OTX Pulse Analysis: Lumma, LofyStealer, and Supply Chain Attacks — Credential Theft Surge

Security Arsenal Team
May 2, 2026
7 min read

Threat Summary

Recent OTX pulses indicate a coordinated surge in credential harvesting operations spanning software supply chains, social engineering, and mobile platforms. The threat landscape is dominated by infostealers like Lumma Stealer and LofyStealer, which are being distributed via diverse mechanisms including the "ClickFix" technique, malicious PyPI packages (TeamPCP), and gaming-focused social engineering. Additionally, the emergence of GhostSocks (a MaaS proxy) and KYCShadow (Android banking trojan) highlights an expansion into residential proxy evasion and mobile banking fraud. The collective objective of these campaigns is the mass exfiltration of session cookies, banking credentials, and multi-factor authentication tokens to fuel further cybercrime operations.

Threat Actor / Malware Profile

1. TeamPCP (Supply Chain Attack)

  • Malware: Credential harvester (payload hidden inside a WAV file via steganography).
  • Distribution: Trojanized telnyx Python SDK uploaded to PyPI (750k+ downloads/month).
  • Behavior: Three-stage attack. Trojaned package triggers a loader, which downloads a payload hidden inside a WAV file.
  • Objective: Steal system credentials and encrypt them for exfiltration.
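The page states only that the TeamPCP payload is hidden inside a WAV file, not how. As an added example (not the researchers' or Security Arsenal's code), the Python below walks a WAV's RIFF chunk list and reports the structural traces a smuggled payload commonly leaves: bytes appended past the declared RIFF end, chunk IDs outside a tunable allow-list, and truncated chunks. `KNOWN_CHUNKS`, the entropy heuristic and the three constructed sample files are assumptions.

```python
import math
import struct

# Assumption: chunk IDs seen in ordinary WAV files; tune this allow-list for your environment.
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"smpl", b"bext", b"id3 ", b"PEAK"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; values near 8.0 suggest compressed or encrypted data, PCM audio is usually lower."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([b])) for b in set(buf)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts)


def inspect_wav(blob: bytes) -> list:
    """Walk the RIFF chunk list and report anomalies that can indicate a payload
    smuggled into an otherwise playable WAV (appended data or foreign chunks)."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    findings = []
    declared_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    if declared_end < len(blob):  # trailing bytes that any media player silently ignores
        tail = blob[declared_end:]
        findings.append(f"{len(tail)} bytes after RIFF end (entropy {shannon_entropy(tail):.2f})")
    pos = 12
    while pos + 8 <= min(declared_end, len(blob)):
        cid = blob[pos:pos + 4]
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        body = blob[pos + 8:pos + 8 + size]
        if len(body) < size:
            findings.append(f"chunk {cid!r} declares {size} bytes but only {len(body)} present")
            break
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk {cid!r} ({size} bytes, entropy {shannon_entropy(body):.2f})")
        pos += 8 + size + (size & 1)  # chunk bodies are padded to an even length
    return findings


def make_wav(samples: bytes, extra_chunks=()) -> bytes:
    """Build a minimal 8 kHz 16-bit mono PCM WAV (constructed test input, not a real sample)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    chunks = [(b"fmt ", fmt), (b"data", samples), *extra_chunks]
    body = b"".join(cid + struct.pack("<I", len(d)) + d + b"\0" * (len(d) & 1) for cid, d in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


CLEAN = make_wav(b"\0" * 1600)                                         # one second of silence
APPENDED = CLEAN + bytes(range(256)) * 4                               # constructed: blob glued after the RIFF end
EXTRA_CHUNK = make_wav(b"\0" * 1600, [(b"junk", bytes(range(256)))])  # constructed: blob inside a foreign chunk
```

Running `inspect_wav` over a quarantined sample gives a quick triage signal; an empty list only means the file is structurally ordinary, not that it is benign.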

2. LofyGang (Gaming Sector)

  • Malware: LofyStealer (aka GrabBot/Slinky), Chromelevator.
  • Distribution: Social engineering targeting Minecraft players.
  • Behavior: Uses a 53.5MB Node.js loader to execute a 1.4MB C++ payload directly in memory. Targets 8 browsers for cookies, passwords, and credit cards.
  • Evasion: Syscall-based evasion and in-memory execution.

3. GhostSocks (MaaS & Proxy)

  • Malware: GhostSocks (written in Go), Lumma Stealer (partner).
  • Target: Education sector.
  • Behavior: Turns compromised devices into residential proxy nodes using SOCKS5 and TLS encryption. Often bundles Lumma Stealer for data theft.
  • Objective: Evade detection via proxy rotation and monetize infected bandwidth.

4. ClickFix Campaigns (Phishing-as-a-Service)

  • Malware: HijackLoader, Lumma Stealer.
  • Distribution: Fake browser error pages (ClickFix) prompting users to run PowerShell commands.
  • Behavior: Downloads malicious MSI payloads; employs DLL sideloading with renamed binaries.

5. KYCShadow (Mobile Banking)

  • Malware: KYCShadow.
  • Target: Finance (India).
  • Distribution: WhatsApp smishing posing as Bank KYC verification.
  • Behavior: Firebase C2, WebView phishing, VPN manipulation to intercept SMS OTPs.

IOC Analysis

The provided IOCs include a mix of network infrastructure and payload artifacts:

  • File Hashes (MD5, SHA1, SHA256): Critical for EDR correlation. Malware families like LofyStealer and Lumma Stealer have specific payload hashes (e.g., 293006cec43c663ccff331795d662c3b73b4d7af).
  • Domains & Hostnames: C2 infrastructure such as serv.xyz (KYCShadow) and retreaw.click (GhostSocks). These should be blocked immediately at the perimeter and DNS layer.
  • IPs: Addresses such as 85.11.161.198 host the malicious MSI payloads for the ClickFix campaign.
  • URLs: Specific paths hosting payloads (e.g., http://85.11.161.198:6600/qffww8ph/2DTYOKUEN.msi).

Operationalizing IOCs: SOC teams should import these hashes into EDR solutions for isolation and block the domains and IPs on firewalls and proxies. The domain associated with the PyPI attack (scan.aquasecurtiy.org; note the misspelling of "aquasecurity") is a key indicator of the TeamPCP C2.
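Because the TeamPCP C2 domain is a misspelling of a legitimate security vendor, exact-match blocking of the listed domains will miss the next variant. As an added example (not from the pulse or the Security Arsenal team), the Python below triages constructed DNS query lines against the pulse's domain list and an assumed allow-list of vendor domains, flagging exact IOC hits and lookalikes within two edits of a trusted name; `TRUSTED_DOMAINS`, the log format and the `cdn.telynx.com` query are constructed.

```python
# Domains from the pulse's IOC list (page values) and, as an assumption, the
# organisation's own allow-list of vendor domains that a typosquat would imitate.
IOC_DOMAINS = {"aquasecurtiy.org", "retreaw.click", "serv.biz", "serv.xyz", "api.biz"}
TRUSTED_DOMAINS = {"aquasecurity.org", "pypi.org", "telnyx.com", "github.com"}

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment: edits plus adjacent swaps, so 'aquasecurtiy' is 1 from 'aquasecurity'."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition counts as one edit
    return d[-1][-1]

def registrable(host: str) -> str:
    return ".".join(host.lower().rstrip(".").split(".")[-2:])  # simplification: ignores multi-label suffixes

def classify(host: str) -> dict:
    base = registrable(host)
    sld = base.split(".")[0]
    nearest = min(TRUSTED_DOMAINS, key=lambda t: osa_distance(sld, t.split(".")[0]))
    dist = osa_distance(sld, nearest.split(".")[0])
    if base in TRUSTED_DOMAINS:
        verdict = "trusted"
    elif base in IOC_DOMAINS:
        verdict = "ioc"          # exact match against the pulse, including subdomains such as scan.<domain>
    elif 0 < dist <= 2:
        verdict = "lookalike"    # not in any feed yet, but within two edits of a vendor domain
    else:
        verdict = "unknown"
    return {"host": host, "base": base, "verdict": verdict, "nearest": nearest, "distance": dist}

def triage(log_lines) -> list:
    """Return the queries an analyst should look at, in log order."""
    flagged = []
    for line in log_lines:
        result = classify(line.split()[2])  # constructed format: <timestamp> <client> <qname> <qtype>
        if result["verdict"] in ("ioc", "lookalike"):
            flagged.append(result)
    return flagged

# Constructed resolver log; cdn.telynx.com is a made-up lookalike that exercises the fuzzy path.
DNS_LOG = [
    "2026-05-02T09:14:02Z ws-0412 scan.aquasecurtiy.org A",
    "2026-05-02T09:15:11Z ws-0199 cdn.telynx.com A",
    "2026-05-02T09:16:40Z ws-0330 api.telnyx.com A",
    "2026-05-02T09:17:03Z ws-0198 retreaw.click A",
]
```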

Detection Engineering

Sigma Rules

```yaml
title: Potential TeamPCP Python SDK Supply Chain Attack
id: 0c8f3c1e-1b2a-4a5c-9d6e-1f2a3b4c5d6e   # placeholder (the original value was not valid hex); generate a fresh UUIDv4
date: 2026-05-02
status: experimental
description: Detects msbuild.exe, powershell.exe or cmd.exe spawned by python.exe, potentially indicating execution of the TeamPCP trojanized SDK payload.
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\python.exe'
        Image|endswith:
            - '\msbuild.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    # Legitimate builds pass a project or solution file. A bare 'build' substring
    # would also match the msbuild.exe path itself and silence the rule entirely.
    filter_legit_dev:
        CommandLine|contains:
            - '.sln'
            - '.csproj'
            - '.vcxproj'
    condition: selection and not filter_legit_dev
falsepositives:
    - Legitimate developer build environments
level: high
tags:
    - attack.initial_access
    - attack.t1195.002
    - attack.execution
    - attack.t1204

---

title: ClickFix PowerShell Execution Pattern
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890   # placeholder; generate a fresh UUIDv4 before deployment
date: 2026-05-02
status: experimental
description: Detects PowerShell commands that download MSI files, a technique used in ClickFix campaigns to deliver HijackLoader and Lumma Stealer.
references:
    - Internal OTX Analysis
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
    selection_download:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadFile'
    selection_msi:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - System administration scripts
level: critical
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.004

---

title: LofyStealer Node.js Loader Activity
id: 12345678-1234-1234-1234-123456789012   # placeholder; generate a fresh UUIDv4 before deployment
date: 2026-05-02
status: experimental
description: Detects Node.js processes spawning native Windows binaries, indicative of LofyStealer's loader executing its C++ payload.
references:
    - https://zenox.ai/en/lofystealer-malware-mirando-jogadores-de-minecraft
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\rundll32.exe'
    condition: selection_parent and selection_child
falsepositives:
    - Legitimate Node.js development
level: high
tags:
    - attack.defense_evasion
    - attack.t1202
```

KQL (Microsoft Sentinel / Defender)

```kql
// Hunt for TeamPCP C2 domains, GhostSocks infrastructure and known payload hashes.
// In the Sentinel and Defender query editors a blank line ends a query, so the let
// statements and the three table searches are kept together as one query.
let IoC_Domains = dynamic(["aquasecurtiy.org", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io", "retreaw.click", "serv.biz", "serv.xyz", "api.biz"]);
let IoC_IPs = dynamic(["24.152.36.241", "85.11.161.198"]);
let IoC_Hashes = dynamic(["6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "d21a5d08b4614005c8fcd9d0068f0190", "ddd2994acd25bde5ac32a03f1cf30b41", "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc"]);
// Network connections: has_any also matches subdomains such as scan.aquasecurtiy.org,
// which an exact `in` comparison on RemoteUrl would miss.
let NetHits = DeviceNetworkEvents
| where RemoteUrl has_any (IoC_Domains) or RemoteIP in (IoC_IPs)
| project Timestamp, DeviceName, Source = "Network", InitiatingProcessFileName, Detail = strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort), SHA256 = "";
// Process execution with known hashes (the list mixes MD5, SHA1 and SHA256 values)
let ProcHits = DeviceProcessEvents
| where SHA256 in (IoC_Hashes) or MD5 in (IoC_Hashes) or SHA1 in (IoC_Hashes)
| project Timestamp, DeviceName, Source = "Process", InitiatingProcessFileName, Detail = strcat(AccountName, " ", ProcessCommandLine), SHA256;
// File creation with known hashes
let FileHits = DeviceFileEvents
| where SHA256 in (IoC_Hashes) or MD5 in (IoC_Hashes) or SHA1 in (IoC_Hashes)
| project Timestamp, DeviceName, Source = "File", InitiatingProcessFileName, Detail = strcat(FolderPath, " (", FileName, ")"), SHA256;
union NetHits, ProcHits, FileHits
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
# IOC Hunter for TeamPCP, LofyStealer, and KYCShadow campaigns
# Checks running processes, common drop directories and the DNS client cache
# against the known hashes and domains from the pulse.

# The list mixes MD5 (32 hex), SHA1 (40 hex) and SHA256 (64 hex) values, so each
# file has to be hashed with all three algorithms before comparison.
$TargetHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "fb203c0ac030a97281960d7c28d86ebf",
    "ddd2994acd25bde5ac32a03f1cf30b41",
    "f31a8953531ffb5c14e2d8347e283e1f8f3c732a5a9a68f611c96f4730e8a7dc"
)

function Get-MatchingHash {
    # Returns "<algorithm>=<hash>" for the first digest of the file found in $TargetHashes, or $null.
    param ([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $null }
    foreach ($algo in 'SHA256', 'SHA1', 'MD5') {
        $hash = Get-FileHash -LiteralPath $Path -Algorithm $algo -ErrorAction SilentlyContinue
        # -in compares case-insensitively, so Get-FileHash's uppercase output matches the lowercase list
        if ($hash -and $hash.Hash -in $TargetHashes) { return "$algo=$($hash.Hash)" }
    }
    return $null
}

# 1. Scan running processes
Write-Host "[+] Scanning running processes for malicious hashes..."
foreach ($proc in Get-Process) {
    try {
        $path = $proc.Path   # $null for protected system processes; those are skipped
        if ($path) {
            $hit = Get-MatchingHash -Path $path
            if ($hit) {
                Write-Host "[!] MALICIOUS PROCESS DETECTED: $($proc.ProcessName) (PID: $($proc.Id)) Path: $path [$hit]" -ForegroundColor Red
            }
        }
    } catch {
        # Access denied is expected for some system processes; keep scanning
    }
}

# 2. Scan common cache/temp directories for suspicious files (LofyStealer/ClickFix/TeamPCP WAV stage)
Write-Host "[+] Scanning temp directories..."
$pathsToScan = @($env:TEMP, $env:APPDATA)
foreach ($targetPath in $pathsToScan) {
    if (Test-Path $targetPath) {
        Get-ChildItem -Path $targetPath -Recurse -File -Include *.msi, *.wav, *.exe -ErrorAction SilentlyContinue | ForEach-Object {
            $hit = Get-MatchingHash -Path $_.FullName
            if ($hit) {
                Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) [$hit]" -ForegroundColor Red
            }
        }
    }
}

# 3. DNS client cache check for TeamPCP, GhostSocks and KYCShadow C2 domains
Write-Host "[+] Checking DNS cache for malicious domains..."
$MaliciousDomains = @("aquasecurtiy.org", "retreaw.click", "serv.biz", "serv.xyz")
$DnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
if ($DnsCache) {
    foreach ($domain in $MaliciousDomains) {
        # Not named $matches: that is PowerShell's automatic regex-match variable
        $hits = $DnsCache | Where-Object { $_.Entry -like "*$domain*" }
        if ($hits) {
            Write-Host "[!] SUSPICIOUS DNS ENTRY FOUND: $domain" -ForegroundColor Yellow
            $hits | Format-Table Entry, Data, Type
        }
    }
}

Write-Host "Scan complete."
```

Response Priorities

Immediate (0-4 hours):

  • Block all listed IOCs (Domains, IPs, URLs) at the perimeter, proxy, and DNS layers.
  • Execute the provided PowerShell hunt script across endpoints to identify active infections or dropped artifacts.
  • Isolate any devices returning positive matches for the file hashes provided (specifically the LofyStealer and Lumma Stealer payloads).

24 Hours:

  • Conduct credential audits for users who may have been targeted by the ClickFix campaign or LofyStealer (specifically gaming developers or IT staff).
  • Review Python package repositories and build pipelines for the telnyx SDK (TeamPCP indicators) and revert to verified versions.
  • Force password resets and session invalidation for accounts accessed from the affected proxy IP ranges (GhostSocks).

1 Week:

  • Implement strict code-signing requirements for build tools (msbuild.exe) to prevent misuse by supply chain malware.
  • Harden PowerShell execution policies to prevent obfuscated scripts (ClickFix vector).
  • Deploy application controls to block unapproved Node.js loaders and unsigned MSI installers.
