
Multi-Vector Infostealer Surge: TroyDen AI Lures, ClickFix RATs, and TDS Hijacking

Security Arsenal Team
June 7, 2026

Recent OTX pulses indicate a convergence of sophisticated delivery mechanisms that use AI-generated content, SEO poisoning, and traffic distribution systems (TDS) to deliver commodity malware families. The threat landscape has shifted towards highly targeted lure factories (TroyDen) and impersonation-as-a-service (ClickFix, TDS Ecosystem).

Collectively, these campaigns aim to harvest credentials, cryptocurrency wallets, and session data from developers, gamers, and job seekers. The attack chains predominantly rely on social engineering to bypass initial defenses, followed by fileless execution techniques or staged payloads leveraging legitimate interpreters like Python and LuaJIT to evade static detection.

Threat Actor / Malware Profile

TroyDen (AI-Assisted Lure Factory)

  • Malware: LuaJIT, Redline, LummaStealer
  • Distribution: GitHub repositories masquerading as legitimate tools using AI-generated biological taxonomy names.
  • Behavior: Two-component payload; uses Prometheus obfuscator. Targeted at developers (GitHub users) and gamers (Roblox/Crypto).

ClickFix (Job Platform Impersonation)

  • Malware: CastleLoader, Python-based RAT
  • Distribution: Typosquatted domains mimicking LinkedIn/Indeed; fake CAPTCHA pages served via Google Ads.
  • Behavior: Leverages legacy Finger protocol and LOLBINs (Living Off The Land Binaries) to execute commands, deploying portable Python runtimes (CPython/IronPython) for fileless RAT execution.

TDS Ecosystem (Click Hijacking)

  • Malware: SessionGate, RemusStealer, AnimateClipper
  • Distribution: Impersonation of open-source tools (Ghidra, dnSpy) via SEO poisoning.
  • Behavior: CloudFront-hosted JavaScript hijacks download buttons, redirecting to a TDS which enforces strict gating (anti-bot, state verification) before delivering malware.

IOC Analysis

The provided indicators consist of infrastructure domains, IPs, and payload hashes.

  • Domains: Several domains exhibit typosquatting patterns (teamsvoicehub.com vs. legitimate Teams services) or resemble domain generation algorithm (DGA) output (staruxaproruha.com, forestoaker.com). These are critical for blocking at the DNS layer.
  • IPs: 194.150.220.218 and 217.156.122.75 serve as direct payload hosts or TDS nodes.
  • Hashes: SHA256 hashes provided correspond to the malicious payloads (e.g., 08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4). SOC teams should utilize EDR correlation or hash-lookup tools to detect these files on disk or in memory.

Detection Engineering

```yaml
title: Suspicious Python Interpreter Execution via LOLBINs
id: 82b3c7f2-1a4e-4d8a-9b5c-3f7d6e5a4b1c
description: Detects execution of portable Python runtimes (CPython/IronPython) spawned by cmd.exe or powershell.exe, a technique used by ClickFix/CastleLoader to bypass application control.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a3b1c8d87a8f8a4b5c6d
tags:
    - attack.execution
    - attack.t1059.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
            - '\ipy.exe'
    selection_parent:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    context_cli:
        CommandLine|contains:
            - '-c '
            - ' -Base64'
    condition: all of selection_* and context_cli
falsepositives:
    - Legitimate developer scripts
level: high
---
title: Potential LuaJIT Infostealer Execution
id: 91c2d8e3-2b5f-4e9a-0a6d-4e8f7b6c5d4e
description: Identifies execution of LuaJIT processes often associated with TroyDen campaigns delivering LummaStealer and Redline. Looks for unsigned or suspicious paths.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a3b1c8d87a8f8a4b5c6d
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: 'luajit'
        Image|endswith: '.exe'
    filter_legit:
        Signed: 'true'
    condition: selection and not filter_legit
falsepositives:
    - Gaming software (Roblox, League of Legends) - adjust filter as needed
level: medium
---
title: TDS Traffic Distribution System Network Indicators
id: 73d1e9f4-3c6g-5h0b-1b7c-5f9g8c7d6e5f
description: Detects network connections to known Traffic Distribution System (TDS) infrastructure associated with the malware delivery ecosystem for SessionGate and RemusStealer.
status: experimental
date: 2026/06/07
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6658a3b1c8d87a8f8a4b5c6d
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection_ip:
        DestinationIp:
            - '194.150.220.218'
            - '217.156.122.75'
    selection_domain:
        DestinationHostname|contains:
            - 'teamsvoicehub.com'
            - 'dapala.net'
            - 'staruxaproruha.com'
            - 'ai-like.net'
            - 'mtg-life.net'
            - 'novayastaruxa.com'
            - 'kevinnotanother.com'
            - 'guiformat.com'
            - 'forestoaker.com'
            - 'arch2.maxdatahost1.cyou'
            - 'baxe.pics'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
```


```kql
// Hunt for ClickFix Python RAT Activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("python.exe", "pythonw.exe", "ipy.exe", "ipy64.exe", "ipy32.exe")
| where ProcessCommandLine contains "-c" or ProcessCommandLine contains "import"
| where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "iexplore.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256

// Hunt for TDS/SessionGate Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net", "mtg-life.net", "novayastaruxa.com", "kevinnotanother.com", "guiformat.com", "forestoaker.com", "arch2.maxdatahost1.cyou", "baxe.pics")
  or RemoteIP in ("194.150.220.218", "217.156.122.75")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName

// Hunt for Malicious File Hashes
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in ("08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4", "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
```


```powershell
# IOC Hunt Script for TroyDen and TDS Ecosystem
# Requires Administrator privileges (full-disk scan and DNS client cache access)

$MaliciousHashes = @(
    "08a474368a2f94f347ad9e1a0a08d4258fcf49c6b9373214f7901bb770bacca4",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886"
)

$MaliciousDomains = @(
    "teamsvoicehub.com", "dapala.net", "staruxaproruha.com", "ai-like.net",
    "mtg-life.net", "novayastaruxa.com", "kevinnotanother.com", "guiformat.com",
    "forestoaker.com", "arch2.maxdatahost1.cyou", "baxe.pics"
)

$MaliciousIPs = @(
    "194.150.220.218", "217.156.122.75"
)

Write-Host "[*] Checking for active network connections to known C2/TDS infrastructure..." -ForegroundColor Cyan
$ActiveConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue

# foreach requires the loop variable and collection in parentheses
foreach ($IP in $MaliciousIPs) {
    $Hits = $ActiveConnections | Where-Object { $_.RemoteAddress -eq $IP }
    if ($Hits) {
        Write-Host "[!] ALERT: Found connection to malicious IP $IP" -ForegroundColor Red
        $Hits | Format-Table -AutoSize
    }
}

Write-Host "[*] Scanning for malware hashes on system drives..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..."
    try {
        # Only hash file types the campaigns are known to drop; -Include needs -Recurse to apply
        $Files = Get-ChildItem -Path $Drive -Recurse -Include *.exe, *.dll, *.bin, *.rtf -ErrorAction SilentlyContinue
        foreach ($File in $Files) {
            $Hash = (Get-FileHash -Path $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($MaliciousHashes -contains $Hash) {
                Write-Host "[!] MALWARE FOUND: $($File.FullName)" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors (locked system files, unmounted drives)
    }
}

Write-Host "[*] Checking DNS Cache for malicious domains..." -ForegroundColor Cyan
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($Domain in $MaliciousDomains) {
    $Hits = $DnsCache | Where-Object { $_.Entry -like "*$Domain*" }
    if ($Hits) {
        Write-Host "[!] ALERT: DNS Cache hit for $Domain" -ForegroundColor Yellow
        $Hits | Select-Object Entry, Data, TimeToLive
    }
}
```


Response Priorities

*   **Immediate (0-4h):**
    *   Block all listed domains and IPs at the firewall and proxy tier.
    *   Add SHA256 hashes to EDR blocklists.
    *   Hunt for `python.exe` or `luajit.exe` spawned by browsers or office suites.

*   **24h:**
    *   Identify and credential-reset any accounts accessed from devices flagged with network hits to TDS infrastructure.
    *   Review GitHub repository cloning logs for developers accessing repositories matching AI-generated taxonomy patterns.

*   **1 Week:**
    *   Implement strict DNS filtering for newly registered domains (NRDs) to combat TDS and typosquatting.
    *   Conduct security awareness training focused on "fake CAPTCHA" checks and AI-generated lure detection.
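The following Python is an added example, not part of the original advisory, that implements the "interpreter spawned by an unexpected parent" check behind the first Sigma rule and the Immediate-tier hunt above, extending the parent list from shells to browsers and office suites. It runs over constructed Sysmon Event ID 1-style events exported as JSON lines; the field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon, and the sample paths and process IDs are invented.

```python
import json
from pathlib import PureWindowsPath

# Interpreters abused in these campaigns: portable CPython/IronPython (ClickFix) and LuaJIT (TroyDen).
INTERPRETERS = {"python.exe", "pythonw.exe", "ipy.exe", "ipy64.exe", "ipy32.exe", "luajit.exe"}
# Parents that should not normally launch an interpreter: the shells from the Sigma rule above plus
# the browsers and office suites named in the "Immediate" response priority.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "chrome.exe", "msedge.exe",
                      "firefox.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Command-line fragments that indicate inline code execution rather than a script file on disk.
CLI_MARKERS = (" -c ", " -e ", "-base64", "frombase64string", "import ")

def is_suspicious(event: dict) -> bool:
    """True when a Sysmon-EID1-style event shows an interpreter spawned by a suspicious
    parent with an inline-execution command line (all three conditions must hold)."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cli = " " + event.get("CommandLine", "").lower() + " "   # pad so " -c " matches at the edges
    return (image in INTERPRETERS and parent in SUSPICIOUS_PARENTS
            and any(marker in cli for marker in CLI_MARKERS))

def hunt(jsonl: str) -> list:
    """Run the check over newline-delimited JSON events; return (ProcessId, Image, ParentImage) per hit."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_suspicious(event):
            hits.append((event.get("ProcessId"), event["Image"], event["ParentImage"]))
    return hits

# Constructed sample events (not real telemetry): two true positives followed by two benign launches.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "Image": r"C:\Users\dev\AppData\Local\Temp\py\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": 'python.exe -c "import base64"'},
    {"ProcessId": 5304, "Image": r"C:\Users\dev\Downloads\ghidra_tool\luajit.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": 'luajit.exe -e "print(1)"'},
    {"ProcessId": 6011, "Image": r"C:\Python312\python.exe",   # IDE-launched script: benign
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": r"C:\Python312\python.exe C:\proj\main.py"},
    {"ProcessId": 6020, "Image": r"C:\Python312\python.exe",   # shell parent but no inline code
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe setup.py build"},
])

if __name__ == "__main__":
    for pid, image, parent in hunt(SAMPLE_EVENTS):
        print(f"[!] pid={pid} {image} spawned by {parent}")
```

Feed it the JSON export of your EDR or Sysmon process-creation events in place of SAMPLE_EVENTS; legitimate developer tooling that launches `python -c` from a shell will still surface and needs the same false-positive tuning the Sigma rule notes.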
