Back to Intelligence

Redline, Lumma, and Argamal: A Multivector Infostealer Assault on Developers and Gamers — OTX Pulse Analysis

SA
Security Arsenal Team
June 7, 2026
6 min read

Threat Summary

Recent OTX pulses reveal a coordinated surge in credential theft and infostealer operations targeting distinct demographics using varied delivery mechanisms. The TroyDen threat actor is actively abusing GitHub with over 300 repositories hosting "AI-generated" lures using biological taxonomy to distribute Redline and LummaStealer (LuaJIT-based) to developers and gamers. In parallel, the Argamal campaign targets gamers through adult-themed game installers, utilizing a COM hijacking persistence mechanism to drop the Termixia RAT. Furthermore, a sophisticated Traffic Distribution System (TDS) is impersonating popular tools like Ghidra and dnSpy to distribute SessionGate and RemusStealer. Separately, a critical PAN-OS zero-day (CVE-2026-1281) is being exploited by the CL-STA-1132 actor to deploy tunneling tools (EarthWorm), potentially facilitating data exfiltration.

Threat Actor / Malware Profile

  • TroyDen (Lure Factory)

    • Distribution: GitHub repositories named with obscure biological/medical terms.
    • Payload: LuaJIT-based droppers leading to Redline or LummaStealer.
    • Technique: Uses "Prometheus obfuscator" and a two-component payload design. Targets crypto-wallets and browser credentials.

  • Argamal / Termixia

    • Distribution: Malicious installers for adult games (Hentai).
    • Payload: Argamal (dropper) -> Termixia (RAT).
    • Persistence: COM Hijacking. Replaces the InprocServer32 entry for the Windows Color System Calibration Loader DLL.
    • Behavior: Delayed execution (several days) to evade sandboxing.

  • SessionGate / RemusStealer / AnimateClipper

    • Distribution: SEO poisoning and typosquatting of open-source software (Ghidra, dnSpy, SpiderFoot).
    • Infrastructure: Uses CloudFront-hosted JavaScript and a TDS to filter traffic and validate clicks.
    • Behavior: Clipboard hijacking for cryptocurrency and session theft.

IOC Analysis

The provided IOCs cover a broad spectrum of the attack chain:

  • Domains & Hostnames: asper1.freeddns.org (Argamal C2), guiformat.com and forestoaker.com (Fake TDS sites). SOC teams should immediately block these at the DNS layer and hunt for historical DNS requests in proxy logs.
  • File Hashes: Multiple SHA1 and SHA256 hashes are provided for the game installers (Argamal) and malware loaders (TDS ecosystem). These should be loaded into EDR solutions for immediate quarantining.
  • CVEs: The PAN-OS pulse lists multiple CVEs (e.g., CVE-2026-1281, CVE-2026-1340). Security teams must check firewall logs for exploitation attempts on the GlobalProtect User-ID portal.
  • IP Addresses: 194.150.220.218 and 217.156.122.75 act as TDS endpoints. Firewall rules blocking inbound/outbound traffic to these IPs are recommended.

Detection Engineering

Sigma Rules

YAML
title: Potential Argamal COM Hijacking Persistence
id: 8a7b9c1d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
description: Detects registry modifications associated with Argamal malware hijacking the Windows Color System Calibration Loader via InprocServer32.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'InprocServer32'
        TargetObject|contains: 'CLSID'
        # Specific keyword often associated with color system classes
        TargetObject|contains: 'Color'
    filter_legit_windows_path:
        Details|startswith: 'C:\Windows\System32\'
    filter_legit_syswow64_path:
        Details|startswith: 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_legit*
falsepositives:
    - Legitimate software installation of color calibration tools
level: high
---
title: Suspicious LuaJIT Execution (TroyDen Campaign)
id: b2c3d4e5-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: Detects execution of LuaJIT from user directories or archives, indicative of TroyDen's AI-generated lure delivery.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://www.netskope.com/blog/openclaw-trap-ai-assisted-lure-factory-targets-developers-gamers
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\luajit.exe'
    selection_path:
        # Excluding standard program files installation paths
        CurrentDirectory|contains:
            - '\Downloads\'
            - '\Desktop\'
            - '\AppData\Local\Temp\'
    condition: all of selection_*
falsepositives:
    - Developer usage of LuaJIT from local project folders
level: medium
---
title: Connection to Malware Distribution TDS Infrastructure
id: c3d4e5f6-4b5c-6d7e-8f9a-0b1c2d3e4f5a
description: Detects network connections to domains associated with the SessionGate/RemusStealer Traffic Distribution System.
status: experimental
author: Security Arsenal
date: 2026/06/07
references:
    - https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
tags:
    - attack.command_and_control
    - attack.c2
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'freeddns.org'
            - 'guiformat.com'
            - 'maxdatahost1.cyou'
            - 'forestoaker.com'
    condition: selection
falsepositives:
    - None expected
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for file hashes associated with Argamal and TDS Loaders
let FileHashes = dynamic([
    "02819d200d1424882af81cb504b3e8614b32397a", "1405a3c5e0aeb08012484134e16cdec4ab29b4a4", // Argamal SHA1s
    "17f8f8f34dfa737f36182fed7ff9e9814a114058", "2423a5bf0fa7cb9ec09211630a5488629499691b",
    "87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886" // TDS SHA256
]);
DeviceFileEvents
| where SHA1 in (FileHashes) or SHA256 in (FileHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA1, SHA256, InitiatingProcessAccountName
| extend Description = "Match on known Argamal or TDS malware hash"
;
// Hunt for network connections to TDS domains
DeviceNetworkEvents
| where RemoteUrl has_any ("freeddns.org", "guiformat.com", "maxdatahost1.cyou", "forestoaker.com")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine

PowerShell Hunt Script

PowerShell
# Hunt for Argamal COM Hijacking Persistence
# Checks for non-standard paths in InprocServer32 keys that might contain the color system loader string

Write-Host "[+] Hunting for Argamal COM Hijacking Artifacts..." -ForegroundColor Cyan

$UserHives = Get-ChildItem "Registry::HKU\"
$SuspiciousKeys = @()

foreach ($Hive in $UserHives.Name) {
    $Path = "$Hive\Software\Classes\CLSID"
    if (Test-Path $Path) {
        # Search for InprocServer32 keys
        $Keys = Get-Item -Path $Path -ErrorAction SilentlyContinue | Select-Object -ExpandProperty SubKeyNames
        
        foreach ($Key in $Keys) {
            $FullKey = "$Path\$Key\InprocServer32"
            if (Test-Path $FullKey) {
                $Item = Get-ItemProperty -Path $FullKey -ErrorAction SilentlyContinue
                if ($Item -and $Item.'(default)') {
                    $DllPath = $Item.'(default)'
                    # Check if DLL path is not in standard Windows directories
                    if ($DllPath -notmatch "^C:\\Windows\\(System32|SysWOW64|WinSxS)\\") {
                        # Additional check for Color System Calibration context if possible
                        if ($DllPath -match "calibration" -or $Key -match "Color") {
                            $SuspiciousKeys += [PSCustomObject]@{
                                Hive = $Hive
                                CLSID = $Key
                                DefaultPath = $DllPath
                            }
                        }
                    }
                }
            }
        }
    }
}

if ($SuspiciousKeys.Count -gt 0) {
    Write-Host "[!] Potential COM Hijacking detected:" -ForegroundColor Red
    $SuspiciousKeys | Format-Table -AutoSize
} else {
    Write-Host "[-] No suspicious COM Hijacking artifacts found." -ForegroundColor Green
}

Response Priorities

Immediate

  • Block IOCs: Implement blocks on all listed domains (guiformat.com, asper1.freeddns.org), IPs, and file hashes across EDR, firewalls, and proxies.
  • PAN-OS Patching: Immediately patch PAN-OS firewalls against the CVE-2026-1281 zero-day and review GlobalProtect logs for exploitation.

24 Hours

  • Identity Verification: If credential theft is suspected (Redline/Lumma/SessionGate), initiate forced password resets and MFA challenges for affected developer and gaming accounts.
  • Artifact Hunting: Run the provided PowerShell script across endpoints to identify Argamal persistence mechanisms.

1 Week

  • Supply Chain Security: Review GitHub access policies and educate developers on the risks of downloading unofficial tools or repositories with obfuscated names.
  • Architecture Hardening: Restrict the execution of LuaJIT and unsigned binaries in user directories. Implement application allowlisting for critical systems.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsredline-stealerargamal-rattroydengithub-supply-chainsessiongate

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action