi-Vector Infostealer Surge: Lumma, Rhadamanthys & PyPI Supply Chain Attacks — Detection Engineering

Security Arsenal Team
April 29, 2026
7 min read

OTX pulse data from 2026-04-29 indicates a surge in sophisticated credential theft campaigns utilizing a diverse array of initial access vectors. The intelligence highlights a convergence on "Infostealer" payloads (Lumma, Rhadamanthys, GlassWorm) deployed via novel mechanisms:

  1. Supply Chain Poisoning: The compromise of the Xinference AI framework on PyPI (versions 2.6.0–2.6.2) demonstrates a shift toward targeting AI/ML development environments. The malicious code uses Base64 obfuscation within __init__.py to exfiltrate cloud credentials.
  2. Social Engineering & AI Lures: Threat actors are abusing the hype around AI agents (OpenClaw) to distribute GachiLoader, which ultimately drops Rhadamanthys. Additionally, "ClickFix" campaigns continue to evolve, using obfuscated PowerShell to deliver Lumma Stealer via MSI payloads.
  3. Targeted Mobile & Developer Attacks: The GlassWorm campaign specifically targets developers via fake browser extensions and Solana blockchain-based payload delivery, while KYCShadow targets banking users in India via WhatsApp.

The collective objective of these campaigns is the mass harvesting of credentials, including cloud environment keys, cryptocurrency wallets, and banking OTPs, likely for initial access brokering and financial fraud.


Threat Actor / Malware Profile

1. Lumma Stealer (via HijackLoader)

  • Distribution: ClickFix phishing sites (fake browser error/captcha pages) triggering obfuscated PowerShell.
  • Payload Behavior: Delivered via malicious MSI; uses DLL sideloading with renamed legitimate binaries to evade detection.
  • C2 Communication: Standard HTTP/HTTPS to hardcoded IPs (e.g., 85.11.161.198).
  • Objective: Steals browser cookies, passwords, and cryptocurrency wallet data.

2. Xinference (PyPI Supply Chain)

  • Distribution: Malicious packages uploaded to PyPI (versions 2.6.0, 2.6.1, 2.6.2).
  • Payload Behavior: Upon import, __init__.py executes Base64-encoded shell commands. It establishes persistence and scans for cloud credentials (AWS, GCP, Azure).
  • Technique: Dependency confusion / Repo compromise.
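The on-import decode-then-execute pattern described in this profile can be caught statically before the package is ever imported. The following Python is an added example (not code from the pulse, the Xinference project or Security Arsenal): it parses a package's __init__.py with the ast module and flags any exec/eval or shell call whose argument is Base64-decoded data, directly or through a variable assigned from a decode call, and it checks a version string against the 2.6.0–2.6.2 range. The sample __init__.py contents are constructed (the encoded payload is a harmless `echo hello`), and the sink and decode-function name lists are my assumptions.

```python
import ast
import sys
from pathlib import Path

MALICIOUS_XINFERENCE_VERSIONS = {"2.6.0", "2.6.1", "2.6.2"}  # releases reported as compromised in the pulse
# Assumed sink names that execute code or shell commands, and the Base64 decode helpers that feed them
EXEC_SINKS = {"exec", "eval", "system", "popen", "run", "call", "Popen", "check_output"}
DECODE_FUNCS = {"b64decode", "standard_b64decode", "urlsafe_b64decode", "decodebytes"}

def is_malicious_xinference_version(version: str) -> bool:
    return version.strip() in MALICIOUS_XINFERENCE_VERSIONS

def _call_name(node: ast.Call) -> str:
    # Works for both `os.system(...)` (Attribute) and bare `exec(...)` (Name); anything else gives ""
    return getattr(node.func, "attr", getattr(node.func, "id", ""))

def _contains_decode(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) and _call_name(n) in DECODE_FUNCS for n in ast.walk(node))

def find_base64_exec_sinks(source: str) -> list:
    """Line numbers where Base64-decoded data reaches an exec/shell sink, either directly
    as an argument or through a variable that was assigned from a decode call."""
    tree = ast.parse(source)
    tainted = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign) and _contains_decode(n.value)
               for t in n.targets if isinstance(t, ast.Name)}
    hits = set()
    for n in ast.walk(tree):
        if isinstance(n, ast.Call) and _call_name(n) in EXEC_SINKS:
            for a in n.args + [kw.value for kw in n.keywords]:
                if _contains_decode(a) or any(isinstance(x, ast.Name) and x.id in tainted for x in ast.walk(a)):
                    hits.add(n.lineno)
    return sorted(hits)

def scan_package_inits(package: str = "xinference") -> dict:
    """Run the check on every <package>/__init__.py reachable from sys.path; returns {path: hit_lines}."""
    results = {}
    for entry in sys.path:
        init = Path(entry) / package / "__init__.py"
        if init.is_file():
            results[str(init)] = find_base64_exec_sinks(init.read_text(encoding="utf-8", errors="replace"))
    return results

# Constructed sample of the described decode-then-execute pattern (payload decodes to a harmless `echo hello`)
SAMPLE_INIT = '''
import base64, os, subprocess
cmd = base64.b64decode("ZWNobyBoZWxsbw==").decode()
os.system(cmd)
subprocess.run(base64.b64decode("ZWNobyBoZWxsbw==").decode(), shell=True)
'''
# Constructed benign sample: decoding alone is not flagged, only decoded data feeding an execution sink
BENIGN_INIT = 'import base64\nDATA = base64.b64decode("aGk=")\nprint(DATA)\n'
```

Running `scan_package_inits()` on a developer workstation reports the installed xinference __init__.py only if it contains the decode-to-execute pattern, which keeps the check useful for versions outside the listed range as well.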

3. GlassWorm

  • Distribution: Compromised code repositories and fake browser extensions targeting developers.
  • Payload Behavior: Staged execution; fingerprints the machine and fetches payloads via the Solana blockchain to avoid traditional network IOC detection.
  • Persistence: Installs a fake browser extension for surveillance and a Remote Access Trojan (RAT).

4. GachiLoader / Rhadamanthys

  • Distribution: Fake "AI Agent Skill" packages (OpenClaw lure) hosted on rogue GitHub-like infrastructure.
  • Payload Behavior: Pure social engineering lure; the user manually executes a Windows binary disguised as a skill package.
  • C2: Uses Blockchain-based C2 for resilience.

IOC Analysis

  • File Hashes: A significant volume of MD5 and SHA256 hashes are provided for the PyPI compromise (Xinference), Lumma Stealer binaries, and GachiLoader droppers. These should be immediately imported into EDR quarantine lists.
  • Network Indicators:
    • IP: 85.11.161.198 (Lumma C2/Download server).
    • Domains: serv.biz, serv.xyz, api.biz (KYCShadow C2).
  • Operationalization:
    • Firewall/Proxy: Block the listed IPs and Domains immediately. Investigate any historical egress connections to these endpoints.
    • EDR: Hunt for the specific file hashes. Focus on the Xinference package hashes in developer environments.
    • SIEM: Correlate process creation of python.exe or pip.exe with network connections to unknown external endpoints, specifically looking for the Base64 encoding pattern described in the Xinference pulse.

Detection Engineering

Sigma Rules

YAML
---
title: PyPI Package Xinference Malicious Version Installation
id: 4b2e9c8a-1f3d-4c5a-9b6e-7f8d9a0b1c2d
description: Detects the installation of known malicious Xinference versions (2.6.0 - 2.6.2) or suspicious Base64 activity in Python child processes.
status: experimental
date: 2026/04/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa8e5e8e9b40d8c1e8f8a
tags:
    - attack.supply_chain
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_pip:
        Image|endswith: '\pip.exe'
        CommandLine|contains: 'install xinference'
    selection_malicious_version:
        CommandLine|contains:
            - '==2.6.0'
            - '==2.6.1'
            - '==2.6.2'
    selection_base64_python:
        ParentImage|endswith: '\python.exe'
        CommandLine|contains:
            - 'powershell -e'
            - 'certutil -decode'
            - 'FromBase64String'
    # A bare pip install of xinference is only malicious together with one of the listed versions;
    # the Base64 child-process pattern is suspicious on its own.
    condition: (selection_pip and selection_malicious_version) or selection_base64_python
falsepositives:
    - Legitimate installation of older versions (unlikely in new envs)
level: critical
---
title: ClickFix PowerShell Downloader for Lumma Stealer
id: 5d3f0d9b-2e4a-5f6b-0c7d-8e9f1a2b3c4d
description: Detects PowerShell commands downloading MSI files from non-standard ports or IPs associated with ClickFix campaigns.
status: experimental
date: 2026/04/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa8e5e8e9b40d8c1e8f8b
tags:
    - attack.execution
    - attack.t1059.001
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_powershell:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_msi:
        CommandLine|contains: '.msi'
    selection_suspicious_ip:
        CommandLine|contains: '85.11.161.198'
    condition: selection_powershell and selection_msi and selection_suspicious_ip
falsepositives:
    - Low
level: high
---
title: Suspicious Node.js SEA or Electron Dropper Execution (GachiLoader)
id: 6e4g0h0j-3f5b-6g7c-1d8e-9f0g2b3c4d5e  # NOTE: not a valid UUID (contains non-hex characters); regenerate before deploying
description: Detects execution of Node.js Single Executable Applications or Electron binaries from temporary or user profile directories, typical of GachiLoader AI skill lures.
status: experimental
date: 2026/04/29
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa8e5e8e9b40d8c1e8f8c
tags:
    - attack.initial_access
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_node:
        Image|endswith:
            - '\node.exe'
            - '\electron.exe'
    location_suspicious:
        Image|contains:
            - '\AppData\Local\Temp'
            - '\Downloads'
    context_ai:
        CommandLine|contains:
            - 'skill'
            - 'agent'
            - 'openclaw'
    condition: selection_node and location_suspicious and context_ai
falsepositives:
    - Legitimate developer tools running from temp (rare)
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for ClickFix and Lumma Stealer Network Activity
// Scope: MSI downloads or the port seen in the campaign, initiated by PowerShell or reaching the Lumma C2 IP
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl contains ".msi" or RemotePort == 6600
| where RemoteIP == "85.11.161.198" or InitiatingProcessFileName =~ "powershell.exe"
| extend IOCScore = case(
    RemoteIP == "85.11.161.198", "Critical",
    RemotePort == 6600, "High",
    "Medium")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, IOCScore

// Hunt for PyPI Xinference Malicious Activity
// Any pip install of xinference pinned to one of the compromised versions
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_all ("pip", "install", "xinference")
| where ProcessCommandLine has_any ("2.6.0", "2.6.1", "2.6.2")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath

PowerShell Hunt Script

PowerShell
# IOC Hunt Script: GlassWorm, Xinference, and Lumma Artifacts
# Requires Administrative Privileges (the full-disk hash scan reads every file system drive)

Write-Host "[+] Starting Hunt for Infostealer Artifacts..." -ForegroundColor Cyan

# 1. Check for Malicious Xinference Python Packages
Write-Host "[*] Checking for Xinference versions 2.6.0 - 2.6.2..." -ForegroundColor Yellow
$pythonPaths = @("C:\Python*", "$env:LOCALAPPDATA\Programs\Python", "$env:APPDATA\Python")
# MD5 hashes of the malicious Xinference package files from the pulse
$maliciousHashes = @("3ee893ae46530b92e0d26435fb979d82", "484067fd6232f7cdd7b664b33857fc2c", "971670c10eff28339a085ca50a600e35")

foreach ($path in $pythonPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -Filter "*xinference*" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "Found Xinference Artifact: $($_.FullName)" -ForegroundColor Red
            # Hash the files under each artifact and compare against the known-bad MD5 list (Get-FileHash returns uppercase)
            Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
                Where-Object { $maliciousHashes -contains $_.Hash.ToLower() } |
                ForEach-Object { Write-Host "CRITICAL: Known malicious Xinference file: $($_.Path)" -ForegroundColor Red }
        }
    }
}

# 2. Scan for specific file hashes (Lumma/GachiLoader samples)
Write-Host "[*] Scanning for known malicious file hashes (single pass over all drives, may take a while)..." -ForegroundColor Yellow
$drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
$lummaHashes = @(
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc",
    "c529217014b732abbe646046c07ce8f0366a42051839d4cb3be5b400285fc728"
)

# Hash each file once and compare against the whole list, rather than re-walking every drive per hash
Get-ChildItem -Path $drives -Recurse -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Where-Object { $lummaHashes -contains $_.Hash.ToLower() } |
    ForEach-Object { Write-Host "CRITICAL: Malicious file found: $($_.Path)" -ForegroundColor Red }

# 3. Check for GlassWorm fake browser extensions
Write-Host "[*] Checking for suspicious browser extensions..." -ForegroundColor Yellow
# Chrome keeps installed extensions on disk under the profile directory, not in the registry
$chromeExtPath = Join-Path $env:LOCALAPPDATA "Google\Chrome\User Data\Default\Extensions"
if (Test-Path $chromeExtPath) {
    # Basic heuristic: list extension IDs newest first so recently added ones stand out
    $exts = Get-ChildItem -Path $chromeExtPath -Directory | Sort-Object CreationTime -Descending
    Write-Host "Found $($exts.Count) extensions in Chrome. Manual review recommended for IDs not present in enterprise whitelist." -ForegroundColor Yellow
    $exts | ForEach-Object { Write-Host ("  {0}  installed {1}" -f $_.Name, $_.CreationTime) }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green


---

Response Priorities

  • Immediate (0-4h):
    • Block IOCs: Add 85.11.161.198, serv.biz, serv.xyz, api.biz to firewalls and secure web gateways.
    • Endpoint Isolation: Isolate any endpoints returning hits for the Lumma Stealer or GachiLoader file hashes.
    • PyPI Audit: Identify any systems running Xinference and force upgrade to a verified safe version (>2.6.2) or uninstall if compromised.
  • 24 Hours:
    • Credential Reset: Force password resets for developers who may have used the compromised Xinference package. Rotate API keys (AWS, Azure, GCP) used in environments where this package was installed.
    • Investigation: Review logs for GlassWorm activity (Solana blockchain interactions) and KYCShadow (mobile SMS forwarding).
  • 1 Week:
    • Architecture Hardening: Implement Software Composition Analysis (SCA) scanning within CI/CD pipelines to detect typosquatting and malicious package uploads.
    • Awareness Training: Update security awareness training to include "ClickFix" and "AI Skill" social engineering vectors.
