The latest OTX pulse data indicates a significant convergence on credential theft and surveillance operations. While the vectors vary—ranging from supply chain compromises (TeamPCP) and social engineering lures (ClickFix, LofyStealer) to malicious browser extensions (GenAI themes)—the collective objective is the theft of identity data, session tokens, and financial information.
A notable trend is the weaponization of legitimate administrative tools and trusted platforms (PyPI, Chrome Web Store, finger.exe) to bypass heuristic defenses. Adversaries are increasingly employing multi-stage payloads that blend remote access trojans (RATs) like NetSupport and KarstoRAT with specialized stealers (CastleStealer, LofyStealer) to maximize monetization from compromised endpoints.
Threat Actor / Malware Profile
KarstoRAT
- Distribution: Gaming-themed lure pages targeting players.
- Behavior: Performs extensive reconnaissance, audio/video capture, keylogging, and Discord token theft.
- C2: Communicates via HTTP to IP 212.227.65[.]132.
- Persistence: Utilizes the FodHelper UAC bypass technique to establish persistence.
ClickFix / CastleLoader
- Distribution: Fake image-editing tool "BackgroundFix" using social engineering to trick users into copying malicious commands to their clipboard.
- Behavior: Abuses finger.exe to retrieve payloads. Drops CastleLoader, which subsequently deploys NetSupport RAT and CastleStealer.
- Persistence: Uses a reflective loader to execute payloads in memory, avoiding disk-based signatures.
TeamPCP (Telnyx SDK)
- Distribution: Supply chain attack via malicious PyPI packages (telnyx SDK).
- Behavior: Uses steganography to hide second-stage payloads within WAV files. Deploys a credential harvester that exfiltrates data to attacker-controlled infrastructure.
- C2: Communicates with scan.aquasecurtiy.org (typosquatting) and raw GitHub pages.
LofyStealer (LofyGang)
- Distribution: Social engineering targeting Minecraft players.
- Behavior: Two-stage attack: Node.js loader disguised in libraries executing a 1.4MB C++ payload directly in memory. Steals cookies, passwords, credit cards, and IBANs from 8+ browsers.
- Persistence: Uses syscall evasion techniques to avoid analysis hooks.
Malicious AI Extensions
- Distribution: Fraudulent Chrome extensions masquerading as productivity tools (e.g., "Chat AI for Chrome").
- Behavior: Meddler-in-the-middle attacks, DOM observation, and API interception to steal prompts and session data.
- Persistence: Installed as browser extensions, granting persistent background access to browser sessions.
IOC Analysis
The provided indicators primarily consist of File Hashes (SHA256, MD5) for the various payload stages (loaders, stealers, RATs), Domains used for C2 infrastructure and payload delivery, and IPv4 addresses associated with backend servers.
Operational Guidance:
- Network IOCs: Block identified domains (e.g., trindastal.com, chatgptforchrome.com) and IPs (e.g., 212.227.65.132) at the perimeter and proxy. Note the use of typosquatting (aquasecurtiy.org), which requires broad regex or DNS filtering rules.
- File IOCs: Use EDR capabilities to hunt for the specific SHA256 hashes provided. The prevalence of Node.js and native C++ payloads suggests a need for memory scanning rules rather than just disk scanning.
- Tooling: Sigma rules should be deployed to detect the behavioral misuse of finger.exe and the suspicious spawning of msbuild.exe or Node.js processes, as these are technique-based detections.
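The guidance above asks for exact blocking of the listed domains and IPs plus broader rules for typosquats such as aquasecurtiy.org. The following is an added example, not code from the OTX pulse or from Security Arsenal: it refangs the indicators as the brief quotes them, matches DNS and proxy log lines against them (including subdomains), and flags look-alike registrations of brands we choose to protect by edit distance. The brand list, the log line format and every log line are constructed for the demonstration.

```python
"""Added example, not from the OTX pulse or Security Arsenal: refang the
defanged indicators quoted in the brief, match them against DNS and proxy
log lines, and flag look-alike (typosquatted) domains of brands we protect.
The brand list, the log format and every log line are constructed."""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Indicators as the brief quotes them (defanged with [.]).
REPORT_IOCS = ["212.227.65[.]132", "scan.aquasecurtiy[.]org", "trindastal[.]com", "chatgptforchrome[.]com"]
# Brands whose look-alikes we want to catch (assumed list, not from the brief).
PROTECTED_BRANDS = ["aquasecurity.org", "github.com"]


def refang(ioc: str) -> str:
    """Turn defanged notation ([.] and hxxp) back into a matchable indicator."""
    return ioc.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 'aquasecurtiy' vs 'aquasecurity' is 2 (two swapped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels: a crude eTLD+1 that is enough for the .com/.org samples here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike_brand(domain: str, brands=PROTECTED_BRANDS, max_distance: int = 2) -> Optional[str]:
    """Return the brand a domain imitates (within max_distance edits, but not exact), else None."""
    base = registrable(domain)
    for brand in brands:
        if base != brand and levenshtein(base, brand) <= max_distance:
            return brand
    return None


# Constructed log format: "<timestamp> <host> <dns|proxy> <target>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>dns|proxy) (?P<target>\S+)$")


def scan_logs(lines: Iterable[str], iocs=REPORT_IOCS) -> List[Tuple[str, str, str]]:
    """Return (host, target, reason) for every line hitting an IOC or a look-alike domain."""
    blocked = {refang(i) for i in iocs}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the hunt
        target = m["target"].lower().rstrip(".")
        # Exact IOC, or a subdomain of a blocked domain (a.b.c matches b.c).
        if target in blocked or any(target.endswith("." + b) for b in blocked if not is_ip(b)):
            hits.append((m["host"], target, "exact-ioc"))
        elif not is_ip(target):
            brand = lookalike_brand(target)
            if brand:
                hits.append((m["host"], target, "lookalike:" + brand))
    return hits


# Constructed sample log lines (hosts ws01..ws05 are fictional).
SAMPLE_LOGS = [
    "2026-05-05T10:00:01Z ws01 dns scan.aquasecurtiy.org",     # exact IOC once refanged
    "2026-05-05T10:00:02Z ws02 proxy 212.227.65.132",           # exact IP IOC
    "2026-05-05T10:00:03Z ws03 dns aquasecurlty.org",            # not in the brief, but one edit from the brand
    "2026-05-05T10:00:04Z ws04 dns aquasecurity.org",            # the legitimate brand: no hit
    "2026-05-05T10:00:05Z ws05 dns raw.githubusercontent.com",   # legitimate, far from github.com
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
```

The edit-distance check is deliberately narrow (two edits on the registrable domain) so that it catches aquasecurtiy.org and similar swaps without flagging every domain that shares a few letters with a brand; a production DNS filter would use the public suffix list instead of the two-label shortcut.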
Detection Engineering
---
title: Potential ClickFix Activity via Finger.exe
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious usage of finger.exe often associated with ClickFix campaigns where finger is invoked to fetch malicious payloads.
status: experimental
date: 2026/05/05
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\finger.exe'
        CommandLine|contains: 'http'
    condition: selection
falsepositives:
    - Legitimate administration usage of finger.exe (rare)
level: high
---
title: KarstoRAT C2 Communication
id: b2c3d4e5-f6a7-5b6c-9d0e-1f2a3b4c5d6e
description: Detects outbound HTTP connections to known KarstoRAT C2 infrastructure IP addresses.
status: experimental
date: 2026/05/05
author: Security Arsenal
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationIp|startswith:
            - '212.227.65.'
        DestinationPort: 80
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Suspicious Node.js Loader (LofyStealer)
id: c3d4e5f6-a7b8-6c7d-0e1f-2a3b4c5d6e7f
description: Detects Node.js processes spawning command shells or registry tooling, characteristic of LofyStealer activity.
status: experimental
date: 2026/05/05
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # The parent must be tested on ParentImage; testing Image twice could never match a child process
        ParentImage|endswith: '\node.exe'
    selection_child:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\reg.exe'
    filter_legit:
        ParentCommandLine|contains: 'npm' # Filter out legitimate npm builds
    condition: selection_parent and selection_child and not filter_legit
falsepositives:
    - Legitimate Node.js development
level: medium
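Before shipping rules like the three above it helps to run their selections against a handful of known events and confirm each condition fires exactly where intended, in particular the parent/child pairing and the npm filter of the Node.js rule. The evaluator below is an added example, not part of the brief or of the Security Arsenal rules: it implements the Sigma modifiers the rules use (endswith, startswith, contains, exact), tests the Node.js parent on ParentImage, and runs all three rules over constructed Sysmon-style events. The event dictionaries, their "category" key standing in for the logsource, and the TEST-NET address are all constructed.

```python
"""Added example, not part of the OTX brief or the Security Arsenal rules:
a small evaluator that applies the three Sigma selections above to
constructed Windows events, so the parent/child logic of the Node.js rule
and its npm filter can be checked before deployment. Field names follow
the Sysmon-style names the rules use; every event here is constructed."""


def field_matches(event: dict, key: str, expected) -> bool:
    """Apply one Sigma field test such as 'Image|endswith' (case-insensitive, as Sigma is)."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for candidate in candidates:  # a list of values is ORed
        wanted = str(candidate).lower()
        if modifier == "endswith" and value.endswith(wanted):
            return True
        if modifier == "startswith" and value.startswith(wanted):
            return True
        if modifier == "contains" and wanted in value:
            return True
        if modifier == "" and value == wanted:
            return True
    return False


def selection_matches(event: dict, selection: dict) -> bool:
    """All field tests inside one Sigma selection map are ANDed."""
    return all(field_matches(event, key, value) for key, value in selection.items())


# The three rules from the detection section, transcribed into selections + condition.
RULES = {
    "Potential ClickFix Activity via Finger.exe": {
        "category": "process_creation",
        "selections": {"selection": {"Image|endswith": "\\finger.exe", "CommandLine|contains": "http"}},
        "condition": lambda s: s["selection"],
    },
    "KarstoRAT C2 Communication": {
        "category": "network_connection",
        "selections": {"selection": {"DestinationIp|startswith": ["212.227.65."], "DestinationPort": 80}},
        "condition": lambda s: s["selection"],
    },
    "Suspicious Node.js Loader (LofyStealer)": {
        "category": "process_creation",
        "selections": {
            "selection_parent": {"ParentImage|endswith": "\\node.exe"},  # parent is tested on ParentImage
            "selection_child": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe", "\\reg.exe"]},
            "filter_legit": {"ParentCommandLine|contains": "npm"},
        },
        "condition": lambda s: s["selection_parent"] and s["selection_child"] and not s["filter_legit"],
    },
}


def evaluate(events: list) -> list:
    """Return (event id, rule title) for every event a rule fires on."""
    alerts = []
    for event in events:
        for title, rule in RULES.items():
            if event["category"] != rule["category"]:
                continue
            results = {name: selection_matches(event, sel) for name, sel in rule["selections"].items()}
            if rule["condition"](results):
                alerts.append((event["id"], title))
    return alerts


# Constructed sample events (192.0.2.0/24 is a documentation range, not a real host).
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe http@192.0.2.10", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},
    {"id": 2, "category": "process_creation", "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger.exe admin@192.0.2.10", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": "cmd.exe"},  # no 'http': the rule stays quiet
    {"id": 3, "category": "process_creation", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "ParentCommandLine": "node.exe loader.js"},  # node spawning a shell, not npm
    {"id": 4, "category": "process_creation", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File build.ps1", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "ParentCommandLine": "node.exe npm-cli.js run build"},  # npm build: filtered out
    {"id": 5, "category": "network_connection", "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "DestinationIp": "212.227.65.132", "DestinationPort": 80},
    {"id": 6, "category": "network_connection", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "212.227.65.132", "DestinationPort": 443},  # rule only covers port 80
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running it shows events 1, 3 and 5 firing and 2, 4 and 6 silent. Event 6 is worth noticing: the KarstoRAT rule as written only matches port 80, so a connection to the same /24 on 443 would pass; the brief only reports HTTP, so widening the port filter is a judgement call for the deploying team.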
KQL (Microsoft Sentinel)
// Hunt for ClickFix Finger.exe activity and C2 connections
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessCommandLine contains "finger.exe" and ProcessCommandLine has "http")
    or (FileName =~ "node.exe" and InitiatingProcessFileName !~ "npm.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| extend IOCType = "ProcessAnomaly"
// union must be piped onto the first query; each branch keeps its own columns
| union (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl in ("trindastal.com", "poronto.com", "brionter.com", "chatgptforchrome.com", "aquasecurtiy.org")
        or RemoteIP in ("212.227.65.132", "38.146.28.30", "24.152.36.241")
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort
    | extend IOCType = "NetworkIOC")
PowerShell Hunt Script
# IOC Hunter for KarstoRAT, ClickFix, and LofyStealer Hashes
# Requires Admin privileges for a full system scan and for registering the event log source
$TargetHashes = @(
    "65229ef9d09e4cbfae326d41c517576cc2143c259fd764f259f3925fc8917c8b",
    "bde21d8be65d31e1c380f2daae2f73c79f3e1f4bca70fb990db6fdf6c3768c92",
    "d21a5d08b4614005c8fcd9d0068f0190",
    "0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5"
)
# The list mixes SHA256 (64 hex chars) and MD5 (32 hex chars); hash each file with every algorithm present in the list
$Algorithms = @()
if ($TargetHashes | Where-Object { $_.Length -eq 64 }) { $Algorithms += "SHA256" }
if ($TargetHashes | Where-Object { $_.Length -eq 32 }) { $Algorithms += "MD5" }

# Applications cannot write to the Security log, so log to Application and register the source once
$LogName = "Application"
$Source = "SecurityArsenal"
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

Write-Host "Scanning for malicious file IOCs..." -ForegroundColor Cyan
# Scan fixed common locations and user profiles
$Paths = @("C:\Users\", "C:\ProgramData\", "C:\Windows\Temp")
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        # -File skips directories, which Get-FileHash cannot hash
        Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $File = $_
            foreach ($Algorithm in $Algorithms) {
                $FileHash = (Get-FileHash -Path $File.FullName -Algorithm $Algorithm -ErrorAction SilentlyContinue).Hash
                # -contains compares case-insensitively, so the upper-case output of Get-FileHash matches the lower-case list
                if ($FileHash -and $TargetHashes -contains $FileHash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($File.FullName) ($Algorithm $FileHash)" -ForegroundColor Red
                    # Log to the Application log for SOC visibility
                    Write-EventLog -LogName $LogName -Source $Source -EntryType Warning -EventId 1337 -Message "Malicious IOC Found: $($File.FullName) ($Algorithm $FileHash)"
                }
            }
        }
    }
}
# Check for suspicious scheduled tasks or persistence mechanisms (Generic Stealer Check)
Write-Host "Checking for suspicious persistence mechanisms..." -ForegroundColor Cyan
# Actions.Execute holds the binary; a URL passed to PowerShell lives in Actions.Arguments, so check both
Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -like "*node.exe" -or
    ($_.Actions.Execute -like "*powershell*" -and $_.Actions.Arguments -like "*http*")
} | Select-Object TaskName, TaskPath, Actions
Response Priorities
- **Immediate**: Block all identified IOCs at the firewall and proxy. Isolate endpoints exhibiting `finger.exe` spawning command shells or Node.js spawning `reg.exe`.
- **24h**: Initiate credential resets for identities associated with compromised endpoints (specifically if LofyStealer or CastleStealer is suspected). Audit browser extensions across the enterprise for the "GenAI" themes identified.
- **1 week**: Implement application control policies to block unsigned binaries and restrict `finger.exe` usage. Review supply chain security regarding PyPI package usage and enforce strict pinning.